Proposed law in U.S. seeks to stamp ‘Cyber Shield’ label on IoT device packaging

A new bill put forth by Democratic lawmakers in the U.S. seeks to establish a benchmark for the security of Internet of Things (IoT) products and stamp a label onto the product’s packaging, indicating that it’s certified under the Cyber Shield Act.

IoT deployments are taking both industry and households by storm, with some analysts projecting 60 billion such devices online by 2025. Acknowledging this trend, Senator Edward John Markley said in a statement that, “the IoT will also stand for the Internet of Threats until we put in place appropriate cybersecurity safeguards.”

The bill (PDF), recently submitted to both the Senate and the House, seeks to “establish a voluntary program to identify and promote internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes.”

The bill would create an advisory committee including:

• representatives from the products industry, including small, medium, and large businesses
• cybersecurity experts, including independent researchers in areas such as cryptanalysis, hardware and software security, wireless, and network security, cloud security, and data privacy
• public interest advocates
• a liaison from the Information Security and Privacy Advisory Board
• Federal employees with expertise in certification, covered devices, or cybersecurity, including employees of the Department of Commerce, the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and the Consumer Product Safety Commission

Another seat to fill is that of “an expert who shall ensure that, subject to subsection, the Advisory Committee conforms to and complies with the requirements under the Federal Advisory Committee Act (5 U.S.C. App.).”

Labels applied to covered products under the Cyber Shield program could be digital (i.e. advertised on the vendor’s website or other marketing materials) and / or physical (if feasible) and affixed to the product packaging. Interestingly, legislators propose that the label take on different grades showing how thoroughly a covered product meets the security standards.

Program members are prohibited from establishing any cybersecurity and data security benchmark that can be considered arbitrary, capricious, an abuse of discretion or otherwise not in accordance with law.

The committee and IoT vendors will share the responsibility of educating the public about the Cyber Shield program.

“With more than 60 billion IoT devices projected to be in our pockets and homes by 2025, cybersecurity continues to pose a direct threat to economic prosperity, privacy, and our nation’s security,” Markley added. “By creating a cybersecurity certification program, the Cyber Shield Act will give consumers a seal of approval for more secure products, as well as encourage manufacturers to adopt the best cybersecurity practices so they can compete in the marketplace for safety.”