The United States is concerned about the potential risk posed by connected devices, which make it easier for hackers to exploit vulnerabilities. To counter this threat and prevent hackers from taking control of smart devices for cyberattacks, Washington has announced the creation of a new label.
Connected devices, such as light bulbs, sockets, refrigerators, smart air conditioners, robotic vacuum cleaners, watches, bracelets, and televisions, represent a significant cybersecurity risk. With the increasing popularity of IoT (Internet of Things) devices, they have become prime targets for hackers.
In 2021, hundreds of thousands of connected devices fell under the control of a formidable botnet due to a security vulnerability. Last year, more than 112 million cyberattacks targeting smart devices were recorded, a staggering 87% increase in a single year, according to a report by SonicWall. The cybersecurity firm highlights that the surge in attacks is even more pronounced in the United States, with a yearly increase of 169%. According to IDC's figures, there will be approximately 49 billion connected devices in circulation worldwide by 2026.
Acknowledging the potential risks posed by connected devices, the United States has taken a strong measure to enhance the security of these intelligent devices. The Biden administration has launched a program called the "U.S. Cyber Trust Mark," aimed at pushing manufacturers to improve the resilience of their devices against cyberattacks.
Under the program, brands are encouraged to affix a certification label to their products' packaging. This label will assure consumers that the smart devices meet specific cybersecurity criteria. Some of these criteria include "unique and strong default passwords," regular updates, measures to protect personal data, and intrusion detection systems. These criteria are based on recommendations from the National Institute of Standards and Technology (NIST), an agency of the Department of Commerce responsible for promoting the U.S. economy through technology development.
"The inadequately secured products can allow hackers to gain access to American households and offices, causing problems or stealing data. Vulnerabilities in such devices have recently shown how malicious actors can easily exploit them to deploy computer botnets and engage in espionage," stated Anne Neuberger, White House cybersecurity adviser.
With the "Cyber Trust Mark" label, buyers can make informed decisions when purchasing connected devices such as smart plugs, fitness bracelets, or intelligent cameras. At a glance, average consumers will be able to distinguish secure products from those whose security has been neglected. Additionally, the product packaging will contain a QR code leading buyers to a "national registry of certified devices," providing reliable information about their potential future purchases. The platform will also facilitate easy comparisons of different offerings in the market.
Several prominent brands and retailers have already committed to participating in the initiative, including Amazon, Best Buy, Google, LG, Logitech, and Samsung. Apple, a company that offers numerous connected devices through its Apple Store, is notably absent from the list. Several consumer advocacy groups, such as Consumer Reports, have also joined the project. Access to the program is entirely open, and brands refusing to participate will simply miss out on the "Cyber Trust Mark" label. Authorities hope that consumers will prioritize certified products, thereby pressuring manufacturers to seek the label.
The program is scheduled to be implemented in 2024. The Federal Communications Commission (FCC) will first seek public input, and based on feedback, it will work on deploying the initiative in the U.S. market.
Marked by a series of cyberattacks, including a major attack on the Colonial Pipeline operator in 2021 and the SolarWinds hack in late 2020, the United States is intensifying its cybersecurity measures. After offering a $10 million reward for information on potential cyberattacks, the Biden administration committed to adopting a comprehensive approach to "lock our digital doors" and safeguard national security. The government has revised and increased the "federal government's cybersecurity requirements" and holds companies, particularly those in charge of critical infrastructures, accountable.
In Europe, similarly, there is an awareness of the dangers posed by connected devices. The European Union announced the creation of a stringent standard for all IoT products last year. To market connected devices in the European market, manufacturers will need to obtain a new CE marking and comply with a set of rules. "All products that contain microprocessors" will be subject to these regulations, said Commissioner Thierry Breton during the announcement. In case of non-compliance, companies will face severe fines, up to €15 billion.
For reference, a first label for connected devices was already introduced a few years ago in Europe. Launched by the French company Digital Security, the program offered industrial manufacturers a way to verify the security of their solutions based on a reference framework largely derived from national and international standards. If the device meets legislative requirements, brands are free to affix an "IoT Qualified as Secured" (IQS) label to their products. Several manufacturers adopted the label, but it did not gain widespread adoption in the industry.