As cyberattacks become increasingly sophisticated, so too must cybersecurity initiatives and technologies. However, IoT technologies in particular seem to have lagged behind. Many IoT devices have weak cyber defenses, if they have any at all. Something as seemingly mundane as a smart dishwasher or smart lighting system might allow nefarious actors to gain access to a network.
To curtail cyberattacks, all devices on an IoT network should adopt robust cybersecurity protocols and procedures. But for this to happen, we first need regulatory action and governance frameworks. Last year, the Biden administration launched a cybersecurity labeling program, in which IoT devices would be rated according to their cybersecurity provisions and marked with a label if they meet a certain threshold of security.
The program is intended to provide consumers with a quickly recognizable IoT label, which includes a QR code that’s linked to a public registry of more detailed cybersecurity information. This program will help consumers make safer purchasing decisions, raise consumer awareness of cybersecurity in IoT products, and encourage manufacturers to develop IoT products with security-by-design principles in mind. However, participation in the scheme is entirely voluntary, which has been the source of some criticism.
Here, I’ll explain what you need to know about the new cybersecurity labeling program.
What is cybersecurity labeling?
Cybersecurity labeling refers to a system in which smart devices are rated according to their levels of cybersecurity provisions. This labeling system is akin to the Energy Star labels you find on appliances, labels that provide consumers with information about energy efficiency. However, instead of focusing on energy consumption, cybersecurity labels will indicate the robustness of a device’s security features, such as encryption standards, vulnerability management processes, and the presence of secure boot mechanisms.
This labeling will allow consumers to make more informed decisions before purchasing IoT devices. By providing a clear indication of a product’s security, these labels aim to simplify the complex and often opaque world of cybersecurity for everyday consumers. The labels will also serve as a bit of a deterrent to manufacturers who might otherwise neglect security in favor of reducing costs or accelerating time-to-market.
Why label?
The White House’s move is long overdue. For years, IoT consumers have chosen cheaper connected products, which led to a race to the bottom. As a result, vendors sacrificed strong cybersecurity procedures to keep costs lower, and elements like always-on cloud features and default passwords became the norm.
But this lack of security has become increasingly untenable as our lives become increasingly filled with connected devices and attack surfaces are more exposed than ever. The explosion of IoT in both consumer and business settings means that everything from personal health devices to industrial control systems could be compromised without proper security. However, most consumers remain unaware of the significant risks of interconnectivity.
Implementing cybersecurity labels will make cybersecurity more salient in the minds of consumers by informing them about the weak protections in their favorite products. This should precipitate a shift in consumer spending to more secure products, while encouraging IoT vendors to amp up product security.
New rules take effect
On August 29, 2024, the FCC officially adopted rules for the IoT cybersecurity labeling program. This program will certify that smart devices meet specific cybersecurity standards, with compliant products earning an official cybersecurity certification.
Starting sometime next year, consumers will also see the “U.S. Cyber Trust Mark” on products that pass this certification. The logo will serve as a visible symbol of the device’s cybersecurity compliance, allowing consumers to easily identify products that meet the FCC’s baseline standards.
Voluntary participation
Again, the IoT labeling program is voluntary, meaning manufacturers can choose whether to participate. Those that do must comply with specific requirements to earn and display the FCC IoT Label. These requirements include adherence to established cybersecurity standards, regular security updates, and participation in the registry that provides detailed cybersecurity information to consumers.
The program is also designed to foster collaboration between the federal government, industry, and other stakeholders, with the expectation that consumer demand will drive widespread adoption over time. By allowing the program to be voluntary, the FCC aims to encourage innovation and flexibility in how companies achieve and maintain their cybersecurity standards.
The FCC has so far rejected the idea of making the program mandatory. There is concern that without a mandate, adoption could be limited, particularly among smaller manufacturers who may lack the resources to meet the labeling requirements. But the FCC believes that a voluntary program will be more achievable and effective, allowing for faster market impact and efficient resource use. The program’s voluntary nature could also reduce the regulatory burden on companies, making it more appealing for them to participate.
However, the FCC’s voluntary initiative stands in stark contrast to its EU counterpart, the Cyber Resilience Act, which stipulates that IoT manufacturers must abide by certain cybersecurity standards. There are penalties for non-compliance, including fines and the possibility of a complete ban on the product in the EU.
Final thoughts
The FCC’s new cybersecurity labeling program represents a significant step forward in protecting consumers from the risks associated with IoT devices. By making cybersecurity more visible and comprehensible, the program empowers consumers and pressures manufacturers to prioritize security in their product designs. While the voluntary nature of the program has led to some contention, the hope is that consumer demand and the desire for a competitive edge will drive widespread adoption, ultimately leading to a safer and more secure IoT ecosystem.
Read our other resources
We have published a range of IoT cybersecurity resources, including:
- Understanding the EU Cyber Resilience Act, which discusses the FCC program’s counterpart in the EU
- Our list of best practices for IoT data security
- A guide to overcoming IoT privacy risks
