The New IoT Cyber Labeling Program: What You Should Know

Security is one of the biggest concerns for the internet of things (IoT) industry today. These devices are notoriously difficult to secure, and users’ adoption of them often outpaces their knowledge of how to protect them. The White House is trying to fix that with a new IoT cyber labeling program.

In October 2022, the White House announced an IoT cybersecurity initiative to help consumers understand and address IoT vulnerabilities. Instead of focusing on security requirements for IoT developers, these voluntary guidelines outline standards to receive special labels that verify their security. Here’s everything you need to know about the program and how it could impact IoT cybersecurity.

What Is the IoT Cyber Labeling Program?

In an official statement on the IoT cyber labeling program, National Security Council (NSC) spokesperson Adrienne Watson called it “Energy Star for cyber.” Just as the Energy Star certification shows that a product meets certain energy efficiency standards, these new IoT labels will prove a smart device meets cybersecurity standards.

Brands that meet these standards will be able to display a barcode-based label on their products to showcase their security. Scanning these codes with a smartphone will take you to a page detailing what cybersecurity standards it meets and what those standards mean. That way, consumers can make the most informed decisions about buying secure smart gadgets.

Like Energy Star, meeting these requirements is voluntary. However, products without these labels may stick out to consumers as unsafe, encouraging more IoT manufacturers to pursue certification. These standards and labels will begin rolling out in the spring of 2023, starting with higher-risk devices like Wi-Fi routers and security cameras.

What Will These Labels Include?

The White House’s announcement didn’t specify what specific standards these labels would reflect. However, earlier documents from the National Insitute of Standards and Technology (NIST) suggest IoT cyber labeling criteria that this program will likely align with.

Some of the most impactful of these criteria target built-in security controls, an area where many current IoT devices fall short. The NIST suggests devices should be able to store their data securely, including the ability to delete it, and protect it in transit, likely through end-to-end encryption. Similarly, another suggested standard requires IoT devices to restrict access features and privileges to ensure that only authorized users, services and components can use their interfaces.

Many of the NIST’s suggested criteria focus on user education and controls. They recommend IoT devices inform users of any possible vulnerabilities and how to minimize them, making components easy to identify and making it easier to understand security controls. They also emphasize the ability to change default settings, as this is one of the leading best practices for IoT security.

Some recommendations focus on the labeling itself, too, not just the standards it reflects. Labels should make room for multiple approaches to security, be easy to understand and leave room for future updates.

Why Is the U.S. Launching This Program?

This IoT cyber labeling program comes as part of a larger movement toward regulating cybersecurity. Data protection and cybersecurity laws are scattered and uneven across the U.S., but threats are rising. Attacks on public infrastructure and government bodies like the 2021 Colonial Pipeline incident have highlighted the need for more comprehensive security standards.

IoT threats are particularly concerning as the number of smart device connections rises in both consumer and commercial circles. Businesses and consumers are integrating these technologies rapidly, often without understanding their inherent vulnerabilities. Providing a label system would help improve public awareness of these issues and offer easy steps toward mitigation.

The NST hopes that these labels will improve overall cybersecurity the way the Energy Star program has improved electrical consumption. While it’s not a comprehensive fix, it’s an important step in the right direction.

How Will IoT Cyber Labeling Affect Businesses?

While this program may focus on boosting consumer protection, it has several implications for businesses. Most notably, electronics manufacturers wanting to stay competitive in future markets will have to meet higher formal security standards.

Studies show that consumers are willing to pay up to 62.5% more for an IoT product if it offers better security. Consequently, by displaying a label that proves a product meets government standards for cybersecurity, IoT companies could appeal more to this increasingly security-concious market. They could charge more for their products to earn a higher profit or sell more same-priced devices to maximize revenue.

By contrast, businesses that don’t meet these standards may fall behind their competitors that do. These labels give consumers an easily recognizable indicator of superiority, so products without them may underperform.

How Will IoT Cyber Labeling Affect Consumers?

This label system will impact consumers, too. Even optional IoT security standards improve security across the entire industry because they incentivize better protection. When businesses may see declining sales without meeting these criteria, more will pursue them, giving customers more options for safer IoT devices.

IoT cybersecurity labels will also improve consumer protection by raising awareness about related vulnerabilities. As more labels appear on more devices, more people will read them. Consequently, more consumers will learn about IoT risks and what types of technologies and steps minimze them. Even if people don’t buy security-certified devices, they’ll be more likely to understand how to secure them themselves.

Other Developments in IoT Security

The IoT cyber labeling program is a significant step forward, but IoT security legislation is growing outside of it, too. The IoT Cybersecurity Improvement Act passed to become law in 2020 and requires IoT devices in government agencies to meet certain security standards. While this doesn’t include consumer devices, it may encourage broader cybersecurity improvements across manufacturers.

Some states such as California and Oregon have passed consumer-focused IoT data protection laws in the past few years, too. International laws are also rising, with the European Union, U.K., Singapore and Australia all implementing varying IoT codes and regulations. As these standards become more common, they’ll encourage higher security across the global IoT industry.

IoT Security Must and Will Improve

The general lack of IoT cybersecurity in many circles poses a significant threat to data protection and infrastructure security. However, things are trending in the right direction.

The U.S.’s new IoT cyber labeling program may not address all vulnerabilities, but it will drive security improvements for both consumers and businesses. As more legislative changes like this take place, these vulnerabilities will become less of a threat.