Abele Technologies

Reprinted from The Washington Post, 7-18-2023 

Analysis by Tim Starks with research by David DiMolfetta 

White House unveils new cybersecurity labeling plan to tell you when your smart devices are secure. 

The Biden administration is rolling out a voluntary program today to label internet of things devices — like smart refrigerators and baby monitors — if they meet cybersecurity benchmarks, similar to the Energy Star labeling program for energy-efficient products. 

“We now routinely rely on internet and Bluetooth-enabled devices for tasks as basic as adjusting our thermostat or as complex as securing our homes while we’re away,” Anne Neuberger, deputy national security adviser for cyber and emerging technology at the National Security Council, told reporters Monday in advance of a White House event. “Poorly secured products enable attackers to gain a foothold in American homes and offices, and steal data or cause disruption.”

Device makers and sellers, from Best Buy to Samsung, will be at the event today to show support for the program proposed by the Federal Communications Commission, dubbed U.S. Cyber Trust Mark. 

The steps the Biden administration is announcing go back to May of 2021, when an executive order that the president signed directed agencies to carry out tests of a labeling initiative. 

If all goes as planned, the program will be operating in 2024, according to a Biden administration press release. 

The How and Why 

The most infamous cyber incident involving the internet of things (IoT) occurred in 2016, when the Mirai malware took over and weaponized IoT devices to carry out a distributed denial of service attack that knocked popular websites like Netflix and Twitter offline. In another case, hackers demonstrated in 2015 that they could get into an internet-connected Jeep and remotely target important elements of the vehicle like its braking system. 

The Trust Mark label will go to products that demonstrate common safeguards, like software updates and unique, strong default passwords, as spelled out by the National Institute of Standards and Technology in September. 

Agencies will take several steps as part of today’s announcement: 

The FCC will commence a rulemaking process, as well as apply for a national trademark with the U.S. Patent and Trademark Office that would be applied to products that meet the cyber criteria. The commission will use a QR code that links to a national registry of certified devices. 

The Justice Department will collaborate with the FCC on oversight of the program to determine what kind of liability a labeled company would have if they don’t meet the cybersecurity standards, or to provide liability shields for companies that do, according to a senior FCC official who spoke on the condition of anonymity to discuss the program in advance of its announcement. 

NIST will work to define cyber requirements for consumer-grade routers by the end of this year, in advance of possibly expanding the labeling program to include those routers. The Energy Department will do the same, in partnership with the National Labs and industry, on labeling smart meters and power inverters. 

The State Department will work with other countries on harmonizing standards. Beyond the Energy Star inspiration, the program follows countries like Germany and Singapore that have begun cybersecurity labeling schemes. 

“Consumers are going to be beneficiaries because they are going to be able to make informed purchasing decisions when they see this mark; they can have peace of mind with the products that they’re bringing into their homes adhere to widely accepted security and privacy standards,” said Jessica Rosenworcel, chairwoman of the FCC. “And product manufacturers are also beneficiaries because they are going to be able to differentiate their offerings in the market place when they meet these standards.” 

Multiple industry associations that will appear at the White House event, such as the Information Technology Industry Council and Consumer Technology Association (CTA), signaled their support in advance of the rollout. 

“Research shows consumers want more information on the safety and security of their connected devices, and we agree,” said Gary Shapiro, CEO of the CTA. 

Imperfections 

Labeling initiatives haven’t always proven flawless or garnered support from across the political spectrum. 

A 2010 GAO investigation made up four fake companies and submitted them to the Energy Star certification program, and found that Energy Star only required four of the 20 total products to be verified by an independent third party — and got Energy Star qualifications for things like a gas-powered alarm clock. It rejected two and didn’t answer three others. The Environmental Protection Agency later took steps to address such fraud. 

The FCC official said the cyber labeling rulemaking process will include looking into criteria for carrying out tests products must pass to obtain certification. 

The Trump administration also took aim at Energy Star with the support of free-market think tanks, but wasn’t able to kill it despite cutting its budget. 

“This gets back to what is a legitimate function of government,” Nicolas Loris, a research fellow at the Heritage Foundation, said in a 2017 Los Angeles Times story. “I don’t see Energy Star as one of those things.” 

Energy Star-certified homes are at least 10 percent more energy efficient than homes built to code, according to its website. So does that mean the cyber label will make homes 10 percent safer from cyberattacks? 

“We’re hoping it’s potentially a lot more than 10 percent, but it’s probably too early to tell,” said a senior administration official, speaking on the condition of anonymity to discuss the program in advance of its announcement.