IPVM Comments To FCC On Improving Cybersecurity

Published Apr 29, 2024 14:42 PM

IPVM submitted comments to the US Federal Communications Commission (FCC) on how it can best serve public interests and cybersecurity by enforcing supply chain transparency under the new US Cyber Trust Mark Program.


Established in March 2024, the US Cyber Trust Mark program awards labels to products meeting certain FCC cybersecurity standards. Like USDA beef grades, it is meant to help end-users make informed choices about product security, something that is otherwise difficult for buyers to evaluate. See our coverage for background.

IPVM's comment pertains to FCC proposals (see pg 81) to require that applicants disclose software and hardware origins and to prohibit labels for products from "high-risk countries" like PRC China.


We expressed support for these proposals generally, and presented several specific points for the FCC to consider.

First, IPVM suggested requiring disclosure of any "past failure to properly disclose or patch known critical vulnerabilities" or knowledge of the risk of "critical vulnerabilities that could go undisclosed or unpatched."

Failure to disclose vulnerabilities occurs often in the video surveillance industry, particularly due to the widespread practice of OEMing; vendors who refuse to disclose the true manufacturer of their products to buyers are less likely to then tell those buyers when vulnerabilities are found in those manufacturers' code, such as with Honeywell or ADI.

We also supported disclosure of software or components originating from "high-risk countries" like the PRC, explaining the risks and pointing to several instances in which end-users unwittingly purchased banned OEMed products, such as allegedly in the 2024 criminal case against Tamer Zakhary, and several occasions with federal agencies (e.g. 1, 2).

We anticipated that manufacturers or industry associations may object to required disclosures, arguing they impose burdensome supply chain investigations. But, as we explain, the FCC should view such objections as unreasonable:

For now, it may well be true that understanding the makeup of one’s supply chain is a complex task. But to the extent that vendors would be ‘burdened’ by the FNPRM’s proposed rules, it is a problem invented by their own willing – and often convenient – ignorance, not by the Commission’s justified interest in providing basic information to consumers.

Ultimately, collecting and disclosing the information contemplated by the FNPRM does not require scientific study or complex cryptography. Investigating supply chain origins is only challenging because agencies have not yet required it, and vendors have not cared...

The Commission will have helped solve a problem that companies have refused to solve themselves.

Finally, IPVM recommended that the FCC expand the US Cyber Trust Mark program to include wired devices. As currently implemented, the program applies only to devices with wireless capabilities, which excludes a significant proportion of video surveillance products.

We explained that, by not including wired devices, the FCC is missing its chance to impact the industry meaningfully and that the exclusion of wired devices is arbitrary. Both wired and wireless IP cameras are networked devices and face similar cybersecurity risks:

What should matter to the Commission is not wireless capability but networking capability. Expanding the labeling program’s eligibility to include wired IoT devices – or, at minimum, wired video surveillance equipment – would, as the Commission seeks, “provide consumers with easily understood, accessible information on the relative security” of surveillance products.

IPVM was one of 14 commenters and the only one from the physical security industry. The others were major industry associations, manufacturers, and civil society groups.

Most argued against the FCC's proposal despite expressing support for the cyber labeling program generally.

For instance, a joint letter from the Consumer Technology Association, National Electrical Manufacturers Association, Information Technology Industry Council, and CTIA (an initialism previously standing for the Cellular Telecommunications and Internet Association) expressed firm opposition, saying they are "gravely concerned" by the proposals:

We are gravely concerned that the proposals in the Further Notice of Proposed Rulemaking (“FNPRM”) could sidetrack implementation and undermine the clear and well-founded approach established in the Order... In addition to diverting focus from these critical implementation activities, the proposals in the FNPRM could undermine the approach set in the Order and deter participation in the Mark, without materially enhancing security or value for consumers.

Further, they argue that manufacturers may struggle to provide disclosures:

In many cases, manufacturers may find it cost prohibitive or even technically infeasible to provide these verifications due to the diverse, global nature of IoT products.

Others expressed full-throated support for the FCC proposals, like Whirlpool, a major US appliances manufacturer. Whirlpool submitted a concise 3-page letter endorsing each of the FCC's proposals, saying, "We believe consumers would benefit greatly from increased transparency around these questions."

Some commenters did not take a position except to advise that whatever the FCC chooses, it should balance the program's goals with its efficacy. Aspen Digital, part of the Aspen Institute, emphasized in its letter, "If it costs more for sellers to get the certification than it would benefit them, they won’t pursue it."

However, Aspen Digital also spoke to the core problem of poor information for consumers:

There is an information problem in the IoT market. In an ideal market, buyers and sellers have the information they need to know how much the product is worth to them. The consumer doesn’t have this information in the market for IoT devices: some companies have knowledge about their security that they do not share with the public; others have placed so little emphasis on security that they have no information to share.

IPVM will continue to update our reporting and advocate for improved cybersecurity.
