Cyber Trust Mark: The Impacts and Incentives of Early Adoption
2024-7-1 18:0:53 Author: securityboulevard.com

The internet of things (IoT) is at an inflection point. Years of high-profile cyberattacks, growing complexity and widespread adoption have left consumers weary and households vulnerable. Now, governments and standards bodies are stepping in. Around the world, several security and privacy initiatives for consumer IoT devices are in flight — most notably the Cyber Trust Mark in the United States.

A new era offers device makers an opportunity for new business, but not without cost. For example, Cyber Trust Mark certification will likely require manufacturers to certify devices against security standards like ETSI EN 303 645 and NIST IR 8425. Facing similar criteria from other international standards and regulations, it’s tempting to take a “wait and see” approach — especially with voluntary standards like the Cyber Trust Mark.

After all, what if consumers don’t embrace the new standard? What if other device makers reject certification and the program never reaches critical mass? Is all this legwork — searching for new vulnerabilities, disclosing potential issues, and remediating problems quickly — really worth it?

Those are reasonable questions to ask. However, the consequences of inaction may prove far more costly in the long run.

What is the Cyber Trust Mark?

The Cyber Trust Mark is a labeling initiative for consumer IoT devices in the United States that builds on work undertaken by the Federal Communications Commission (FCC) and the National Institute of Standards and Technology (NIST). It establishes data privacy and cybersecurity standards for connected devices.

The certification covers update mechanisms, incident detection pathways, data security and passwords. In addition to passing these tests, the program may require manufacturers to disclose how their devices collect and use data.

Early Adopters Can Close the Consumer Trust Gap

There’s a gulf in how customers and manufacturers perceive device security, and it’s getting wider. McKinsey recently reported that 60% of customers see security as a critical component of IoT devices — a sentiment shared by only 30% of device makers. Consumers want to make more informed decisions about the security and privacy of the devices they bring into their households. They just haven’t had that opportunity until now.

With users signaling their intentions and preferences, first movers can win new market share and differentiate themselves from an increasingly clogged field of competitors. Consumer devices are becoming increasingly commoditized. As a rash of low-cost devices floods the market, the absence of security-related standardization and transparency has hindered customer awareness. After all, anyone can claim a device boasts “world-class security” without backing it up. The Cyber Trust Mark, however, forces manufacturers to prove it. That’s bad news for companies that don’t invest in building safe, secure, high-quality products — and a huge opportunity for everyone else.

Retail Giants Tipping the Scale

Never underestimate the power of the free market. There’s a reason why every consumer product company wants to hawk its wares in major retailers like Amazon, Rakuten, Walmart and AliExpress. They’re epicenters of commerce.

But what happens when one of those major retailers starts restricting the types of IoT devices it sells? It’s not inconceivable that major retailers will make a Cyber Trust Mark label a prerequisite in the U.S., and this could kick off a race for certification. That would create a window of opportunity during which early adopters’ devices would be the only ones on shelves.

Retailers aren’t the only vendors who exert an outsize influence. App stores manage the other end of IoT, the mobile software services that control the devices. Even if retailers don’t act, there’s a real possibility that one or more of the major mobile app stores do. After all, it doesn’t matter how many stores stock a device if half the mobile phones in the world cannot configure or control it.

International Harmonization: The Great Accelerator

The Cyber Trust Mark program has garnered considerable support in the U.S., but it isn’t the only cybersecurity standard for connected devices. Similar efforts are underway in the UK, EU, Singapore, Japan and elsewhere.

However, while the certification is voluntary (for now), some regulations are not. For example, after April 29, 2024, all consumer IoT devices sold in the UK must comply with the Product Security and Telecommunications Infrastructure (PSTI) Act or abandon the market.

This presents issues for manufacturers. How do you sell devices across multiple international markets without having to run an array of region-specific certification and conformance tests? The answer lies in casting a wide net.

A good starting point is building a best-of-breed test plan encompassing the full breadth of IoT security standards like ANSI/CTA-2088-A, ETSI EN 303 645 and NIST IR 8425. These standards comprise the bulk of international security regulations. The final Cyber Trust Mark specifications are expected to draw heavily from the latter two. Testing devices against all three standards can make widespread international compliance a near-foregone conclusion while paving the way for early Cyber Trust Mark adopters.

Conclusion

Market inflection points are rare. No one wants to miss a cresting wave or bet on the wrong horse. However, history has long validated the unparalleled power of the purchaser’s purse. When coupled with the invisible hand of the free market, manifested through device and software retailers, it’s a near-unstoppable force.

At the same time, a surge of international regulations only serves to make the headwinds stronger. One or two countries standardizing device security could be construed as an anomaly. But concurrent efforts across four continents? That’s more like a movement.

No forecast can ever be made with 100% confidence. But all signs point to the Cyber Trust Mark and its brethren signaling a new era in device security. For customers, that’s something to believe in. For manufacturers, that’s a horse worth betting on.

Source: https://securityboulevard.com/2024/07/cyber-trust-mark-the-impacts-and-incentives-of-early-adoption/