The White House recently announced the launch of a cybersecurity label for internet-connected devices, known as the U.S. Cyber Trust Mark. Development of the trademarked shield logo that will be applied to certified products was spearheaded by the Federal Communications Commission. In December 2024, the FCC announced the conditional approval of 11 companies as Cybersecurity Label Administrators and the conditional selection of UL Solutions as the Lead Administrator.
As Americans worry about the criminal activity that can arise from the influx of wireless devices entering the modern home – from baby monitors to climate controls – remote hacks are becoming a greater reality. The White House launched this bipartisan effort to educate American consumers and give them an easier way to assess the cybersecurity level of such products, as well as to incentivize companies to produce more cybersecure devices, much as Energy Star labels did for energy efficiency.
Major electronics, appliance, and consumer product manufacturers, as well as retailers and trade associations, have been working to increase cybersecurity for the products they sell. Ideally, the U.S. Cyber Trust Mark program lets them have products tested by accredited labs against cybersecurity criteria established by the U.S. National Institute of Standards and Technology and, on passing, earn the Cyber Trust Mark label.
While this feels like a step forward, how companies and consumers embrace the voluntary program will be interesting to watch. Roger Grimes, who focuses on data-driven defense strategies at cybersecurity solutions provider KnowBe4, offered the following thoughts.
“There are a lot of things to like about this program, especially the focus on IoT cybersecurity basics, such as changing default passwords, patching, data protection, and a software/hardware bill of materials. Allowing consumers to scan a QR code and get information from a decentralized IoT registry is a terrific idea. Those reasons alone are reasons enough for the program.
“But the devil is in the details, and many of the security requirements, like the entire program itself (i.e., vendors do not need to participate), are really just recommendations: voluntary and only suggestions. I wish many basic cybersecurity defenses, such as the customer being forced to change the default password and automatic patching, were required to be in the program. It would make the program much more valuable.
“As another example, vendors participating in the program must tell consumers if they have a hard-coded default password instead of just preventing any vendor from having a hard-coded default password. The way I read the current requirements, a vendor could apply the mark if they simply told the consumer they only patched once a year, never automatically, and that the consumer had to manually remember and go out of their way to look for and apply a patch, if any are ever available.
“What percentage of consumers are going to do that? It would be far better to automatically patch your product without consumer involvement. But now, the way the program is written, a vendor simply disclosing that they have purposefully included very dangerous substandard cybersecurity practices still seems sufficient for using the mark.
“So, you could have some IoT vendors really going out of their way to make very secure products that require very little attention from the consumer and other IoT vendors not applying the same high cybersecurity practices and getting to use the same mark simply for telling the consumer they use substandard cybersecurity practices, assuming the consumer actually scans the QR code and reads the information. Wouldn’t it be better if the mark actually meant the vendor was using generally accepted safe cybersecurity practices?
“When I see an FCC safety mark on an electrical cord or lamp, I know it’s safe. I don’t have to scan a code and read information to find out if it is actually safe. I wish the Cyber Trust Mark label meant the same thing…that the device was actually safe as designed. I think the problem is that consumers will see the mark and automatically assume the device meets expected cybersecurity standards and maybe it does and maybe it doesn’t.”