The Biden administration said it will launch a cybersecurity labeling program for consumer Internet of Things devices starting in 2023 in an effort to protect Americans from “significant national security risks.”
It’s no secret that IoT devices generally have weak security postures. Weak default passwords have allowed botnet operators to hijack insecure routers to pummel victims with floods of internet traffic, knocking entire websites and networks offline. Other malicious hackers target IoT devices as a way to get a foot into a victim’s network, allowing them to launch attacks or plant malware from the inside.
As American consumers continue to fill their homes with more of these potentially insecure devices, from routers and smart speakers to internet-connected door locks and security cameras, the U.S. government wants to help educate them about the security risks.
Inspired by Energy Star, a labeling program operated by the Environmental Protection Agency and the Department of Energy to promote energy efficiency, the White House is planning to roll out a similar IoT labeling program to the “highest-risk” devices starting next year, a senior Biden administration official said on Wednesday following a National Security Council meeting with consumer product associations and device manufacturers.
Attendees at the meeting included White House cyber official Anne Neuberger, FCC chairwoman Jessica Rosenworcel, National Cyber Director Chris Inglis and Sen. Angus King, alongside leaders from Google, Amazon, Samsung, Sony and others.
The initiative, described by White House officials as “Energy Star for cyber,” will help Americans to recognize whether devices meet a set of basic cybersecurity standards devised by the National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC).
Though specifics of the program have not yet been confirmed, the administration said it will “keep things simple.” The labels, which will be “globally recognized” and debut on devices such as routers and home cameras, will take the form of a “barcode” that users can scan using their smartphone rather than a static paper label, the administration official said.
The scanned barcode will link to information based on standards, such as software updating policies, data encryption and vulnerability remediation.
The announcement comes after the White House last year ordered NIST and the FTC to explore two labeling pilot programs on cybersecurity capabilities for IoT devices. It also comes after the U.K. government last year introduced an IoT security bill in Parliament, requiring device manufacturers, importers, and distributors to meet certain cybersecurity standards.