Consumers have become accustomed to all sorts of labels and seals of approval on products in the shopping process, from the Energy Star to sustainability standards. Next up, shoppers should prepare for a hacking-safe seal of approval in the works for home gadgets and appliances coming from the federal government.
Last July, the Biden administration and the Federal Communications Commission proposed the creation of the U.S. Cyber Trust Mark program, a voluntary cybersecurity product-labeling initiative to help consumers choose internet-connected devices that are certified by manufacturers as safe from hackers, scammers and other cyber criminals.
The final details are still to be determined, but as proposed, the program will require participating manufacturers of smart, internet of things (IoT) devices — including doorbell cameras, voice-activated speakers, baby monitors, TVs, kitchen appliances, thermostats and fitness trackers — to meet a series of cybersecurity standards developed by the National Institute of Standards and Technology (NIST). That includes unique passwords, data protection, software patches and updates, and incident detection capabilities.
Not included in the program, as it now stands, are smartphones, personal computers, routers and certain internet-connected medical devices, such as smart thermometers and CPAP machines, which are protected by Federal Drug Administration regulations. Also excluded are motor vehicles and the data stored in them, which are overseen by the National Highway Traffic Safety Administration, and where data privacy concerns have been rising.
The program will rely on public-private collaboration, with the FTC providing oversight and enforcement, and approved third-party label administrators managing activities such as evaluating product applications, authorizing use of the label and consumer education. Compliance testing will be handled by accredited labs.
Packaging for products that meet the criteria will carry a U.S. Cyber Trust Mark shield logo emblazoned with a QR code that consumers can scan on a smartphone to receive detailed, up-to-date security information about that particular device. “Just like the Energy Star logo helps consumers know what devices are energy efficient, the Cyber Trust Mark will help consumers make more informed purchasing decisions about device privacy and security,” said FCC chairwoman Jessica Rosenworcel.
To date, Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech and Samsung Electronics have committed to the program, though none of those companies has yet to use the symbol.
Holiday season labeling is goal, but an unlikely one
In March, the FCC voted to approve the program, aiming to launch it later this year. During a cybersecurity panel discussion in May at Auburn University’s McCrary Institute in Washington, Nicholas Leiserson, the White House’s assistant national cyber director for cyber policy and programs, said, “You should hopefully, by the holiday season, start to see devices that have this [Cyber Trust Mark] on it.”
Despite the administration’s best intentions, however, consumers shouldn’t expect to see products bearing the symbol until early next year, at the soonest. In an email asking about the timeline for the launch, an FCC spokesperson did not provide any specific dates.
“We are now in the process of standing up this comprehensive program as quickly as possible,” the spokesperson said. “It is currently undergoing the standard intergovernmental review process that is required for new rules of this sort. Once that process is complete, we will communicate publicly about next steps.”
In the meantime, manufacturers are also awaiting definitive rules, said David Grossman, vice president of policy and regulatory affairs for the Consumer Technology Association, which represents more than 1,000 tech companies. “Once a manufacturer receives certification for the Trust Mark, they will need additional time to retool their packaging, as well as shipping updated products from the manufacturer to retailers,” he said.
70 million U.S. homes actively using smart devices
While the program’s particulars are being hammered out, it’s worth looking at why consumers need the protection it will provide. In 2024, according to research firm Statista, nearly 70 million homes in the U.S. are actively using smart devices, up more than 10% from last year. That number is expected to reach 100 million homes by 2028. What’s more, the average U.S. household contains around 25 connected devices.
Many of those devices, as well as the Wi-Fi networks and routers that connect them, lack adequate security safeguards. A 2023 study by research firm Park Associates found that nearly 75% of U.S. households with internet service were concerned about the security of their personal data, while 54% reported experiencing a data privacy or security issue in the past 12 months, an increase of 50% over five years.
Staffers from Consumer Reports attended a White House meeting during which the Cyber Trust Mark program was announced. The organization subsequently conducted an American Experiences Survey that included questions about the program and the types of data-protection information consumers would like to have before purchasing a smart device.
About two-thirds of those polled (69%) said that it is very important to have information about who the collected data is shared with or sold to, and 92% said that such information is either very or somewhat important. Three out of four respondents said that it is the responsibility of the manufacturers of those devices to provide privacy and security information to consumers, while only 8% said the government is responsible.
“It is incredibly important to make a consumer-legible standard for IoT devices, because right now it is totally a Wild West,” said Stacey Higginbotham, a cybersecurity expert and writer for Consumer Reports. “Consumers really care about having this kind of information, so that’s why we need the program.”
Higginbotham cited the breadth of the proposed program for requiring more stringent levels of cybersecurity, not only for devices themselves, but also the internet services that connect them and the cloud networks where personal data is stored. She was glad, too, that it includes a guaranteed support timeframe, stipulating the number of years that a product maker will continue to provide software security updates and patches.
A voluntary program is business reality
One criticism is that the program is voluntary for manufacturers. “I would love to see this as a mandatory program,” Higginbotham said, “but the reality in the U.S. is that it will have to be a voluntary program,” she added, referring to the business community’s frequent pushback against government-mandated regulations.
“If you’re going to participate, you’re going to have to meet the requirements the FCC has established. Device manufacturers don’t want the agency dictating things such as the size of the Cyber Trust Mark on packaging or where exactly it has to be displayed,” Grossman said. “You want something that’s easily recognizable to consumers, but you also want to ensure manufacturers have flexibility.”
Grossman said that means companies may shy away from making the commitment if the final proposal is too prescriptive. “If the requirements are too burdensome, I don’t think that companies are going to be as eager to step up to the plate and participate,” he said.
Barry Mainz, CEO of Forescout Technologies, a cybersecurity provider, says he is a big fan of the Cyber Trust Mark. “It’s a good step in the right direction to making it a little bit more complicated to get into these devices,” he said. Nonetheless, he worries about the millions of IoT devices in people’s homes today that are vulnerable to cyberattacks and can’t retroactively get a label. “What responsibility do the companies creating these devices have?” he said. Some of the more popular products, like smart TVs and door locks, could be voluntarily upgraded by their manufacturers to prevent hacking as a goodwill measure, Mainz said, “so that people that couldn’t afford to go out and buy new things could ensure that they were safe.”
Steps to take now to protect your home internet
There are actions consumers can take right now, before the Cyber Trust Mark program kicks in, to harden their cybersecurity. Perhaps the most important component to focus on are the routers that wirelessly interconnect devices. They ship from manufacturers with a default password, which a hacker could change in order to spy on you or access files on a network-attached hard drive. Immediately create your own strong and unique password, not only for the router but also for each of the connected devices, and use two-factor authentication if available. If you have a guest network on the router, set it up with a separate password. Also be sure the router’s software is current, usually by activating the automatic update feature, though you can check the manufacturer’s website for patches that can be downloaded and installed.
Of course, you could take the Luddite approach and simply avoid all of this IoT technology and devices. But for the millions of consumers who embrace the smart home, the Cyber Trust Mark — once it’s in place — should provide a heightened measure of cybersecurity and keep them one step ahead, or at least in the race, with the bad guys.