White House Introduces Cybersecurity Labeling Program for IoT Devices

Yesterday, the White House introduced a cybersecurity labeling program for wireless Internet-connected devices, intended to help Americans make more informed decisions about the products they buy and their security.

Growing Concerns Over IoT Device Safety

As Americans continue to add Internet of Things (IoT) devices to their home networks — everything from baby monitors to security cameras — there are growing concerns about the safety of these devices and their vulnerability to hackers. The goal of this label is to guide consumers to more secure products as well as encourage vendors in their cyber practices.

Responsibility Lies with the Consumer

While the FCC safety mark may indicate a device is designed safely, the US Cyber Trust Mark doesn’t necessarily mean the same thing. This leads to consumers seeing the mark and believing they are secure. However, it is essential to note that patching on behalf of the organizations isn’t necessarily automatic, indicating that though an organization may have a cyber sticker of approval, it’s still the consumer’s responsibility to stay up to date with cybersecurity standards.

The Importance of Cybersecurity Practices

"So, you could have some IoT vendors really going out of their way to make very secure products that require very little attention from the consumer and other IoT vendors not applying the same high cybersecurity practices and getting to use the same mark," Grimes wrote. This highlights the need for vendors to adhere to high cybersecurity standards, and for consumers to be aware of the potential risks associated with IoT devices.

The Dangers of False Sense of Security

And while the FCC safety mark may provide some assurance, the US Cyber Trust Mark doesn’t necessarily mean the same thing. This leads to consumers seeing the mark and believing they are secure. "We also must consider whether this trust mark will give consumers a false sense of being ‘unhackable’ and a false sense of complacency," Sean Tufts, managing partner for critical infrastructure and operational technology at Optiv, wrote in an emailed statement. Even if a smart device has built-in security features, users still have a personal responsibility to do their part by taking extra safety precautions — for example, changing default passwords and updating drivers/software/firmware.