What Is the US Cyber Trust Mark?
By Jenn Mullen, Contributor
In July 2023, the White House introduced the U.S. Cyber Trust Mark, a voluntary cybersecurity certification and labeling program intended to raise the baseline level of cybersecurity across connected devices in the United States. The move comes at a time when the Internet of Things (IoT) market is growing rapidly, driven by adoption across sectors including manufacturing, automotive, healthcare, and logistics in addition to its ubiquity in consumer products. IoT devices are enriching daily life and enabling greater efficiency and productivity, but they also create new risk exposures.
Historically, security has been treated as something separate from product design. IoT device security testing often happens late in the design cycle, which leaves gaps that are not identified until production and vulnerabilities in the shipped product. The largest challenge in IoT security, however, is the devices themselves. IoT devices often run operating systems and third-party libraries whose origin and revision the manufacturer does not track, and which carry an equally unknown set of vulnerabilities. By contrast, traditional devices such as laptops and desktops run well-established, widely used operating systems whose vulnerabilities are well understood, cataloged, and recorded.
As IoT devices become more important in both consumer and professional settings, millions if not billions of new endpoints, and with them new vulnerabilities, are coming online. As a result, the already staggering $3 trillion global cost of cybercrime is predicted to exceed $10.5 trillion in 2025, according to an eSentire report published in 2022. Individuals and businesses alike recognize the significant impact that cybersecurity has on their financial stability, and their buying behavior reflects this change. Companies that invest in designing devices with robust cybersecurity will see high returns on that spend as customers become savvier and more security conscious.
Participation also makes good business sense. In a survey conducted by McKinsey, 60% of IoT buyers cited trusted cybersecurity as a critical aspect of IoT solutions. 31% of enterprise IoT buyers cited cybersecurity as the leading impediment to smart device adoption, with most of those indicating that they would invest more heavily in IoT if security were strengthened. Device manufacturers who respond to this shifting demand voluntarily will find their efforts rewarded with higher profit margins and stickier clients.
The U.S. Cyber Trust Mark program, which is expected to roll out in 2024, aims to establish a cybersecurity baseline for IoT devices, strengthen the security of smart devices, and protect the privacy of their users. It is one of several similar regulatory proposals introduced internationally, such as the European Union’s (EU) Cyber Resilience Act. The newly announced American program and others like it are working with device manufacturers and standards bodies to develop baseline cybersecurity and data privacy requirements that participating products must meet or exceed.
What Is The U.S. Cyber Trust Mark Program?
The U.S. Cyber Trust Mark program is a cybersecurity certification and labeling program intended to help American consumers more easily identify and choose IoT devices that are less vulnerable to attacks or security breaches. The program would cover a large portion of consumer smart devices, including major home appliances, smart home systems, wearables, and others. Products that meet the criteria laid out in the program would be eligible to bear the distinct U.S. Cyber Trust Mark shield logo. Like the Energy Star logo, the mark will differentiate certified products from others and aid consumers in making more informed decisions when buying IoT devices.
This voluntary program establishes a minimum threshold for device cybersecurity. In doing so, it seeds an environment where more IoT devices are brought to market with fewer vulnerabilities and more consumers factor cybersecurity into their purchasing decisions. While the full scope of the program is yet to be defined, it is expected to encompass most consumer smart devices and may extend to the industrial IoT as well.
What criteria must be met to be U.S. Cyber Trust Mark certified?
The program’s full criteria are not yet defined, and the FCC is seeking comment from device manufacturers and other stakeholders on how to ensure the program’s success and adoption. What is known is that the program intends to adopt NIST’s consumer IoT criteria (NISTIR 8425), which center on product-focused cybersecurity outcomes rather than prescriptive requirements or directives. The outcome-based approach allows for flexibility, which is critical in a market as diverse and fast-growing as IoT. It may also simplify certification: rather than demonstrating conformance to a fixed checklist, manufacturers will need to provide evidence that a device meets or exceeds each expected outcome.
NIST’s IoT cybersecurity criteria cover both technical and non-technical areas and include:
- Asset identification
- Product configuration
- Data protection
- Interface access control
- Software updates
- Cybersecurity state awareness
- Documentation
- Information and query reception
- Information dissemination
- Product education and awareness
Developing standards, conformance protocols, and guidelines for certification is complex work, and many questions are yet to be answered. The FCC is working with stakeholders to keep the program’s procedures industry-led and streamlined, so as to encourage timely and widespread adoption.
Why should device manufacturers participate?
The U.S. Cyber Trust Mark program will establish minimum security thresholds that, when met, will foster a much more secure and efficient IoT ecosystem. The program provides a baseline set of security benchmarks (for example, data protection, automatic software updates, and incident detection capabilities) that device manufacturers must meet for a product to receive the U.S. Cyber Trust Mark.
Industry leaders including Google, Amazon, and LG Electronics, among many others, have already committed to participating in the program. As more companies join them, they will begin to form a kind of herd immunity against cyberattacks in the IoT space. More participants will also drive greater awareness of cybersecurity challenges and solutions and foster innovation that strengthens the entire industry landscape.
Early participation may also offer an opportunity to contribute to the development of the program’s standards, processes, and guidelines, all of which are still being determined. If the U.S. Cyber Trust Mark program follows the same pattern as other similar programs, compliance is unlikely to remain voluntary indefinitely. Early adoption allows device makers to begin designing new devices to the standard now and avoid the costs of retrofitting entire product fleets, as well as fines for non-compliance. Even if the program remains voluntary, it will become a significant factor in persuading device manufacturers to adopt design workflows that consider cybersecurity throughout.
Securing the Future of IoT
The U.S. Cyber Trust Mark program marks the beginning of a new era in American IoT innovation. The program will help protect consumer privacy and safety, enable innovation, and establish the foundation for a standard IoT cybersecurity framework that may allow US manufacturers to enter and be more competitive in global markets. What distinguishes this program from other consumer marks is that its logo is more than a ‘seal of approval’. The QR code that accompanies the U.S. Cyber Trust Mark is a vehicle for radical transparency into IoT device security.
Consumers will be able to scan these QR codes to access a living database and see how diligent manufacturers are in maintaining the security of the devices they produce. Simply by picking up a certified device, a consumer will be able to check what updates or patches it has received to secure it against emerging threats and, most importantly, whether it is affected by any current threats or vulnerabilities. Consumers will reward retailers that stock certified devices with their loyalty and purchasing power, and to keep retailers stocking their products, device manufacturers may in turn make certification a prerequisite for component vendors.
Ultimately, this program is the first step in a new way of thinking about security for both manufacturers and consumers. The announcement of the U.S. Cyber Trust Mark program has already prompted important conversations about securing the Internet of Things and protecting consumer privacy in this vast and growing technology market. The U.S. Cyber Trust Mark program lays a strong foundation for securing the future of the IoT by incentivizing manufacturers to secure their devices from the ground up and by empowering consumers to take a more proactive role in shoring up IoT security, both with their own devices and with their purchasing power.
You can learn more about this program from cybersecurity experts at Google, Yale Home, Keysight, and others at the Securing the Internet of Things virtual event, taking place January 24th, 2024.