US Federal government issues voluntary security guidelines.
By Tim Nodar, CyberWire senior staff writer. (The CyberWire editorial staff also contributed to this article.)
Jul 19, 2023

Industry gives the White House's new US Cyber Trust Mark program a generally positive review.

The White House has announced a cybersecurity labeling program for smart devices: “Under the proposed new program, consumers would see a newly created ‘U.S. Cyber Trust Mark’ in the form of a distinct shield logo applied to products meeting established cybersecurity criteria. The goal of the program is to provide tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes.” Manufacturers and retailers that have committed to the voluntary program include Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech, and Samsung Electronics.

According to the Associated Press, the program will be overseen by the Federal Communications Commission (FCC).

Industry reaction to Trust Mark: generally positive, with notes on work remaining to be done.

Rick McElroy, Principal Cyber Security Strategist at VMware, sees Trust Mark as a positive step forward. “This move represents another step in the right direction for national strategic cybersecurity goals.” There are, however, aspects of the program that require attention. “With that being said, there are still several issues that arise. Setting standards for devices is needed but configurations of those devices matter as well. After reviewing this guidance from the Biden-Harris administration, a few questions come to mind. Who does the testing of these devices? Is there a testing process? Does the current proposed U.S. Cyber Trust Mark include understanding what zero-days other government agencies currently possess that impact those devices? These all must be accounted for in cyber to get a true trustworthy rating.”

George McGregor, VP at Approov, also liked the move, but thinks mobile apps might deserve more attention. "This is a good initiative. Although the NIST guidelines make it clear that the IOT 'product' must include all elements of the solution, it would be good to see more specific security guidelines on the mobile apps which will almost always be part of an IOT solution. This is because mobile apps present specific security challenges which must be addressed in order to protect data and protect the device."

David Mitchell, Chief Technical Officer at HYAS, believes it’s about time “sub-par” IoT received proper attention. “The U.S. Cyber Trust Mark is a big step forward to deal with the ever-expanding market of sub-par IoT devices proliferating into our homes & businesses. It will be interesting to see how the vendors react and when and to what extent the EU and other allies participate. While there is no current language around retroactively certifying the millions of later model devices already in service, it is a key piece that needs to be understood.”

Mitchell wouldn’t be surprised to see some devices increase in price. “Due to the additional workload required by the vendors to meet these criteria, it would not be surprising if there were cost increases for these devices — and hopefully not such a significant cost that consumers will decide to choose the non-certified devices.”

Thomas Pace, CEO and Co-Founder of NetRise, previously responsible for ICS security at the DOE, also approves of the approach exemplified by Trust Mark. “The US Cyber Trust Mark is undeniably a positive step in the right direction. It follows a similar path as Energy Star and ingredients lists, analogies that have been drawn for some time.” But Pace argues that experience suggests a voluntary approach won’t be sufficient. “However, for this to be meaningful and make an actual impact, it must have one more characteristic in common with Energy Star or ingredients lists: it NEEDS to be mandatory. No one looks to the government to give them more work voluntarily, we all have enough work to do. If real change and secure devices are the end goal, then make it mandatory. We don't need more compliance frameworks that sit on a shelf and are totally ignored.”

Finally, AJ Nash, VP and Distinguished Fellow of Intelligence at ZeroFox, sees Trust Mark as being an educational opportunity as well as a regulatory move:

"Today’s update on the proposed labeling program for smart devices, known as ‘U.S. Cyber Trust Mark,’ is a big step toward helping consumers better understand the relative risks of buying and using smart technologies at a time when the rise in these technologies in kitchen appliances, thermostats, televisions, watches, and fitness trackers - and much more - exponentially expands the threat landscape. The data collected by fitness trackers, in particular, is not considered to be health information so it lacks the same mandated protections that health-related applications do. As a result, modern cybercriminals looking for ways to target people can get the personal information and location tracking from these tools with relative ease. A frightening and very real threat that most consumers don’t understand today. 

"I see this new set of guidelines as an educational opportunity as much as a security measure, as this program will likely help teach consumers how to better research and choose devices with stronger protections prior to their purchases. Additionally, this new certification system will increase pressure on manufacturers in these competitive markets to prioritize securing their devices from the start, rather than retroactively fixing vulnerabilities after products have been released.  

"A more secure future starts with initiatives like this one, bringing together leaders from the tech industry and government agencies to implement strong, actionable guidelines that enable consumers and companies to better educate and protect themselves from growing threats."

(Added, 11:30 AM ET, July 19th, 2023. Debrup Ghosh, Senior Product Manager at Synopsys Software Integrity Group, wrote to express agreement with the initiative. “This labeling system is a step in the right direction for improving IoT device security. It’s particularly compelling that the government and key industry stakeholders are working together to improve cybersecurity for consumers. The technical guidance that NIST is driving for cybersecurity requirements for consumer-grade routers will be key, as will securing critical infrastructure for internet-connected devices such as smart meters and power inverters,” Ghosh wrote. “However, the labeling system is just a minimum requirement for cybersecurity. Device manufacturers need to continue to drive risk down for consumers by focusing on automated software updates, automated incident detection, and two-factor authentication. One question that remains is whether customers will understand and appreciate this label. Put another way, if there is a less expensive device available that costs a fourth of the cost of a premium brand, would customers still choose the more expensive, cybersecurity-certified product over a much less expensive option? And with that, there need to be significant investments made to educate the public on the risk of non-certified devices.”)

(Added, 12:00 noon ET, July 19th, 2023. Chris Wysopal, Founder and CTO at Veracode, drew on the NIST workshops, where he shared Veracode’s experience with creating the Veracode Verified label. He, too, agrees that Trust Mark is a positive step. "It not only brings transparency to an area that is opaque, but also encourages manufacturers and retailers to increase cybersecurity for the products they sell, as well as helps consumers easily select products that are robust," he wrote. "The label indicates devices have unique and strong default passwords, data protection, software updates, and incident detection. Ultimately, this will drive good behavior by incentivizing organizations to put in place the best practices and behaviors outlined in the program. When the Biden administration’s Executive Order was released in May 2021, it set out to improve the nation’s cybersecurity. NIST was directed to initiate two labeling programs – one on IoT consumer devices and one on software development practices. The second outlines how the software provider can demonstrate adherence to accepted secure software development practices throughout the software development lifecycle. By addressing these criteria, the label communicates to the consumer that secure software development best practices were employed. The same underlying principles and safeguards apply to the new U.S. Cyber Trust Mark program."

And Christine Gadsby, VP of Product Security, BlackBerry, wrote to offer a consumer's perspective on how Trust Mark may be useful. "Smart thermostats, wireless security cameras, and digital doorbells come with promises of greater savings, safety, or convenience. But they can also serve as back doors for hackers looking to get into your home network. While these next-generation devices promise to make our homes ‘smarter’, they’re not necessarily more cyber secure. Our homes are our havens, and our smart devices are supposed to bring us peace of mind. Without understanding the level of cybersecurity baked into these products, we may unintentionally allow strangers to shatter our sense of security and violate the sanctity of our homes. So it’s no surprise four in five consumers surveyed by BlackBerry believe the rollout of a cybersecurity labeling system would make them feel safer and more informed when using Internet-connected devices, and two-thirds would be prepared to pay more for products with higher rankings. At the end of the day, we need to protect what matters the most: our families. This starts with realizing that security should be a requirement and shouldn’t be an optional add-on -- or worse, not thought of at all when it comes to the devices we buy. It’s a right.")

(Added, 1:00 PM ET, July 19th, 2023. Ilona Cohen, Chief Legal and Policy Officer at HackerOne, seconds the general approval with which Trust Mark has been received. “HackerOne applauds the White House’s recent IoT labeling initiative, U.S. Cyber Trust Mark, to enhance digital safeguards on internet-connected devices. This initiative reflects the Administration’s continued commitment to putting cybersecurity first, helping consumers find safer products, and improving IoT security transparency," Cohen wrote. "As cybersecurity complexity increases and vulnerabilities continuously evolve, we believe the certification requirements underpinning the labeling scheme should also include Vulnerability Disclosure Programs (VDPs) to help manufacturers identify cybersecurity flaws in their systems and apply patches before exploitation. We look forward to seeing how this develops and hope to be a resource to the Administration as they work to roll this program out.” 

And Lineaje's CEO and co-founder, Javed Hasan, sees consumer reassurance as a principal goal of the initiative. “The U.S. Cyber Trust Mark was created to reassure consumers that the smart devices they purchase include strong cybersecurity protections. Currently, the criteria set forth by the National Institute of Standards and Technology (NIST) include strong passwords and incident detection capabilities, as well as that the device offers regular updates. While these standards are great, they are missing a key component of the overall security puzzle." The standards should also be used to hold vendors to account. "IoT devices are powered by software. To prevent consumers from falling victim to the hands of an adversary, it is critical that the companies behind these products are doing their due diligence in building better software, and a more robust software supply chain. Vulnerability scanners can, and often will, miss critical flaws in software components. And software that is not built securely cannot run securely. Organizations creating and running IoT devices need to focus on building and buying better software and assessing any previous software to ensure its integrity." And Hasan has a suggestion as far as the actual label is concerned. "Instead of a seal on a particular product, I would also recommend to the NIST that it is a QR code instead. The QR Code could take you to a central repository showcasing some of the security requirements, as well as the software bill of materials (SBOM) to add a level of transparency. The Biden-Harris administration has already set forth several campaigns that indicate its commitment to securing the software supply chain, including U.S. Executive Order 14028. It is my hope that the administration and the NIST include best software supply chain security practices in its guidelines for the U.S. Cyber Trust Mark seal of approval.”)

(Added, 7:45 PM ET, July 20th, 2023. DigiCert wrote to express approval of the Cyber Trust Mark, but also to stress that public-private cooperation will be crucial to the program's success. Several of the company's leaders offered comment on the Cyber Trust Mark. Tom Klein, Senior Director, IoT Business Development, sees the Mark's value to consumers. “The White House announcement of the U.S. Cyber Trust Mark is a good first step toward providing consumers with greater assurance in the trustworthiness of the smart devices that they use," he wrote. "The next few months will be really important in assuring that items such as strong measures for ensuring device authentication beyond passwords are put in place. Similarly, the FCC needs to make sure that device manufacturers can be held accountable for using best practices for encrypting data, signing firmware and ensuring secure over the air updates of devices.”

Jason Sabin, DigiCert's Chief Technology Officer, also expressed full support for the initiative. "As a company committed to digital trust, we fully support the FCC's proposed cybersecurity labeling program. By empowering consumers with information, we can collectively raise the bar for security standards in the IoT industry."

Brian Trzupek, SVP, Product, thinks his company has a serious contribution to make to the secure and safe operation of connected devices. "DigiCert's Device Trust solution plays a pivotal role in ensuring the safety of connected devices. Through cybersecurity labeling, the industry is enabling consumers to make informed choices about their digital lives, fostering a secure and trustworthy IoT ecosystem." And Sabin added, "Cybersecurity labeling has been a core part of DigiCert’s business on the internet for more than two decades. With IoT and smart devices, there are lessons learned from websites, the Norton Seal Powered by DigiCert and the DigiCert Smart Seal that can help consumers know what to trust and what not to do. Security labels need to be clear about what security and privacy protections device users are receiving.")

(Added, 9:45 PM ET, July 21st, 2023. Allen Drennan, Co-Founder & Principal at Cordoniq, briefly reviewed some of the legacy insecurities the Cyber Trust Mark program will face. "Many IoT devices were built using insecure protocols, and if they did implement transport layer security, these utilize outdated ciphers and hashes, or open source TLS modules that are also outdated and subject to hacking. Ideally, as part of the cybersecurity initiatives it will be important to not only make sure all devices implement up to date TLS standards for communications, but are also required to frequently update their internal security stacks as new threats are discovered and need to be addressed," Drennan wrote. "Another important aspect is the reliance on the UDP protocol for many IoT devices like thermostats, baby monitors, wireless cameras and more, with most vendors not implementing current accepted security protocols such as DTLS for connectionless communications. This area is seldom addressed with most consumer products used today.")

(Added, 3:00 PM ET, July 25th, 2023. Jim Hyman, the CEO of connected device company Ordr, offered a note of skepticism about the effectiveness of Trust Mark and similar initiatives. He thinks it shows more promise for consumer devices than it does for other systems. "The FCC’s recent proposal for a voluntary U.S. Cyber Trust Mark is a good idea for consumer IoT devices, and while it has people across other industries talking, implementing a similar strategy for the commercial sector won’t be so easy. We’ve already seen the difficulties in shepherding through legislation to improve IoT security standards through efforts like the NIST Cybersecurity Framework for IoT, proposals for improving medical IoT as part of the PATCH Act, and other provisions in the recent Omnibus spending bill allocation to the FDA. The process is complicated, and the nuances vary from industry to industry. What’s more, new security standards and trust labels do little to address security for the billions of IoT, IoMT, OT, and other connected assets already deployed, operating, and accruing in organizations across all industry sectors. Additionally, the Cyber Trust Mark may not adequately reflect how the device is being used and deployed within the network. An SBOM provided to support a Cyber Trust Mark during a product approval process may not reflect the actual applications running in a device in the real world, or changes in applications due to software updates. Security is ultimately a shared responsibility model, and security teams will need a solution for the day-to-day management and security of every device in the network, including IoT. This solution should deliver accurate device inventory, monitor devices for vulnerabilities and threats, and enable segmentation policies to secure them.")