Fed 'Cyber Trust' Label: Good Intentions That Fall Short
The voluntary program is intended to boost consumer confidence in vulnerable IoT devices, but experts want to see vendors held to a higher standard.
January 8, 2025
Yesterday, the White House introduced a cybersecurity labeling program for wireless Internet-connected devices, intended to help Americans make more informed decisions about the products they buy and their security.
As Americans continue to add Internet of Things (IoT) devices to their home networks — everything from baby monitors to security cameras — there are growing concerns about the safety of these devices and their vulnerability to hackers. The goal of this label is to guide consumers to more secure products as well as encourage vendors in their cyber practices.
Known as the "US Cyber Trust Mark," the label has been a long time coming, with the Federal Communications Commission gathering input over the past 18 months. In a bipartisan and unanimous vote, the FCC authorized the program and said 11 vendors will act as label administrators while UL Solutions will serve as the lead administrator.
"The White House launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products, as well as incentivize companies to produce more cybersecure devices, much as EnergyStar labels did for energy efficiency," the White House brief read.
Just Good Intentions?
Though this new system has good intentions for both consumers and vendors, there are concerns and speculation as to how effective this cybersecurity label will be.
The FCC intends to use QR codes linking to a national registry of certified devices and information about these products, such as how to change the default password, configure the device securely, determine whether updates and patches are automatic and how to access them, and how long the vendor will support device security.
"Allowing consumers to scan a QR code and get information from a decentralized IoT registry is a terrific idea," Roger Grimes, data-driven defense evangelist at KnowBe4, wrote in an emailed statement. "There are a lot of things to like about this program, especially the focus on IoT cybersecurity basics, such as changing default passwords, patching, data protection, and a software/hardware bill of materials."
For these reasons alone, he believes that this program is worth supporting. However, he has some reservations.
"The devil is in the details and many of the security requirements are really just recommendations, such as the entire program itself (i.e., vendors do not need to participate), are voluntary, and only suggestions," Grimes wrote. "I wish many basic cybersecurity defenses such as the customer being forced to change the default password and automatic patching were required to be in the program. It would make the program much more valuable."
Part of the reason the program is voluntary is because the FCC believes that "the success of a cybersecurity labeling program will be dependent upon a willing, close partnership and collaboration between the federal government, industry, and other stakeholders" and the record shows "substantial support for a voluntary approach."
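To make the registry idea above concrete from the buyer's side, here is an added example (not code from the article, the FCC, or UL Solutions) that resolves a product identifier, the kind of payload a QR code would carry, against a small constructed registry and turns the disclosed practices into the questions the program leaves with the consumer: is the default password change enforced, are patches automatic, and how long is the device supported. The record layout, field names and sample products are assumptions, since the registry's real schema is not given on the page.

```python
"""Assess a hypothetical US Cyber Trust Mark registry record.

Added example; the field names below are an assumed layout, not the
real registry schema, and the sample products are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample registry (assumed layout, not the real schema).
SAMPLE_REGISTRY = {
    "cam-1234": {
        "product": "Example Indoor Camera",
        "default_password_must_change": True,
        "updates": "automatic",        # "automatic" | "manual" | "none"
        "support_until": "2028-06-30",
        "sbom_available": True,
    },
    "plug-9876": {
        "product": "Example Smart Plug",
        "default_password_must_change": False,
        "updates": "manual",
        "support_until": "2025-12-31",
        "sbom_available": False,
    },
}


@dataclass
class Assessment:
    product_id: str
    supported: bool
    days_of_support_left: int
    # What the buyer still has to do because the label does not require it.
    consumer_actions: list = field(default_factory=list)
    # Basics the article's commenters wanted mandatory but that are only disclosed.
    gaps: list = field(default_factory=list)


def assess(record, product_id, today):
    """Turn one registry record into the points a buyer actually needs.

    The program only requires disclosure, so the checks flag where the
    disclosed practice still leaves the work to the consumer.
    """
    until = date.fromisoformat(record["support_until"])
    days_left = (until - today).days
    a = Assessment(product_id, days_left > 0, max(days_left, 0))
    if not record["default_password_must_change"]:
        a.gaps.append("default password change is not enforced")
        a.consumer_actions.append("change the default password before connecting")
    if record["updates"] == "manual":
        a.gaps.append("patches are not applied automatically")
        a.consumer_actions.append("check for and install firmware updates yourself")
    elif record["updates"] == "none":
        a.gaps.append("no update mechanism")
        a.consumer_actions.append("isolate the device on its own network; it cannot be patched")
    if not record["sbom_available"]:
        a.gaps.append("no software/hardware bill of materials")
    if not a.supported:
        a.consumer_actions.append("device is out of support; replace or isolate it")
    return a


def lookup(registry, product_id, today=None):
    """Resolve a product id (the QR code payload) and assess its record.

    `today` may be a date or an ISO string; defaults to the current date.
    Returns None when the id is not in the registry, i.e. no label claim.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    record = registry.get(product_id)
    if record is None:
        return None
    return assess(record, product_id, today)


if __name__ == "__main__":
    for pid in SAMPLE_REGISTRY:
        a = lookup(SAMPLE_REGISTRY, pid, "2025-01-08")
        print(pid, "supported" if a.supported else "UNSUPPORTED", a.gaps, a.consumer_actions)
```

The point of the split between `gaps` and `consumer_actions` is the one Grimes makes: two products can carry the same mark while one enforces the basics and the other merely discloses that it does not, and a lookup tool should make that difference visible rather than collapse it into a single checkmark.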
Making Assumptions
In order to use the US Cyber Trust Mark, manufacturers that meet eligibility criteria must have their products tested by an FCC-recognized and accredited third-party lab to ensure that the program's requirements have been met. After this, they must submit an application to a Cybersecurity Label Administrator with the necessary supporting documents.
But as the requirements are written, automatic patching isn't mandatory, so a product can carry a cyber sticker of approval while it remains the consumer's responsibility to keep the device up to date.
"So, you could have some IoT vendors really going out of their way to make very secure products that require very little attention from the consumer and other IoT vendors not applying the same high cybersecurity practices and getting to use the same mark," Grimes wrote.
And while the FCC safety mark may indicate a device is designed safely, the US Cyber Trust Mark doesn't necessarily mean the same thing. The risk is that consumers see the mark and assume the device is secure.
"We also must consider whether this trust mark will give consumers a false sense of being 'unhackable' and a false sense of complacency," Sean Tufts, managing partner for critical infrastructure and operational technology at Optiv, wrote in an emailed statement. "Even if a smart device has built-in security features, users still have a personal responsibility to do their part by taking extra safety precautions — for example, changing default passwords and updating drivers/software/firmware."