FCC pitches voluntary security labeling program for IoT devices
FCC proposes the use of a new security labeling program that includes a 'Cyber Trust Mark' to identify IoT products and devices that meet a baseline set of security standards.
August 10, 2023

In the wake of new requirements for US ISPs to provide nutrition-style labels regarding broadband prices and speeds, the FCC is now proposing a voluntary program focused on cybersecurity labeling for Internet of Things (IoT) devices.
The idea behind the proposal is to provide consumers with clear information about the security of their IoT devices. Qualifying products, determined in part by baseline criteria recommended by the National Institute of Standards and Technology (NIST), would bear a new shield-shaped "US Cyber Trust Mark" that consumers could refer to when making IoT purchasing decisions. That proposed logo would appear on packaging alongside a QR code that would link consumers to more info.
The mark would also "differentiate trustworthy products in the marketplace, and create incentives for manufacturers to meet higher cybersecurity standards," the FCC reasoned in an FAQ (PDF) about the proposed program.
Like the Energy Star program
While some people might be inclined to link the new security labeling program to the FCC's broadband labeling program, the Commission compares it to Energy Star, a program that helps consumers identify energy-efficient products and incentivizes companies to build them.
The FCC said it's stepping in with this Notice of Proposed Rulemaking (NPRM) as IoT devices such as home security cameras, medical devices, lights, garage door openers and baby monitors continue to proliferate, and as consumer adoption of such devices expands the risk of cybercriminals launching denial of service attacks and other malicious acts.
"There are now so many new devices – from smart televisions and thermostats to home security cameras, baby monitors, and fitness trackers – that are connected to the internet," FCC Chairwoman Jessica Rosenworcel said in a statement. "But this increased interconnection brings more than just convenience; it brings increased security risk."
The FCC is seeking comment in multiple areas, including the scope of devices that should be included in the program (for example, Wi-Fi gateways), who should oversee and manage the program, how security standards might apply to different types of IoT products, how to demonstrate compliance with those standards, and how to protect against unauthorized use of the cybersecurity label.
The FCC is also proposing a public-private partnership to oversee the IoT labeling program and is exploring the use of accredited third parties for security and compliance testing. For the purpose of the proposal, the FCC is referring to such parties as Cybersecurity Labeling Authorization Bodies, or CyberLABs.
Update: One potential third-party candidate might be Kyrio, the for-profit subsidiary of CableLabs that handles a wide range of testing, including security services. It's too early to say how Kyrio might be able to pitch in, but the company is keeping an eye on the proceeding.
"The FCC's notice of proposed rulemaking was just released today and we are reviewing it to see if an opportunity presents itself for Kyrio," Jason Lauer, VP of engineering and operations at Kyrio, said in a statement.
Following the comment and reply period and an FCC vote in favor, the program could be up and running by late 2024, the Commission said.
Industry focus on IoT security
Device makers and service providers in the private sector have already launched products and technologies designed to keep IoT devices protected and to advise users on how to blunt a cybersecurity attack.
As one example, Comcast's XFi Advanced Security platform uses a blend of machine learning and artificial intelligence (AI) techniques to spot malware intrusions and hacked IoT devices, and directs customers on how to resolve them. Comcast Technology Solutions recently launched DataBee, a cybersecurity offering focused on enterprise customers.
Colorado-based CableLabs has done work on Micronets, a framework for home IoT security that aims to re-architect the home network into smaller segments that can be managed individually and dynamically should a cybersecurity threat emerge.
Among other industry examples, the Consumer Technology Association has created an IoT working group that includes a focus on security.
— Jeff Baumgartner, Senior Editor, Light Reading