Protecting Consumers: The US Cyber Trust Mark

  • December 11, 2023
  • William Payne

The US administration is introducing a voluntary cyber security certification and labelling programme that will be known as the US Cyber Trust Mark. The new programme is to provide consumers with a Quality Assurance mark that guarantees minimum levels of cybersecurity assurance for devices and IoT home and consumer technology.

The Federal Communications Commission (FCC) proposed the new Mark following pressure from consumer groups, industry bodies and politicians.

The Cyber Trust Mark is a US response to moves by a number of overseas administrations including the EU, the UK and Singapore to establish consumer device cybersecurity labelling.

Most commentators appear to believe that the US administration will seek to harmonise its emerging IoT cybersecurity standard with European schemes such as the EU CE Mark, the Cyber Resilience Act and the UK PSTI.

Under the new programme, products that meet the new device and IoT cybersecurity standards will be able to display a shield logo. This will make cyber quality assured products easier for consumers to recognise.

The scheme is being supported by a number of electronics, appliance and consumer goods manufacturers. These include Google, Samsung, Logitech, Amazon, Best Buy, and Matter smart home standard developer the Connectivity Standards Alliance.

To encourage uptake by manufacturers of the new voluntary Cyber Trust Mark and encourage recognition by consumers, the FCC has begun a promotional campaign to increase awareness of the new standard across industry and among the public.

The FCC is also aiming to emulate UK consumer quality marks by providing a QR code that links to a national registry of certified devices, giving consumers more information on the security credentials of the product and on its capabilities compared to other devices in the same category.

Consumer Protection & Beyond

At present, the focus of product protection covers common consumer devices such as smart refrigerators, smart microwaves, smart televisions, smart climate control systems, and smart fitness trackers, among other devices. Even for consumer devices, it is not confined to the smart home category.

It is also likely to extend beyond devices for the consumer. The US National Institute of Standards and Technology (NIST), which has a central role in defining the technical underpinning to the FCC proposals, is also working on a set of technical cyber security standards for internet routers.

In addition to NIST, the US Department of Energy is separately researching cyber security labelling for smart meters and power inverters. It is quite possible that the Cyber Trust Mark will be extended to include the Department of Energy’s labelling requirements.

With the global cost of cyber attacks to businesses and consumers forecast to reach 10.5 trillion dollars annually by 2025, according to cybersecurity research house Cybersecurity Ventures, there is a clear requirement to improve IoT cybersecurity protection for US businesses.

The FCC already has an ongoing effort to promote cyber security to American small businesses. It has developed the Small Biz Cyber Planner 2.0, an online resource to help small businesses create customised cybersecurity plans. It also publishes a one-page Cyber Security Tip Sheet, which is aimed at small business operators. It seems logical to many commentators that the Cyber Trust Mark will cross over into small business areas, a move that could significantly increase the scope of the scheme, and expand it into segments such as mobile healthcare devices, light industrial equipment, surveying and small retail systems.

Such a move into small business equipment and devices could see a deepening and strengthening of the Mark’s technical standards. This would address concerns being voiced by, among others, FCC commissioner Nathan Simington, who believes the scheme at present is too weak to provide effective cyber security protection for consumers, and is vulnerable as it stands to being hobbled by organised resistance on the part of technology vendors.

Open Source Code & IoT

A parallel White House cyber initiative that is likely to impact on the Cyber Trust Mark going forward is the initiative on open source security, including that of IoT devices. Initially a reaction to the Apache Log4j Java library vulnerability, which affected a wide range of IoT devices as well as web services, the initiative has so far produced two White House summits on open source security, the first in January 2022 and the second in May 2022.

With the launch of the Cyber Trust Mark, the White House has revived the open source security initiative. In August 2023, the White House Office of the National Cyber Director released a request for information. This was accompanied by a presentation at Carnegie Mellon University by CISA director Jen Easterly.

In a departure from the two open source cybersecurity summits held in 2022, the focus in August 2023 is on memory unsafe code as a cyber vulnerability. IoT devices are especially vulnerable to memory unsafe code as many devices are coded in C, C++ or ASM, which are all memory unsafe. Race conditions and buffer overflows may also be easier to initiate on embedded controllers. The most common IoT coding language, Java, also suffers a range of memory safety issues. By emphasising memory safety in code, the White House has focused its open source cybersecurity initiative on a key concern of IoT cybersecurity.

Cyber Trust Data Description

In addition to the Shield label and a QR code, the scheme provides a range of detail about the product, such as what sensor data is collected, which data elements are shared, how security updates are applied, and what kind of authentication is supported. Short-form details are provided on the packaging, with fuller details available online through a smartphone app by scanning the QR code.

Further details that the FCC is planning to include in the scheme include a comprehensive list of data collected by the equipment provider, if data stored can identify consumers, whether and what data is stored in the cloud, and what data is shared or sold to third parties.

The FCC is considering annual recertifications, but the intervals have not yet been decided.

Definitions and Certification

Unlike conventional quality assurance schemes, such as ISO 9000, which has a three-year validity period, Cyber Trust Mark validity is not guaranteed for a set period. While Mark holders will need to recertify at set periods like ISO 9000 holders, they can lose the Mark at any time during the validity period if they fail to issue a security patch for a product.

The Cyber Trust Mark scheme is voluntary. However, once in the scheme, manufacturers are obligated to comply with its requirements. Failure to comply may be met with civil law penalties under the Communications Act, or through civil litigation. The FCC is still considering what form compliance enforcement should take.

Certification of products will be carried out by third-party labs such as the Connectivity Standards Alliance and the Consumer Technology Association. The FCC is carrying out a consultation to decide which labs should be appointed and how certification should be carried out.

The FCC is delegating the task of defining what is an IoT device for the purposes of the Cyber Trust Mark to NIST. The relevant definitions can be found in NIST IR 8425, Profile Of The IoT Core Baseline For Consumer IoT Products. According to NIST, any network connected device with a sensor or actuator can be considered an IoT device. When grouped with an associated app, cloud backend and bespoke hubs, the whole is known as an “IoT product”.

IoT-specific networks such as ZigBee are not considered as part of the device environment, but instead are grouped by NIST together with Wi-Fi routers. NIST is working on a separate body of work on Wi-Fi and IoT routers, and expects it to be completed by the end of 2023. These requirements are then likely to be incorporated into the Cyber Trust Mark scheme.

The Role of NIST

The Cyber Trust Mark will be based on criteria laid down by NIST. In May 2021, President Biden directed NIST and the Federal Trade Commission (FTC) to develop criteria for an IoT cybersecurity labelling programme.

In February 2022, NIST published its recommended criteria. These form the foundation for the Cyber Trust Mark scheme. The criteria define cybersecurity outcomes rather than controls. This allows IoT manufacturers to meet requirements in the way most suitable for their products. These criteria include: product configuration; interface access control; software updates; and documentation.

International comparisons and harmonisation

The US Cyber Trust Mark is not the first quality mark providing consumer assurance for IoT devices. In Europe, the EU and UK currently employ the CE Mark, which was adapted for IoT cybersecurity via the Radio Equipment Directive in 2022 and will take effect in April 2024. This covers the majority of IoT and wireless products.

For its part, Singapore became the first country in Asia to introduce cybersecurity labelling for IoT consumer devices. The country’s cybersecurity agency, the CSA, has introduced the voluntary Cybersecurity Labelling Scheme (CLS) for IoT-based consumer products. The CLS offers four levels of product security labels based on compliance with the ETSI EN 303 645 standard for IoT consumer cybersecurity.

Both the EU and the UK are planning on further strengthening IoT device and network security. The EU is aiming to achieve this through the Cyber Resilience Act. The UK passed the Product Security and Telecommunications Infrastructure Act in December 2022 and it comes into force in April 2024.

The UK legislation aims to cover all devices not already covered by existing legislation. Unlike the Cyber Trust Mark, it is mandatory. Manufacturers, importers and distributors will all be equally responsible for compliance. Fines can be up to 4% of global revenue, or £10 million, whichever is greater.

The EU CRA is similar to the UK PSTI, although its maximum fine is 2.5% of global revenue, or €10 million.

Maintaining records and automatic reporting obligations are common to both the PSTI and the CRA.

The key difference between European approaches and the US approach is the mandatory application to all parties and the regulatory enforcement processes adopted by EU and UK administrations.

If, as many believe, the Biden administration seeks to harmonise the Cyber Trust Mark with European legislation, a question arises whether it will be only at the technical level, or at the regulatory level as well.

The UK initially operated a voluntary scheme for industry, based on best practice advice from the National Cyber Security Centre, an adjunct of the country’s national signals intelligence agency, GCHQ. The UK then decided to proceed to a mandatory approach for manufacturers and distributors as cyber risk to IoT devices increased. In Singapore, the voluntary nature of its CLS labelling scheme is also under question, with consideration being given as to whether it should become mandatory.

Dissenting Voices

The Cyber Trust Mark has not met universal approval. Surprisingly, the strongest voice raised against it has come from within the FCC itself.

FCC Commissioner Nathan Simington believes the current proposals are too weak. He wants to strengthen the legal standing of the scheme, and bring it under tort and contract law. He fears manufacturers will aim to weaken the regulations and has called on programmers and developers to engage with the consultation process. Simington appears also to favour making the Trust Mark scheme mandatory from the outset.