Last month, merely days after the EU passed the landmark Cyber Resilience Act, the Biden Administration proudly announced its own achievement: a cybersecurity labelling programme for connected products. However, one need only read as far as the third word of the press release — “voluntary” — to understand that the programme lacks any real enforcement power.
Security is indifferent to which party controls the Executive Branch, so this is not a critique of the Democrats alone. Ineffectiveness appears the same whether in blue or red.
Big Tech has demonstrated that the word “voluntary” does not feature in its lexicon when it comes to self-regulation. The numerous issues between Silicon Valley and the Beltway transcend the partisan deadlock that has brought the U.S. government to a virtual standstill. The pending TikTok legislation is evidence that both sides are seeking to move beyond performative acts towards genuine cybersecurity measures.
Perhaps the FCC’s new Cyber Trust Mark is an attempt to appease Big Tech in exchange for more stringent AI regulation. Or perhaps it is simply a blunder by an out-of-touch group of bureaucrats. Regardless, the industry shows little interest in resolving IoT security issues, which plays into its hands. There are 3.4 billion IoT devices today; this number is expected to reach 25 billion by the end of the decade.
Unlike high-end devices like smartphones and laptops, which are subject to extensive security protocols, the “smart” devices in our fridges, lights, and dog feeders are minimally protected. The average American household possesses dozens of these, making consumer IoT devices prime targets for hackers. Furthermore, IoT is a significant catalyst for AI, which remains a key concern for tech policymakers. A sound AI policy is incomplete without robust IoT security measures.
IoT security is arguably more complex than AI security due to the diverse and voluminous nature of the hardware involved. Unlike their industrial and business counterparts, consumer product manufacturers opt for the path of least resistance, implementing only minimal security measures and failing to follow up to ensure devices meet evolving challenges.
The Cyber Trust Mark, which the government compares to the ENERGY STAR label, is a critical error. The ENERGY STAR programme is also voluntary and, more concerningly, sets low ambitions. Enhancing device energy consumption is a far cry from protecting citizens from myriad online threats.
Warning labels and signs might seem straightforward, yet they can be more hazardous than silence. People often overlook the fine print, and attention spans are increasingly short in the Information Age. Labels that imply everything is fine encourage consumers not to think but simply to accept. How many parents will buy a product for their teenagers, believing they are being prudent? What about senior citizens who are not tech-savvy but trust the value of the FCC? There is a considerable risk that the Cyber Trust Mark will promote far riskier behaviours among American citizens.
If the Biden Administration is serious about IoT security, it must either make the programme mandatory or abandon it. It should cease wasting government resources on symbolic gestures. Establish regular audits and real penalties for failures.
Moreover, it should raise standards. The threat landscape is constantly evolving, and standards must adapt continually. Settling for the minimum now means the programme will soon be compromised and outdated. A panel of independent IoT cybersecurity experts from academia, advocacy groups, and some industry sectors should be tasked with establishing a dynamic process with best practices: a commitment to security by design, not a template, a timeline for delivering security patches to consumers, and a protocol for reporting breaches to authorities.
Furthermore, educate rather than placate. Visually appealing labels should be just the beginning. Alongside the label, the FCC proposes a QR code leading to information. Forget the label; prioritise this easily digestible, plain-speaking advice on security. The FCC could take inspiration from health advocacy campaigns for better guidance than that provided by ENERGY STAR. Public education on good security hygiene for IoT and all devices is time-consuming but essential for changing behaviour.
Interestingly, the industry consortium Connectivity Standards Alliance (CSA) has outpaced the FCC with a similar concept, but with certification standards and enforcement. Singapore has already signed on, with more countries likely to follow. The U.S. should consider this approach too.
Security is never absolute, but more logical and efficient solutions exist than the FCC’s label. Let’s see if the agreement on TikTok leads to greater bipartisanship — and common sense.
Author: Fabian Kochem is Head of Global Product Strategy at 1NCE.