FCC approves rules for IoT cybersecurity labeling program
FCC commissioners last week voted unanimously to establish a cybersecurity labeling program for wireless consumer Internet of Things (IoT) products—a portion of the communications market that industry experts have long criticized for having lackluster security.
Under the new initiative, companies can submit wireless smart products to receive the U.S. Cyber Trust Mark, which will be an indication that the item has met the program standard set by the National Institute of Standards and Technology (NIST) in its Profile of the IoT Core Baseline for Consumer Products.
FCC Chairwoman Jessica Rosenworcel cited the NIST standard and the FCC’s expertise in authorizing radio-frequency devices as indicators that the new IoT initiative has a good foundation for execution, but she said more help will be needed.
“We have both a framework for standards and a framework for execution,” Rosenworcel said during the FCC open meeting, which was webcast. “Now, to get it done, we are going to need expert partners. We will select third-party administrators, including a lead administrator, through a rigorous selection process that will work with us on the day-to-day details of the program. The administrators selected will be responsible for receiving and reviewing applications from manufacturers to use the Cyber Trust Mark.”
Rosenworcel also noted that entities deemed to be national-security threats on a federal “covered list” should not be eligible to receive a Cyber Trust Mark on their IoT products—a sentiment also emphasized by FCC Commissioner Geoffrey Starks.
“I maintain that it is imperative that we do not place our stamp of approval on devices from products that any branch of the United States government and our allies have identified as part of a national security review,” Starks said during the FCC meeting.
“I’m very happy that the order keeps that policy, as well, excluding from the Cyber Trust Mark equipment produced by any entity on our Covered List, the Department of Commerce’s Entity List, and the Department of Defense’s List of Chinese Military Companies. I’m also very happy that this prohibition applies to Cybersecurity Label Administrators and CyberLABs participating in the Cyber Trust Mark.”
In addition, the FCC is seeking comment about other potential requirements, such as whether it should be disclosed if an IoT product’s software or firmware is “developed or deployed by a company located in a country that presents national security concerns and whether customer data collected by the product will be sent to servers located in such a country,” according to an FCC press release about the matter.
FCC Commissioner Nathan Simington said approval of the Cyber Trust Mark program could mark “the beginning of a new era for American cybersecurity policy” by holding vendors more accountable, in a manner closer to the legal liability manufacturers bear for malfunctioning products in many other industry sectors.
“This gives manufacturers a strong incentive to design safe products,” Simington said during the FCC meeting. “But if an attacker hacks your smart home device—like an Alexa—and steals your financial information or listens in on your private conversations, you have little to no recourse against the manufacturer, even if the attack was only possible due to its negligent cybersecurity practices.
“This is because device manufacturers and software developers routinely disclaim all liability and warranties against such failures, and tort law provides few protections in the absence of physical injury to persons or property.”
Simington expressed support for the fact that the new IoT cybersecurity initiative is voluntary for companies, allaying his concerns that mandatory rules could run the risk of “inadvertently stifling [the nascent IoT sector] with overregulation.” However, entities willing to qualify their products for the U.S. Cyber Trust Mark should gain the confidence of consumers, he said.
“If manufacturers want to be eligible for the U.S. Cyber Trust Mark, they will have to declare that they have taken every reasonable measure to create a secure device,” according to Simington. “They will have to commit to a support period up front, and during that support period, they will have to diligently identify critical vulnerabilities in their products and promptly release updates correcting them.
“Crucially, they will be prohibited from disclaiming these promises to the consumer. As a result, these promises will be enforceable not only by the FCC itself, but also by the courts of every state under product warranty and contract law.”
IoT products have been heralded for their functionality and convenience, but industry experts have long raised concerns that many of them have lackluster security or share sensitive data without a user’s knowledge or permission. Indeed, IoT devices have been leveraged as attack vectors in some of the highest-profile attacks on critical networks over the past two decades.