US Unveils Cybersecurity Certification: A New Era for Smart Devices

01-08-2023 | By Robin Mitchell

In a world where technology is increasingly becoming a part of our daily lives, the security of smart devices is a concern that cannot be overlooked. The US government's recent announcement of a new certification program is a significant step in addressing this issue. This article delves into the challenges faced by smart devices, the details of the new certification program, and why it is a commendable move by the government.

Recently, the US government announced a new certification program that will allow smart devices to advertise themselves as being secure, thus providing consumers with a more informed buying experience. What challenges have smart devices faced over the past two decades, what will the new certification program do, and why is it an excellent step for governing bodies?

What challenges have smart devices faced over the past two decades?

There is no doubt that anyone who has owned smart devices over the past few decades, whether in the form of smartphones, home devices, or computers, will have faced problems at some point. In the early days, these problems were primarily related to performance, such as processing power, memory, and battery life, and the introduction of new devices would provide some improvement over these areas. 

The evolution of cyber threats is a testament to the constant cat-and-mouse game between hackers and cybersecurity experts. From simple destructive viruses to sophisticated cyberattacks aimed at stealing sensitive data, the threat landscape has drastically changed. This has necessitated the need for robust security measures, especially in the realm of smart devices. 

However, for as long as the internet has existed, the threats from cyberattacks have only continued to increase in severity. The first viruses were often used to disable systems and wipe out files with the sole purpose of being destructive, but when hackers realised the value in data and access, these malicious programs began to phone home, providing keystrokes, passwords, and other valuable credentials. 

Eventually, hackers were able to use this data to outright steal funds from bank accounts, make purchases with stolen credit card details, and even commit identity theft via social security numbers, telephone numbers, and addresses. Fast forward to today, and cyberattacks have become so incredibly sophisticated that cybersecurity experts dedicate their lives to finding and patching vulnerabilities before they can be exploited.

While cybersecurity has been reasonably well managed in computational devices such as servers, computers, and laptops, security in smaller smart devices such as doorbells, surveillance cameras, and thermostats faces tremendous challenges. This area of industry, generally referred to as the Internet of Things (IoT), typically uses lower-end microcontrollers with limited processing and memory capabilities, which makes deploying antimalware solutions difficult, especially when such devices run firmware as opposed to full-fledged operating systems.

To make matters worse, due to the simplicity of early IoT devices, it was generally believed that hackers would have no interest in them, and so many engineers simply decided not to implement strong security practices. For example, default passwords in devices were often easy to guess (such as “password”), some devices didn’t even incorporate passwords, insecure connections across the internet were used, and device updates would rarely be available. 

Unfortunately, IoT devices turned out to be of interest to hackers who recognised that millions of identical devices around the world, all using the same default credentials, make an extremely powerful launch platform for large-scale Distributed Denial of Service (DDoS) attacks. Furthermore, IoT devices that have microphone and/or camera capabilities can easily be turned into spying platforms. Finally, an IoT device that can be remotely accessed can provide network credentials to hackers, giving them access to internal networks and putting any and all connected devices on that network at risk.

Fast forward to today, and while numerous security practices are now being deployed among smart devices, it is difficult to see the exact level of protection offered. Furthermore, the lack of any official certification program or legislation means that it is very easy for unsecured devices to enter the market undetected. As such, consumers from all walks of life can find it challenging to make informed security decisions when purchasing smart devices.

The US government announced a new certification program

Despite governments around the world starting to introduce cybersecurity laws to try and protect consumers, the lack of standardised signage or regulated industrial markings continues to make it difficult for consumers to identify smart devices that offer a high degree of safety. In recognition of this challenge, the US government has recently announced a new certification program that will allow smart device manufacturers to place a protected stamp on their products and certify their products as being recognised by the US government for their security.

The introduction of this certification program is a game-changer in the realm of smart device security. It not only sets a benchmark for device manufacturers but also empowers consumers by providing them with clear information about the security of the products they purchase. 

Manufacturers that sign up to the certification program must be able to provide adequate proof that their devices follow requirements set out by the National Institute of Standards and Technology (NIST), which include high-strength default passwords, software update availability, and use of encrypted messaging when connecting to remote servers. Furthermore, devices that receive certification are provided with a QR code that, when scanned, takes the user to an up-to-date webpage providing all details surrounding the security of that device.

As FCC Chairwoman Jessica Rosenworcel stated, this program could be up and running in late 2024 after a forthcoming public comment period. This initiative is a significant step towards enhancing cybersecurity across common devices, including smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more.


Variations on the new marks

So far, numerous tech businesses have signed up to the new program, including Amazon, Google, Samsung, and even Qualcomm. It is hoped that as the certification program is rolled out, improvements over time will finally provide consumers with a high degree of confidence in the tech that they buy. Additionally, the new mark also helps to discourage consumers from using devices without the mark, as its absence would indirectly imply that the device in question lacks strong security practices.

The applicable cybersecurity criteria for the U.S. Cyber Trust Mark will draw on NIST’s work to establish specific cybersecurity criteria for IoT devices. The Administration noted, for example, that based on existing NIST guidance, qualifying devices would likely be required to have unique and strong default passwords, data protection, software updates, and incident detection capabilities.
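The criteria listed above (unique, strong default passwords; software update availability; encrypted connections to remote servers; incident detection) are the kind of thing a manufacturer would want to check before applying for the mark. The following self-audit is an added example written for this article; it is not code from NIST, the FCC, or any certification scheme. The configuration record format, the sample device records, and the entropy threshold are all constructed assumptions for the demonstration, not programme rules.

```python
"""Audit constructed IoT device records against the criteria the article
attributes to NIST guidance: strong and per-unit-unique default passwords,
an update source, encrypted cloud connections, and security event logging.

Added example; record format, sample data and thresholds are assumptions."""
import math
import re
from collections import Counter

# Constructed list of well-known factory defaults (illustrative, not exhaustive).
COMMON_DEFAULTS = {"password", "admin", "1234", "12345", "123456", "default", ""}

# Assumed minimum strength for a shipped default password, in bits.
MIN_ENTROPY_BITS = 50


def password_entropy_bits(pw):
    """Rough strength estimate: length times log2 of the character pool implied
    by the classes present (lower, upper, digit, symbol)."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def audit_device(device, fleet_password_counts):
    """Return the list of findings for one device record (empty list = passes)."""
    findings = []
    pw = device.get("default_password", "")

    # Unique and strong default password.
    if pw.lower() in COMMON_DEFAULTS:
        findings.append("default password is a well-known value")
    elif password_entropy_bits(pw) < MIN_ENTROPY_BITS:
        findings.append("default password is too weak")
    if fleet_password_counts[pw] > 1:
        findings.append("default password is shared across units")

    # Software update availability, over an encrypted channel.
    if not device.get("update_url", "").startswith("https://"):
        findings.append("no HTTPS software update source")

    # Encrypted messaging to remote servers.
    if not device.get("tls_required", False):
        findings.append("cloud connection does not require TLS")

    # Incident detection capability.
    if not device.get("security_event_log", False):
        findings.append("no security event logging for incident detection")
    return findings


def audit_fleet(devices):
    """Audit every record; the fleet-wide password count catches shared defaults."""
    counts = Counter(d.get("default_password", "") for d in devices)
    return {d["serial"]: audit_device(d, counts) for d in devices}


# Constructed sample records: two units of a legacy product sharing a factory
# default, and one unit of a product designed to the criteria above.
SAMPLE_DEVICES = [
    {"serial": "A-001", "default_password": "password", "update_url": "",
     "tls_required": False, "security_event_log": False},
    {"serial": "A-002", "default_password": "password", "update_url": "",
     "tls_required": False, "security_event_log": False},
    {"serial": "B-001", "default_password": "Qv7!mR2#kL9pX",
     "update_url": "https://updates.example/b", "tls_required": True,
     "security_event_log": True},
]

if __name__ == "__main__":
    for serial, findings in audit_fleet(SAMPLE_DEVICES).items():
        print(serial, "PASS" if not findings else "; ".join(findings))
```

The fleet-wide count is the important part: a single device's password can look strong in isolation while still being identical on every unit shipped, which is exactly the condition that made early IoT fleets useful for large-scale DDoS.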

Why is this an excellent step for government bodies?

Generally speaking, governments will often ruin whatever they touch, and it’s extremely rare to hear in casual conversation that the government has done some good, spending taxpayers’ money wisely. This is especially true in the field of engineering, where large projects often make numerous mistakes, a lack of transparency can see corruption at every level, and access to expertise is often limited, resulting in short-term decisions.

However, when it comes to certification and regulation, governments can often be incredibly helpful. For example, it is government regulation that prevents houses from being constructed from flammable materials and positioned close together (see the first building regulations in the UK resulting from The Great Fire of London). Another example is the numerous regulations surrounding RF emissions that prevent rogue devices from causing too much interference.

In the case of IoT devices, the government introducing a voluntary certification program is by far the best way for a government to impose a degree of control over the sale of insecure devices without infringing the rights and freedoms of engineers. There is no obligation for device manufacturers to follow the program, and consumers are free to purchase the devices if they wish, but those that choose not to follow the program will effectively be facing a penalty for producing potentially insecure devices.

The role of the government in cybersecurity is multifaceted. While it is crucial to ensure the security of national infrastructure and sensitive data, the government also has a responsibility to protect consumers. This certification program is an example of how government intervention can lead to improved security standards in the tech industry. 

That isn’t to say that devices which don’t get certified are unsecured; it is more than possible for an engineer to design the most secure platform on the planet and simply not wish to sign up to the certification program. However, considering that by default, only secure devices can be certified, consumers are almost guaranteed to get the most secure devices from manufacturers that follow the program.

Overall, the US government’s announcement should come as a sigh of relief for the IoT industry and consumers alike. However, a word of caution about such programs: if the US government charges outrageous rates for certification, it could raise the barrier to entry for smaller companies looking to develop new products and thus potentially stifle innovation.

In conclusion

The US government's new certification program is a significant stride towards enhancing cybersecurity in the realm of smart devices. It is a testament to the importance of government intervention in setting industry standards and protecting consumers. However, it is crucial to ensure that the program is accessible to all manufacturers, big or small, to foster innovation and competition in the market. 


By Robin Mitchell

Robin Mitchell is an electronic engineer who has been involved in electronics since the age of 13. After completing a BEng at the University of Warwick, Robin moved into the field of online content creation, developing articles, news pieces, and projects aimed at professionals and makers alike. Currently, Robin runs a small electronics business, MitchElectronics, which produces educational kits and resources.