Can FCC’s IoT Security Program Survive Its Own Investigation?

As the U.S. government pushes forward with initiatives to secure Internet-of-Things (IoT) devices, the U.S. Cyber Trust Mark program has emerged as a cornerstone of this effort. Today, we’re joined by Rupert Marais, our in-house security specialist with deep expertise in endpoint and device security, cybersecurity strategies, and network management. With years of experience navigating the intersection of technology and policy, Rupert is uniquely positioned to shed light on the challenges and opportunities surrounding this program, especially in light of recent developments at the Federal Communications Commission (FCC). In this conversation, we explore the goals of the Cyber Trust Mark initiative, the impact of leadership changes and ongoing investigations, and the broader implications for cybersecurity and consumer trust in connected devices.

Can you walk us through what the U.S. Cyber Trust Mark program is and why it’s such a big deal for IoT security?

Absolutely, Sebastian. The U.S. Cyber Trust Mark program is essentially a government-backed certification designed to improve the security of Internet-of-Things devices—think smart thermostats, cameras, or even connected appliances. It was created because, for years, many IoT products have been shipped with glaring security flaws, making them easy targets for hackers to build botnets or launch cyberattacks. The idea is to give consumers and businesses a clear, trustworthy label that shows a device meets certain security standards, like data protection or secure default settings. It’s meant to create a “race to the top” among manufacturers, encouraging them to prioritize security while helping buyers make safer choices. It’s a big deal because it could fundamentally shift how security is valued in this space.

How has the recent change in FCC leadership influenced the rollout of this program?

Well, the program was launched with a lot of momentum during the previous administration, but the transition to a new FCC chairman has introduced some turbulence. The new leadership has taken a harder stance on national security concerns, particularly around ties to foreign entities, which has slowed things down. We’re seeing delays in finalizing testing standards and getting the certification process up and running. The shift in priorities at the top has created uncertainty about how quickly—or even if—the program will move forward as originally planned. It’s a reminder of how much political changes can impact technical initiatives.

What can you tell us about the FCC’s investigation into the company chosen to oversee this program?

The FCC is currently looking into UL Solutions, a long-established testing firm based in Illinois, which was selected to be the lead administrator for the Cyber Trust Mark program. The investigation centers on UL Solutions’ connections to China, specifically a joint venture with a government-owned entity there and the fact that they operate labs in the region. While details are sparse, the concern seems to be whether these ties could pose a security risk or allow undue influence over the certification process. UL Solutions was chosen because of their extensive experience in testing and certification across industries, but this probe has raised questions about their role. So far, they’ve emphasized their commitment to transparency and integrity but haven’t detailed specific responses to the investigation.

What risks do you see if this investigation stretches on for too long?

A prolonged investigation could have a ripple effect. First, it risks eroding consumer trust in IoT devices—if people don’t see a reliable security label soon, they might assume nothing’s being done to address vulnerabilities. Second, it could discourage manufacturers from participating. Companies need certainty to invest in meeting certification standards, and endless delays might make them question whether it’s worth the effort. On a broader scale, this could stall progress in U.S. cybersecurity, leaving us more exposed to threats from poorly secured devices at a time when cyberattacks are only getting more sophisticated.

Why do you think some experts and former officials are skeptical about the FCC’s approach to this investigation?

There’s a fair bit of frustration out there. Some experts and former officials feel the investigation is overreaching or poorly timed, especially since the program had bipartisan support and went through rigorous legal and public review processes. They argue that focusing on UL Solutions’ ties to China—particularly just a joint venture—might be overblown unless there’s concrete evidence of wrongdoing. There’s also concern that this could derail a critical initiative for reasons that aren’t fully justified, especially given UL Solutions’ established track record in testing for safety and security across many sectors. It’s seen by some as more of a political move than a practical one.

How is the tech industry reacting to the Cyber Trust Mark program amidst these delays?

The tech industry has generally been supportive of the concept behind the Cyber Trust Mark—they see the value in a standardized security label, especially for building consumer confidence. However, the delays and uncertainty are testing their patience. Some companies are still eager to get on board, including major players in the IoT space, but others are weighing whether to commit resources while things are up in the air. Additionally, international pressures, like the European Union’s Cyber Resilience Act, are pushing vendors to prioritize security certifications globally, which might keep them engaged with the U.S. program despite the hiccups. It’s a mixed bag, but there’s still a lot of interest if the FCC can resolve these issues.

What do you think could be done to address the concerns around UL Solutions and get the program moving forward?

There are a few paths forward. One straightforward option is for UL Solutions to commit to conducting all testing for the program outside of China, which could alleviate concerns about potential interference or coercion. Another possibility is reevaluating or even ending their joint venture if it’s seen as a sticking point, though that’s a bigger decision. If the FCC remains uneasy, they could shift leadership of the program to another approved administrator, though that would likely cause further delays as the process restarts. The key is finding a balance between addressing legitimate security worries and keeping the program’s momentum alive.

What’s your forecast for the future of the Cyber Trust Mark program given these challenges?

I’m cautiously optimistic, Sebastian. The program addresses a real and urgent need for better IoT security, and there’s broad support from both industry and policymakers to make it work. However, its success hinges on how quickly the FCC can resolve this investigation and finalize the standards and processes. If delays persist, we might see a fragmented approach where companies turn to other certifications or international standards instead. My forecast is that we’ll see progress within the next year if there’s a concerted effort to mitigate concerns and prioritize rollout, but it’s going to require strong leadership and collaboration. The stakes are high, and I hope the focus stays on protecting consumers rather than getting bogged down in politics.
