Cybersecurity labels are coming. Will they be effective?
The Biden administration has begun work on a cybersecurity certification program for internet-connected devices and appliances that may be vulnerable to hacks or other invasive cyberattacks.
Consumers can basically think of this U.S. Cyber Trust Mark as something akin to a nutrition label, but in this case it tells you if your smart speakers, baby monitor or fitness tracker are secure.
Marketplace’s Lily Jamali spoke with Stacey Higginbotham, founder and editor of the Internet of Things newsletter, about why getting the program out soon is vital to strengthening national cybersecurity.
The following is an edited transcript of their conversation.
Stacey Higginbotham: There are two reasons we need this. One is more and more products that consumers buy are going to be connected to the internet. We need to make sure that these things are secure. So even if you don’t buy into, like, the Amazon Echo ecosystem or Google Home or any of that, you’re still getting connected products in your life, whether you’d like it or not. Reason No. 2 is security is not just important for, like, preventing giant botnets from taking out major websites. It’s also important for you as a consumer because you don’t want somebody to hack your network. A minor issue might be, like, if someone tries to get into your thermostat and holds it as part of a ransomware attack. It probably wouldn’t be around you as an individual. But someone could go after all of, like, the [Google] Nest thermostats out there and say, hey, we’re taking these down unless everybody pays us money, and you won’t be able to control your temperature in your home. That would be terrible. Another issue is these insecure products can let people eavesdrop on, like, microphones on your device or possibly access the images coming from your security camera. Most people don’t want that to happen.
Lily Jamali: So, you know, part of the reason we’re talking about this now is because the Biden administration is out with a plan for these labels on consumer connected devices. Knowing that a device has cleared certain criteria sounds like a good thing for consumers. But I wonder where do you think the program, as it’s been laid out by the administration, where does it fall short?
Higginbotham: There are a couple of issues. One is we don’t actually know the rules that this program is going to follow, right? We don’t know what security features are going to be part of this label just yet. Two, the FCC, so the Federal Communications Commission, is the agency that’s going to be in charge of administering this program. And I have a lot of questions about their ability to do so. I had hoped when we had heard about this back in October that the [Federal Trade Commission] was going to do this because they have a lot of experience doing these sorts of labeling programs. But apparently the FCC raised their hand. And that’s the agency involved.
Jamali: And do we have a sense of when we can expect to see these labels showing up in our lives on our devices?
Higginbotham: So the goal is to get some sort of rules for the router label together by the end of this year and we’ll see something there hopefully early next year. As for labels on all of the other devices, so the actual U.S. Cyber Trust Mark, we’re looking to see it happen maybe 2024. But I feel that’s a bit optimistic.
Jamali: What do we know about what kind of information is going to be featured on these labels?
Higginbotham: So they’re looking at a two-pronged label. One is just like the sticker that says, this is the U.S. Cyber Trust Mark, right? The second is a QR code that if you scan it, you’ll get a deeper level of information about, hey, has this passed a security check recently? For example, with any connected device, you have to constantly recertify it because a vulnerability could appear at any time and render it insecure. So the FCC is looking at creating a program that basically every year, you’ve got to recertify, so that label is going to be out of date on the box itself. So the QR code will tell you, hey, it’s up to date. It’s good. It might also tell you things like what sensors are on this device and deeper feature information about security.
Jamali: So do you have any concerns about information that would be relevant but might not make it on the label as it’s envisioned right now?
Higginbotham: I love this program for what it’s trying to do around security. Like, there’s lots of really good stuff in here, like no default passwords, requiring over-the-air updates to be on any connected device. There are potentially rules about how companies need to set up bug bounty programs, so how to handle vulnerabilities. But it doesn’t deal with privacy. And that’s really frustrating to me because I feel like most consumers think of security and privacy pretty much the same way. They’re both important to them when they’re buying a connected device. And this program deals with privacy not at all.
Jamali: Right, and that is really a big part of the backdrop here, that data privacy is this lingering issue that pretty much still has no federal regulation.
Higginbotham: Exactly. And it is beyond frustrating to me because we’ve got the states enacting all kinds of regulations. California has been really innovative here. Indiana has something; it’s all right. Washington state has a new health data privacy rule that I think is really important. So we’re having this, like, piecemeal patchwork of privacy rules. But this is a good opportunity that we could have taken to say, hey, here’s some bare minimum things we need to show on a connected device so consumers at least know what they’re purchasing and what kind of information they’re giving away.
Jamali: Now, this is a voluntary program. What incentives are there for companies to get them to participate?
Higginbotham: I think the incentive is just going to be that, hey, you’ve already been spending a lot of money on securing these devices already. So now you can show the consumer. Also, we’re going to need education around this. So just like there was education around the Energy Star label, we’re going to have to teach consumers to say, hey, look for the U.S. Cyber Trust Mark when you buy a connected device.
Jamali: And do you think that consumers are going to buy into this? Are they gonna care as much about this as they might about nutrition labels or, you know, have the same buy-in that seems to have been the case with the Energy Star label?
Higginbotham: I don’t even know if consumers care about nutrition labels. I mean, there’s a lot of data that’s, like, people don’t necessarily read that. I think there are a lot of people who care about the security of their connected devices. It is one of the most common questions I get. They’re like, hey, I’m looking at this plug versus this plug. Do you know which one’s more secure? Those are probably hardcore, not mainstream, consumers. But I do think people will care. If it’s easy for them to see that something is secure, I think they will choose that.
One big reason that this program exists, according to Stacey Higginbotham, goes back to a cyberattack known as the Mirai botnet incident in 2016.
That’s when attackers used a malware program that infected internet-connected smart devices, largely by logging in with factory-default passwords, and turned them into a botnet that launched “distributed denial of service,” or DDoS, attacks against major websites and internet infrastructure.
And there are a lot of smart products out there. A report from the website IoT Analytics says there were more than 14 billion of them globally in 2022.