Cyber Trust Mark Meant to Inspire IoT Confidence

Some future internet-connected devices could eventually bear the “U.S. Cyber Trust Mark” under a program the FCC adopted last week. Next to the mark, manufacturers would place a QR code directing consumers to an online source with further information about the product’s cybersecurity features.

The Commission unanimously agreed to create the program meant to promote internet of things (IoT) devices that include strong cybersecurity features. The Commission estimates that there will be more than 25 billion IoT devices operating by 2030. Many consumers already use connected kitchen appliances, smart thermostats, fitness systems, security cameras and many others. The rise in connected devices increases security risks. The FCC cited third-party figures, which estimated more than 1.5 billion cyber attacks on IoT devices in the first six months of 2021.

“The device I think of most when I think about this new world of the internet of things and, maybe it is because I am a mom, is a baby monitor,” said Chairwoman Jessica Rosenworcel during the March 14 Commission agenda meeting. “My goodness you want that to be safe. You want to know when you bring that monitor into your house to watch your newborn that the connection is secure.”

However, consumers will not begin to see the marks immediately. The precise criteria for the Trust Mark program are still to be finalized and the Commission is waiting for the U.S. Patent and Trademark Office to approve the mark itself. Under the plan, the Commission will appoint a lead administrator of the Trust Mark program to coordinate with manufacturers and accredited test labs to oversee the certification of marked products.

Once in operation, the Trust Mark program will be voluntary in order to protect start-up device companies that might not have the means to enter the Trust Mark process. “The IoT market is incredibly dynamic and young. The risk of inadvertently stifling it with over-regulation is real, so instead of imposing mandatory rules we are setting a high mark for products to earn the right to use the Cyber Trust Mark,” said Commissioner Nathan Simington.

The Commission adopted the Trust Mark program the day after the House of Representatives overwhelmingly passed a bill that would either ban social media platform Tik Tok or require its Chinese owner to divest it. Many legislators fear Chinese access to consumer data through Tik Tok and other internet sources.

In addition to starting the Trust Mark program, the FCC adopted a Further Notice of Rulemaking to determine whether it should require companies to reveal where the software and firmware in the devices originated before qualifying for the mark. “It is incredibly easy to hide a backdoor in an IoT device and almost impossible to detect it,” Simington said.