An “Energy Star” Label for Cyber Is Moving Forward
Imagine a bad actor accessing the camera feed of a home video camera, or a smart appliance like an oven turning on remotely. These are two of many concerning realities—yet security around Internet of Things (IoT) devices remains absent from most Americans’ minds. Even for those who are aware of the threat, protection is a challenge. This is partially due to the lack of information, transparency and consistency around how these devices are secured. But the White House’s cyber label, the U.S. Cyber Trust Mark, puts the United States on a path toward changing that.
Today, the National Security Council (NSC) released a new consumer IoT label at a White House convening that brought together government and civil society leaders as well as manufacturers, retailers and other industry stakeholders. R Street was honored to attend this event and the initial 2022 planning meeting. Speakers included Deputy National Security Advisor Anne Neuberger of the NSC, Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel, Cybersecurity and Infrastructure Security Agency Director Jen Easterly, National Institute of Standards and Technology (NIST) Director Laurie Locascio, multiple members of Congress and other authorities. Experts were spread across three panels exploring industry thoughts, how the program will work and how it would impact consumers. A showcase of sample labels and products using them followed.
While IoT devices are also used in the industrial space, this program is consumer product-focused for now. It borrows from existing labels like the ENERGY STAR label. This launch followed a series of prior actions on this front, including the October 2022 White House gathering. The concept was also highlighted in the March 2023 National Cybersecurity Strategy as part of driving the development of secure IoT devices, and the July implementation plan marked it for completion in quarter four of Fiscal Year 2023, after the concept was featured in Executive Order 14028, “Improving the Nation’s Cybersecurity.” The strategy highlighted how IoT devices often have inadequate security settings, can be difficult to patch, or have capabilities that make it easy for a bad actor to exploit them.
Under the plan, the label will include a recognizable mark and a QR code to learn specifics about product security, along with a national registry where labeled products are inventoried. NIST’s existing work around IoT standards and labels will be a core part of this endeavor. Steps will be taken by government agencies, industry and other entities, as well. For example, the FCC will start a rulemaking process to work through the many specifics that remain, including the scope of the label. This will include considerations around licensing processes, assessment and audit mechanisms, and enforcement. The State Department will be responsible for working with international partners—particularly those with existing labels.
This concept is positive because it is not mandatory for industry to follow; rather, it gives manufacturers an incentive to differentiate their products and to embrace security. This is in line with the federal government’s calls for security-by-design and -default. Consumers stand to benefit by being able to evaluate products for security and by making purchases accordingly. However, consumer awareness will be a challenge because the label has limited utility if consumers do not understand, value or use it. As the label is implemented, efforts should harmonize label standards both nationally and internationally, ensure labels remain current as threats change, monitor the degree to which data privacy standards are incorporated, and look at incentives for quicker adoption and methods to stop fraudulent actors.
The U.S. Cyber Trust Mark is not the full solution to addressing the IoT threat, but it has the potential to be an important element of it. Companies should consider how they might incorporate the label and, more importantly, secure their devices by design and default. With IoT devices expanding in number and application, addressing cybersecurity and data privacy issues is critical.