Industry Groups Urge Voluntary, Cautious Approach on IoT Security
CTA urged the FCC to base its proposed voluntary cybersecurity labeling program for smart devices on existing National Institute of Standards and Technology guidance, in comments posted Tuesday (see 2308100032). Other commenters urged the FCC to proceed with caution and involve industry in developing the program. Products would be labeled with the "U.S. Cyber Trust Mark" logo, for which the FCC is seeking registration from the U.S. Patent and Trademark Office. Comments were due at the FCC Friday on an August NPRM (see 2307180054).
The label should “evaluate the IoT product in its entirety, not as only a hardware device,” said Consumer Reports, which favors an aggressive approach. Device makers “should have to commit to a set of robust cybersecurity principles, such as not using default or easily anticipated passwords, a vulnerability disclosure program, and a patching program that includes regular security updates, in order to obtain permission to display the mark,” the consumer group said. Device makers should also have to commit to updates using over-the-air fixes “for a set number of years and disclose this support lifetime on the product's box and at point of purchase,” and to securely encrypting device data “at rest on the device and in the cloud, and in motion when traversing local and public networks,” Consumer Reports said.
“The top-line goal of the program should be to reduce systemic cybersecurity risk to internet infrastructure and to users of connected devices,” CTA said. “This program must be voluntary to ensure the broadest reach, most efficiency and widest access to the valuable diversity of IoT technologies finding new ways to meet consumer needs each day,” the group said: The program should be based on NIST guidance, “global standards and certification processes aligned to the NIST Criteria.”
CTIA warned that despite NIST work, a federally managed labeling program is an “entirely new” undertaking and the FCC hasn’t “historically played a large role” on cybersecurity. “Consumer labeling is a difficult undertaking,” CTIA said: “Development and use of a consumer-facing label generally requires significant development and testing to ensure that consumers understand the meaning of the label and the message it conveys. Labeling programs need to remain current and make clear what products are covered and for what purposes.”
The Association of Home Appliance Manufacturers (AHAM) said it supports, “conceptually,” launch of a voluntary FCC program. The FCC’s stated goal of establishing a program next year is probably not realistic, AHAM said: “It is important that the program, if it is to exist, be established with clear rules and based on collaboration with stakeholders. AHAM urges FCC to conduct additional stakeholder outreach, including public meetings, to clarify its thinking and communicate its intentions with respect to the labeling program.”
The FCC should rely on a “collaborative, iterative process of industry engagement,” with a series of technical industry roundtables before finalizing the program, said the National Association of Manufacturers. “First and foremost, the FCC must be clear about what a cybersecurity label means under the program: that a company has implemented and taken the steps to have verified certain cybersecurity protections,” NAM said.
The U.S. Chamber of Commerce expressed reservations “about the apparent scope” of the commission’s work on labels. “The FCC could easily make a labeling initiative overly complicated, specifically by mandating certain IoT capabilities rather than working with industry to decide on a menu of acceptable standards for protecting IoT,” the Chamber said. It urged the FCC to “craft a workable conformance program in collaboration with industry” and “grant a safe harbor to the manufacturers, the sellers, and the users of labeled IoT.”
The Wi-Fi Alliance said the FCC should take into account efforts that already exist, like its certification program. The alliance “has long promoted RF device security by making security assessment part of its certification process,” the group said. A key question is how to define IoT products or devices eligible for the label, the alliance said: The FCC should “resolve this underlying issue in the current phase of this proceeding and, based on the resolution of that issue, propose detailed rules on which interested parties can further comment.”
Legal Questions
Commenters questioned the FCC’s legal underpinning to establish more than a voluntary program.
The commission cites Section 302(a)(2) of the Communications Act as providing authority “to adopt reasonable regulations,” but “whether that authority reasonably extends to the further, broader field of IoT device security begs clarification, and it is not clear from the prior decisions cited in the NPRM that IoT labels are a logical follow-on to the authority to protect communications from spectrum interference,” said NCTA. Section 333 of the act concerns the “integrity of the communication, as opposed to the operation of a follow-on device,” the group said.
To the extent the FCC imposes requirements, “the Commission cannot carry out this mission alone through its own programs … due to limits to the agency’s authority,” said USTelecom: “In particular, sections 302 or 333 of the Communications Act do not authorize the Commission to impose general cybersecurity requirements on devices.” Congress “has long tasked the Commission with ensuring efficient use of our nation’s airwaves, and its authority under sections 302 and 333 reflect that responsibility,” USTelecom said.