The US government has been working on a new cybersecurity label for IoT devices, designed to improve security and make them harder for hackers to exploit, Cybersecurity Dive reported. But the programme, first developed under President Joe Biden, now faces delays from the very agency that built it.
The Cyber Trust Mark program, launched by the Federal Communications Commission (FCC), was designed to work much like the Energy Star efficiency label. Consumers and businesses would see the seal on connected devices and know those products met basic security standards. Supporters argued that the label could pressure manufacturers to improve security while helping buyers make smarter choices.
Now, an investigation by the FCC itself into UL Solutions – the testing company chosen to help run the programme – has put the entire effort on hold. The probe, focused on UL’s ties to China, has raised concerns that the security label may stall before it has the chance to deliver on its promise.
Why IoT security needs a federal label
For years, IoT security has been considered a weak link in cyberspace. Hackers have exploited poorly protected cameras, routers, and smart appliances to create botnets and launch large-scale cyberattacks. Businesses outfitting offices with connected devices are especially at risk, facing disruptions and data theft when those devices are compromised.
The Biden administration worked with the FCC to change that. The Cyber Trust Mark was intended to set a baseline for IoT security, requiring companies to address issues like data protection, access control, and secure product resets. Devices that passed testing could display the seal, while a public database would show detailed results and how long manufacturers promised to support their products.
“IoT security is not what it should be for a lot of different devices,” said Matt Pearl, director of the Strategic Technologies Program at the Center for Strategic and International Studies and a former National Security Council staffer. “The idea was that you create a race to the top.”
The UL Solutions controversy
In the final months of Biden’s term, the FCC selected UL Solutions, a long-established Illinois-based testing firm, as the main administrator of the program. But once President Donald Trump took office, the new FCC chairman, Republican Brendan Carr, launched an investigation into UL. The concern: UL’s joint venture with a Chinese state-owned company and its operation of testing labs in China.
Carr has said his goal is to prevent “bad labs” with ties to US adversaries from influencing FCC programmes. In May, the FCC banned several companies on those grounds. While UL had already passed earlier reviews, Carr argued that more scrutiny was needed.
UL declined to comment on the investigation, though its chief communications officer, Kathy Fieweger, said the company “takes cybersecurity very seriously and has always operated with transparency and integrity.” She added: “We understand that the programme is under review, but have not received indications that anything has changed at this time.”
Some experts support a closer look at UL’s China ties. Pearl said he backed an investigation if it was based on “legitimate questions” about testing conducted in China. Still, he argued that “the mere fact that they have a joint venture” should not be enough to disqualify the company.
Others were less charitable. A former government official called the investigation “a joke,” noting that UL was picked because of its long experience with testing across industries. If concerns about potential Chinese influence were enough to bar the company, the official argued, it would raise questions about UL’s wider role in certifying consumer products in the United States.
Unusual and disruptive
Some observers noted how unusual the situation is. David Simon, a partner at Skadden, Arps, Slate, Meagher & Flom, said he was “not aware of any” other instance where the FCC investigated a company it had just approved to run one of its projects.
The uncertainty is already putting pressure on the program. “The longer one proceeds without trying to implement something like this, the more the risk is to the consumers,” said Paul Besozzi, a senior partner at Squire Patton Boggs. That includes both individual buyers and companies outfitting offices with smart devices.
Delays put IoT security label at risk
The longer the investigation drags on, the weaker the Cyber Trust Mark could become. If vendors doubt the programme will move forward, they may not bother submitting their products for review.
“I have talked to companies that have told me that they’re in the process of deciding whether they’re going to bother with this,” Pearl said.
Momentum matters. “The most important factor in the program’s success is to have a pipeline of companies submitting products,” said the former government official. South Korean electronics makers like LG and Samsung were reportedly prepared to participate, but ongoing delays could cool that interest.
Besozzi added that the programme had already undergone years of review and bipartisan support before the FCC’s sudden probe. “The programme is a good idea,” he said. “There should be an attempt to move forward with it.”
What happens next
There are a few paths the FCC could take to resolve the issue. UL could agree not to use its Chinese labs for Cyber Trust Mark testing, which Pearl described as “a fairly easy mitigation.” If the joint venture is the sticking point, UL might choose to end it, depending on whether company leaders view the partnership as less valuable than the company’s role in the program.
The more drastic option would be for the FCC to revoke UL’s approval altogether and appoint another company as lead administrator. That would be disruptive, forcing the commission to restart a lengthy selection process. It’s not clear whether the other administrators under the programme are prepared to take on the job.
Besozzi noted that Carr’s push against “bad labs” could still leave room for compromise. “I think you’d have to come up with some mechanism that would assuage those concerns,” he said.
How far the IoT security label has to go
Even before the investigation, the Cyber Trust Mark was not about to roll out immediately. Testing standards still need to go through a public comment period, receive FCC approval, and get final design details worked out. UL only submitted proposed standards this past June.
“We’re not really near to people applying for these marks,” Besozzi said. “There’s a ways to go.”
That said, the investigation adds another obstacle at a time when pressure for better IoT security is growing. In Europe, the new Cyber Resilience Act will require stronger safeguards, and some experts think US vendors will want a way to show buyers that their devices meet similar standards.
Carr has been “talking to industry,” Pearl said, and companies have “generally been very supportive of the program.” Whether that support lasts through prolonged uncertainty is another question.
A fragile moment
The Cyber Trust Mark started as a rare point of bipartisan agreement: a federal label designed to reduce cyber risks and give consumers confidence when buying smart devices. Now, with its main administrator under review and industry patience wearing thin, its future is far from certain.
As one former official put it, the FCC’s choice is simple: resolve the investigation quickly and keep the programme on track, or risk letting a promising idea wither before it takes hold.