Choosing secure Internet of Things (IoT) devices will be easier for consumers by the end of next year, after the US government proposed a cyber security labelling program that would use a specific logo to indicate that a product had met set security requirements.
Introduced this month by US Federal Communications Commission (FCC) chairwoman Jessica Rosenworcel, the US Cyber Trust Mark (CTM) is inspired by the successful Energy Star energy-efficiency program, providing a new logo that IoT device manufacturers could add to their products to confirm that they have been designed using secure practices.
“Smart devices make our lives easier and more efficient,” Rosenworcel said in announcing the voluntary program, which she said “would raise awareness of cybersecurity by helping consumers make smart choices about the devices they bring into their homes.”
Assuming the program successfully navigates public consultation and approval processes, consumers can expect to see CTM logos on products by the end of 2024.
To qualify for the CTM, devices would need to be certified to meet a range of cyber security criteria developed by the National Institute of Standards and Technology (NIST), which maintains a formal Cybersecurity for IoT Program whose activities include the maintenance of an expert IoT Advisory Board that held its first monthly meeting in January.
NIST has been proactively engaging with IoT manufacturers to promote the importance of secure-by-design software development, with guidelines such as the NIST Secure Software Development Framework (SSDF) (NIST SP 800-218) describing practices that can help manufacturers develop secure software and firmware.
A series of NIST baseline guidelines – which, the agency says, include “fundamental, sound, and secure software development practices based on established practices from numerous organisations” – outline issues such as the technical capabilities expected from IoT products (NIST IR 8259A) and non-technical capabilities related to IoT products (NIST IR 8259B).
NIST also offers cyber security profiles that outline expected capabilities for particular types of users – including a Consumer Profile (NIST IR 8425) and a Federal Profile (NIST SP 800-213A).
“Few software development life cycle (SDLC) models explicitly address software security in detail,” NIST explains, “so practices like those in the SSDF need to be added to and integrated with each SDLC methodology.”
Devices certified to meet the NIST guidelines – including forthcoming cybersecurity requirements for consumer-grade routers, for which a new standard is expected before the year’s end – would bear the label on their packaging, alongside a QR code that consumers can scan for further information.
A meaningful stamp of approval?
As the architects of Denmark’s “best practice” D-Seal data security and privacy certification program have already found, strong industry support is critical to the success of security labelling initiatives.
CTM already has the support of major manufacturers and retailers including Amazon, Best Buy, Google, LG Electronics USA, Logitech, Samsung Electronics and others, the White House noted.
Although it is a positive step overall, one analyst warned that the introduction of the US Cyber Trust Mark could create a false sense of security for consumers – particularly since most IoT devices are manufactured outside the US.
“It is unclear exactly how well equipped the government is to sufficiently assess compliance for the plethora of covered devices,” GlobalData principal analyst Tammy Parker said as the program was announced, noting a mooted requirement for annual recertification to remain in the program.
“Consumers repeatedly display lackadaisical attitudes toward the risks of digital intrusions and cybercrime,” she continued, noting that the proposed CTM program “will have no effect on the weakest link in the security chain, which is the consumer.”
“There is a risk that consumers might be less inclined to engage in the necessary steps to protect their smart devices and networks if they feel product manufacturers have already done the necessary heavy lifting to earn the Cyber Trust Mark.”
Consumers must embrace a range of practices to ensure IoT security, Parker added, including opting in for automatic software updates, never reusing passwords on multiple devices or websites, protecting personally identifiable information, and “remaining sceptical regarding all digital communications.”
CTM isn’t the first IoT certification program to be floated: industry groups have, for example, converged around a standard called the IoT Security Trust Mark that assesses compliance with baseline security requirements, while the Internet of Things Alliance Australia (IoTAA) is developing its own smart devices labelling scheme.
Standards Australia last year highlighted the importance of cyber security labelling, while a government Behavioural Economics Team study explored how consumers might respond to different labels.
Tests on a sample of 6,000 Australian consumers found that participants were 13 to 19 per cent more likely to choose a device with a cyber security label than one without such a label, according to the report, with consumers more likely to choose devices with high security levels or long periods of guaranteed security updates.