Cybersecurity labeling program for internet-connected devices to be launched next year, White House says

The White House and Federal Communications Commission (FCC) told reporters on Monday that a new cybersecurity labeling program for smart devices will launch by 2024 with participation from several major retailers, including Amazon, Best Buy, Google, Logitech, and Samsung.

The program, which will be known as the U.S. Cyber Trust Mark, draws on voluntary commitments from manufacturers who have agreed to a certification program based on a set of cybersecurity criteria developed by the National Institute of Standards and Technology (NIST), including what the White House described as “unique and strong default passwords, data protection, software updates, and incident detection capabilities.”

Under the program, manufacturers who agree to certification would be able to use a shield logo label on their products, signaling to consumers they have agreed to the NIST standards. The program will be administered by the FCC, with support from the Cybersecurity and Infrastructure Security Agency (CISA). The FCC will seek public comment on the proposed program in the coming months. Regulators including the Department of Justice will designate oversight and enforcement standards.

The program is aimed at improving the security of consumer-grade routers — a high-value target for hackers — and curb the growth of botnets that rely on compromised smart devices. The labels will be available for widely used consumer products, including smart refrigerators, smart microwaves, smart televisions, and smart fitness trackers, among others.

Today, the Biden-Harris Administration is launching the U.S. Cyber Trust Mark – a cybersecurity certification and labeling program that will help Americans more easily choose smart devices that are safer and less vulnerable to cyberattacks. pic.twitter.com/sBzUImz5TK

— The White House (@WhiteHouse) July 18, 2023

“Consumers are going to be the beneficiaries because they are going to be able to make informed purchasing decisions when they see this mark,” FCC Chair Jessica Rosenworcel said at a press conference announcing the program. “They can have peace of mind that the products that they're bringing into their homes adhere to widely accepted security and privacy standards.”

Rosenworcel added that manufacturers also will benefit by having an easy way to differentiate product offerings so that they can better market secure devices.

A parallel effort from the Energy Department, announced Tuesday, will extend the cybersecurity labeling concept to smart meters and power inverters, both critical elements to clean energy and the smart grid, the White House said in a press release. The administration also has charged the State Department with working with allies to encourage aligned programs overseas.

A cybersecurity and privacy expert whose research informed the White House efforts said he has conducted studies showing that consumers will pay more for products with enhanced cybersecurity protections because they recognize the vulnerability of smart devices.

Yuvraj Agarwal, a member of Carnegie Mellon’s CyLab Security and Privacy Institute, has been researching the issue for five years and worked closely with the White House to develop the new program.

“People will pay significant premiums for devices that have better security and privacy clearly disclosed, as opposed to devices … that don't have any disclosed privacy or security factors,” Agarwal told Recorded Future News, citing his research.

Documented incidents where devices like baby monitors have been breached, allowing hackers footage from private homes without victims even knowing they are being spied on, have spurred consumer demand for a labeling program, Agarwal said.

“A device with advertisements, which shares my data, costs $10 and the device that doesn't costs me $20,” he said. “The fact is that privacy is key.”

The label could also help consumers avoid breaches caused by the Mirai malware, which turns smart devices that run on ARC processors into remotely controlled bots and is often used to unleash distributed denial-of-service attacks. The attacks work by flooding victim websites with junk traffic, making them unreachable.

Agarwal said the publicity surrounding Mirai and privacy breaches such as the recent Federal Trade Commission investigation into Amazon for retaining kids’ voice recordings indefinitely, while not disclosing the practice to parents, has increased marketplace demand for more secure products.

But consumers often don’t know how to gauge products’ cybersecurity themselves, making a universally recognizable label valuable, he said.

“I found it to be quite reassuring and surprising that people, once you show them the label and show them what they could know about [smart] devices — they really do want it,” he said. “This is an idea whose time has come.”