Takeaways

The FCC adopted a Notice of Proposed Rulemaking to create an Internet of Things (IoT) cybersecurity labeling program that would help consumers make informed purchasing decisions and understand the relative safety and security of an IoT device or product.
In particular, the FCC is requesting feedback on whether receiving a cybersecurity mark under the labeling program would give a device maker a safe harbor from liability for cybersecurity incidents involving that device.
In Congress, the House Select Committee on the Chinese Communist Party wrote to the FCC with a series of questions to determine how the FCC can track Chinese-made modules that make up IoT devices and products, citing their concerns that the Chinese government may use this technology to spy on U.S. citizens or even control and shut down the IoT product itself.

Update: In a September 26, 2023 release, the FCC extended the comment deadline to October 6, 2023, and the reply comment deadline to November 10, 2023.

The Federal Communications Commission (FCC or Commission) has issued a Notice of Proposed Rulemaking (NPRM) to create a labeling program for Internet of Things (IoT) devices with comments due September 25, 2023, and reply comments due October 10, 2023.

Background on the FCC and IoT
IoT devices connect consumers to the larger network of the internet via their software, sensors and wireless connectivity. These devices range from home office routers and home security cameras to GPS trackers, garage door openers, baby monitors and smart televisions. While most of us have at least one IoT device in our home, these devices can be exploited and hacked, exposing us to criminals gaining access to the data stored on the device or taking control of the device itself. The FCC noted that in the first six months of 2021, more than 1.5 billion attacks were perpetrated against IoT devices.

IoT threats put public, private and critical infrastructure security and safety at risk, as reflected in the recent National Cybersecurity Strategy. The National Cybersecurity Strategy, released in March 2023, emphasized the need for IoT devices to be secured and encouraged the use of a labeling program to indicate which IoT devices are secure (e.g., devices that require complex passwords, receive regular security updates, encrypt their data and require authentication).

The FCC Notice of Proposed Rulemaking
Responding to the Administration's call to improve the country's IoT ecosystem, the FCC issued a Notice of Proposed Rulemaking on August 6, 2023. The NPRM proposes a labeling program for IoT devices and products that builds on the National Institute of Standards and Technology's (NIST) report, "Profile of the IoT Core Baseline for Consumer IoT Products," which identified key elements of a labeling program that would not be overly burdensome on industry but would help consumers identify safer products. The program would be voluntary, but any entity that joins would be required to uphold its standards. The label itself would be binary: a product either meets the standards and receives the mark or it does not; the mark conveys no graded security level. The NPRM proposes that the mark, accompanied by a QR code or URL through which consumers can learn what the mark attests to, would be placed on products and in advertisements by the IoT device maker to show that the device complies with the program's standards. The NPRM seeks comment generally on the FCC's proposal. Some highlights for public input are included below.

Definition of IoT for the Labeling Program
First, the FCC seeks to determine the scope of the labeling program and what types of products will be eligible to receive the mark. The Commission suggests the following definition of an IoT device: (1) an internet-connected device capable of intentionally emitting RF energy that has at least one transducer (sensor or actuator) for interacting directly with the physical world, coupled with (2) at least one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world. The proposed definition covers IoT devices, not IoT products more generally, where an IoT product is the IoT device together with any additional product components that are necessary to use the device beyond its basic operational features. On the scope of the program, the FCC seeks comment on the following questions:

  • Should the program be limited to devices which intentionally emit RF energy? Or should it be expanded to include incidental and unintentional radiators?
  • Should the definition be expanded to include IoT products so that the labeling program is more consumer friendly?
  • Does this definition account for other components that make IoT devices functional—for example, products that connect to an intermediary hub rather than directly to the Wi-Fi network?
  • Should the definition account for the product’s use in a business setting (such as a medical device) as opposed to exclusively consumer products?
  • Any entities that have been or will be placed on the Covered List (producers of communications equipment and services deemed to pose an unacceptable risk to U.S. national security) will not be eligible to participate in the program. To enforce the exclusion of products made by entities on the Covered List, should applicants be required to attest that they are not seeking approval for any covered product? How else might exclusion of these products be enforced?

Agency Oversight and Third-Party Administrators
The FCC seeks further comment on whether it, another regulatory body or a third-party administrator should operate the labeling program. The NPRM focuses on the need for industry and public sector coordination and collaboration. Considering this, the FCC recommends third-party entities serve as an important part of the administration of the program, either as assessors and auditors or in running the overall scheme. Regarding third-party administrators, the FCC proposes creating Cybersecurity Labeling Authorization Bodies, known as CyberLABs. The CyberLABs would be modeled after the Telecommunications Certification Bodies (TCBs), which currently certify radio frequency equipment based on testing for compliance with technical requirements. Entities would apply to be designated CyberLABs and must prove that they 1) have technical expertise in cybersecurity testing and conformity assessments; 2) have the necessary equipment, facilities and personnel to conduct assessments; 3) employ procedures for conformity assessments; and 4) will submit to occasional auditing to ensure they are complying with IoT security standards and testing procedures. 

In addition to requesting feedback on the proposed framework with third parties, the FCC seeks comment on the appropriate entity or entities to serve in the oversight and management of the labeling program. Specifically, the Commission asks:

  • Should the FCC oversee as well as manage the labeling program?
  • Should third-party administrators be tasked with certain responsibilities? How much responsibility can be assigned to third-party administrators?
  • Are there existing entities that are well positioned to convene and develop the IoT standards among stakeholders?
  • If the third-party entity was authorized to assign the mark to IoT devices, how should the FCC provide oversight of the entity so that the integrity of the mark is ensured?
  • Are there any types of IoT devices that should be allowed to conduct self-attestation rather than receive third-party assessments?

Standard Setting and Receiving the Cybersecurity Mark
The FCC proposes that the baseline cybersecurity standards for IoT will be informed by the NIST report criteria, which includes: (1) asset identification; (2) product configuration; (3) data protection; (4) interface access control; (5) software update; (6) cybersecurity state awareness; (7) documentation; (8) information and query reception; (9) information dissemination; and (10) product education and awareness. The FCC proposes that IoT security requirements and standards be developed through the following process:

  1. Collect information. The administrator will conduct research, consult with experts (such as existing standard setting organizations) and review existing standards.
  2. Establish requirements. The administrator will develop requirements that help meet the NIST baseline.
  3. Develop the standard. The administrator will create a document outlining the requirements to receive the mark.
  4. Review and improve the standard. The administrator will ensure that the standard is clear, comprehensive and testable.
  5. Implement the standard. Conduct training, testing and monitoring to ensure the requirements are satisfied. 

Applying the Cybersecurity Mark
Once standards are created, companies would have their products assessed to determine whether they comply with the requirements. Products that pass could carry the mark and a corresponding QR code that would tell the public what the mark means and what security requirements the product was assessed against. Approved products would also be listed in an IoT registry that the public can search. Any device also subject to the FCC's equipment authorization rules must satisfy those rules before it is eligible for the cybersecurity mark. Companies would have to apply for the mark annually; the mark therefore reflects compliance with the standard as assessed, not a guarantee that the product has no vulnerabilities. The application would carry a fee determined under the 2020 Application Fee Report and Order, as used by the TCBs. It is not yet clear whether receiving the mark would insulate a company from liability in the event of a cyber incident; the FCC is requesting comment on this issue.

Auditing
The FCC is concerned about ensuring the integrity of the cybersecurity mark and proposes auditing and enforcement procedures to bring companies participating in the program into compliance with the requirements and standards. For non-compliance, the Commission proposes a combination of enforcement procedures, including administrative remedies under the Communications Act and civil litigation for breach of contract or trademark infringement. In addition to general feedback on the proposed auditing and compliance process, the FCC included the following questions for public input:

  • Should third-party entities be allowed to perform random audits throughout the year? How many should they perform, and should they focus on certain kinds of products (perhaps on a risk-based approach)?
  • Should the FCC permit consumer complaints?
  • Should the FCC follow the ENERGY STAR model of disqualification procedures, which specify certain steps that companies must take in event of a disqualification but allows them an opportunity to dispute the assessment before the final decision is made? 

The comment deadline is September 25, 2023; reply comments are due by October 10, 2023.

The House Select Committee on the Chinese Communist Party
On August 7, Chair Mike Gallagher (R-WI) and Ranking Member Raja Krishnamoorthi (D-IL) of the House Select Committee on the Chinese Communist Party (Select Committee) wrote to FCC Chair Jessica Rosenworcel with a series of questions regarding the FCC's ability to track Chinese-made IoT modules and the potential risks those modules pose. The members were concerned about the way in which IoT devices could be remotely accessed and present opportunities for malicious use; specifically, that People's Republic of China (PRC)-based companies could, under the direction of the government, exfiltrate data from U.S. IoT devices and products or shut them down entirely. To demonstrate the implications of connectivity modules in IoT, they cited an example from the conflict in Ukraine, where tractors were remotely shut off after being captured by Russian forces. Underscoring their concerns about IoT, they asked the FCC chair:

  • Whether the FCC can track cellular IoT modules and if so, whether the FCC can share information about the number of PRC-based companies operating in U.S. networks;
  • Whether the FCC is concerned about the presence of PRC-based IoT modules operating on the U.S. network;
  • Whether requiring certification for modules would effectively prevent PRC-based modules from affecting the U.S. network; and
  • Whether the FCC needs additional statutory authority from Congress to address this concern.

In the letter, the members thanked the FCC for its work in adding equipment and services from other Chinese Communist Party companies to the Covered List, suggesting that leading Chinese cellular IoT companies could have their products added to the FCC Covered List to restrict their access to the U.S. market. They argued that doing so would not undermine U.S. telecommunications networks because U.S. and allied country companies offer alternative products.

This action is the latest in a flurry of activity from Congress addressing the relationship between the United States and China. The Select Committee held a hearing on the risks of doing business in China on July 13, 2023, and more recently sent letters to a number of companies seeking information on investments in China in order to inform its legislative efforts. Pillsbury expects more investigations from the Select Committee and action from Congress and can assist clients navigating global transactions and the legislative process.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.