US FCC Launches Voluntary Cybersecurity Labeling Program for Consumer IoT Devices

The US Federal Communications Commission (FCC) has announced the launch of a voluntary cybersecurity labeling program aimed at wireless consumer Internet of Things (IoT) products.

Following the US Congress’s passage of the TikTok divestment bill, this new IoT security labeling initiative may extend US “national security” technical trade barriers to all consumer electronics, home appliances, IoT, and smart devices. At the same time, the trend of cybersecurity becoming a global product safety standard represents a significant opportunity for the cybersecurity market.

Cybersecurity as a New Product Differentiator

The FCC’s IoT security labeling program will allow certified consumer smart device manufacturers to display a label indicating that their products comply with stringent cybersecurity standards set by the FCC.

The program introduces a new “US Cyber Trust Mark” accompanied by a QR code that links to a national certified device registry. Consumers can scan the label to access detailed and comparable product cybersecurity information, such as the duration of support and whether software patches and security updates are automatically delivered.

The FCC claims that this “trust mark” will help consumers incorporate cybersecurity into their purchasing decisions while encouraging IoT manufacturers to enhance product security by differentiating safer products in the marketplace.

In recent years, IoT devices such as home cameras, fitness trackers, and baby monitors have been prime targets for cybercriminals. These devices often serve as entry points for attacks against corporations. A recent study indicated that 50% of companies have experienced IoT-related cybersecurity incidents.

According to Statista, the number of operational IoT devices worldwide is projected to exceed 29 billion by 2030, drawing government attention to smart device security. The European Union and the UK have recently introduced regulations requiring smart device manufacturers to meet minimum cybersecurity standards.

The EU’s Common Cybersecurity Certification Scheme for Digital Products, launched in February, signifies that cybersecurity capabilities have become a critical product differentiator and a “market passport” for all digital products in the EU.

According to the 2023 Consumer Cybersecurity Survey Report:

l 82% of consumers stated they would stop purchasing products from a brand if they knew it had suffered a cyberattack.

l 73% of consumers indicated they research the cybersecurity of a product before making a purchase.

l 65% of consumers expressed willingness to pay more for products with stronger cybersecurity.

Major Boost for the Cybersecurity Market

The trust mark initiative, announced by the Biden administration in July 2023, is based on cybersecurity guidelines issued by the National Institute of Standards and Technology (NIST). These include strong default passwords, data protection, software updates, and incident detection capabilities.

In addition to consumer electronics, home appliances, and smart connected devices (including vehicles), the program also extends to consumer-grade routers - a high-risk product category - and may include smart meters and inverters, which are critical components of the future smart grid.

The program highlights product vulnerabilities, particularly zero-day threats. William Wright, CEO of Closed Door Security, emphasized that all participating suppliers must consistently conduct proactive penetration testing and vulnerability assessments on their devices and ensure that patches and updates can be easily applied when issues are detected. This is expected to significantly increase demand in related cybersecurity market segments.

“Trust Mark” Poised to Become a Global IoT Security Standard

The FCC will oversee the program, while approved third-party labeling administrators will be responsible for evaluating applications, authorizing label use, and consumer education. Key aspects include:

l These administrators will be selected through a “rigorous screening process.”

l Accredited laboratories will conduct compliance testing for manufacturers.

l The FCC is soliciting public feedback on proposed additional disclosure requirements.

Future requirements may include indicating whether a product’s software/firmware was developed or deployed by companies from countries deemed threats to US national security, and whether customer data collected by the product is transmitted to servers located in such countries.

https://www.fcc.gov/document/fcc-adopts-rules-iot-cybersecurity-labeling-program