New FCC Role – Device Security

Depending upon the survey you believe, U.S. homes have an average of thirteen to twenty-two connected devices. These include computers, TVs, security cameras, game boxes, and baby monitors – it’s a huge list these days. A concern for anybody with connected devices is that somebody will hack them and cause problems in the home. I’ve seen many articles that describe how people have hacked home cameras to watch families or hijacked computers for various nefarious reasons.

The White House announced a new initiative in July that would create a certification for connected devices that meet cyber safety standards. The authority to handle this program was given to the FCC. Under the program, labeled the U.S. Cyber Trust Mark, device makers can send devices to the FCC to be certified as meeting basic security standards. This is similar to the Energy Star efficiency sticker that comes with home appliances.

This is a voluntary program for device makers, but the hope is that companies will seek the approval label to be able to more easily market their products.

The next step for the FCC will be to open a rulemaking to determine the devices that are eligible for the certification and the standards that must be met. During the announcement of the initiative, FCC Chairwoman Jessica Rosenworcel mentioned devices that might apply, like smart refrigerators, microwaves, thermostats, fitness trackers, and baby monitors. It’s likely that many other kinds of devices will be added to the list. The FCC says it will work closely with the National Institute of Standards and Technology (NIST) to create the cyber standards.

NIST has developed a Profile of the IoT Core Baseline for Consumer IoT Products. That NIST document says that connected devices should have features like the following:

  • A clear way to identify the specific device, such as a device serial number.
  • The ability to change the configuration of a device and to be able to reset it to the default security settings.
  • Devices should protect stored data and encrypt or otherwise secure transmitted data.
  • A device should give access to settings only to authorized users.
  • A device should have the ability to receive, verify, and apply software updates.
  • A device should be cybersecurity aware and have the ability to detect and capture evidence of any changes to software or security settings.
  • Manufacturers of connected devices should have full documentation of the security measures present.
  • The product developer should be able to receive and respond to queries about cybersecurity from device users.

Security experts have been making similar recommendations for many years and have requested that the government create and enforce standards. Since Congress has never passed a law about device security, a voluntary process sounds like a good first step to get this started.

Chairwoman Rosenworcel said she hoped the agency could develop standards by the end of 2024. The proceeding to determine how this should work ought to be interesting reading.

As with everything at the FCC, I have to wonder how this gets funded. I would expect that the fees charged to those seeking the certification would cover the cost.
