The White House announced a “U.S. Cyber Trust Mark,” establishing a label that lets American consumers verify whether their connected devices are cybersecure. This voluntary program is designed for wireless, interconnected smart products and will be administered by the Federal Communications Commission (FCC). The goal of the program is to help Americans make more informed decisions about the products they purchase.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, shares his thoughts on the program below. 

Grimes states, “There are a lot of things to like about this program, especially the focus on IoT cybersecurity basics, such as changing default passwords, patching, data protection, and a software/hardware bill of materials. Allowing consumers to scan a QR code and get information from a decentralized IoT registry is a terrific idea. Those reasons alone are reasons enough for the program. But the devil is in the details, and many of the security requirements are really just recommendations; like the entire program itself (i.e., vendors do not need to participate), they are voluntary and only suggestions. I wish many basic cybersecurity defenses, such as the customer being forced to change the default password and automatic patching, were required to be in the program. It would make the program much more valuable.

“As another example, vendors participating in the program must tell consumers if they have a hard-coded default password instead of just preventing any vendor from having a hard-coded default password. The way I read the current requirements, a vendor could apply the mark if they simply told the consumer they only patched once a year, never automatically, and that the consumer had to manually remember and go out of their way to look for and apply a patch, if any are ever available. What percentage of consumers are going to do that? It would be far better to automatically patch your product without consumer involvement. 

“But now, the way the program is written, a vendor simply disclosing that they purposefully have included very dangerous substandard cybersecurity practices still seems sufficient for using the mark. So, you could have some IoT vendors really going out of their way to make very secure products that require very little attention from the consumer, and other IoT vendors not applying the same high cybersecurity practices and getting to use the same mark simply for telling the consumer they use substandard cybersecurity practices, assuming the consumer actually scans the QR code and reads the information. Wouldn’t it be better if the mark actually meant the vendor was using generally accepted safe cybersecurity practices?

“When I see an FCC safety mark on an electrical cord or lamp, I know it’s safe. I don’t have to scan a code and read information to find out if it is actually safe. I wish the Cyber Trust Mark label meant the same thing... that the device was actually safe as designed. I think the problem is that consumers will see the mark and automatically assume the device meets expected cybersecurity standards, and maybe it does and maybe it doesn’t.”