Export Compliance Daily is a Warren News publication.
Vulnerabilities 'Inevitable'

FCC Seeks Comment on Proposed Smart-Device Labeling Program

The FCC released an NPRM Thursday on a voluntary cybersecurity labeling program for smart devices (see 2307180054). Commissioners approved the NPRM 4-0 last weekend. The NPRM poses dozens of questions about the scope and nature of the program. Chairwoman Jessica Rosenworcel and Commissioners Geoffrey Starks and Nathan Simington released statements. Comment deadlines will come in a Federal Register notice.

An estimated 17 billion smart devices are in use worldwide, expected to grow to 25 billion by the end of the decade, Rosenworcel said: “These technologies provide all kinds of benefits because they can make our lives easier and more efficient. However, this increased interconnection brings more than just convenience. It brings increased security risk. After all, every device connected to the internet is a point of entry for the kind of cyberattacks that can take our personal data and compromise our safety.”

“The proliferation of consumer IoT devices has opened the door to cyberattacks on consumer products that can have serious privacy and national security consequences, ranging from theft of personal information to disruption of critical infrastructure,” the NPRM says: The program is intended “to provide consumers with the peace of mind that the technology being brought into their homes is reasonably secure, and to help guard against risks to communications.”

The FCC proposes a program under which the commission would create and own “a new distinctive trademark” and “would take appropriate steps to authorize its overall use in a way that ensures the integrity of the mark and the label.” The FCC would enlist third parties to “evaluate and authorize the use of the Commission’s trademark on an IoT device or product.”

The NPRM asks for comment on “the scope of IoT devices or products for sale in the United States that should be eligible for inclusion” in the labeling program and “whether to focus the program initially on IoT ‘devices’” and “specifically those wireless devices that intentionally emit” RF energy. The FCC asks whether a program “that addresses products (as opposed to just devices) would be more consumer friendly, as the public may find it easier to understand that the product (as a whole) they are looking to purchase meets the IoT security standards, rather than trying to parse which devices … meet applicable standards.”

The NPRM asks whether the program should focus on only consumer devices, or include those used by businesses. The FCC proposes to exclude from the program devices from companies on the FCC’s covered list deemed to pose a threat to U.S. security. Devices or products from companies on the Department of Commerce’s entity list, DOD’s list of Chinese military companies and similar lists also would be excluded. “We find it could be harmful to consumers to portray such a message on devices or products made by companies that our sister agencies have identified publicly as part of their national security review,” the FCC said.

Cybersecurity vulnerabilities are “inevitable,” but it often takes months for fixes to make their way to end users, Simington said. “The early days of the connected device industry are behind us, and the laissez-faire attitude that came with rapid innovation now threatens to thwart the industry’s progress into more serious domains where the stakes are higher,” he said: “As we entrust technology with greater responsibility for our money, privacy, personal safety, and public order, we need to have greater confidence in its security.”

Starks said he strongly supports the program but wants to make sure it’s “as pro-consumer as possible.” The FCC is right to exclude gear already identified as posing risks, he said. “It is vital that we do not place our stamp of approval on devices from producers that the United States government and its agencies have already identified publicly as part of a national security review,” he said.