Consumer Reports submitted comments in response to the Federal Communications Commission’s Notice of Proposed Rulemaking on its proposed voluntary cybersecurtity labeling program for Internet of Things devices. CR believes that the creation of a U.S. cyber trust mark will benefit consumers by helping them find connected devices they can trust on their home networks and with their data. The label will also benefit employers, retailers, and manufacturers, as well as decrease the attack surface available for those interested in harming the U.S. through cyberattacks.
For this cybersecurity labelling program to be effective, CR recommends the following key foundational principles:
- The label should evaluate the IoT product in its entirety, not as only a hardware device.
- Any device maker should have to commit to a set of robust cybersecurity principles, such as not using default or easily anticipated passwords, a vulnerability disclosure program, and a patching program that include regular security updates, in order to obtain permission to display the mark.
- In order to be able to display the mark, device makers should commit to updating their device using over-the-air updates for a set number of years and disclose this support lifetime on the product’s box and at point of purchase. This set minimum support period should be long enough to last the reasonable expected life of the connected product.
- Device makers should securely encrypt device data at rest on the device and in the cloud, and in motion when traversing local and public networks.
- As a condition to display the mark, manufacturers should be required to make a standardized set of disclosures, including the types of sensors inside a device, the data those collect, and who has access to that data, in order to populate a product registry that can be used to hold manufacturer externally accountable.
- Manufacturers should submit a Software Bill of Materials (SBOM) associated with the connected device and the cloud applications supporting it.