On Oct. 11, 2022, the White House issued a press release outlining several initiatives to be adopted by the United States government to safeguard its cyber infrastructure. Among those initiatives is the development of a new voluntary certification and labelling program for Internet of Things (IoT) devices.

Under this program, products meeting yet-to-be-determined cyber security standards would be certified and made eligible to use a government-backed label demonstrating their certification. With an initial focus on routers and home cameras, the program will certify products following an extensive testing and vetting process conducted by government-accredited entities.

The project remains in early stages, and a consultation process will be undertaken in October 2022 with industry stakeholders to discuss the development and rollout of the program.

Background

The announcement comes in the wake of a pilot program initiated by an executive order signed by President Biden in May of 2021. The order directed the National Institute of Standards and Technology (NIST) to initiate two cyber security labelling pilot programs: one for IoT devices and the other for consumer software. With the pilot program completed, the NIST issued its recommended labelling program criteria on Feb. 4, 2022, and a report on the pilot was issued on May 10, 2022.

These documents recommend the implementation of a single label indicating a product has met a baseline standard, coupled with either a URL or QR code where the consumer can access additional details on the meaning of the label, product criteria, and other information related to cyber security and the certification program.

While the specific cyber security standards to be met remain to be developed, the NIST report recommends, to the extent feasible, the leveraging of existing standards and harmonization among schemes in the United States and around the world. Harmonization would likely help make program development more expeditious, facilitate compliance by IoT device manufacturers and help generate increased recognition by consumers in the international marketplace.

This program is hardly the first of its kind. Indeed, several labelling programs have been implemented or are similarly being developed across different jurisdictions. For example, Germany, Finland and Singapore have already implemented their own government-backed cyber security labelling programs for connected devices. The UK also announced a similar initiative in 2020, and has supported industry-led pilot projects.

These regimes are largely based on already-developed standards, primarily EN 303 645, developed by the European Telecommunications Standards Institute (ETSI). In addition to this shared foundation, there has also been cooperation among governments to harmonize these initiatives further. Finland and Singapore, for example, have entered into a Memorandum of Understanding whereby a product can become certified under both labelling programs with a single application. It has been reported that the US is cooperating with the EU in the development of their labelling program, with the intention that US products bearing cyber security labels be sold globally.

Is there potential for adoption in Canada?

As these programs increase in adoption worldwide, implementation of a similar mark in Canada - either through cooperation with the US or through a made-in-Canada initiative - may be possible in the future.

Canadian organizations and consumers are likely familiar with a similar voluntary certification mark scheme established by the US Government in relation to energy efficiency. ENERGY STAR, after which the White House has indicated the cyber security project is to be modelled, is a certification mark held by the US Environmental Protection Agency (EPA). It is also administered in Canada by Natural Resources Canada. It is licensed for use to organizations whose products meet government-defined criteria for energy efficiency, and has since become a highly recognizable consumer symbol. There is therefore precedent for collaboration between Canada and the US on similar certification schemes.

A multi-stakeholder consultation process on a similar IoT cyber security labelling initiative has already taken place in Canada. In partnership with Innovation, Science and Economic Development Canada (ISED), several Canadian institutions engaged in a project titled Canadian Multi-stakeholder Process: Enhancing IOT Security, which issued its final report in 2019. Among its efforts was the formation of a working group tasked with making recommendations for a similar IoT cyber security labelling regime. Many of these recommendations were informed by existing schemes elsewhere in the world, and reference regional standard-development initiatives underway in the UK, EU, Australia, US and Canada.

A cyber security certification mark program like this would also have precedent in Canada. ISED, in collaboration with the Canadian Centre for Cyber Security, implemented a similar voluntary certification initiative in 2019 with respect to enterprise cyber security. The CyberSecure Canada certification program, administered by independent assessment bodies accredited by the Standards Council of Canada, enables small and medium-sized organizations that demonstrate that they meet a baseline set of security practices to make use of the CyberSecure Canada certification mark. The program will be updating its requirements to align with a since-developed national standard on Jan. 1, 2023.

What does this mean for Canadian organizations?

Currently, the development of the labelling program in the US is in early stages and no similar program in Canada is in active development. Further, the voluntary nature of these initiatives means that Canadian organizations that export IoT devices to jurisdictions with programs in place are not required to comply with specific sets of cyber security standards, beyond those otherwise legislated.

The impact these programs will have on buying behaviour remains to be seen. However, given the apparent popularity of cyber security labelling regimes among industry stakeholders and growing adoption by governments, Canadian organizations that export connected devices may wish to explore such programs as a means of fostering goodwill among their consumers and trust in the quality of their products.