FCC Approves Cyber Trust Mark Program With Added Further Notice
FCC commissioners approved 5-0 a voluntary cyber trust mark program based on National Institute of Standards and Technology criteria during their open meeting Thursday. As expected, commissioners noted changes in the item since a draft circulated three weeks ago (see 2403130047). Also, as expected, the FCC will ask additional questions in a further notice about software and hardware from countries of national security concern and whether data from U.S. citizens will be stored abroad. The FCC was under pressure to make changes.
Probably the most significant change is the further notice itself, Public Safety Bureau Chief Debra Jordan said during a news conference following the meeting. “We did also do some edits based on ex partes [and] feedback,” she said. Using NIST criteria is mandatory, but participation is voluntary, she said.
“What we are voting on today has the potential to be remembered as the beginning of a new era of cybersecurity policy in our country,” said Commissioner Nathan Simington during the meeting. “Soon more devices than not will be smart, so this is no longer a niche issue,” he said. If manufacturers want to be eligible for the program, they will have to “declare that they have taken every reasonable measure to create a secure device,” commit to a support period in advance and “diligently identify critical vulnerabilities in their products and promptly release updates correcting them,” he said.
Simington noted that in December 2022 he urged using FCC authority under Title III of the Communications Act to address negligent cybersecurity practices by wireless device-makers on the theory that these hacked devices could be used to cause harmful interference (see 2212150078). “Today, we use exactly that theory to institute this program.” Simington thanked the other commissioners for agreeing to tweaks he had sought.
Chairwoman Jessica Rosenworcel said that, as a mother, she was especially concerned about devices like baby monitors. “You want to know when you bring that monitor into your house to watch your newborn, that connection is secure and not going to invite any malware or malicious activity into your home,” she said. “I think parents everywhere feel this way.”
“We absolutely believe the U.S. cyber trust mark will succeed if it’s a collaborative effort,” Rosenworcel told reporters. The FCC is building the program “on the well-respected work of NIST, and in particular NIST cybersecurity criteria” and is ready to work with other agencies, she said.
Too many IoT products have “lackluster security features, if any at all,” said Commissioner Geoffrey Starks during the meeting. These unsecure products “can allow remote access to our homes, allow bad actors to monitor our comings and goings remotely, lead to data theft, or, if enough insecure IoT products are combined to form a network, create botnets that can wreak havoc throughout the internet through denial-of-service attacks.”
Starks revealed he recently sent letters to five leading retailers asking about the sale and promotion of “easily hackable” video doorbells, which lack basic security measures.
“I really like this item,” said Commissioner Anna Gomez. The trust mark “will help consumers make sense of the myriad devices we use in our daily lives,” she said. Gomez said she polled her office and found its members collectively use 95 connected devices. The commissioner asked for and received edits ensuring the program is accessible in multiple languages.
A top FCC priority is making sure communications networks are secure, said Commissioner Brendan Carr. The order “aligns perfectly with that goal,” he said. Carr and other commissioners said the FCC was right to approve a voluntary program. “I really like where we ended up landing on this,” he said.
The program's launch is “a major accomplishment resulting from many years of work and close collaboration between the government, industry and other stakeholders,” CTA President Gary Shapiro said. “Internet-enabled consumer products improve everyday life from video doorbells to smart washers and dryers, but there is also the risk of bad actors exploiting consumers’ connected devices,” he said.
“Enhancing cybersecurity is a shared goal between the public and private sectors, and empowering consumers with knowledge can play a vital role,” said the Association of Home Appliance Manufacturers, the Connectivity Standards Alliance, CTA, CTIA, the National Electrical Manufacturers Association and USTelecom in a joint statement.