News 07-20-2023

The U.S. Cyber Trust Marks

DigiCert
IoT Whitehouse Blog

There will be an estimated 30 billion IoT devices by 2030. But how many of those devices are putting our data at risk? Most consumers currently do not know the cybersecurity details of the smart devices they purchase. The new "U.S. Cyber Trust Mark" aims to better empower consumers by putting cybersecurity information at their fingertips, similar to a nutrition label. Studies show that consumers will pay more for assurance of device security and 84% would consider switching vendors if they lose trust in a company’s digital security. Thus, IoT security labels could be revolutionary for assuring users of digital trust.

The new Cyber Trust Mark was announced on July 18 in a White House memo on the Cybersecurity Labeling Program for smart devices.

This program aims to:

  • Inform consumer choices: The U.S. Cyber Trust Mark will provide consumers with clear information about the security of Internet-enabled devices, enabling consumers to make informed purchasing decisions.
  • Encourage higher cybersecurity standards: By differentiating trustworthy products in the marketplace, this program incentivizes manufacturers to meet elevated cybersecurity standards, enhancing the overall security landscape.

The program has been in the works since the 2021 Executive Order on Improving the Nation’s Cybersecurity and will implement a U.S. Cyber Trust Mark for devices to help consumers make more informed purchase decisions. Devices will also display a QR code linking to a registry of certified devices to provide consumers with additional security information. The program follows many other countries that have legislated for IoT labels.

Under the program, products meeting specific cybersecurity criteria, such as strong default passwords, data protection, software updates and incident detection capabilities, will display the "U.S. Cyber Trust Mark" logo (view the proposed logo at https://www.fcc.gov/cybersecurity-certification-mark). Both private and public organizations have been involved in developing the marks, including Amazon, Google, Samsung and Yale. This program is anticipated to be in effect in 2024 and the Federal Communications Commission (FCC) is currently seeking comments. 

DigiCert supports the Cyber Trust Mark 

At DigiCert, we are fully committed to supporting the U.S. Cyber Trust Mark initiative. DigiCert has been involved in strengthening cybersecurity for the IoT through various programs, including the Cloud Security Alliance, Matter and NIST, and we’ve been working with some of the world’s leading consortiums to advance the security of devices. We view this announcement as an important step in providing more digital trust for connected devices. Here’s what experts at DigiCert have to say about the new initiative:

“The ‘U.S. Cyber Trust Mark’ is a reflection of the need to convey confidence and trust to consumers that the device they are purchasing has been tested to meet certain cybersecurity standards. Cybersecurity and privacy are critically important to the adoption of best practices of digital trust. The fundamental practices of authentication, encryption and integrity checking via cryptography are the key components for a strong cyber trust mark utilizing digital trust.” – Jason Sabin, Chief Technology Officer, DigiCert.

“The U.S. Cyber Trust Mark punctuates DigiCert’s ongoing initiative for expanded Digital Trust in every facet of our personal and professional life. The need for consumers’ identity, data, and privacy to be protected by manufacturers is critical to the expanding role of connected devices. This labeling is intended to give confidence to the individual that proper security measures are being integrated into the innovative products that they select.” – Tom Klein, Senior Director of IoT Business Development, DigiCert.

“Trust marks backed by rigorous certification or compliance programs are crucial for consumers to know that their identity, data, and privacy are appropriately protected.” – Diana Jovin, VP Product Marketing, DigiCert.

“This is a great first step toward making consumers part of the ‘verification process’ essential to digital trust, but only if that security information is presented in a way that a non-cryptographer can understand it. For example, the padlock users see next to a website in their browser indicates encryption, but users can still be on a phishing website or one containing malware. And if a user clicks on the padlock—which many don’t dare to—the information they see is so technical that even some IT people don’t fully understand it. To really empower consumers, we’ll need less engineer-speak and more approachable language that informs and guides. It will be a process. Even with our decades of experience operating the Internet’s most-recognized trust marks for what was Verisign, then Symantec, now Norton powered by DigiCert, and the DigiCert Smart Seal, we’re constantly testing and learning to make sure a trust mark isn’t just present—it’s understood.” – Ryan Brown, VP of Brand & Creative & Digital, DigiCert.  

“The U.S. Cyber Trust Mark initiative is a significant step in bolstering digital trust for IoT devices. It enables informed consumer decisions on security standards, prioritizing privacy and safety. Widespread adoption and industry collaboration will promote higher cybersecurity standards, fostering a safer digital environment. This initiative empowers users to embrace IoT devices with confidence, enhancing overall digital trust.” – Alex Deo, Senior Product Marketing Manager, DigiCert.

“The recent introduction of the U.S. Cyber Trust Mark marks a leap towards nurturing digital trust within the thriving IoT device community. This initiative revolves around fortifying cybersecurity measures, empowering consumers to make well-informed decisions that place a premium on privacy and safety. As we journey ahead, the collaboration between industry stakeholders and regulatory bodies assumes paramount significance in shaping rigorous labeling requisites. This effort empowers users to confidently unlock the potential of interconnected devices, fostering a digital realm where trust is paramount, inspiring greater peace of mind for all.” – Dean Coclin, Senior Director, Digital Trust Specialist, DigiCert.

“Empowering American consumers with cybersecurity labeling for smart devices is a pivotal step in our relentless pursuit to safeguard privacy, security, and trust in the digital era. The US government’s visionary cybersecurity labeling program ensures that every choice made by consumers reflects not just convenience, but also resilience against cyber threats, creating a future where technology and protection go hand in hand.” – Avesta Hojjati, VP of Research & Development, DigiCert.

Device manufacturers prepare now

Currently, manufacturers are advised to adhere to the NIST Secure Software Development Framework to enhance the security of their products.

Furthermore, for companies seeking efficient management of IoT devices on a large scale, DigiCert® IoT Trust Manager offers a comprehensive, automated workflow. This solution enables businesses to handle their IoT devices with certificate-based security throughout the manufacturing process and at the edge.

DigiCert IoT Trust Manager embeds and manages device identity at scale, supporting a broad range of certificate types and enrollment methods, meeting the diverse security needs and form factors of the connected device market. Learn more about DigiCert IoT Trust Manager at https://www.digicert.com/iot-trust-manager.

 

 
