October 21, 2022

😎 TGIF, everyone. Welcome back to Codebook.

Today's newsletter is 1,222 words, a 4.5-minute read.

1 big thing: Charting the future of an "Energy Star for cyber"

Illustration: Megan Robinson/Axios

The Biden administration is barreling ahead with the rollout of a new consumer product label by the spring that measures the security of smart devices — but affected companies still don't know what to expect.

The big picture: The administration is trying to rein in the rising number of cyberattacks and espionage campaigns that rely on insecure internet-connected devices, such as routers and smart cameras.

  • While it's still unclear what the label will look like, the idea is that it will educate consumers about what security practices manufacturers are using to keep them safe.
  • The U.S. is following Singapore and the U.K. in exploring a consumer cyber label for internet-connected devices.

Driving the news: The White House led an hourslong meeting on Wednesday with people across industry, government and academia to discuss the ins and outs of what they've dubbed an "Energy Star for cyber" program.

  • Attendees included the Federal Trade Commission, the Department of Energy and other government offices, as well as Amazon, AT&T, Google and more.

Five nongovernment attendees told Axios that, while they praise the White House for convening such a discussion, they walked away with few definitive answers about what the program will look like or who will run it.

  • Lingering questions include whether the program will be mandatory and how exactly the label will measure device security.

Details: The White House shared its own "straw-man" model for how it envisions the program working, according to two people in attendance.

  • The National Institute of Standards and Technology (NIST) would hypothetically publish a set of standards for what factors the rating system would rely on, according to one source at the meeting.
  • A third-party licensing body, not yet created, would then use NIST's standards to rate products. The government would oversee the program, while the FTC would be the enforcement muscle, the source added.
  • At the meeting, discussion groups covered the government's potential role in this program; ways to make this label effective and improve device security; building consumer awareness about the label; and appropriate enforcement mechanisms.

Between the lines: Given the quick timeline, attendees who spoke with Axios anticipate the White House will make only small tweaks to its plan and will lean heavily on the presented research to answer lingering questions.

  • "They don't usually put something on the table without it being baked," a source at the meeting told Axios.

What's next: Justin Brookman, director of tech policy at Consumer Reports and another meeting attendee, told Axios that the White House estimated they'd have feedback within the next six to eight weeks.

  • A senior administration official told reporters that the White House plans to bring an updated proposal to both government and industry stakeholders soon before the administration settles on the initial scope of the program this spring.
  • However, some attendees said they weren't aware of the spring timeline until they read it in the administration's public statement released on Thursday.

2. Consumers eager for a new cyber IoT label

Data: BlackBerry's Cyber IoT Device Labeling Survey; Chart: Axios Visuals

Pursuing an "Energy Star" program measuring the cybersecurity of a smart device could solve a fundamental problem facing manufacturers: consumers don't trust the security of their internet-connected products.

By the numbers: Fewer than 10% of U.S. adults in a new BlackBerry survey said they believe robot vacuums, smart refrigerators, smart air purifiers, smart ovens, pet cameras and autonomous vehicles are safe from cyber threats.

  • Only one in five adults thought smart speakers are safe from cyber threats, the highest-ranked device among the 10 included in the survey.
  • 80% of adults said a cybersecurity "star rating" system would make them feel safer while using an internet-connected device.

Why it matters: Many companies have raised questions about whether consumers would be willing to pay more for devices that are considered more cyber safe, said Yuvraj Agarwal, one of the Carnegie Mellon University researchers behind the school's cyber label program.

  • But, per BlackBerry's survey conducted last Friday, 64% of adults say they're prepared to pay more for a device that has been rated as having the highest cybersecurity "star" rating.

Yes, but: Just like those who attended the White House's meeting this week, U.S. adults are split on what role the government should play in this effort.

  • 50% said they think the U.S. government should be in charge of overseeing required cybersecurity and privacy standards for IoT devices.

3. Texas sues Google over data collection

Illustration: Annelise Capossela/Axios

Texas Attorney General Ken Paxton sued Google on Thursday for allegedly collecting biometric identifiers without user consent, Axios' Ashley Gold reports.

Driving the news: The lawsuit alleges Google "has collected millions of biometric identifiers, including voiceprints and records of face geometry, from Texans through its products and services like Google Photos, Google Assistant, and Nest Hub Max," per a release from Paxton's office.

  • That's a violation of a Texas law governing biometric identifiers, which bars capturing a person's biometric identifiers for a commercial purpose without first informing them and obtaining their consent, Paxton argues. Violations can incur civil penalties of up to $25,000 each, and the lawsuit alleges "millions" of Texans have been affected.

The big picture: As tech giants push into markets like smart security systems and voice assistants, they find themselves in the crosshairs of state-level laws governing biometric privacy, including similar measures in Washington state and Illinois, where Clearview AI recently settled with the state over alleged violations.

What they're saying: "Google’s indiscriminate collection of the personal information of Texans, including very sensitive information like biometric identifiers, will not be tolerated," Paxton, who's made fighting Big Tech a political priority, said in the release.

The other side: "AG Paxton is once again mischaracterizing our products in another breathless lawsuit," said José Castañeda, a Google spokesperson. "We will set the record straight in court."

Flashback: Paxton sued Meta in February using the same law over its now-discontinued practice of using facial recognition for photo tagging.

  • In Illinois, where state law allows individuals to sue companies, one suit against Google resulted in a $100 million settlement. The Texas law does not allow individuals to bring suit, only the attorney general.

4. Catch up quick

@ D.C.

🚂 TSA rolled out mandatory cyber requirements for freight and passenger rail systems. (Cybersecurity Dive)

💻 The Biden administration is eyeing potential export controls limiting China's access to quantum computing and artificial intelligence software. (Bloomberg)

🪙 Victims of a 2016 hack at the Bitfinex crypto trading platform are still waiting for the U.S. Justice Department to return the recovered funds to them. (CNBC)

@ Industry

👀 New documents indicate a team at TikTok parent ByteDance planned to use data collected in TikTok to track the location of some U.S. citizens. (Forbes)

📉 Analysts are preparing for a period of rapid consolidation in the cybersecurity market as the market slows down. (Wall Street Journal)

@ Hackers and hacks

✉️ Security experts are urging corporate and government network operators to stop running on-premises Microsoft Exchange servers, which have been a recurring source of exploited vulnerabilities. (Wired)

🤷🏻‍♂️ Microsoft said an unspecified amount of customer information was recently left exposed due to a server misconfiguration, but it's unclear how many customers were affected. (Protocol)

👾 Researchers are connecting the new Ransom Cartel ransomware gang to the defunct REvil gang, which was behind last year's attacks on JBS Foods and Kaseya. (BleepingComputer)

5. 1 fun thing

Screenshot: @CISAJen/Twitter

Today is also #ShareTheMicInCyber's annual campaign day, where high-profile cyber professionals partner with Black cybersecurity practitioners to share their stories and uplift them in the industry.

  • Throughout the campaign, practitioners will take over the accounts of high-profile folks, including CISA Director Jen Easterly and National Cyber Director Chris Inglis, for the day.

☀️ See y'all on Tuesday!

Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.

If you like Axios Codebook, spread the word.