The Biden administration has launched its long-awaited Internet of Things (IoT) cybersecurity labeling program that aims to protect Americans against the myriad security risks associated with internet-connected devices.
The program, officially named the “U.S. Cyber Trust Mark,” aims to help Americans ensure they are buying internet-connected devices that include strong cybersecurity protections against cyberattacks.
The Internet of Things, a term encompassing everything from fitness trackers and routers to baby monitors and smart refrigerators, has long been considered a weak cybersecurity link. Many devices ship with easy-to-guess default passwords and offer a lack of security regular updates, putting consumers at risk of being hacked.
The Biden administration says its voluntary Energy Star-influenced labeling system will “raise the bar” for IoT security by enabling Americans to make informed decisions about the security credentials of the internet-connected devices they buy. The U.S. Cyber Trust Mark will take the form of a distinct shield logo, which will appear on products that meet established cybersecurity criteria.
This criterion, established by the National Institute of Standards and Technology (NIST), will require, for example, that devices require unique and strong default passwords, protect both stored and transmitted data, offer regular security updates and ship with incident detection capabilities.
The full list of standards is not yet finalized. The White House said that NIST will immediately start work on defining cybersecurity standards for “higher-risk” consumer-grade routers, devices that attackers frequently target to steal passwords and create botnets that can be used to launch distributed denial-of-service (DDoS) attacks. This work will be completed by the end of 2023, with the aim that the initiative will cover these devices when it launches in 2024.
In a call with reporters, the White House confirmed that the Cyber Trust Mark will also include a QR code that will link to a national registry of certified devices and provide up-to-date security information, such as software updating policies, data encryption standards and vulnerability remediation.
“We knew that we didn’t want to create a label that said this product had been certified and secured and then stayed secure forever,” a senior administration official said. “The QR code will give you up-to-date information on the ongoing adherence to cyber security standards.”
U.S. retailers will also be encouraged to prioritize labeled products when placing them in stores and online, the White House said, and a number have already signed up to the initiative, including Amazon and Best Buy. Other big-name tech firms that already agreed to the voluntary labeling initiative include Cisco, Google, LG, Qualcomm and Samsung.
While the initiative will initially focus on high-risk consumer devices, the U.S. Department of Energy announced on Tuesday that it is working with industry partners to develop cybersecurity labeling requirements for smart meters and power inverters.