Commenters Disagree on Security Requirements for New Cyber Mark
Industry groups largely questioned the wisdom of using the voluntary cyber mark program for IoT devices, approved in March, to further clamp down on international security threats. But the proposals also received some support from the Internet Protocol Video Market (IPVM) and Whirlpool. FCC commissioners approved 5-0 a Further NPRM, along with the implementing order, asking about software and hardware from countries of national security concern and whether data from U.S. citizens will be stored abroad (see 2403140034). Comments were posted Thursday in docket 23-239.
The proposals contained in the FNPRM “would undermine the approach set in the Order, could deter participation in the Program and would not materially enhance security or value for consumers,” CTA warned. Requiring that customers “evaluate the cybersecurity and national security risk of a product that includes an entity based in a particular country in its ecosystem is beyond the scope of what most consumers should be reasonably expected to understand and would likely confuse rather than empower consumers,” CTA said.
The proposed disclosures “would not enhance the security of products bearing the Mark,” said CTIA. “Rather, such disclosures could deter legitimate manufacturer participation in the Program because such disclosures may be technically infeasible for many products,” the group said. The disclosures could also “confuse consumers at a critical stage -- the outset -- of the Program’s education and awareness campaign,” CTIA said. Proposals in the FNPRM “could sidetrack implementation and undermine the clear and well-founded approach established in the Order.”
Requiring cyber mark applicants to affirm that a device doesn’t rely on software from a country known to present security concerns is “sensible in light of the unique risks raised by high-risk countries of origin,” said IPVM, a security and surveillance industry research group. When companies “sell products featuring backdoors or other sabotage risks, those products provide potential unauthorized access points from which a high-risk government could intercept or extract information,” IPVM said.
“Consumers would benefit greatly from increased transparency” concerning whether devices come with hidden security risks, Whirlpool said. “While the security space is dynamic and new threats are always emerging, we believe most consumers would expect that IoT products certified to the label have been deemed to present no unnecessary risks to national security or consumer privacy,” the company said.
USTelecom said while it strongly supports the cyber mark, the FCC should reconsider whether it is the right agency to oversee international security risks. “Agencies such as the Department of Commerce’s Bureau of Industry and Security and the Department of Justice are already engaged in evaluating and mitigating threats related to foreign adversaries and sensitive U.S. data,” USTelecom said. “The FCC should defer” to this “expertise and ensure that its actions are harmonized with broader national security strategies, as emphasized by NTIA’s recommendations.”
Adopting proposals in the FNPRM “would detract from the program’s impact,” warned the Information Technology Industry Council (ITI). The FNPRM is focused on disclosures to “high-risk” countries as identified by the Commerce Department, ITI said. “These disclosures fall outside the program's remit and overlap with existing U.S. government-administered national security programs,” the group said: “Such disclosures would create an added layer of complexity for consumers, defeating the label’s ease of use and cyber education goals, as well as discouraging participation in the program by manufacturers.”
The FCC should consider using focus groups and polling to determine whether consumers “actually value” the data the FCC proposes to collect, said Yameen Huq, director of the U.S. Cybersecurity Group at the Aspen Institute. “It would be beneficial if consumers are interested in it, and if -- in the context of a voluntary labeling program -- a requirement to disclose this information does not deter too many manufacturers from participating,” Huq said: Since the declaration “would not disqualify a company from receiving the certification, it would not raise legal risks.”