White House plans cyber labeling system for IoT devices
A consumer-focused cyber labeling scheme may be put into play after years on the drawing board.
The White House is apparently moving forward on long-held plans to develop a product labeling system to alert consumers to the security risks associated with connected devices.
In an Oct. 11 fact sheet, the White House teed up plans to host a meeting with stakeholders including companies and trade associations to discuss "a common label for products that meet U.S. government standards and are tested by vetted and approved entities." The effort will begin with routers and home cameras, characterized as the most prevalent and "often most at-risk" technologies.
The federal government is supposed to have its own standards for IoT security, thanks to 2020 legislation signed into law by former President Donald Trump. That law tasks the National Institute of Standards and Technology with issuing recommendations for minimum cybersecurity standards for IoT devices purchased by the federal government. Discussions around the bill centered around avoiding hard-coded, unchangeable passwords and requiring over-the-air software and firmware updates.
Additionally, the Biden administration's 2021 cybersecurity executive order gave NIST the responsibility for developing benchmarks for cybersecurity labels and incentives to get manufacturers and marketers to adopt a labeling scheme.
A consumer product labeling scheme was also included among the recommendations of the Cyberspace Solarium Commission.
The Biden administration had tried to move on cyber labeling in 2021, even before the cybersecurity executive order was released, but apparently made no progress.
At the time, a former government official speaking on background cautioned that industry buy-in would be necessary for a labeling policy to be put into place.
"If you look at the makeup of the National Security Council's cyber staff -- it's all former National Security Agency people," the former official told FCW last March. "They're not ones to start with a listening session with industry -- they look at the threat landscape and they want to address it."
That listening session appears to be in the offing, according to the fact sheet, which bills the stakeholder meeting as set for this month.
Additionally, the fact sheet tees up new activity in critical infrastructure cybersecurity regulations covering the pipeline, rail and aviation sectors. There are also plans to implement cybersecurity requirements for software purchased by the federal government. The fact sheet also lists international cooperation and ransomware protection as key cybersecurity goals.