The U.S. government is embarking on an ambitious effort to create a cybersecurity seal of approval for Internet-of-Things devices, but the project faces a serious threat from the same agency that created it.
During the Biden administration, the Federal Communications Commission launched the U.S. Cyber Trust Mark program to much fanfare, with government officials and tech industry executives saying its certification process would transform the security of connected devices and make it much harder for hackers to exploit those devices for cyberattacks. But a few months after President Donald Trump took office, the FCC’s new Republican chairman launched an investigation of the company that the commission’s staff had just chosen to oversee the program, the veteran Illinois-based testing conglomerate UL Solutions, over its ties to China.
The FCC has said little about the investigation, and it is unclear how it is proceeding or even what specifically it is seeking to uncover in its probe. Those vagaries worry some cybersecurity experts and former Biden administration officials, who say a lengthy investigation could undermine the program and in turn prolong a dangerous state of affairs in cyberspace.
“The longer one proceeds without trying to implement something like this,” said Paul Besozzi, a senior partner at Squire Patton Boggs who focuses on telecommunications issues, “the more the risk is to the consumers” — including the many enterprises outfitting their offices with connected devices.
Buying with confidence
For years, hackers have commandeered poorly secured Internet-of-Things gadgets to assemble botnets and launch cyberattacks that lead to business disruption and data theft. To change the incentives that result in manufacturers shipping flawed products, the Biden administration worked with the FCC to create a government-backed security label for connected devices, similar to the Environmental Protection Agency’s Energy Star efficiency label.
The FCC launched the Cyber Trust Mark program in the waning days of the Biden administration, and the White House hailed the launch as a turning point that would encourage vendors to improve their products and encourage customers — from individuals to enterprises — to prioritize security when shopping, especially for sensitive use cases.
“IoT security is not what it should be for a lot of different devices,” said Matt Pearl, the director of the Strategic Technologies Program at the Center for Strategic and International Studies and a former National Security Council staffer who helped launch the Cyber Trust Mark program. “The idea was that you create a race to the top.”
Once the program launches, companies approved by UL and other program administrators will test IoT devices — including smart appliances and surveillance cameras — on how well they handle functions such as data protection, access control and life cycle documentation. The proposed testing standard, which is still under review, requires component inventories, support for secure deletion of user data, restrictions on changes to security settings and the ability to restore the product to a secure default state, among other features.
Products that meet the standard will be authorized to display the program’s label, indicating a government seal of approval designed to make secure products more appealing to corporate and individual buyers. A public database will contain information about every certified product’s test results, including the period of time for which the manufacturer guarantees support.
Focusing on “bad labs”
The Cyber Trust Mark program has fallen under a cloud as Trump’s new FCC chairman, Brendan Carr, focuses on blocking companies with ties to U.S. adversaries from certifying equipment in FCC programs. In May, the commission banned those so-called “bad labs” from its work. The Biden-era FCC had already blocked some untrusted companies from serving as administrators of the Cyber Trust Mark program. But Carr, who had voted for the program, felt the restrictions didn’t go far enough. In June, he confirmed a Fox News report that the FCC was investigating UL over its joint venture with a Chinese government-owned company and its operation of labs in China.
The joint venture alone likely isn’t dangerous enough to trigger UL’s exclusion under the FCC’s criteria, Squire Patton Boggs’s Besozzi explained, but if the commission has evidence of something more nefarious, it wouldn’t be surprising for it to investigate.
Pearl said he supports the FCC’s investigation, especially if it focused on “legitimate questions” about UL conducting testing in China, but added that “the mere fact that they have a joint venture” shouldn’t be disqualifying.
UL declined to comment on the FCC’s investigation. Kathy Fieweger, UL’s chief corporate communications officer, said the company “takes cybersecurity very seriously and has always operated with transparency and integrity.”
“We understand that the program is under review,” she said, “but have not received indications that anything has changed at this time.”
Pushback on unusual probe
Other observers were more critical of the abrupt delay in the Cyber Trust Mark program, which had bipartisan support and had to pass years of legal reviews and public-comment periods.
The investigation is “a joke,” said a former government official, who requested anonymity to speak candidly. The FCC selected UL “because they have deep experience with doing this kind of thing,” the former official added.
If the commission is concerned that Beijing could coerce UL by using its China-based staff as leverage, “we have a broader problem,” said the former official, “given the role [UL] plays in testing stuff for health and safety across the American consumer products ecosystem.”
The FCC did not respond to repeated requests for comment.
Further delays could test the tech industry’s patience with the FCC investigation, given the widespread approval of the labeling initiative. The program is “a good idea,” Besozzi said, “and there should be an attempt to move forward with it.”
David Simon, a partner and co-head of the cybersecurity practice at Skadden, Arps, Slate, Meagher & Flom LLP, said he was “not aware of any” other instances in which the FCC opened an investigation into the national security risks of a company it had just approved to oversee one of its projects.
Momentum at risk
The longer the FCC’s investigation lasts, the more it will undermine the Cyber Trust Mark program, experts said.
Prolonged delays could discourage IoT vendors from submitting their products for testing, severely limiting its efficacy.
“I have talked to companies that have told me that they’re in the process of deciding whether they’re going to bother with this,” Pearl said.
The most important factor in the program’s success “is to have a pipeline of companies submitting products,” said the former government official, who noted that major South Korean connected-device makers, including LG and Samsung, were “prepared to get started.”
Making it work, or making a break
There are several ways for the FCC to conclude its investigation and put the Cyber Trust Mark program back on track, experts said.
One option would be for UL to promise not to use its Chinese labs for the program. (The company did not respond to an email asking whether it had already made such a promise.) “I would think that moving the testing to outside of China would be a fairly easy mitigation,” Pearl said.
If the joint venture is the FCC’s biggest concern, “there is likely some mitigation that they could come up with,” Pearl said. UL could choose to end the partnership if company leaders do not see it as a higher priority than the reputational boost afforded by overseeing the Cyber Trust Mark program.
The FCC could also choose to rescind its approval of UL’s application to be the lead label administrator. That would be the most disruptive option, as it would force the commission to restart the process of picking a lead administrator. The FCC could give the job to one of the other label administrators, but it is not known if any of them are prepared to assume leadership of the project.
Besozzi said it was unclear if UL’s China ties “will result in them being disqualified,” but he added that given Carr’s interest in freezing out “bad labs,” “I think you’d have to come up with some mechanism that would assuage those concerns.”
Pressure from Europe, industry
While the FCC investigation has heightened anxieties about the future of the Cyber Trust Mark, the label wasn’t exactly on the cusp of launching anyway, experts said.
Even before the UL probe began, the program was months away from accepting product submissions. Testing standards still need to undergo a public-comment period and receive approval from the FCC (UL submitted proposed standards in June), and the parties have yet to finalize a design for the label.
“We’re not really near to people applying for these marks,” Besozzi said. “There’s a ways to go.”
The future of the program may depend on how the tech industry engages with the FCC. IoT security mandates in the European Union’s new Cyber Resilience Act may increase vendors’ desire for a way to tout their security in the U.S.
Carr has been “talking to industry,” Pearl said, and companies have “generally been very supportive of the program.”
Source link
