The Biden administration has released a new cybersecurity label for today’s smart devices.
In a press briefing, FCC Chair Jessica Rosenworcel said the new mark, called the US Electronic Trust Mark, will indicate that the devices carrying it meet security standards based on those established in a report by the National Institute of Standards and Technology (NIST). The voluntary program is expected to be implemented in 2024, with devices being labeled “soon after”.
The Biden administration unveiled the new Cyber Trust logo in a live broadcast from the White House on Tuesday morning.
The program aims to cover connected devices commonly found in the home, such as smart refrigerators, smart microwaves, smart TVs, and smart climate control systems. But the announcement also lists “smart fitness trackers” as a device that will be covered by the certification and labeling program, indicating ambitions beyond the commonly challenged space of smart home automation.
It has voluntary support from many electronics, appliance, and consumer product companies, retailers, and trade associations, including Google, Samsung, Logitech, Amazon, Best Buy, and the Connectivity Standards Alliance (home of the Matter smart home standard).
Think Energy Star but for smart device security
The FCC is working “under its powers to regulate walkie-talkies” to propose a certification and labeling program, which it says requires “strong default passwords, data protection, software updates, and incident detection capabilities,” according to a press release. Rosenworcel likened it to Energy Star, which identifies products such as computers or appliances that meet certain standards for energy efficiency.
The Cyber Trust sticker consists of two parts: a logo stamped on the product packaging and a QR code that buyers can scan later to verify that the device is still certified as cyber security threats evolve and patches are needed.
The Cyber Trust label, shown above in a gallery of screenshots from the White House livestream, has space for a lot of detail, especially after scanning a QR code. On the packaging and in online listings, the FCC example showed at-a-glance information about what sensor data is being collected and which of it is being shared, as well as how security updates are applied or what kind of authentication they support. By scanning the QR code, you will see more details on your smartphone; for example, it might include how long you can expect security updates.
The video also included rows showing what type of data is being collected, why it is being collected, whether the stored data can identify you, as well as whether and what type of data is stored in the cloud. Want to know if the device maker will share or sell your data? Under the FCC’s plan, that would also be disclosed. Other columns related to video, audio, health devices, and location data are displayed, and at the bottom, there is a field for other aggregated data. The concept also showed the user clicking on a label in an online menu to see the same expanded data.
A senior FCC official said during a post-briefing question-and-answer session that the commission is considering annual recertification processes, but timelines have yet to be determined, as the proposed label goes through a rulemaking process and a public comment period. As for who will handle the certification, Anne Neuberger, deputy national security adviser, said that would fall to third-party labs such as the Connectivity Standards Alliance or the Consumer Technology Association.
Neuberger said the label is needed to “nudge the market to build more secure products by design,” saying that companies’ ability to differentiate themselves with such a label can make them more comfortable with the higher costs of better security.
She also said the program will help strengthen accountability, as smart home products will have to continue to release security patches as needed to maintain their Cyber Trust label. Neuberger said in an interview with the edge that there will always be a “new zero day,” calling it “disturbing” that, sometimes, when the intelligence community discloses a vulnerability in the Internet of Things to companies, they say they’re done with those products and won’t release a patch.
During the interview, Neuberger referred to the NIST report when asked what the FCC would consider an “Internet of Things product” under the Cyber Trust labeling program. Essentially, according to NIST, any network-attached device that has a “sensor or actuator” in it can be considered an “IoT device,” while that entire device, together with the associated application, the cloud back-end, and the required bespoke hubs, is considered an “IoT product.”
Separate networking devices like Zigbee and Z-Wave hubs that aren’t tied to any one device, though, are grouped with Wi-Fi routers, which weren’t examined as part of the report. NIST is prioritizing cybersecurity requirements for consumer routers due to the risks they pose for eavesdropping, password theft, and other nefarious activities in targeted homes. It expects to complete this work by the end of 2023 so that the commission can consider cybersecurity requirements for routers for inclusion in the labeling program.
So far, the administration lists the following “participants” in support of today’s announcement:
Amazon, Best Buy, Carnegie Mellon University, CyLab, Cisco Systems, Connectivity Standards Alliance, Consumer Reports, Consumer Technology Association, Google, Infineon, Information Technology Industry Council, ioXt, Keysight, LG Electronics USA, Logitech, OpenPolicy, Qorvo, Qualcomm, Samsung, UL Solutions, Yale, and August US.