The White House has unveiled the new “U.S. Cyber Trust Mark,” a labeling program intended to make the relative security level of smart devices more apparent to consumers. The label applies a National Institute of Standards and Technology (NIST) standard that was first put forward in a February 2022 white paper, addressing a longstanding problem with shortcomings in Internet of Things (IoT) device security.
The Cyber Trust Mark could encompass nearly all home- and office-based smart devices, depending upon manufacturer adoption. The program provides consumers with a range of useful at-a-glance information, but some cybersecurity experts have raised concerns that the lack of enforcement, and the need to keep the label's contents current as devices are patched and support periods change, will limit its usefulness.
U.S. Cyber Trust Mark counts Amazon, Google, Samsung among early adopters
The Cyber Trust Mark initiative is voluntary, and relies on manufacturers of smart devices to adopt it as a means of advertising device security via a familiar logo associated with government regulation. In that sense it is very similar to the EPA’s “Energy Star” program for signaling energy efficiency to consumers, an initiative that has been active since 1992 and has since signed up over 1,700 manufacturers and 1,200 retailers.
At the moment, about 20 of tech and retail’s biggest names are on board. On the manufacturer end are Google, Samsung, LG, Cisco Systems, Qualcomm and Logitech among others. Major retailers that have pledged to support the standard include Amazon and Best Buy. Some universities (Harvard and Yale), trade groups (Information Technology Industry Council) and media outlets (Consumer Reports) have also declared that they are on board.
One name that is conspicuously absent from the Cyber Trust Mark list thus far is Apple, which generally puts user security at the forefront of its marketing. There is certainly still time for Cupertino to throw in its lot, given that the announcement is less than a week old. However, Apple already encrypts all communications between its own “HomeKit” smart devices and the walled garden of its phones and tablets. The company may want to position its own security as superior to a standard that direct competitors will be adopting.
George McGregor, VP of Approov, notes that the standards focus on pieces of hardware but do not necessarily fully encompass the apps needed to run them: “This is a good initiative. Although the NIST guidelines make it clear that the IoT ‘product’ must include all elements of the solution, it would be good to see more specific security guidelines on the mobile apps which will almost always be part of an IoT solution. This is because mobile apps present specific security challenges which must be addressed in order to protect data and protect the device.”
The Cyber Trust Mark logos, which look like a shield with a microchip in them, will start appearing on shelves in 2024. What exactly the labels will contain is still up in the air, however. The initiative has been kicked over to the FCC, which will spend the rest of the year finalizing the details. The best available information at the moment comes from a September 2022 NIST internal report, developed as baseline guidance for IoT security. And though companies have made a broad pledge to support the new standard, there is not yet a firm commitment as to how much of their product line will carry it (and how soon).
Labels for smart devices welcomed as a positive step, but limitations abound
IoT security has been in a troubling state since IoT devices first began appearing on shelves, with manufacturers held to little in the way of requirements and a highly competitive environment that pressures them into corner-cutting in terms of security features. Major improvement is still needed, and the Cyber Trust Mark label is broadly seen as a positive initial step. However, security experts note it is also far from a solution to the problem.
The government will not only have to pitch manufacturers and retailers on voluntary adoption, but also market it to consumers who already purchase products covered in labels they pay little attention to. Putting the information out there does not guarantee that it will be read and understood, and in its present form it looks like the Cyber Trust Mark will require the added step of scanning a QR code with a phone. The system also does little to inform consumers about the smart devices they already have in their homes and businesses, some of which they likely expect to remain in place for years to come.
Debrup Ghosh, Senior Product Manager at Synopsys Software Integrity Group, sees this as a major obstacle, particularly if the Cyber Trust Mark becomes associated with price increases: “One question that remains is whether customers will understand and appreciate this label. Put another way, if there is a less expensive device available that costs a fourth of the cost of a premium brand, would customers still choose the more expensive, cybersecurity-certified product over a much less expensive option? And with that, there need to be significant investments made to educate the public on the risk of non-certified devices.”
Smart devices will also need to be updated and patched regularly to remain secure; some may need this right out of the box if they have been sitting on a shelf for months before being purchased. There is not yet any indication whether the Cyber Trust Mark system will take this into account. As it stands it will not require manufacturers to maintain support for any particular period of time, though the QR code may tell buyers up front how long the device is going to be supported.
It also remains unclear whether individual networking devices will fall under the Cyber Trust Mark’s scope of IoT devices, or whether they will be regarded as part of the “WiFi router” category, for which NIST is exploring separate and stronger requirements.
David Mitchell, Chief Technical Officer for HYAS, notes that manufacturers that sign on for the Cyber Trust Mark might also be taking on added costs that will ultimately be reflected in the unit price of smart devices: “The U.S. Cyber Trust Mark is a big step forward to deal with the ever-expanding market of sub-par IoT devices proliferating into our homes & businesses. It will be interesting to see how the vendors react and when and to what extent the EU and other allies participate. While there is no current language around retroactively certifying the millions of later model devices already in service, it is a key piece that needs to be understood. Due to the additional workload required by the vendors to meet these criteria, it would not be surprising if there were cost increases for these devices — and hopefully not such a significant cost that consumers will decide to choose the non-certified devices.”