The Biden administration launched its long-awaited Internet of Things (IoT) cybersecurity labeling program that aims to protect Americans against the host of security risks associated with Internet-connected devices.
The program, officially called the "US Cyber Trust Mark," aims to help Americans ensure they are purchasing internet-connected devices that include strong cybersecurity protections against cyberattacks.
The Internet of Things, a term that encompasses everything from fitness trackers and routers to baby monitors and smart refrigerators, has long been considered a cybersecurity weak link. Many devices ship with easy-to-guess default passwords and don't offer regular security updates, putting consumers at risk of being hacked.
The Biden administration says its Energy Star-influenced voluntary labeling system will “raise the bar” for IoT security by allowing Americans to make informed decisions about the security credentials of the internet-connected devices they purchase. The US Cyber Trust Mark will take the form of a distinctive shield logo, which will appear on products that meet established cybersecurity criteria.
These criteria, established by the National Institute of Standards and Technology (NIST), will require, for example, that devices have unique and strong default passwords, protect stored and transmitted data, offer regular security updates, and ship with incident detection capabilities.
The complete list of standards is not yet finalized. The White House said NIST will immediately begin work on defining cybersecurity standards for “highest risk” consumer-grade routers — devices that are frequently targeted by attackers to steal passwords and create botnets that can be used to launch distributed denial of service (DDoS) attacks. This work will be completed by the end of 2023, with the goal of the initiative covering these devices when it launches in 2024.
In a press briefing, the White House confirmed that the Cyber Trust Mark will also include a QR code that will link to a national registry of certified devices and provide up-to-date security information such as software update policies, data encryption standards and vulnerability repair.
“We knew we didn't want to create a label that said this product had been certified and insured and now remains safe forever,” said a senior administration official. “The QR code will give you updated information about the continuous compliance of cybersecurity standards.”
US retailers will also be encouraged to prioritize labeled products when placing them in stores and online, the White House said, and several have already signed up for the initiative, including Amazon and Best Buy. Other big-name tech firms that have already agreed to the voluntary labeling initiative include Cisco, Google, LG, Qualcomm and Samsung.
While the initiative will initially focus on high-risk consumer devices, the U.S. Department of Energy announced Tuesday that it is working with industry partners to develop cybersecurity labeling requirements for smart meters and energy storage devices.