The Biden administration unveiled a long-anticipated consumer labeling plan to strengthen the cybersecurity of smart home devices, which are used by millions of Americans for both remote work and daily entertainment, while increasingly becoming targets of malicious attacks.
The Federal Communications Commission outlined a proposal for the program Tuesday, called the U.S. Cyber Trust Mark, to create a voluntary labeling program that would give clear information to consumers about the cybersecurity of their IoT devices.
Home routers and other IoT devices have increasingly come under threat from sophisticated nation-state and criminal hackers in recent years. With millions of U.S. workers operating from home office environments, information security experts consider it critical to better secure home-based networks.
The Biden administration has considered an Energy Star-type consumer labeling program a key part of an effort to strengthen the nation’s cyber infrastructure following the SolarWinds and Colonial Pipeline attacks.
FCC officials cited data indicating more than 1.5 billion attacks were made against IoT devices during the first half of 2021. More than 25 billion IoT devices are expected to be in circulation by 2030, officials said.
In recent months, the China-linked Volt Typhoon campaign against U.S. critical infrastructure providers involved the compromise of vulnerable home routers and SOHO networks as a key component of the hacking strategy.
Cyberspace Solarium Commission co-chair Sen. Angus King, I-Maine, praised the labeling effort this morning in pre-recorded remarks.
King said “this is going to really make a difference, and I think it’s going to help protect our country.”
The voluntary program, proposed by Federal Communications Commission Chair Jessica Rosenworcel, will provide cybersecurity information on everyday smart home devices, including refrigerators, televisions, thermostats and fitness trackers.
Devices that meet cybersecurity standard criteria will get a U.S. Cyber Trust Mark label. If the FCC adopts the plan, under its authority to regulate wireless communications, it would be rolled out by late 2024. The agency would also seek public comment.
The FCC will have a QR code that links to a registry of certified smart home devices. The agency plans to work with the Department of Justice on oversight and enforcement safeguards.
The National Institute of Standards and Technology will publish specific criteria for the program, including criteria for strong and default passwords, data protection, software updates and incident detection.
NIST is also launching an effort to define cybersecurity requirements for consumer-grade routers by the end of 2023. These devices are considered higher risk than other smart home devices, as they are vulnerable to eavesdropping, password theft and compromise to launch attacks against other devices.
The Department of Energy is also unveiling a program to develop cybersecurity labeling for smart meters and power inverters, part of a larger plan to develop a safer grid.