March 29, 2024 | Policy Brief

Arming Consumers With Cybersecurity Data Can Protect U.S. Critical Infrastructure

March 29, 2024 | Policy Brief

Arming Consumers With Cybersecurity Data Can Protect U.S. Critical Infrastructure

The Federal Communications Commission (FCC) earlier this month approved the U.S. Cyber Trust Mark program, a voluntary cybersecurity labeling initiative for Internet of Things (IoT) devices. This much-needed effort to promote consumer purchases of secure-by-design IoT devices can help remove the ability of hackers to exploit vulnerable devices to launch attacks.  

The U.S. Cyber Trust Mark program will certify and label IoT devices, such as smart home gadgets, that adhere to cybersecurity criteria outlined by the National Institute of Standards and Technology (NIST). Devices meeting these standards will bear a visual U.S. Cyber Trust Mark logo along with a QR code providing consumer-friendly information about automatic updates, security support, and other cybersecurity features. The goal of the labeling system is to empower consumers to make informed decisions regarding the cybersecurity risks associated with their purchases, thereby using market incentives to push producers to adopt robust cybersecurity practices for their products.

When announcing the program back in July, the White House noted that Amazon, Best Buy, Cisco Systems, Consumer Reports, Google, Samsung Electronics, UL Solutions, and many others have signed up to participate.

This is the first instance of the FCC using its regulatory authority to address cybersecurity concerns and protect Americans from vulnerabilities in IoT devices. The FCC noted that in just the first half of 2021, over 1.5 billion attacks occurred against IoT devices. With the IoT market set to explode — the FCC estimates that there may be over 25 billion internet-connected devices in operation by 2023 — the attack surface will also grow.

Devices with poor cybersecurity pose risks not only to their owners but also to the larger internet ecosystem. Each insecure device is a possible tool for adversaries targeting U.S. networks and critical infrastructure systems. For example, earlier this year, the Federal Bureau of Investigation confirmed that China has been exploiting vulnerable, end-of-life routers used by small businesses to compromise U.S. critical infrastructure.

The U.S. Cyber Trust Mark’s success will depend on consumers choosing to purchase products that voluntarily employ better cybersecurity practices. Therefore, maximizing the program’s efficacy will require education initiatives to ensure the public recognizes the label and understands the value of selecting more secure IoT devices even if they are more expensive. Since consumer-owned products do not currently bear the cyber trust label, public awareness initiatives should also include information on addressing vulnerabilities in their existing devices.

There are a number of challenges in executing the Cyber Trust Mark program. Questions remain about what type of adjudication authority will step up to administer the program. It is also unclear how products will be re-validated as they experience software changes or patches.

Finally, this program will require increased funding for NIST’s cybersecurity and privacy program, the office responsible for maintaining IoT cybersecurity standards. However, there is a troubling sign in the president’s new budget: a decrease in funding for NIST’s program compared to the previous year. Sustained funding is critical since a successful program would protect Americans and U.S. critical infrastructure.

The Cyber Trust Mark program is a promising effort by the Biden administration to establish a cybersecurity labeling and certification program, an objective long called for by industry experts, including the Cyberspace Solarium Commission. The partnerships between NIST, the FCC, and industry partners could instill confidence among consumers in choosing secure IoT devices and lead to a more secure cyber ecosystem.

Jiwon Ma is a senior policy analyst at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Sophie McDowall is an intern. For more analysis from the authors and CCTI, please subscribe HERE. Follow Jiwon on X @jiwonma_92. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focused on national security and foreign policy.