The goal of the new US Cyber Trust Mark, a voluntary label expected to appear on Internet of Things (IoT) devices by the end of 2024, is to spare people from having to do deep research before buying a thermostat, sprinkler controller, or baby monitor.
If you see a shield with a microchip in it in a certain color, you will know something by comparing it to other shields. What exactly that shield will mean is not yet decided. The related National Institute of Standards and Technology (NIST) report suggests it will cover encrypted transmission and storage, software updates, and how much control a buyer has over passwords and data retention. But the only things really new since the initiative’s October 2022 announcement are the look of the label, a slightly firmer timeline, and a promise of more input and discussion meetings to follow.
At the moment, the Mark exists as a Notice of Proposed Rulemaking (NPRM) at the Federal Communications Commission. The FCC wants to hear from stakeholders about the scope of devices that can be labeled and which entity should oversee the program, verify the standards, and handle consumer education.
Consumer-grade routers, according to the White House, are the priority target, with their assessment slated to be finished by the end of 2023. The Department of Energy intends to develop labeling for smart meters and power inverters.
Vending machine vectors
The movement to implement a standard is slow and vague, but the problem for IoT devices is real. The FCC’s release cites “one third party estimate” (seemingly Kaspersky) of more than 1.5 billion attacks against IoT devices in the first six months of 2021. And IoT devices are everywhere: The FCC points to research group Transforma’s estimate of more than 25 billion connected IoT devices operating worldwide by 2030.
When connected devices are so common and ubiquitous, they become easy to overlook. In her comments Tuesday, FCC Chair Jessica Rosenworcel cited a case in point first told by cybercrime author Misha Glenny. A bank, heavily fortified in its account, transfer, and other cybersecurity, was eventually penetrated. The vector wasn’t a server, a computer, or even a fallible human. It was a vending machine, which had been given its own IP address and never updated against common threats.