Timeline Unclear for When Consumers Will See Devices With Cyber-Trust Mark
Challenges remain as companies implement a voluntary cyber-trust mark program based on National Institute of Standards and Technology criteria, speakers said during an FCBA CLE on Thursday. FCC commissioners approved the program 5-0 in March (see 2403180046), but the order has not appeared in the Federal Register and the program's timeline is unclear. The cyber mark label will appear on consumer IoT products with an accompanying QR code. It's comparable to the ENERGY STAR program, which certifies products as energy efficient.
Device-makers must know “the standards and procedures that they’re going to have to test to,” and the lead administrator and cybersecurity label administrators are still to be identified, said David Grossman, CTA vice president-policy and regulatory affairs. Other steps also remain, pending Federal Register publication, he said. “We still have much more work to do.” CTA hopes the program will be up and running “as soon as possible,” Grossman said.
Another challenge is consumer education, Grossman said. “We’ve done a ton of work here,” but “if consumers don’t know what the mark is, what it stands for, what to look for, then we really haven’t achieved our goal,” he said. A federal government-led consumer education plan is needed, he said.
Protection from liability is another issue, Grossman said. “Manufacturers want to know that participating in this program” won’t “subject them to new liability either from government agencies or from civil litigation,” he said. The FCC order doesn’t address state preemption, but the states are always looking to engage on issues like IoT security and “we think that there needs to be one single federal program and not a patchwork of state laws.”
In addition, the approach must be harmonized with other countries, Grossman said, noting that the companies CTA represents have a global focus. The U.S. program doesn’t always align with efforts abroad, he said. The EU is embracing a mandatory approach that’s “very different than what we’re talking about here in the U.S.”
Still, CTA is mostly pleased with the program as approved by the FCC, Grossman said. That the program is voluntary is important, he said. “Manufacturers can make a decision for themselves on what’s best for their company, for their customers and for the ultimate market,” he said. NIST has “a great deal of expertise” in cybersecurity and basing the program on NIST standards “is a very good thing,” he said. The program is also binary; companies meet the requirements, or they don’t, which makes it simple for consumers to understand, he added.
Public Safety Bureau Chief Debra Jordan said the FCC order outlines the process for selecting a lead administrator for the program. There will be a public announcement when the submission window opens, she said. Timing is “unfortunately a little bit out of our control” and depends on OMB Paperwork Reduction Act approval, she said.
Jordan discussed the myriad ways people use the IoT. “But with this convenience comes risks -- IoT products are susceptible to a range of cybersecurity vulnerabilities,” she said. The cyber-trust mark will help consumers make “informed decisions” about IoT devices, “differentiate trustworthy products in the marketplace and create incentives for manufacturers to meet cybersecurity standards.”
Stacey Higginbotham, policy fellow-advocacy at Consumer Reports, agreed that education is critical. Consumers say they’re most concerned about data-sharing practices and how long device-makers will continue to update a device's security, she said. “Consumers are already looking for some of the information that we would expect to see” in cyber-mark labels, she said.
Research shows consumers are also willing to pay more for secure products, Higginbotham said. The most important considerations include providing information “consumers expect to see” and making the mark “easily accessible” and “simple to understand,” she said.
The Department of Energy’s ENERGY STAR program provides a model for the FCC on the cyber mark, said Jessica Almond, CableLabs director-technology policy. Today, everyone looks to that mark when buying an appliance, but “that of course took years,” she said. The FCC oversaw the digital TV transition 15 years ago, which was “a massive consumer education project,” she said.
The cyber-mark program will “bring improved security and trust by essentially reducing the cyber risks,” said Eric Tamarkin, senior director and public policy counsel-U.S. public affairs at Samsung Electronics America. “It will also increase consumer trust in these products,” he said. A harmonized approach would reduce compliance costs for multinational IoT device manufacturers, which will mean lower prices for consumers, he said.
The program should remain “voluntary, nimble, flexible, and allow companies to compete and achieve the mark,” Tamarkin said.