Several weeks ago, the Federal Communications Commission (FCC) embarked on one of the most far-reaching regulatory gambits in its 90-year history. It is formally known as a Notice of Proposed Rulemaking in the matter of Cybersecurity Labeling for Internet of Things, Docket 23-239. The FCC offers ICT product developers the use of its FCC-trademarked Cyber Trust Mark on their products in exchange for accepting open-ended Commission cybersecurity jurisdiction and a potentially vast new cybersecurity regulatory regime that has significant global implications and is antithetical to the Zero Trust Model strategy. The scheme relies on a NIST advisory that includes 64 initial mandated requirements with certification lab review, many of them very costly if not impossible to achieve.
The proceeding also raises an array of significant concerns about transparency and the way it is going forward. The concerns include the Commission’s choice of jurisdictional device and the security model being used, the potentially enormous scale and cost with minimal benefit to consumers, the adverse impacts on technology innovation, and the duplication of similar mature implementations that already exist. Three outstanding examples of the last concern are the ETSI standards prepared and evolved by industry that implement the EU IoT equivalent, the CTIA industry labeling scheme that implements both the ETSI and NIST standards, and the Cloud Security Alliance (CSA) IoT security framework, all discussed below.
The FCC comment period has been extended to 6 October 2023.
The FCC began its existence as an essential radio regulatory agency almost a century ago, and its complex authority derives primarily from this role. Its authority to regulate in the non-radio computer communications domain has been generally constrained both by legislation and policy choice dating back to the three Computer Inquiries beginning a half-century ago that focussed largely on competitive and strategic technology considerations, and the reality that the actual security expertise exists at the National Security Agency (NSA) which went public in 1967 as to what was feasible and worth pursuing, and what was not. I was personally part of the FCC staff dealing with the latter two Inquiries.
This new proceeding is essentially the first time the FCC has ever broadly attempted to assert jurisdiction over computer device cybersecurity. It does so in a curious manner, occupying two and a half pages with citations and analysis of the outer boundaries of its radio device authority. The jurisdictional device the FCC uses is clever, although problematic. It argues that because almost every network product and device has a radio interface or can cause radio interference, the Commission can hypothetically stretch the radio jurisdiction rubber band to encompass the entire world of digital element cybersecurity.
The FCC attempts to sweeten its assertion of authority by noting that its rules are voluntary because the action is only for obtaining a consumer confidence label on products, and it is simply helping NIST implement some of their generic IoT security guidelines. The reality of what is being rolled out is quite different.
One of the most significant concerns about the NPRM is the failure to disclose the rather fundamental choice of security model the Commission is making. The FCC is basically adopting a Common Criteria (CC) scheme using an extensive array of relatively onerous, extensible product conformance standards derived from a NIST advisory with conformance evaluations by undefined CyberLabs. The development of the CC model was initiated in the early 1990s among several national security agencies in North America and Europe and expanded to other countries in the pre-Internet era to provide for a more open communication security equipment market among the participating countries. The model rests on a largely discredited belief that a combination of common a priori technical standards and certification laboratories would satisfy the cybersecurity needs for the partners in enabling a more global market.
The pursuit of the scheme three decades ago was especially ironic because the RAND-NSA analysis in the mid-1960s indicated rather definitively that such schemes were a waste of resources, could not eliminate vulnerabilities, and deflected from the need to implement other capabilities, notably controls, including penetration testing. Whatever marginal value the national security communities saw in a CC model in the early 1990s for communication devices among themselves, quickly disappeared in the reality of endless formal standardisation meetings attempting to gain a consensus among all the parties on detailed equipment specifications and certification processes for technologies and services changing every day, and ultimately provided no significant security benefits. That the model is now being applied to the vast public Internet device and service product market makes little sense.
However, a politically strong combination of vintage nation-state standards bodies and certification laboratories entered the cybersecurity business two decades ago to pursue the large potential revenues from standards and certification sales and promoted the CC scheme for the entire universe of ICT product cybersecurity. These cross-subsidized heritage bodies emerged from a world of conformance with relatively static and simple machine screw and electrical plug specifications and saw their methods somehow applicable to the enormously complex cybersecurity ecosystem. The scheme was accepted by the EU three years ago in the form of the EU Cybersecurity Act, and now potentially the FCC in the form of the new NPRM.
The regulatory regime in the NPRM is almost identical to the EUCC scheme adopted in Europe, which is the basis for a similar label scheme and QR code. The EU has recently gone significantly further with the CC model in drafting a Cyber Resilience Act that has far-reaching consequences. The potential for regulatory creep by the FCC, similar to what is occurring in the EU, is concerning.
Even more paradoxical, the U.S. national security community, together with industry, has adopted a fundamentally different if not diametrically opposed approach known as the Zero Trust (ZT) Model. It is the core strategy adopted by the Executive Office of the President, recommended by NSTAC, and being pursued rapidly by CISA and NSA in multiple venues, including major industry international standards bodies. The ZT Model has also been adopted by multiple other national security agencies globally, and a related workshop among key players was recently held by the International Telecommunication Union’s Security Standards group in Korea.
The ZT Model eschews the CC Model and assumes that all IoT and other digital elements are inherently untrustworthy the moment after they are powered up, with required cybersecurity risk levels determined by the application context, available resources, and sets of controls. The model recognizes the basic tenets articulated by NSA Chief Scientist Bernard Peters at Atlantic City in 1967 and subsequently approved among the U.S. national security community in 1970. Yet inexplicably, the Zero Trust Model, the associated U.S. strategy, and all the related contemporary cybersecurity developments are not even raised in the NPRM.
The FCC in Appendix A of the NPRM enumerates a total of 64 requirements in ten clusters with no apparent concept of the feasibility, efficacy, or costs. It attempts to justify the requirements by inserting a “cybersecurity utility” sentence for each of the ten clusters.
IoT and other digital products today are highly varied, their security requirements are highly contextual, and their security status is ephemeral. Even in the relatively simple world of national security digital products of the 1960s, NSA’s Peters noted that a priori certification of products was difficult and had minimal value.
The 64 initial FCC prescriptive requirements are simply a collection of best practices—many of them generic, abstruse, potentially enormously costly, and necessarily weighed against impediments to innovation and market entry. Indeed, even changes to improve the security of a product would invoke a need to run through all the requirement processes again.
Almost none of the requirements would apply to all products. A few are basically impossibilities, such as “to ensure the IoT product and its product components are free of any known, exploitable vulnerabilities.” Most requirements provide capabilities that would not be implementable by most users. The distribution of the requirements among the clusters is heavily skewed in the direction of bureaucratic processes with 28 documentation requirements, many of which would be impossible to comply with.
The implementation of the EUCC has itself been problematic, but a sage choice was made by the European Commission to look to ETSI’s industry cybersecurity committee to prepare the harmonised IoT normative standard for requirements, known as EN 303 645, and a companion standard for conformance assessment, both of which have been refined over the past four years. Compared with the FCC’s NPRM Appendix A requirements, those prepared by ETSI industry experts are focused on capabilities that have actual potential value for consumers, with very flexible, less onerous impact on product vendors and minimal bureaucratic overhead.
| Count | FCC NPRM IoT requirement cluster | Count | ETSI EN 303 645 IoT requirement group |
|---|---|---|---|
| 2 | Asset Identification | 1 | Reporting implementation |
| 2 | Product Configuration | 5 | Passwords |
| 2 | Data Protection | 3 | Managing vulnerability reports |
| 6 | Interface Access Control | 16 | Software updates |
| 2 | Software Update | 4 | Storing sensitive security parameters |
| 1 | Cybersecurity State Awareness | 8 | Communication security |
| 28 | Documentation | 9 | Exposed attack surfaces |
| 2 | Information and Query Reception | 2 | Software integrity |
| 10 | Information Dissemination | 3 | Personal data security |
| 9 | Product Education and Awareness | 3 | Outage resilience |
| | | 1 | Telemetry data analysis |
| | | 4 | Consumer ease of data deletion |
| | | 3 | Ease of device installation and maintenance |
| | | 1 | Input data validation |
| | | 5 | Consumer data protection |

The FCC column totals the 64 requirements enumerated in Appendix A across its ten clusters.
The bureaucratic overhead considerations are significant. The FCC’s label requirements extend not only to product vendors but also to the ancillary accreditation, conformance, and enforcement processes that overlay the scheme. In the NPRM, Section C, discussing oversight and management of the program, occupies nine pages; Section D, treating the development of cybersecurity criteria and standards, occupies eight pages, and Section E, on administering the labeling program, occupies seven pages. The NPRM proposes an “IoT registry”—potentially for all the digital products in the world. Those participating in the scheme are being required to fund the bureaucratic construct with diverse imposed fees. Proposed enforcement would include a sweeping array of new policing and investigative powers.
Lastly, and perhaps most importantly, the actual benefits to end-user customers of the FCC’s a priori CC regime are not only not demonstrable but have largely been shown over many years to be unmanageable and to yield minimal real benefits compared to the a posteriori controls widely used by the cybersecurity community, which produce measurable cybersecurity improvement.
The NPRM largely ignores international and extraterritorial considerations and concerns beyond noting that there is some other similar activity occurring in other jurisdictions and some form of mutual recognition may be necessary.
The FCC’s IoT scheme also does not scale—given the potential for 192 other nations developing similar schemes. The only attempt to pursue a global solution was undertaken under the Common Criteria Recognition Agreement (CCRA) which the NPRM ignores, and which has not proven successful even among a small closed community, for a limited set of products, over many years.
A significant, rapidly growing problem today is the emergence of cybersecurity regulatory proceedings driven by efforts to expand jurisdiction, authority, government institutional roles and processes, believing that magical standards and certifications solve cybersecurity challenges. Subject matter experts who understand what actions are feasible, effective, and judicious—and largely exist in the industry—are lacking in the regulatory proceedings. Indeed, knowledge of the rather diverse global ecosystem of cybersecurity bodies which has emerged over the past two decades is also lacking. No entity has the competence anymore to understand all the cybersecurity requirements, capabilities, and solutions for IoT and other digital products.
The ITU-T has tracked and recognized the challenge, including the problem of certification schemes. Mystifying is the failure of the NPRM to recognize a major elephant in the IoT room: the existence in the U.S. of the CTIA IoT certification program. It is not known how many products have been certified, but the CTIA initiative is comprehensive, even certifying products under the ETSI IoT standard. The Commission’s failure to recognize an existing, established IoT labeling program run by the largest industry wireless organization, and the potential harm to its efforts, is concerning.
Indeed, the efforts of an extensive array of diverse industry security standards and bodies that have produced effective embedded IoT solutions are diminished by the NPRM’s approach. Large legacy standards and certification bureaucracies cannot begin to deal with the technology and cybersecurity dynamics now in play. One of the more obvious examples in the NPRM was the failure to even mention one of the most fundamental ICT transitions underway today—virtualisation of products and services in cloud data centres. Here, industry bodies like the Cloud Security Alliance (CSA) have long taken the lead with its freely available IoT Security Controls Framework and extensive array of conformance platforms.
Perhaps the most significant NPRM collateral damage is to technology and security innovations that could be stymied by the Commission’s efforts to advance its huge, bureaucratic labeling scheme. This was one of the principal reasons why the Commission staff responsible for Computer II recognized the institutional limits and refrained from significantly regulating technology where it had no competence.
Every company and organisation concerned about cybersecurity, regulatory overreach, innovation, and misdirection, including Congress, other Federal agencies, and offshore allies, should express their views in this proceeding. The Commission needs to revector to a Zero Trust Model. The companies from around the world that participated in developing and evolving the ETSI IoT standards over the past several years are especially relevant. Anyone can easily file using the FCC Comments site.
Disclaimer: The views expressed in this article are solely those of the author, who has worked as an engineer-lawyer in the regulatory, strategic analysis, and technical standards fields for sixty years and should not be attributed to any organisation in which he works or participates.