What does the "Measures for the Administration of Cybersecurity Labels" mean for the Internet of Things industry?
Recently, three departments including the National Internet Information Office jointly issued the "Measures for the Administration of Cybersecurity Labels" (hereinafter referred to as the "Measures"), which will come into effect on July 1st. In the past few years, countries and regions such as the United States, the European Union, Japan, and Singapore have vigorously promoted Internet of Things (IoT) security label systems, and the industry has called for a Chinese version of an IoT security label system to be established as soon as possible. Although the "Measures" are not specifically targeted at IoT products, IoT products account for a large proportion of products with Internet connectivity. To a certain extent, therefore, the release of the "Measures" can be considered a preliminary Chinese version of an IoT security label system, one that will further enhance the competitiveness of IoT products.
Consumer IoT products will be typical objects applicable to the "Measures"
The "Measures" point out that "products with Internet connectivity are applicable to these measures, and specific products are managed through a catalog." In November last year, the first batch of product catalogs for implementing cybersecurity labels was attached to the draft for comments of the measures. The consumer network-connected cameras included in the first batch of the catalog are typical consumer IoT products.
Most IoT products have Internet connectivity. Consumer IoT products in particular, as intelligent connected devices, are aimed at a very large consumer group; many such products have hundreds of millions or even billions of users. However, consumers do not have professional knowledge or capabilities in cybersecurity. Implementing cybersecurity labels in the consumer IoT field is therefore of great significance for protecting the legitimate rights and interests of consumers. In the future, a large number of products on the market, such as smart cameras, smart speakers, smart door locks, and smart home appliances, may be included in the scope of application of the "Measures".
Although the "Measures" do not yet include the specific product implementation catalog, an analysis of products with Internet connectivity shows that consumer IoT products currently account for a large proportion of them. It can therefore be said that the "Measures" are, in practice, a system for consumer IoT security.
The product trust system is designed with both international alignment and distinctive features
Previously, countries and regions such as the United States, the European Union, and Singapore have vigorously promoted their own IoT security label programs. Compared with these countries and regions, China's institutional design reflects both international alignment and distinctive features of its own.
1. The principle of voluntary participation, promoting product producers to improve security capabilities through consumers' "voting with their feet"
Article 3 of the "Measures" clearly states that the management of cybersecurity labels adheres to the overall consideration of development and security, and product producers participate on a voluntary basis. Product producers are encouraged to improve the network security capabilities of their products in accordance with these measures and mark cybersecurity labels. Consumers are encouraged to give priority to products marked with cybersecurity labels.
Adopting the principle of voluntariness ensures, to the greatest extent possible, that the system follows a market-oriented approach: it provides consumers with products that have better security performance, gives consumers more choices, forms a market selection mechanism of "high quality at a high price", further guides enterprises to increase investment in product security, and ensures the effective implementation of the system. This model aims to balance security and development, respect the autonomy of enterprises, and let the market allocate resources on the basis of transparent information.
The principle of voluntariness has also been adopted by many countries and has become a consensus. For example, the United States' IoT security label program is explicitly defined as a voluntary program: it relies on public-private cooperation, is supervised by the Federal Communications Commission (FCC), and is operated by a third-party label administrator. Because the program has received extensive support from leading manufacturers and key links in the industrial chain, however, it carries certain "quasi-mandatory" weight in the market.
In contrast, the European Union's cybersecurity label program is mandatory and is implemented mainly through the "Cyber Resilience Act" (CRA). The CRA requires all products with digital elements to meet cybersecurity requirements before being placed on the market and throughout their entire life cycle, and violators face high fines.
2. Grade classification based on technical standards to ensure implementation through classification
China's "Measures" establish a clear three-level classification system, namely the basic level (one star), the enhanced level (two stars), and the leading level (three stars), with different security requirements for each level. The basic level meets the bottom-line requirements of national standards (such as no weak passwords, vulnerability management, etc.); the enhanced level requires the product's cybersecurity capabilities to reach the advanced level of similar products; the leading level requires the product's cybersecurity capabilities to reach the leading level of similar products and, in addition, requires the product to pass penetration testing to verify its ability to resist high-level network attacks. This classification can accurately match the security needs and market positioning of different products.
The label carrier is managed transparently. The label must contain the filing information code, and consumers can scan the code to obtain detailed information such as the test report, key indicators, and the producer's compliance statement, which increases the information content and credibility of the label.
The "Measures" emphasize that the security requirements should be well aligned with current national and international standards, and should fully draw on the experience of other countries and regions in implementing cybersecurity label systems. Looked at horizontally, similar systems in relevant countries and regions also adopt quick information access and classification.
For example, the United States' IoT security label program also has a QR code on the label. Scanning the code can obtain detailed information such as the product's security support period and update strategy. Its standards are mainly based on the relevant guidelines of NIST (National Institute of Standards and Technology); Singapore's IoT cybersecurity label also uses a star (Tier) classification, from one star to four stars, with the security requirements increasing step by step. Higher-level products require testing by a third-party laboratory; while the European Union's CRA does not use star labels, but conducts compliance assessment through coordinated standards, classifies products by risk, and implements stricter conformity assessment procedures for important and critical products.
China's system is similar to Singapore's in its classification concept, but in its specific level definitions and requirements it focuses more on aligning with the domestic industrial level and national standards, and it explicitly requires the "leading level" to pass the more rigorous verification method of penetration testing. At the same time, the QR code traceability design is similar to the United States' practice in terms of information transparency and quick accessibility for consumers.
3. The implementation process and division of responsibilities for full-process supervision
An analysis of the supervision and management provisions of the "Measures" shows that China has constructed a full-process supervision system of "pre-filing - in-process supervision - post-accountability" with a clear division of responsibilities.
In the pre-filing stage, enterprises file online through the unified platform built by the filing agency, and the filing agency completes the formal review within 10 working days. The testing process is also relatively flexible: products at one or two stars can be tested by in-house laboratories or third-party institutions, while products at three stars must undergo mandatory third-party penetration testing.
In the in-process supervision stage, the National Cyberspace Administration, the Ministry of Industry and Information Technology, the Ministry of Public Security, and their corresponding local departments are responsible for supervision and inspection, and emphasize cross-departmental information sharing and coordination.
In the post-accountability stage, the circumstances under which a filing is revoked are specified in detail, and penalties are set for producers who violate the regulations and for testing institutions that issue false reports. Violations are also recorded in the national credit information sharing platform.
The "Measures" also clarify the requirements for collaborative vulnerability governance: when security vulnerabilities are discovered during testing, they must be reported and repaired in accordance with the "Regulations on the Management of Network Product Security Vulnerabilities", linking label management with the vulnerability management system.
By comparison, countries and regions such as the United States, Singapore, and the European Union adopt a similar pre-, in-, and post-process supervision system. Because the European Union's system is mandatory, it imposes stricter penalties for acts of dishonesty.
Internationalization work needs further improvement
Although the "Measures" form a complete system for label management, there are as yet no provisions on the management of security labels for exported products or for overseas products entering China.
In the past few years, countries and regions such as the United States, Singapore, the European Union, and Japan have accelerated international mutual recognition of IoT security label programs and promoted international cooperation in product security governance. Against the background of the large-scale "going global" of China's intelligent connected products, product manufacturers need to meet the requirements of overseas IoT security label programs and carry out the related testing, certification, and filing. If China's cybersecurity label system can achieve cross-border cooperation with the relevant overseas programs, it will significantly reduce the cost for enterprises of going global and enhance their overseas competitiveness. Promoting internationalization is therefore a key direction for the next step of cybersecurity label work.
In summary, the introduction of the "Measures for the Administration of Cybersecurity Labels" marks a shift in China's security management of consumer IoT products from relatively extensive to refined and market-oriented. Graded labels guide product upgrading, transparent information empowers consumers' choices, and full-chain supervision strengthens the producers' primary responsibility; together with designs such as centralized filing, credit penalties, and collaborative vulnerability governance, these form a governance model with Chinese characteristics that aims to make cybersecurity an inherent attribute of consumer IoT products. Although the specific implementation details still need to be refined, this system will undoubtedly provide a strong institutional tool for the high-quality, safe, and reliable development of the consumer IoT industry, and ultimately make the cybersecurity label a trustworthy business card for consumers.
This article is from the WeChat official account "Internet of Things Think Tank" (ID: iot101), author: Zhao Xiaofei, published by 36Kr with authorization.