September 28, 2023
In July, the Federal Communications Commission (FCC) proposed a voluntary cybersecurity labeling program where qualifying Internet of Things (IoT) devices, also referred to as smart devices, would feature a new U.S. Cyber Trust Mark. According to the FCC, this new program “would help consumers make informed purchasing decisions, differentiate trustworthy products in the marketplace, and create incentives for manufacturers to meet higher cybersecurity standards.” If the proposal is adopted, it could be up and running by late 2024.
Unprecedented Territory Demands Action
We are in the midst of a unique and challenging moment in history. As the world has digitized, the number of IoT devices has skyrocketed – but, so too, has the surface area for potential cyberattacks and the volume at which cybercriminals are targeting smart devices. In fact, industry research reveals the number of IoT attacks worldwide in 2022 landed at 112 million.
In this reality, the intent behind a cybersecurity labeling program is a good one. But will it actually enhance smart device security, or will it simply lull consumers into a false sense of security?
Comcast’s 2022 Xfinity Cyber Health Report found that 61% of Americans believe devices are protected from threats right out of the box at purchase. Anyone in the security industry knows this simply isn’t true. Even if a smart device has built-in security features, users need to recognize they still have a personal responsibility to think about cybersecurity and take extra safety precautions when required, long after unboxing and throwing away the packaging with the cybersecurity label. This can range from something as simple as changing default passwords to more effort-intensive actions, such as updating drivers/software/firmware if the product was sitting in a warehouse for months since leaving the manufacturer.
Adding a U.S. Cyber Trust Mark to devices will likely only add to consumers’ belief that the security onus is on the manufacturer and train them to do nothing further once they see the designated cybersecurity label.
An Alternative Approach to Educate Users
One alternative to a cybersecurity safety label would be adding a “teaching label” to IoT devices, in addition to any required safety certification. For example, the label could take the form of a QR code that directs users to a website outlining step-by-step instructions on the security steps they can take at home to defend against cyberattacks. Directions would focus on cybersecurity basics such as how to change default passwords, implement regular device patching, protect the device from unknown or malicious traffic, etc.
An approach like this would show the manufacturer truly cares about its users building a greater understanding of cybersecurity best practices and empower users to take appropriate security actions.
A Collective Effort
IoT devices are here to stay, so we need to figure out how to secure them from cyberattacks. I believe doing so successfully requires action from both the device manufacturer and the end user. And, I worry a Cyber Trust Mark will falsely lead consumers to believe they can just plug and play and remain secure.
I commend the efforts of the FCC for trying to tackle this looming threat, but I also believe adapting the program to put equal onus on manufacturers and consumers would go a long way in fending off cybercriminals (who have had it too easy for too long).