Countdown to shutdown:

Federal cybersecurity blanket stretches to cover Internet of Things (IoT) devices

Billions of Internet of Things (IoT) devices are scattered all over the world. These devices are potential entry points for cybersecurity attacks

Organizations — both public and private — have been scattering billions of Internet of Things (IoT) devices all over the world. These devices are typically low-power and have low computing capacity. Yet they are still potential entry points for cybersecurity attacks. Now the FCC has established a voluntary cybersecurity labeling program for IoT devices, as well as some proposed rules. For details, the Federal Drive Host Tom Temin talked with Katy Milner, a partner at Hogan Lovells.

Interview Transcript: 

Tom Temin First of all, let’s talk about the voluntary labeling. Who does this apply to? What kinds of products does this apply to and what on earth do you put on a label that says what?

Katy Milner Yeah, let’s unpack that a little bit. This is a new program for Internet of Things devices. There are billions of devices that make up the Internet of Things that we use in our daily lives, from smart thermostats to fitness trackers to connected appliances. And there are concerns that these devices may not always be properly secured. People often rely on the default passwords. There’s no guarantee that these products the software will be updated as vulnerabilities are identified. So, the FTC has concerns that consumers and users don’t have the right information to really evaluate whether the product they’re purchasing has cybersecurity protections. So, what the FCC has done is attempted to fill that gap with this new cybersecurity IoT labeling program. It applies to wireless consumer devices. And there are a couple carve outs. It doesn’t apply to motor vehicles or motor vehicle devices or devices that are already regulated by the FDA, because those have other regimes that they’re subject to. But these are the devices we commonly find in our homes and that are often used as part of greater systems. So, it’s anything that’s emitting radiofrequency energy and has a network interface like Wi-Fi or Bluetooth.

Tom Temin So the federal government doesn’t buy a lot of the stuff itself. I mean, you’re talking about ring doorbells and that kind of jazz. Although the GSA got in trouble for buying a consumer grade webcam that they put in their conference rooms, it was made in China. What about industrial control sensors, things that are out on pipelines or on the electrical grid, that type of thing. Or airborne drone mounted sensors. These are all IoT things. What about them?

Katy Milner Right. Yes. For drones? Yes. Because those would be used by consumers and may be a product that is used by both consumers and for federal purposes, and that would be eligible to receive this label. Anything that’s not marketed to consumers probably would not fall into this category. As we discussed, there are considerations for federal agencies and federal procurement that don’t flow out of this, too.

Tom Temin Well, before we get to that, just a quick question on the FCC. What will it have to do to I mean, if it’s a voluntary program, does it put it out there and say, does it have guidelines like nutrition labels? Here’s what it should say and in what format? That type of thing.

Katy Milner You’re on the right track there. The FCC has set forth in its March 23rd report, in order the overall structure of what this program will look like and set forth the criteria that products will need to meet to obtain the label. But there’s still a lot of work to be done. There’s going to be a public private partnership of sorts in actually developing the program, because the FCC will be seeking applications for a cybersecurity label administrator that’ll be responsible for the day-to-day aspects of it.

Tom Temin Right? So, it could be stickers. It could be tags. I mean, some things are too small to have a sticker on them and.

Katy Milner Say, yes, yes, they did specify that there’s going to be an actual cyber trust mark, kind of like the energy star labels we see we’re used to seeing on devices that the consumers will be able to view. And then there will also be a QR code that’ll link to a registry with more information about the product and its cybersecurity features. Both the labeling process and this new registry are going to need to be set up still.

Tom Temin And so much of the stuff comes in great quantities from China. Probably a lot of it’s sitting in Baltimore Harbor as we speak. Somehow they have to convince people in China to put labels on, and then that those labels certifying their cyber security status are, in fact, true.

Katy Milner That’s right. The labeling process attempts to control for that, and that there’s a two-step way for manufacturers to obtain the label. First, they’ll need to have their product tested by a certified lab. And once they get the conformity report, then the Cybersecurity Labeling Administrator will review everything to make sure it’s verified. And then at that point, the manufacturer will be able to use the label. But there are definitely concerns that once labels on there, how do we know that the product actually meets the standards that the representations the manufacturer is making about continuing to update it are actually happening?

Tom Temin We’re speaking with attorney Katie Milner. She’s a partner at Hogan Lovells. And you mentioned there are federal procurement regulations regarding this labeling program, because at some point, these devices will cross over into what might be acquired for federal use.

Katy Milner That’s right. Yes. Even though this is a voluntary program. And on the face of it, it is not putting new contract requirements for federal contracting. We’ve often seen standards developed by NIST, the National Institute of Standards and Technology make their way into federal procurement contracts. So, if the government is procuring Internet of Things devices, the contract terms may say the product is eligible to receive the cyber label. The product meets the standards under the FCC cyber label. That may be the new baseline that we’re seeing in these agreements. So, I think both participants and any manufacturer are going to be curious to see how this program evolves. And they may find it useful just to be a competitive differentiator for their products, that it’s able to obtain this label.

Tom Temin Because there is another class of products which in fact are IoT devices, but they’re not marketed as such and not considered in the same use cases. I’m thinking of things like printers, for example, which have hard drives, and they have IP addresses, and they have wireless connectivity, and there’s a lot of high-end consumer type of devices that you might see in an industrial or business setting. And then there are the, you know, the floor standing types of printers that are in big offices. And those are internet connected in that sense, they’re IoT devices. Do you anticipate this program could migrate upwards to anything that is not that are standing alone and operating, that’s not actively keyboard by a human being?

Katy Milner Oh, certainly. I think printers are within the realm of types of devices. They were interested in being subject to this program. So, there’s so many connected devices around us that we don’t even notice anymore. But if they do have this ability to connect to the network at large, that’s going to be a device. They need to consider these requirements.

Tom Temin Yes, because by definition those things are useless unless they are connected to the net.

Katy Milner Right. And by the fact of their connection, that’s what’s introducing these security vulnerabilities that we’re concerned about, both for hacking and malicious behavior, but also the threat of national security issues from espionage, particularly in the government context.

Tom Temin And what is the timeline or intended schedule of this FCC program to get, at least at the rudimentary level here, till there are labels on doorbell chimes.

Katy Milner The FCC has set an aggressive timeline. I have heard that they want this program to be up and running by January of next year. And with the March release of this report in order and setting forth these next steps, there’s a lot to be done in the next few months to nail down the details and get this program up and running. So, it’s going to be fast moving from here.

Tom Temin And does this program have teeth, any way of enforcing the fidelity of the labels, and also just the fact of having them on there in the first place?

Katy Milner Yes, the FCC addressed that in its report, in order. One of the principal enforcement mechanisms that they’re going to be doing is post-market surveillance. So, the program administrator will be buying products off the shelf and sampling them to make sure that they actually meet the standards FCC specified. It will take administrative remedies and civil litigation to address noncompliance. So, if a manufacturer is fraudulently using the label, they could be prosecuted by, we’ve been talking about FCC, but the Federal Trade Commission as well, for deceptive practices or even trademark infringement for using the label without being authorized. Yes.

Tom Temin So there’s 3 or 4 agencies that could jump in and stomp if it doesn’t work. Was this something that the FCC adopted unanimously because they don’t agree on much these days.

Katy Milner Like the rest of the government. But this one the FCC adopted unanimously; the commissioners agreed that something needed to be done to plug this information gap that consumers have about the security of their devices.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories