In a rare move, an FCC commissioner is calling on the public to weigh in on a proposed cybersecurity label for Internet of Things (IoT) products to prevent device makers from watering down the potential regulation.
The request comes from Commissioner Nathan Simington, who’s trying to strengthen an FCC proposal that would issue an easy-to-understand cybersecurity label for eligible IoT products, such as smart home appliances.
The system is meant to be voluntary for participating companies. But even so, the FCC’s goal is to issue the labels to products that follow “widely accepted cybersecurity standards.” As a result, the labeling system promises to drive consumers to purchase safer IoT gear while encouraging both device makers and retailers to sell “market secure devices.”
Still, Simington fears electronics vendors could end up undermining the labeling system as it faces scrutiny during the FCC’s official rule-making process. So on Tuesday, he took to Hacker News, a social site popular among software developers, urging them to submit their own comments on the proposed program.
“Many manufacturers oppose making any commitments about security updates, even voluntary ones,” he wrote.” These manufacturers are heavily engaged at the FCC and represented by sophisticated regulatory lawyers. The FCC and White House are not likely to take a strong stand if they only hear the device manufacturer's side of the story.”
The risk of electronics vendors dominating the public comments for the voluntary cybersecurity labeling system is why Simington is asking for concerned citizens, such as programmers, to offer their own feedback.
“You have experienced insecure protocols, exposed private keys, and other atrocious security,” he added. “You have seen these problems persist despite ample warning. People ask, ‘why aren’t there rules about these things?’ This is your chance to get on the record and tell us what you think the rules should be.”
Indeed, it’s no secret that IoT devices often come saddled with poor cybersecurity. Over the years, we’ve seen smart garage door openers, internet cameras, and home routers end up hosting unpatched vulnerabilities, which can put owners at risk of hacking. So in response, Simington has been advocating for the voluntary cybersecurity label to require the participating device maker to disclose how long the product will receive security updates.
“I hope that, besides arming consumers with better information, the commitments on this label (including the support period) will be legally enforceable in contract and tort lawsuits and under other laws,” he added.
But if you have your own thoughts on IoT security, Simington says you can submit your comment using the FCC’s website dedicated to the proposed labeling program. “Click to file either an ‘express’ comment (type into a textbox) or a ‘standard’ comment (upload a PDF),” he added. “Either way, the FCC is required to consider your arguments. All options are on the table, so don’t hold back, but do make your arguments as clear as possible, so even lawyers can understand them.”
