The FCC has unanimously agreed to create a cybersecurity program meant to give consumers peace of mind when installing internet of things (IoT) technologies. The number of internet-connected devices in circulation is growing rapidly as convenient connected products become commonplace – kitchen appliances, smart thermostats, fitness systems, security cameras and many others. As the number of devices rises, the opportunities for malware, privacy breaches and other online malfeasance increases.
“The device I think of most when I think about this new world of the internet of things and, maybe it is because I am a mom, is a baby monitor,” said Chairwoman Jessica Rosenworcel during Thursday’s Commission meeting. “My goodness you want that to be safe. You want to know when you bring that monitor into your house to watch your newborn that the connection is secure.”
The Commission estimates that there will be more than 25 billion IoT devices operating by 2030. It cited third-party cyber-attack figures, which estimated more than 1.5 billion attacks on IoT devices in the first six months of 2021.
Under the program, IoT devices meeting the program’s security requirements would bear the “U.S. Cyber Trust Mark.” Next to the mark, manufacturers would place a QR code directing consumers to an online source with further information about the product’s security features.
The FCC will appoint a lead administrator of the Trust Mark program to coordinate with manufacturers and accredited test labs to oversee the certification of marked products. The Commission, however, did not estimate when consumers will begin to see the marks. The precise criteria for the Trust Mark program are still to be finalized and the Commission is waiting for the U.S. Patent and Trademark Office to approve the mark itself.
Once in operation, the Trust Mark program will be voluntary. While larger companies most likely will desire to assure the safety of their products, start-up device companies might have the means to enter the Trust Mark process.
“The IoT market is incredibly dynamic and young. The risk of inadvertently stifling it with over-regulation is real, so instead of imposing mandatory rules we are setting a high mark for products to earn the right to use the Cyber Trust Mark,” said Commissioner Nathan Simington.
The Cyber Trust Mark order accompanies a Further Notice of Rulemaking, to determine whether the Commission should require companies to reveal where the software and firmware in the devices originated before qualifying for the mark. “It is incredibly easy to hide a backdoor in an IoT device and almost impossible to detect it,” Simington said.
