U.S. Government Coming After IoT Devices with New Cybersecurity Labeling Requirement


By Michael M. Amiri | 2Q 2023 | IN-6946

The U.S. administration is pushing ahead with a national cybersecurity labeling program for Internet of Things (IoT) devices, which may be announced this month.



The United States Is Close to Announcing Cybersecurity IoT Device Labeling Requirements


Industrial representatives at the recent April RSA Conference in San Francisco believe that U.S. regulators will announce cybersecurity labeling requirements for consumer devices, intended to improve digital safeguards. The move is likely similar to schemes that countries like Singapore have embraced in order to better secure Internet of Things (IoT) consumer devices. While we are not yet sure how U.S. regulators would zero in on securing consumer devices, industry insiders have indicated the government will announce its plans for a national labeling policy this month. The potential for an announcement comes on the heels of the U.S. Food and Drug Administration (FDA) announcing in March that new medical devices should adhere to specific cybersecurity guidelines. Manufacturers of medical devices should submit a device cybersecurity outline to the government, indicating how the device is protected against cyberattacks. Based on the FDA guidance, manufacturers should also provide “a software bill of materials, including commercial, open-source, and off-the-shelf software components,” of their devices. The new IoT policy could borrow elements from the FDA guideline, particularly regarding manufacturer plans for monitoring, identifying, and addressing cyberthreats. Other crucial components could include demonstrating the level of a device’s security and making sure devices no longer connect to the Internet using default passwords.


New Responsibilities and New Business Opportunities


Government regulation is the main driver of security measures at both the device and network levels. If the U.S. standards for digital devices are enacted into law, they have the potential to establish the gold standard for IoT cybersecurity. The case of Singapore serves as a notable example, demonstrating how early adopters in standards policymaking can secure a favorable position in shaping the market landscape. Following the implementation of Singapore's labeling scheme, Germany and Finland recognized the Singapore scheme through a common streamlined application process. The same could hold true of a U.S. labeling scheme with even more impact, resulting in a reduction in duplicate testing and costs for manufacturers. As dependence on IoT devices increases, security will no longer be an afterthought. Security-conscious customers will increasingly seek these safety standards when purchasing IoT devices, prompting manufacturers to include the labels, even if the label requirements are not yet legally mandatory. Eventually, governments and their constituents will push for mandatory labels, just like labels on food products, or similar to the Energy Star labeling program in the United States that aims to promote energy efficiency.

The cybersecurity labeling scheme will likely first target devices at high risk of infiltration, such as routers, digital cameras, and home security systems. White House officials announced last year that the labeling scheme would serve as an "Energy Star for cyber," enabling consumers to assess the cybersecurity effectiveness of devices based on standards devised by the National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC). Companies that already have plans in place for NIST compliance will benefit from a first-mover advantage if they embrace the standards and label their products. Explaining the labeling program in the past, U.S. administration officials indicated they plan to “keep things simple” by allowing consumers to scan a barcode on devices to access security information. If the government announces the labeling measures this month, the scheme is expected to have an initial voluntary stage before it becomes mandatory in nature. U.S. officials have indicated that they eventually want to reach a globally recognized label scheme, while communicating with countries like Singapore and the European Union (EU) to reach a common understanding on the scheme.

Keep Pace with Changes, Embrace the New Policy Landscape, and Market the New Standards


Manufacturers and industry leaders might prioritize uninterrupted production over security measures, but studies have shown that consumers seek more security, and are willing to pay a premium to purchase devices with security labels. First-market movers can consolidate their position if they indicate how long their devices retain user data and guarantee that they do not share or sell data to third parties. Products could also be rated on how often they deploy patches in case of software vulnerabilities or whether they need passwords and authentication to connect to the Internet. Most connected IoT consumer devices are manufactured outside of the United States, and while the United States might not yet impose the new standards on them, domestic suppliers and retailers could pressure manufacturers to embrace labeling standards. If penalizing foreign manufacturers operating outside national jurisdictions is challenging, governments may opt to target retailers and distributors that fail to comply with labeling mandates. As a result, retailers could potentially stop the marketing and sale of non-compliant devices in the near future. IoT device manufacturers and vendors should be mindful that the government could enforce standards on devices it procures for itself, and may even require higher security measures than usual when purchasing these devices. Ultimately, IoT vendors and manufacturers should realize that cybersecurity labels allow them to market their IoT device security solutions, providing an understandable marketing differentiator compared with any competition that does not embrace the labels.



