Inside the White House's plans for an "Energy Star for cyber"
The Biden administration is barreling ahead with the rollout of a new consumer product label by the spring that measures the security of smart devices — but affected companies still don't know what to expect.
The big picture: The administration is trying to rein in the rising number of cyberattacks and espionage campaigns that rely on insecure internet-connected devices, such as routers and smart cameras.
- While it's still unclear what the label will look like, the idea is that it will educate consumers about what security practices manufacturers are using to keep them safe.
- The U.S. is following Singapore and the U.K. in exploring a consumer cyber label for internet-connected devices.
Driving the news: The White House led an hourslong meeting on Wednesday with people across industry, government and academia to discuss the ins and outs of what they've dubbed an "Energy Star for cyber" program.
- Attendees included the Federal Trade Commission, the Department of Energy and other government offices, as well as Amazon, AT&T, Google and more.
Five nongovernment attendees told Axios that, while they praise the White House for convening such a discussion, they walked away with few definitive answers about what the program will look like or who will run it.
- Lingering questions include whether the program will be mandatory and how exactly the label will measure device security.
Details: The White House shared its own "straw-man" model for how it envisions the program working, according to two people in attendance.
- The National Institute of Standards and Technology (NIST) would hypothetically publish a set of standards for what factors the rating system would rely on, according to one source at the meeting.
- A third-party licensing body, not yet created, would then use NIST's standards to rate products. The government would oversee the program, while the FTC would be the enforcement muscle, the source added.
- At the meeting, discussion groups covered the government's potential role in this program; ways to make this label effective and improve device security; building consumer awareness about the label; and appropriate enforcement mechanisms.
Between the lines: Given the quick timeline, attendees who spoke with Axios anticipate the White House will make only small tweaks to its plan and will lean heavily on the presented research to answer lingering questions.
- "They don't usually put something on the table without it being baked," a source at the meeting told Axios.
What's next: Justin Brookman, director of tech policy at Consumer Reports and another meeting attendee, told Axios that the White House estimated they'd have feedback within the next six to eight weeks.
- A senior administration official told reporters that the White House plans to bring an updated proposal to both government and industry stakeholders soon before the administration settles on the initial scope of the program this spring.
- However, some attendees said they weren't aware of the spring timeline until they read it in the administration's public statement released on Thursday.
Sign up for Axios’ cybersecurity newsletter Codebook here.