Article Details
Scrape Timestamp (UTC): 2025-01-09 21:46:42.205
Source: https://www.theregister.com/2025/01/09/white_house_smart_device_security_label/
Original Article Text
Look for the label: White House rolls out 'Cyber Trust Mark' for smart devices
Beware the IoT that doesn’t get a security tag.
The White House this week introduced a voluntary cybersecurity labeling program for technology products so that consumers can have some assurance their smart devices aren't spying on them.
"The White House launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products, as well as incentivize companies to produce more cybersecure devices, much as EnergyStar labels did for energy efficiency," the White House said.
The program is overseen by the US Federal Communications Commission. It will be administered by 11 different companies [PDF], with UL Solutions as the lead administrator.
Makers of wireless consumer Internet of Things (IoT) devices will be able to submit their products for a security compliance review at an accredited laboratory. And products that meet the NIST-defined testing criteria [PDF] – which cover secure software development and supply chain requirements, security lifecycle policies, vulnerability management policies, and the like – will be able to display the US Cyber Trust Mark and a QR code that device owners can use to look up online product information related to password resets, security, and updates.
Vendors such as Best Buy and Amazon have said they'll highlight products bearing the mark, so there's a marketing incentive to participate in the program.
[Image: different versions of the US Cyber Trust Mark]
The US Cyber Trust Mark, available in several attractive color schemes, is focused on IoT home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers and baby monitors. It's not intended for medical devices regulated by the US Food and Drug Administration, wired products, automotive products, industrial or enterprise products, or equipment that falls under other network security regulations like the FCC Covered List.
The program originated in 2021 when the White House issued an executive order to improve cybersecurity in response to high-profile attacks like those targeting Colonial Pipeline and SolarWinds. The order, among other things, directed government officials to develop IoT cybersecurity criteria for a consumer labeling program.
In a statement, Amazon VP Steve Downer said Amazon looks forward to collaborating with industry partners and government officials to implement this program.
"Amazon supports the US Cyber Trust Mark’s goal to strengthen consumer trust in connected devices," said Downer. "We believe consumers will value seeing the US Cyber Trust Mark both on product packaging and while shopping online."
The US Cyber Trust Mark program "is not going to solve every problem that comes with the amount of connected devices a lot of us have in our homes, but it's definitely not going to hurt," RJ Cross, director of US PIRG's Consumer Privacy Program, told The Register.
"The whole model is to incentivize companies to take security more seriously and prioritize transparency with the public. I'd say that we're at the point that there are so many dang breaches and hacks that most folks are aware of cyber security as an issue. So giving people more info about the security of the devices they let in their lives is going to give them more control than they've had to date and that's a good thing."
Asked whether the certification program will shift the burden of security away from consumers to product makers, Cross said that's the real question.
"The devil is in the details," said Cross. "Any program worth its salt is going to have to be comprehensive. It needs to look not only how secure is the hardware of your smart washing machine, but also how secure is the cloud where the company is storing the data that's collected through your washing machine."
Daily Brief Summary
The White House has initiated a voluntary cybersecurity labeling program, nicknamed the ‘Cyber Trust Mark’, aimed at increasing transparency and security for smart device users.
This initiative, intended to mirror the effectiveness of the EnergyStar program, enables consumers to identify secure tech products easily through a recognizable label.
Managed by the US Federal Communications Commission and deployed through 11 participating companies, the program focuses on enhancing cybersecurity standards for Internet of Things (IoT) devices.
Eligible products, including home security cameras, smart appliances, and other consumer IoT devices, must meet NIST-defined criteria to earn the US Cyber Trust Mark, which also includes a QR code for accessing detailed product security information online.
Major retailers like Amazon and Best Buy have expressed support for the program, committing to highlight marked products, thereby adding a marketing advantage for compliant manufacturers.
The program is a response to the increasing threat landscape highlighted by significant cyber attacks, as seen with the incidents involving Colonial Pipeline and SolarWinds.
It aims to shift the burden of security from consumers to product manufacturers, ensuring that devices are secure by design and that comprehensive security covers both hardware and data handling practices.