Success of the voluntary scheme in the US will depend on its widespread adoption and ability to drive competition between firms in the provision of security.
Strengthening protections for consumers: On 18 July 2023, the US Government unveiled plans for a cybersecurity certification and labelling programme, which would help consumers choose safer connected devices. The voluntary ‘US Cyber Trust Mark’ initiative, proposed by the FCC, would raise the bar for cybersecurity across smart devices, including televisions, climate control systems and fitness trackers. It would take the form of a distinct shield logo applied to products meeting established criteria published by the National Institute of Standards and Technology (NIST), and is designed to enable more informed purchasing decisions. The FCC is applying to register a national trademark with the US Patent and Trademark Office and will then seek public comment on rolling out the proposed programme, which is expected to be up and running in 2024.
Regulators will pursue this alongside a number of additional measures: To further enhance transparency and competition:
The FCC intends to use a QR code linking to a national registry of certified devices to provide consumers with specific and comparable security information about these smart products. Working with other US regulators and the Department of Justice, the FCC plans to establish oversight and enforcement safeguards to maintain trust and confidence in the programme;
NIST will work immediately to define cybersecurity requirements for consumer-grade routers – a higher-risk type of product that, if compromised, can be used to eavesdrop, steal passwords and attack other devices and high-value networks. NIST will complete this work by the end of 2023, enabling the FCC to consider use of these requirements to expand the labelling programme to cover consumer-grade routers;
The Department of Energy has announced a collaborative initiative with National Labs and industry partners to research and develop cybersecurity labelling requirements for smart meters and power inverters; and
The Department of State will support the FCC in engaging allies and partners toward harmonising standards and pursuing mutual recognition of similar labelling efforts.
Another example of self-regulation: The White House notes that many leading electronics manufacturers and retailers have already made voluntary commitments to improve the security of their products, with a group of them (including Amazon, Google and Samsung) now lending support to the proposed initiative. The Government also states that it will work with the FCC and the Cybersecurity and Infrastructure Security Agency to educate consumers and businesses about the new label. The programme’s focus on addressing the weak default passwords of connected devices is appropriate – something the UK has sought to tackle through the Product Security and Telecommunications Infrastructure Act. However, it is another example of the US relying on a self-regulatory approach for the industry, coming almost in tandem with voluntary pledges to address safety concerns with AI. While other countries, particularly across Europe, take the route of formal regulation, the effectiveness of the US initiative will depend on its widespread adoption and the degree to which it stimulates competition between firms on the basis of security.