IPVM Advocates Disclosing Made in China on US Cyber Trust Mark

Published May 29, 2024, 14:45
PUBLIC - This article does not require an IPVM subscription. Feel free to share.

IPVM urged the FCC to require vendors applying for the new US Cyber Trust Mark cybersecurity standards label to disclose any software originating in "high-risk countries" like China, Russia, Iran, or North Korea, or be barred from the program, and shared our view that "manufacturers are bluffing with warnings of low participation" due to such standards.


Our position is that companies that "cannot confidently attest...basic information about the makeup of their products and their supply chains" should not be eligible. IPVM also supported an exemption for open-source under a narrow definition we proposed.

The US Cyber Trust Mark program hopes to be a major new source of information for digital product end-users. Like USDA beef grades, it can help buyers select a level of quality that they could otherwise not assess, in this case for cybersecurity.


The comment, filed on May 24, 2024, is copied below and publicly available on the FCC's site. It replies to initial comments on the FCC's proposal filed a month earlier - including our own - by industry organizations, corporations, and think tanks.


Below is an abbreviated version of the comment filed with the FCC:

Re: Cybersecurity Labeling for Internet of Things, PS Docket No. 23-239

In crafting these rules, FCC Commissioners and staff should contemplate whether they themselves would feel confident in relying on the US Cyber Trust Mark to select products for their own homes and families. This is the rubric by which the Program will succeed, and the FNPRM passes muster.

We believe manufacturers are bluffing with warnings of low participation wrought by high standards, or by a requirement that false declarations may have legal consequences. The FCC should recognize it has tremendous power to shape this Program as it sees fit. Corporations will participate because they know that many of their competitors will; a mark conveying US government trust, given tremendous public anxiety around cybersecurity, will be a significant competitive advantage. Manufacturers are hoping the FCC will blink, but we assess they will participate either way, and change their practices if the FCC is bold enough to require it.

Conversely, the Mark cannot deliver for our increasingly cybersecurity-conscious public, or for national security, if it is watered down with weak requirements favoring lethargic private interests, as some comments request. Success requires public confidence above all other considerations. The Mark is only as meaningful as the standards it requires; if the FCC’s standards are lacking, so too will be public confidence. Will the public really have confidence in a program that certifies trust for software built in North Korea, Iran, China, or Russia?

Specifically, the Commission should adopt the proposed country-of-origin disclosures, a fundamental necessity, and exclude products with high-risk country software or updates. However, fair points have been made about the practical limitations of such disclosure for open-source software. We believe the Commission should adopt an exemption from country-of-origin disclosures that is carefully crafted to avoid loopholes, as we propose.

I. The Commission Can and Should Go Beyond NIST Standards

If the US Cyber Trust Mark Program is to effectively protect consumers and national security, it cannot ignore the specific problems raised by equipment or components originating from high-risk countries. IPVM fundamentally disagrees with arguments made by CTIA, NEMA, and USTelecom that the FNPRM’s proposed restrictions on products from high-risk countries exceed their preferred scope of the labeling program. They point to NISTIR 8425 standards that contributed to the program’s formulation, which do not mention high-risk countries.

Such comments suggest that the Commission has neither the ability nor mandate to build on NIST’s work, when the opposite is clearly true. The Commission is particularly well-positioned to build upon NIST’s work by addressing software from hostile countries given its history of successful national security policymaking, such as the equipment authorization program’s restrictions on covered entities, and practical experience with high-tech industry. In other words, if the Commission can address problems, it should. Protecting cybersecurity is not an exercise in deference to the work of other agencies.

Indeed, the Communications Act empowers the Commission to “regulat[e] interstate and foreign commerce in communication … for the purpose of the national defense.” [emphasis added] Furthermore, the Commission is an independent agency with its own national security mandate and should not be expected to always align with agencies such as NIST.

Courts have affirmed that mandate. The US Court of Appeals for the District of Columbia Circuit ruled in April 2024 that “[w]e cannot second-guess the FCC’s judgment that allowing China to access this information poses a threat to national security.” Yet commenters “second-guess the FCC’s judgment” that high-risk country manufacturing and software development “poses a threat to national security” and question the Commission’s right to regulate such activity. They further imply that NIST is better positioned to make such judgments, when that is clearly a job for the Commission. We contend that the veiled crux of their concern is that reliance on China is profitable in the short term, but so is a mark of US government trust, and they wish to have both.

By not addressing the considerable cybersecurity threats associated with high-risk countries, the FCC risks not only disregarding an important issue, but also undermining the labeling program’s ability to promise “Cyber Trust.” The public will understand that if North Korea, Iran, Russia, or China could be writing software in “trusted” products, the label is meaningless. The public recognizes why and how these countries pose a risk amid regular cyberattacks covered widely in the media, and stark public warnings.

Regarding China, as we argued in our comment:

All PRC companies are subject to the CCP’s national security whims, like the National Intelligence Law requiring private sector cooperation with intelligence gathering efforts. Knowing whether devices, their software, or their components originate from the PRC is clearly relevant to the cybersecurity interests of American consumers and the federal government.

CTIA and NEMA also assert that the FNPRM’s proposed restrictions are unnecessary because the labeling program “is not designed to eliminate all risk, nor can/should it be used to try to address every cybersecurity and national security concern present across the connected ecosystem” and that the program “cannot indicate that a product is 100 percent secure.”

These inane points could be made about any aspect of the labeling program. Obviously, no scheme can guarantee cybersecurity or address every possible security concern. But that is no reason for the Commission to omit important proposals it has already drafted. This is akin to concluding that because no rules would seek to prevent all possible injury in all possible car accidents, that seatbelts are gratuitous. Just as seatbelts enhance but do not ensure passenger safety, the proposed restrictions on equipment and components originating from high-risk countries will improve IoT cybersecurity even though they cannot guarantee it.

II. Disregard Comments re: Purported Manufacturer Disincentives

The FNPRM’s proposed requirement for vendors to disclose country-of-origin information under penalty of perjury is an appropriate move that would strengthen US cybersecurity given endemic deception about such information. The Commission should disregard concerns from commenters like Aspen Digital, ITI, and NEMA that doing so would disincentivize manufacturer participation.

These concerns are not well-founded. Fundamentally, this is a question of whether companies know or choose not to know basic information about the makeup of their products and their supply chains. If a company cannot confidently attest that either (a) it does not use software developed or deployed by a high-risk country or (b) it is not aware of “any backdoors or other sabotage,” it is clearly unqualified to attest to the security of its products and should be ineligible for the program. The Commission cannot incentivize vendor participation by pandering. As we argued in our comment, requiring such disclosure under penalty of perjury is an effective way to tackle country-of-origin concerns:

Requiring such an affirmation is sensible in light of the unique risks raised by high-risk countries of origin, which are particular to that national origin, not just generally associated with it. Companies located in high-risk countries like the PRC can face national imperatives – and even be legally required, as under the National Intelligence Law – to cooperate in intelligence-gathering efforts. When such companies sell products featuring backdoors or other sabotage risks, those products provide potential unauthorized access points from which a high-risk government could intercept or extract information. Requiring the proposed affirmation would strengthen consumer and government confidence that products bearing the US Cyber Trust Mark are not at heightened risk of foreign data seizure.

It is telling that Whirlpool, a major manufacturer of consumer IoT goods, broadly supported the FNPRM and called for the Commission to “ensure that consumers have access to important information, including:”

  • Whether the software and/or firmware in their IoT product was developed, or could be developed, in a high-risk country;
  • Whether their products could be at any risk of hidden vulnerabilities from software and/or firmware from these countries; and
  • Whether the data collected by their IoT products is at risk of being transmitted to or stored in a high-risk country, or whether there is a possibility for a high-risk country to obtain their data or even remotely control their product.

The Commission’s goal should not be to recruit as many manufacturers as possible while turning a blind eye to the dangers associated with high-risk country manufacturing and software development. The goal should be to create a trusted label, not a marketing badge. In any case, it is positive to create a commercial incentive for companies to (a) better understand their supply chains and (b) potentially re-route manufacturing and development away from high-risk locations like the PRC.

Watering down the Commission’s standards would be a win for companies that believe that understanding their own supply chains is unimportant, but it would be a loss for consumers and US national security.

III. Country-of-Origin Should Be Dispositive

Commenters like Aspen Digital, USTelecom, and TIC Council argued that country-of-origin should not by itself disqualify products from participating in the labeling program.

We disagree. Cybersecurity concerns associated with high-risk country software development and data storage are so considerable that they should be dispositive. Along with the variety of specific cybersecurity concerns raised elsewhere in this comment and extensively documented by the US government and in the public domain, we pointed in our comment to:

a long history of hackers from the PRC and other high-risk countries stealing sensitive US data. The US is hard-pressed to take proper regulatory measures to counter such theft by these companies because they operate in jurisdictions that tend not to recognize or enforce US laws. For instance, PRC companies have routinely stolen intellectual property from the US without significant consequence, often with tacit or direct support from the PRC government. With sensitive data theft a strategic imperative for high-risk countries like the PRC, the US cannot expect to have better luck with cybersecurity.

The Commission’s proposal to broadly exclude equipment here would address risks and create a commercial incentive to relocate operations, potentially pushing some manufacturers to move activities to jurisdictions that are more aligned with US interests. That would be a major victory.

IV. Exempt Open-Source Software From Required Disclosures of High-Risk Country Development

IPVM supports protecting and informing Americans who rely on the label by requiring disclosure of software developed in or updated from high-risk countries. However, we acknowledge that vendors may not be able to affirm the origin of open-source software components in every case, as raised by CTA, CTIA, NEMA, TIC Council, and USTelecom.

Open-source code offers the advantage of public scrutiny - among the most effective means of discovering vulnerabilities - and its use should not necessarily disqualify applicants who cannot attest to its origins with full certainty.

The Commission’s final rules can make reasonable allowances here, but they should not – as some commenters suggest – make the perfect the enemy of the good. Applicants can and must attest to the origin of all code that is not open-source.

The Commission could adopt a narrowly-defined exemption for attestations regarding open-source code but otherwise retain the requirements as drafted. Such an exemption is justified by the practical and cybersecurity benefits of open-source software, including its transparency and the security facilitated by community review. For instance, in the xz Utils example cited by TIC Council, a third-party researcher discovered a potentially devastating backdoor in time to prevent serious repercussions.

To protect against any exemption becoming a loophole to origin disclosures, and to ensure the FCC is not burdened with making determinations as to what qualifies, the Commission should adopt a tight definition of “open-source software” as software that is stored and publicly available in a widely-used repository, has not in any way been created by or for the applicant, and has not been in any way modified by or for the applicant. The latter requirement is critical as open-source code loses the advantage of community review when modified, and applicants should know and disclose if such modifications occurred in a high-risk country.

Specifically, we propose the following definition:

Open-source software. Software published in a global, publicly accessible repository without restriction on review by any third parties, which is deployed in systems without modification. Such software does not include anything specifically developed by or for the US Cyber Trust Mark Program applicant, or any business partner, subsidiary, or affiliate of the vendor. High-risk country modifications of open-source software are subject to disclosure requirements.
