
According to the cybersecurity website Cybersecurity Dive, the US government has been developing a new cybersecurity label for Internet of Things (IoT) devices, designed to improve device security and make them more difficult for hackers to exploit. However, this plan, initially proposed by President Joe Biden, is now facing delays from its founding agency.
The Cyber Trust Mark program, launched by the Federal Communications Commission (FCC), works similarly to the Energy Star energy efficiency label. Consumers and businesses can use the mark on connected devices to determine whether products meet basic security standards. Supporters argue that the label can incentivize manufacturers to improve security and help consumers make more informed choices.
However, an FCC investigation into UL Solutions (the program’s testing company) has forced the entire program to a halt. The investigation into UL’s relationship with China has raised concerns that regulators may abandon the security label before it can fully function.
Why does IoT security need a federal label?
For years, cybersecurity experts have viewed IoT security as a weak link in cyberspace. Hackers are exploiting vulnerable cameras, routers, and smart appliances to create botnets and launch large-scale cyberattacks. Businesses that use connected devices in their offices face heightened risk, as attackers can disrupt operations and steal data by compromising these devices.
The Biden administration, in collaboration with the Federal Communications Commission (FCC), is working to change this. The “Cyber Trust Mark” aims to set a benchmark for IoT security, requiring businesses to address issues such as data protection, access control, and security product resets. Devices that pass the test can display the mark, and a public database will show detailed test results and manufacturer-committed product support periods.
“Many IoT devices fall far short of acceptable security standards,” said Matt Pearl, director of the Strategic Technology Program at the Center for Strategic and International Studies and a former National Security Council member. “Our idea is to create a healthy competitive environment.”
UL Solutions Controversy
In the final months of Biden’s term, the FCC selected UL Solutions, a well-known Illinois-based testing company, as the principal administrator for the program. However, after President Donald Trump took office, the newly appointed Federal Communications Commission (FCC) Chairman, Republican Brendan Carr, immediately launched an investigation into UL. The investigation focuses on UL’s joint venture with a Chinese state-owned enterprise and its testing labs operating in China.
Carr has stated that his goal is to prevent “bad labs” linked to forces hostile to the U.S. from influencing FCC programs. In May of this year, the FCC banned several companies from participating in its programs for these reasons. Although UL had previously passed the review, Carr believes a more rigorous review is still necessary.
UL declined to comment on the investigation, but its Chief Communications Officer, Kathy Fieweger, stated that the company “takes cybersecurity very seriously and has always operated with transparency and integrity.” She added, “We understand that the program is under review, but we haven’t received any indication of any changes at this time.”
Some experts support a deeper investigation into UL’s relationship with China. Pearl stated that he would support the investigation if it is based on “reasonable concerns” about testing conducted in China. Despite this, he still believes that “simply because they formed a joint venture” is enough to disqualify the company.
Others are less forgiving. A former government official called the investigation “a joke,” noting that regulators selected UL because of its extensive testing experience across multiple industries. This official argues that if concerns about potential Chinese influence are enough to ban the company, it raises questions about UL’s broader role in U.S. consumer product certification.
Unusual and Disruptive
Some observers say the move is extremely rare. David Simon, a partner at Skadden, Arps, Slate, Meagher & Flom, said he had “never heard of” the FCC investigating a company so soon after granting it permission to run a program.
This uncertainty has already put pressure on the program. “The longer regulators delay action, the greater the risk to consumers,” said Paul Besozzi, a senior partner at Squire Patton Boggs. This includes individual buyers and companies that equip their offices with smart devices.
Delays Threaten IoT Security Certification
The longer the investigation drags on, the weaker the Cyber Trust Mark’s effectiveness may become. If suppliers doubt the program’s ability to move forward, they may not bother submitting products for review.
“I’ve spoken to several companies, and they’ve told me they’re considering participating in this program,” Pearl said.
Momentum is crucial. “The key to the program’s success is having a steady stream of companies submitting products,” the former government official said. South Korean electronics manufacturers such as LG and Samsung reportedly prepared to participate, but continued delays could dampen their enthusiasm.
Besozzi added that the program had undergone years of review and garnered bipartisan support before the Federal Communications Commission (FCC) suddenly launched its investigation. “This program is a good idea,” he said. “The FCC should move it forward.”
What’s next?
The FCC can take several steps to address this issue. UL could agree not to use its Chinese labs for Cyber Trust Mark testing, which Pearl called “a fairly easy problem to solve.” If the joint venture is the crux of the problem, UL may choose to terminate the partnership, depending on whether the company’s leadership believes the value of the partnership is less than its role in the project.
A more extreme approach would be for the FCC to completely revoke UL’s certification and appoint another company as the lead governing body. This would create chaos and force the commission to restart a lengthy selection process. It is unclear whether the other governing bodies under the project are ready to take on this task.
Besozzi points out that there may still be room for compromise in Carr’s crackdown on “bad labs.” “I think we have to find some mechanism to eliminate these concerns,” he says.
How close is the FCC to implementing the IoT security label?
Even before the investigation, the Cyber Trust Mark was not immediately available. The testing standards still need to undergo a public comment period, obtain FCC approval, and have their design details finalized. UL only submitted its proposed standards this June.
“We are still a long way from people applying for these marks,” Besozzi says. “There’s still a long way to go.”
Even so, this investigation adds another hurdle as the demand for improved IoT security grows. In Europe, the new Cyber Resilience Act will require stricter security measures, and some experts believe that U.S. suppliers also want to find a way to demonstrate to buyers that their devices meet similar standards.
Pearl stated that Carr has been “communicating with the industry,” and companies are “generally very supportive of the project.” However, prolonged uncertainty may weaken industry support for the program.
A Precarious Moment
The Cyber Trust Mark initially represented a rare bipartisan consensus: a federal label designed to reduce cyber risks and enhance consumer confidence in purchasing smart devices. Now, with its primary governing body under scrutiny and industry patience waning, the mark’s future is far from clear.
As one former official put it, the FCC’s choice is simple: either resolve the investigation quickly and allow the project to continue, or risk letting a promising idea wither before it takes root.


