Smart TVs, connected thermostats, energy monitors, and home security systems are some of the Internet of Things (IoT) devices that many American homes use each day. However, many consumers don't realize that these connected devices may be increasing their exposure to cyberattacks from bad actors looking for exploitable vulnerabilities.
In the EU, the Cyber Resilience Act is the first EU-wide legislation that imposes binding cybersecurity obligations on manufacturers and developers of connected devices, making them responsible for the security of their IoT products and for providing consumers with updates that address vulnerabilities.
In the US, the government wants to educate American consumers about the security threats they may be introducing into their homes and offices as they adopt more potentially unsafe devices. To shield Americans from "serious national security concerns," the Biden administration announced that it will establish a cybersecurity labeling scheme for consumer IoT devices. The industry-standard labeling system aims not only to educate consumers but also to give device manufacturers an incentive to make their products more secure.
Following a meeting with the National Security Council, top device manufacturers, and consumer product associations, the White House announced the initiative that will establish basic cybersecurity standards that will be overseen by the Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST).
The White House plans to roll out an IoT labeling program modeled on the Energy Star labeling program operated by the Environmental Protection Agency and the Department of Energy, starting with devices that are considered "highest risk," such as Wi-Fi routers.
The labels will take the form of scannable barcodes which, when scanned, link to information such as the device's data-encryption practices, software-update policy, and vulnerability-remediation process. The goal is to give consumers the ability to gauge how secure a device is and to compare its security with that of similar devices.
In the UK, the government has already introduced an IoT security bill, the Product Security and Telecommunications Infrastructure (PSTI) Bill, which requires device manufacturers, importers, and distributors to comply with a set of mandated security controls.
These controls include a ban on default or "easy to guess" passwords, which are often preset in devices' factory settings. Another requirement directed at IoT manufacturers is telling customers, at the point of sale, how long the product will receive security updates. There is also a mandatory vulnerability disclosure policy, which ensures that manufacturers publish a way to be contacted privately and warned about security flaws, vulnerabilities, and bugs.
How the US IoT labeling system will differ from the UK's security controls, assurance schemes, and conformity testing remains unknown. However, we know that the Biden administration aims for the labels to be "globally recognized." It is therefore likely that the program will cover areas such as product configuration, software updates, data protection, product education, asset identification, and interface access control.
Experts have weighed in on specific areas that a global labeling system for IoT devices should address. These include how frequently and for how long manufacturers will deploy patches, who has access to harvested data stored on the device or in the cloud, whether multi-factor authentication is supported, and transparency about what data the device generates.
The US government is aiming to roll out the labeling program in the spring of 2023. To stay updated on IoT product cybersecurity labeling, tune into our blog.