In its August 10, 2023, Notice of Proposed Rulemaking (NPRM) on Cybersecurity Labeling for Internet of Things (IoT), the Federal Communications Commission (FCC) asked some intriguing questions about how to improve consumer confidence and understanding of the security of IoT devices. The NPRM seeks input on whether and how the FCC should establish a cybersecurity certification and labeling program. According to the NPRM, more than 25 billion connected IoT devices are predicted to be in operation by 2030, including everything from home office routers to personal digital assistants, Internet-connected home security cameras, voice-activated shopping devices, Internet-connected appliances, fitness trackers, GPS trackers, medical devices, garage door openers, and baby monitors. We are all using more of these than we realize.
The FCC’s program is intended to inform consumers about the cybersecurity qualities of the IoT products in the marketplace. In many cases, devices that do not have a good cybersecurity posture are a threat to their owners and others on the network. Cisco established its Product Security Incident Response Team (PSIRT) decades ago to protect customers for this very reason, and it is one of the reasons why keeping software up to date is so important.
As the FCC considers a potential labeling program, we think that there are two critical factors that will determine its success:
- A cybersecurity label must demonstrate to the consumer that meaningful measures are being taken by the manufacturer to protect the consumer. This includes providing timely software updates for the supported lifetime of the device, using industry best practices for secure development, and safe operational and manufacturing practices. A cybersecurity label should not be an afterthought.
- Consumers must be alerted when a device becomes insecure. For that to happen, automation is required, and the label must be electronically available to that automation. Do you go around the house to check the cybersecurity of all your devices? No? Neither does anyone else. As much as this is a problem for consumers, who may have over 100 devices within their home networks, enterprises, schools, governments, and manufacturers already have tens of thousands of such devices. In these environments, automation is not just an innovative idea. It is essential.
We understand that this is no small task, but we believe that it is the right thing to do – both for the consumer and everyone else. Why should enterprise customers care? What happens in the consumer household does not stay in the household.
Our engineers have worked on this specific issue with the National Institute of Standards and Technology (NIST) and other stakeholders for many years to develop a way to do this that will yield positive results for all players in the IoT landscape. Cisco hopes that it can work with the FCC and other government agencies, industry, and consumers to discuss this issue and to make real progress to build trust and further strengthen the network we all rely on to live, work, and play in today’s interconnected world.