The Biden administration said it will launch a cybersecurity labeling program for consumer Internet of Things devices starting in 2023 in an effort to protect Americans from “significant national security risks.”
It’s no secret that IoT devices generally have weak security postures. Weak default passwords have allowed botnet operators to hijack insecure routers to pummel victims with floods of internet traffic, knocking entire websites and networks offline. Other malicious hackers target IoT devices as a way to get a foot into a victim’s network, allowing them to launch attacks or plant malware from the inside.
As American consumers continue to fill their homes with more of these potentially insecure devices, from routers and smart speakers to internet-connected door locks and security cameras, the U.S. government wants to help educate them about the security risks.
Inspired by Energy Star, a labeling program operated by Environmental Protection Agency and the Department of Energy to promote energy efficiency, the White House is planning to roll out a similar IoT labeling program to the “highest-risk” devices starting next year, a senior Biden administration official said on Wednesday following a National Security Council meeting with consumer product associations and device manufacturers.
Attendees at the meeting included White House cyber official Anne Neuberger, FCC chairwoman Jessica Rosenworcel, National Cyber Director Chris Inglis and Sen. Angus King, alongside leaders from Google, Amazon, Samsung, Sony and others.
The initiative, described by White House officials as “Energy Star for cyber,” will help Americans to recognize whether devices meet a set of basic cybersecurity standards devised by the National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC).
Though specifics of the program have not yet been confirmed, the administration said it will “keep things simple.” The labels, which will be “globally recognized” and debut on devices such as routers and home cameras, will take the form of a “barcode” that users can scan using their smartphone rather than a static paper label, the administration official said.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
The scanned barcode will link to information based on standards, such as software updating policies, data encryption and vulnerability remediation.
The announcement comes after the White House last year ordered NIST and the FTC to explore two labeling pilot programs on cybersecurity capabilities for IoT devices. It also comes after the U.K. government last year introduced an IoT security bill in Parliament, requiring device manufacturers, importers, and distributors to meet certain cybersecurity standards.
Is the UK government’s new IoT cybersecurity bill fit for purpose?
