The White House National Security Council will announce plans Tuesday for a consumer products cybersecurity labeling program intended to improve digital safeguards on internet-connected devices, a senior White House official told CyberScoop.
About 50 representatives from consumer product associations, manufacturing companies and technology think tanks will convene at the White House on Oct. 19 for a workshop on the voluntary effort ahead of an expected spring 2023 launch.
The White House briefly described the effort in a document it released Tuesday outlining various cybersecurity initiatives. The administration plans to start with recommending three or four cybersecurity standards that manufacturers can use as the basis for labels that communicate the risks associated with using so-called internet of things devices.
Deputy National Security Adviser for Cyber and Emerging Tech Anne Neuberger is spearheading the initiative, which is modeled after Energy Star, a labeling program the Environmental Protection Agency and the Department of Energy operate to promote energy efficiency, the senior administration official said.
“Today when folks buy tech, they buy it for a cool feature, speed to market — cybersecurity is often an afterthought,” said the official, who requested to remain anonymous to speak candidly about the effort. “Everybody realizes that it’s an idea whose time has come.”
The administration is working with the European Union to align on standards since the White House wants products with cybersecurity labels to be sold globally.
The standards under consideration could rate products based on how often manufacturers deploy patches for software vulnerabilities or whether devices connect to the internet without a password, the official said. It is not yet clear who will verify companies’ claims.
The White House hopes the program will reward companies that invest in cybersecurity while also helping consumers find safer products. The status quo in which products hit the market quickly, leaving consumers to muddle through or ignore products’ cybersecurity features, is “not sustainable,” the official said.
In its final report, the U.S. Cybersecurity Solarium Commission recommended that Congress create a nonprofit national cybersecurity certification and labeling authority tasked with “establishing and managing a voluntary cybersecurity certification and labeling program for information and communication technologies,” including software, devices and industrial control systems.
CSC Executive Director Mark Montgomery hailed the White House decision to pursue a labeling program but warned it will be difficult to design and stand up.
“I would hope they initially stick to OT and IoT products not software as the propensity for software updates will make management of the certification challenging,” Montgomery said. “The feds should be looking for a non-governmental organization to execute this as the certification will require an agility and persistence that will be hard for a federal agency to maintain with all their other requirements.”
Poor or nonexistent cybersecurity safeguards in connected devices have long been a problem for consumers and industries alike. The White House’s early plans include creating a barcode-like label on products that consumers can scan with their phones for updated security details. While many questions remain about how the administration will roll out the effort, the official said the White House is determined to move forward and has studied similar programs implemented in Singapore and Finland.
National Institute of Standards and Technology standards will be used, the official said, and will need to be tailored for specific products. However, NIST doesn’t currently have technical control standards in place for IoT devices, a fact that at least one cybersecurity expert said will complicate White House efforts because designing them will be time-consuming. (NIST has issued guidance on IoT cybersecurity.)