Biden administration wants standard cyber security labelling for smart devices

The Biden administration has accelerated its efforts to add cyber security labelling for consumer Internet of Things (IoT) devices, and may join other nations in adopting the scheme pioneered by Singapore.

The administration’s efforts were unveiled at a Wednesday meeting attended by US deputy national security advisor for cyber and emerging technology Anne Neuberger, Federal Communications Commission (FCC) chairwoman Jessica Rosenworcel, national cyber director Chris Inglis, and representatives from telcos and other tech companies including Google, AT&T, Cisco, Intel, Samsung and more.

Google’s VP engineering, Dave Kleidermacher, took to the Chocolate Factory’s blog to confirm the company’s attendance at the workshop. The veep summarized the problematic nature of increasingly interconnected devices amid ever-evolving cybersecurity threats:

The US standards are expected to roll out by Spring 2023, initially as a voluntary system. Ratings are likely to reflect the quantity of data collected, how easily the device can be patched or upgraded to mitigate vulnerabilities, data encryption, and interoperability.

The IoT workshop of industry and government reps was referenced by Neuberger on Thursday during a streamed speech at Singapore International Cyber Week (SICW) 2022 – a conference that drew government and industry representatives from all over the world to discuss cyber security.

Neuberger said countries must work to avoid fragmentation of IoT standards since such fragmentation could burden consumers – particularly as they transit between jurisdictions.

The security advisor also said the US was looking to Singapore for inspiration on labelling as it had “become a world leader in IoT” – a sentiment she also expressed to journalists the week prior.

In 2014, the city-state launched its Smart Nation initiative, which seeks not only to collect data and digitize public services, but to incorporate interoperable IoT and automation across all aspects of life – including transport, healthcare, food and beverages, logistics and more.

Singapore launched its Cybersecurity Labelling Scheme (CLS) in October 2020. Some gradients of the four-level scheme are mutually recognized by Finland.

During the conference, Cyber Security Agency (CSA) of Singapore director Soon Chia Lim said the largely voluntary CLS scheme was designed with four levels so that developers and manufacturers feel they can easily climb to higher security ratings.

At a SICW 2022 keynote, Singapore minister of state Janil Puthicheary said the CLS has “gained much traction internationally” and announced Germany was expected to sign a mutual recognition agreement (MRA) on the labels as well.

“In addition to signing these MRAs with countries with similar schemes, Singapore has been working with industry and government partners to put up a proposal to develop an international standard, ISO 27404, which defines a Universal Cybersecurity Labelling Framework (UCLF) for consumer IoT. The UCLF will serve as a guide for countries that are looking to implement and set up their own labelling schemes for consumer IoT,” said Puthicheary.

“It’s easier to use what’s out there than recreate the wheel,” said Internet of Secure Things (IoXt) Alliance director of operations Grace Burkard during a SICW roundtable discussion.

“We need to be aligned not just to prevent attacks on untested IoT devices, but to fuel innovation,” said Burkard. “Without global synchronized IoT standards, IoT doesn’t have the runway it needs to evolve.”