Do We Need Smart Home Security Ratings? - Cyber Trust Mark Overview
With 2023 coming to a close, 2024 brings some optimistic approaches to cybersecurity for consumers. One of those was this news of a Cyber Trust Mark, which we now know is planned to be implemented next year. Right now, this initiative is seeking comments, and could become our new reality next year. So what is it? Why does it exist? And why might you start hearing more about this in 2024?
Speaking of cybersecurity - DeleteMe is sponsoring this episode. If you want to find out how to remove your data from data broker sites to help combat identity theft and personal data leaks, then I’ve got a great deal to share with you - hit up joindeleteme.com/morsecode for 20% off any of their consumer plans.
So, what the heck is this Cyber Trust Mark? The US Biden Administration announced it back in the summertime, and it's kind of like an Energy Star rating that you see on home appliances - but instead of energy efficiency, it's a cybersecurity rating for smart home gadgets and products. So you'd be walking around Best Buy and see these special icons on packages, which essentially could help you identify which products have the best cybersecurity.
What would that include? Well, it could be anything that's connected, really. A smart fridge, thermostat, fitness trackers or machines, microwaves, TVs, smart lights, shades, baby monitors, cameras, etc.
It was announced earlier this year by the FCC and is a voluntary program. It’s a certification that signifies a digital product meets specific cybersecurity standards. It’s supposed to guarantee security by ensuring that the product has undergone things like testing based on predefined criteria including vulnerability assessments, encryption protocols, and adherence to best practices, whatever those may be. It’s supposed to assure consumers that a product has been evaluated for potential security flaws with a standardization of security expectations, which could help consumers have confidence in their purchases.
It's vague right now, and that's because the FCC is currently asking for industry affiliates to provide comments on how the Cyber Trust Mark could be improved before it's actually set into motion. But the basic idea is that this will use the NIST (National Institute of Standards and Technology) set of criteria to approve a device's acceptance into the initiative.
The NIST criteria include: asset identification; product configuration (how are products configured?); data protection (is data encrypted? how?); interface access control (like user authentication); software updates (and not just do they update, but how often?); cybersecurity state awareness (like, does the company have an incident response plan?); documentation; information and query reception; information dissemination; and product education and awareness.
If a business can meet all of these criteria, it could earn a Cyber Trust Mark. And to be honest, that could have a lot of really positive effects. For a business, it could build consumer trust with a visible symbol that it takes cybersecurity seriously. And it could give a business a competitive advantage in whatever market its device falls within, along with a good brand reputation. Many consumers don't prioritize security, but if you put it front and center on packaging, it could lead to better consumer awareness, and consumers may choose security first if they know what to look for.
One perspective I have is that a mark might help consumers with preventing data leaks. Maybe I'm being super optimistic in that approach, but a Cyber Trust Mark could help consumers make better buying decisions, bring security awareness to the front of mind, and as such, possibly teach consumers to think about security while setting their products up.
But the problem is that a Cyber Trust Mark doesn't guarantee 100% security. Threats change. Just because a product earned a Cyber Trust Mark when it was first packaged and distributed to store shelves does not mean it would still meet those certification criteria months down the line. Cyber threats evolve all the time, and businesses would have to keep up with that by continuously updating their products.
So from a real-world perspective, it'll be great for newly released products. But as those products age and collect dust on store shelves, you would still have to do your own research to find out if any recent exploits were made public. In my opinion, I love the idea of having a Cyber Trust Mark, but the difference between Energy Star and cybersecurity is that a new vulnerability could be discovered tomorrow. Should they add date markers to the icon? The original docs explain having a QR code that customers could scan to read up on the product online, but would customers do that? And would that same data be accessible in either buying format - whether you buy online or in a retail store?
I have lots of unanswered questions, but given this is just in its infancy, we probably won't see this initiative set in stone for quite some time. So I leave this video kind of open-ended for conversation and discussion. Do you think a Cyber Trust Mark will help?