The U.S. Cyber Trust Mark and the rise of IoT regulations
In July 2023, the White House announced the U.S. Cyber Trust Mark, a new cybersecurity certification and labelling program for consumer Internet of Things [IoT] devices. Note that it is a voluntary labelling scheme proposed through the Federal Communications Commission, not a statute. According to the Biden-Harris Administration, the program aims to ‘help Americans more easily choose smart devices that are safe and less vulnerable to cyberattacks’. After all, with an estimated 53.35 million U.S. citizens having been affected by cybercrime in the first half of 2022 alone, it’s clear that attacks pose a serious threat to consumers.
Under the proposals, the U.S. Cyber Trust Mark will leverage stakeholder-led efforts to certify and label products against cybersecurity criteria outlined by the National Institute of Standards and Technology [NIST]. For example, device Original Equipment Manufacturers [OEMs] would need to ship devices with unique and strong default passwords, protect the data they store and transmit, deliver regular software updates, and provide incident detection capabilities, all in an effort to keep users safer.
Widely regarded as the first step towards U.S. regulation of consumer IoT, the program is intended to raise the bar for cybersecurity across many common devices like smart fridges, smart microwaves, and smart TVs. Indeed, several major OEMs – including Amazon, Google, and Samsung – have already made voluntary commitments to enhance the cybersecurity of their devices in light of the proposals.
While the unveiling of the U.S. Cyber Trust Mark is a significant development, the program forms part of a wider, international trend towards greater cybersecurity regulation. For example, the European Union recently published draft rules that would impose tougher cybersecurity requirements and labelling on tech companies operating across EU nations – work that has heavily influenced the U.S. program. As such, it’s evident that cybersecurity is becoming an increasingly important issue for regulators and consumers around the world, particularly as the threat landscape continues to evolve.
Given this heightened focus on cybersecurity regulation, OEMs who want to demonstrate their commitment to keeping consumers and their data safe should be aiming to adhere to these and other emerging IoT regulations.
Striking a balance
Of course, more regulation is a positive thing for the consumer IoT industry. Not only does regulation give consumers greater confidence in the products that they buy, but it also encourages manufacturers to differentiate by offering ever-better cybersecurity.
However, given the broad and varied range of cybersecurity standards that OEMs are now expected to adhere to for market access around the world, tailoring devices can prove very expensive. Therefore, it’s necessary for OEMs to strike the right balance, ensuring that device security is sufficiently robust without leading to excessive cost and time overrun.
As a result, many OEMs have striven to build a single security baseline that is strong enough to meet the needs of all markets, rather than tailoring each device to one region’s requirements. This is certainly what has taken place in the automotive industry, where a significant focus has been placed on harmonizing regulations across jurisdictions. By doing so, regulators have simplified the adoption curve for OEMs, encouraging compliance and enhancing the level of protection that consumers receive.
Given the success that harmonization has achieved in improving compliance in the automotive industry, regulators should consider what can be done to simplify adoption for other IoT manufacturers. Until this happens, however, OEMs must continue to build their devices to meet the myriad of regulations that must be adhered to around the world.
While the U.S. Cyber Trust Mark represents a significant step forward for device cybersecurity, OEMs need to be aware that more initiatives of this kind are expected to follow. This is because there is a growing appetite from countries around the world to position themselves as consumer champions, given the capital that doing so can build with voters. As such, manufacturers must not only consider what they need to do to meet existing regulations, but also how they can future-proof devices against non-compliance with rules that are likely to emerge over time.
How Trustonic can help
We recognize that ensuring compliance with the broad range of current cybersecurity regulations is challenging enough, without the additional challenge of preparing devices for future legislation. While there is no one solution that will solve all the issues that OEMs face when it comes to meeting regulations, we at Trustonic are proud to offer the most comprehensive solution available. Our Trusted Execution Environment [TEE], Kinibi, provides OEMs with a robust foundation to build a wide range of secure applications and services across their device architecture, supporting them in ensuring compliance with both existing and emerging regulations.
Kinibi has been certified to Common Criteria EAL5+ against the GlobalPlatform TEE protection profile, positioning it as the ‘gold standard’ for consumer IoT cybersecurity. In addition, because it is built on the standard GlobalPlatform TEE APIs, it enables IoT OEMs to add new Trusted Applications or libraries to support new features or to mitigate emerging threats over time.
Given the speed with which cyber threats – and the certifications designed to help address them – are evolving, it’s vital that OEMs don’t take a ‘DIY’ approach to security. We have helped many manufacturers to achieve compliance with regulations around the world, and are constantly looking ahead to what’s coming down the tracks.
This means we are perfectly positioned to support manufacturers in ensuring that they are compliant with cybersecurity regulations, both now and in the future and, in doing so, continue to build trust with consumers.