The White House and the Federal Communications Commission introduced a "U.S. Cyber Trust Mark" labeling program on Tuesday that aims to push IoT device makers to better secure their gadgets and give consumers reassurance that a product is secure before buying it.
FCC Chair Jessica Rosenworcel said the proposed labeling system would apply to smart devices that connect to the internet, such as refrigerators, televisions and climate control systems.
At a White House press briefing, Rosenworcel there were 1.5 billion attacks against IoT devices in the first six months of 2021. She also cited estimates that by 2030 there would be 25 billion connected IoT devices in use.
"Because the future of smart devices is big. And even bigger is the opportunity for us to ensure that every consumer, business, and every bank with a vending machine can make smart choices about the connected devices they use," said Rosenworcel in a prepared statement.
The proposed cybersecurity labeling program has received backing from major electronics, appliance and consumer product manufacturers. Each vowed to voluntarily increase the cybersecurity for their products they make and sell. Companies Amazon, Best Buy, Google, LG Electronics, Logitech and Samsung are among the brands committing to the program, the White House announced.
“[With] increased interconnection brings more than just convenience. It brings increased security risk," Rosenworcel said. "After all, every device connected to the internet is a point of entry for the kind of cyberattacks that can take our personal data and compromise our safety."
The FCC will use its authorities to regulate wireless communication devices to seek public comment on the proposed labeling program, which the administration expects to have in place in 2024. As proposed, certification and labeling efforts would be based on criteria by the National Institute of Standards and Technology (NIST) that, for example, requires unique and strong default passwords, data protection, software updates and incident detection capabilities.
“This voluntary program, which would build on work by the National Institute of Standards and Technology, industry, and researchers, would raise awareness of cybersecurity by helping consumers make smart choices about the devices they bring into their homes, just like the Energy Star program did when it was created to bring attention to energy-efficient appliances and encourage more companies to produce them in the marketplace,” Rosenworcel said in an FCC statement.
Consumer-grade routers were highlighted in the White House’s announcement as they are higher-risk devices that, if compromised, could be used to eavesdrop, steal passwords and attack other devices and networks. NIST will immediately seek to define requirements for routers by the end of 2023.
Routers are consistently among risky devices that connect to the internet. Last week, Forescout announced the top 20 riskiest connected devices, where routers are the No. 3 riskiest IT device, after computers and servers.