The Federal Communication Commission’s cybersecurity labeling program for Internet of Things devices has suffered a major setback, as the company overseeing the U.S. Cyber Trust Mark Program has withdrawn, following an FCC investigation into its ties to China.
“We appreciate our ongoing discussions with the FCC about the future direction of the Lead Administrator role and the Program,” Chanté Maurio, an executive at UL LLC, told the FCC in a Dec. 19 letter. “Having now delivered many of the foundational elements of the Lead Administrator role and given other considerations, we respectfully submit our notice of withdrawal as Lead Administrator effective as of the date of this letter.”
The FCC created the Cyber Trust Mark initiative during the Biden administration to encourage IoT makers to improve their products’ security and encourage purchasers to pay more attention to the security features in the products they buy. The Biden White House hoped to stem the tide of major cyberattacks exploiting basic vulnerabilities in IoT devices. Through the program, IoT vendors would submit products for testing by government-accredited private labs, which would verify those products’ compliance with a set of required security practices and allow the products to carry the Cyber Trust Mark label.
The Biden-era FCC picked UL to serve as the program’s lead administrator, overseeing the work of the other companies participating in the program and managing the many bureaucratic tasks associated with standing up the testing initiative.
But after President Donald Trump took office, the FCC threw the future of its own program into doubt when it opened an investigation into UL, citing the company’s partnership with a Chinese firm and its operation of labs in China. FCC Chairman Brendan Carr cited UL’s “potentially concerning ties to the government of China” and said the FCC would “remain vigilant when it comes to safeguarding our communications networks.”
In September, security and legal experts told Cybersecurity Dive that they hoped the investigation into UL would not derail the implementation of the Cyber Trust Mark program, which they described as a promising step toward more secure IoT devices that no longer powered disruptive cyberattacks.
UL’s withdrawal from the Cyber Trust Mark program leaves the future of the initiative uncertain. It is unclear how many of its pre-launch responsibilities UL completed before withdrawing from the program. The company did not respond to a request for comment, but in its letter to the FCC, it said it “remain[ed] committed to the success” of the program and promised to work with the FCC to ensure “a seamless transition” of its remaining responsibilities.
The FCC did not respond to a request for comment about the Cyber Trust Mark program’s fate, including whether it was looking for a new lead administrator.