Consumers have become accustomed to seeing all kinds of labels and seals of approval on products as they shop, from Energy Star to sustainability standards. Now they need to prepare for the hack-proof seal of approval that the federal government will introduce to home devices and appliances.
Last July, the Biden administration and the Federal Communications Commission proposed creating the U.S. Cyber Trust Mark program, a voluntary cybersecurity product labeling initiative to allow consumers to select internet-connected devices that manufacturers have certified as safe from hackers, scammers and other cybercriminals.
Final details have yet to be worked out, but as proposed, the program would require participating makers of smart Internet of Things (IoT) devices such as doorbell cameras, voice-activated speakers, baby monitors, TVs, kitchen appliances, thermostats and fitness trackers to meet a set of cybersecurity standards established by the National Institute of Standards and Technology (NIST), including unique passwords, data protection, software patches and updates, and incident detection capabilities.
Currently, the program does not include smartphones, computers, routers or certain internet-connected medical devices covered by Food and Drug Administration regulations, such as smart thermometers and CPAP machines. Nor does it cover cars and the data stored in them, which are overseen by the National Highway Traffic Safety Administration and have raised data privacy concerns.
The program is a public-private partnership, with oversight and enforcement provided by the FCC and approved third-party label administrators managing activities such as evaluation of product applications, label approvals, and consumer education. Compliance testing is handled by accredited laboratories.
Products that meet the standard will have the U.S. Cyber Trust Mark shield logo printed on their packaging with a QR code that consumers can scan with their smartphones to receive detailed, up-to-date security information about that particular device. “Just as the Energy Star logo helps consumers know which devices are energy efficient, the Cyber Trust Mark can help consumers make more informed purchasing decisions about the privacy and security of their devices,” said FCC Chairman Jessica Rosenworcel.
To date, Amazon, Best Buy, Google, LG Electronics USA, Logitech and Samsung Electronics have joined the program, but none of the companies has yet used the symbol.
Holiday labeling is a goal, but difficult to achieve
The FCC approved the program in March, with the goal of launching it later this year. “We would hope to start seeing devices with this technology by the holidays,” Nicholas Leiserson, the White House deputy national cyber director for cyber policy and programs, said at a cybersecurity panel discussion in May at Auburn University's McCrary Institute in Washington.
But despite the administration's good intentions, consumers won't see any products bearing the mark until early next year at the earliest. In response to an email asking about the timeline for release, an FCC spokesperson declined to provide a specific date.
“We are currently working through the process to launch this comprehensive program as quickly as possible,” the spokesperson said. “We are currently undergoing the standard intergovernmental review process required for any new rule of this nature. Once this process is complete, we will communicate our next steps publicly.”
Meanwhile, manufacturers are also waiting for the final rule, said David Grossman, vice president of policy and regulatory affairs at the National Consumer Technology Association, which represents more than 1,000 technology companies. “Once manufacturers receive TrustMark certification, they will need more time to update their packaging and get the updated products out to retailers,” he said.
70 million US households actively use smart devices
While the details of the program are being worked out, it's worth considering why consumers need the protection it offers. According to research firm Statista, about 70 million U.S. households will be actively using smart devices in 2024, up more than 10% from last year. That number is expected to reach 100 million by 2028. What's more, the average U.S. home has about 25 connected devices.
Many of these devices, as well as the Wi-Fi networks and routers that connect them, are not adequately secured. According to a 2023 survey by research firm Parks Associates, about 75% of U.S. households using internet services are concerned about the security of their personal data, and 54% reported experiencing a data privacy or security issue in the past 12 months, a 50% increase over five years.
Consumer Reports staff attended the White House meeting where the Cyber Trust Mark program was announced, and the organization subsequently conducted an Americans Experience Survey that included questions about the program and the types of data protection information consumers would like to know before purchasing a smart device.
Nearly two-thirds (69%) of those surveyed said it is very important to have information about who any collected data may be shared or sold to, and 92% said such information is very important or somewhat important. Three in four respondents said it is the device manufacturer's responsibility to provide consumers with information about privacy and security, while only 8% said the government is responsible.
“It's critical that we create standards that consumers can understand about IoT devices, because right now it's a total wild tale,” said Stacey Higginbotham, a cybersecurity expert and writer for Consumer Reports. “Consumers are very interested in having this information, which is why we need this program.”
Higginbotham said the proposed program is broad in scope, requiring stricter levels of cybersecurity not only for the devices themselves, but also for the internet services they connect to and the cloud networks where personal data is stored. She also said she was pleased that it includes a guaranteed support period that specifies how many years product makers will continue to provide software security updates and patches.
Voluntary programs are a business reality
One criticism is that the program is voluntary for manufacturers. “I would like to see it as a mandatory program, but the reality in the U.S. is that it has to be a voluntary program,” Higginbotham said, referring to frequent industry pushback against government regulation.
“If they participate, they have to meet the requirements that the FCC has set forth. Device manufacturers don't want the FCC to dictate the size of the Cyber Trust Mark on their packaging or where the mark must appear,” Grossman said. “We want a mark that is easily recognizable by consumers, but we also want to give manufacturers flexibility.”
Grossman said that if the final proposal is too prescriptive, companies may hesitate to join. “If the requirements are too onerous, companies are not going to be as proactive in participating,” he said.
Barry Mainz, CEO of cybersecurity provider Forescout Technologies, said he's a big fan of the Cyber Trust Mark. “It's a good step in the right direction to make accessing these devices a little more complicated,” he said. Still, he worries about the millions of IoT devices currently in people's homes that are vulnerable to cyberattacks and can't get the label retroactively. “What responsibility does the company that makes these devices have?” he said. Some of the more popular products, such as smart TVs and door locks, could be voluntarily upgraded by their manufacturers to make them more hack-proof as a goodwill gesture, Mainz said. “That way people who can't afford new ones can have confidence that they're safe.”
Steps you should take now to secure your home internet
Before the Cyber Trust Mark program begins, there are actions consumers can take to shore up their cybersecurity right now. Perhaps the most important component is the router, which wirelessly connects devices to each other. Routers shipped by manufacturers have a default password that, if not changed, could allow hackers to spy on you or access files on hard drives connected to the network. Immediately create strong, unique passwords for your router, as well as for each connected device, and use two-factor authentication where possible. If your router has a guest network, set it up with a separate password. Also, make sure your router software is up to date. This is usually done by enabling the automatic update feature, but you can also check the manufacturer's website for patches that you can download and install.
Of course, you could take a Luddite approach and avoid all of this IoT technology and devices, but for the millions of consumers adopting smart homes, the Cyber Trust Mark, if implemented, would provide an extra layer of cybersecurity to keep you one step ahead of the bad guys, or at least give you a competitive advantage.
Correction: A 2023 survey by research firm Parks Associates found that about 75% of U.S. households with internet service are concerned about the security of their personal data. An earlier version of this story misspelled the company's name.