Following news of the Biden administration’s plans for the “US Cyber Trust Mark” program, which will provide cybersecurity certification and labeling for smart devices, Tammy Parker, principal analyst at GlobalData, offers her view:
“Cybercrime is here to stay, and deployment of countermeasures resembles a game of cat and mouse as bad actors continually innovate, requiring device makers and others in the value chain to adjust their approaches. The planned US Cyber Trust Mark will encourage manufacturers and retailers to ensure the products they offer are highly secure. However, because the program will be voluntary, many equipment manufacturers will simply opt out of it, particularly since most connected devices are manufactured by companies outside the US.
“Products’ security will be rated based on certain criteria established by the National Institute of Standards and Technology (NIST), such as strong default passwords and deployment of software patches to address vulnerabilities. However, it is unclear exactly how well-equipped the government is to sufficiently assess compliance for the plethora of covered devices, which are expected to require annual recertification to remain in the program.
“The program’s main upside may be in boosting awareness of cybersecurity threats. Consumers repeatedly display lackadaisical attitudes toward the risks of digital intrusions and cybercrime. Seeing the Cyber Trust logo applied to devices such as smart appliances, smart TVs, home security cameras, and more will serve as a reminder that threats to privacy and security are very real. Additionally, consumers will be able to scan QR Codes on certified devices to access a national registry where they can compare the devices’ security information.
“However, there is a risk in that the Cyber Trust initiative might provide a false sense of security to consumers. Many malicious actors engage in social engineering, such as phishing attacks, to facilitate their cybercrimes, and the White House’s proposed program will have no effect on the weakest link in the security chain, which is the individual user. There is a risk that consumers might be less inclined to engage in the necessary steps to protect their smart devices and networks if they feel product manufacturers have already done the necessary heavy lifting to earn the Cyber Trust Mark.
“The proliferation of the Internet of Things (IoT), including all manner of consumer smart devices, provides a highly attractive attack landscape for bad actors to exploit. Geopolitical events, state-sponsored cyberattacks, political hacktivism, thievery, and stalking all guarantee continued risk.
“Manufacturers, retailers, broadband service providers, and others in the smart device value chain need to continue educating consumers on how to protect themselves even after the Cyber Trust Mark program is implemented. Opting in for automatic software updates, never reusing passwords on multiple devices or websites, protecting personally identifiable information, and remaining skeptical regarding all digital communications are simple practices that can go a long way toward protecting consumers from cyber criminals.”