Project Title

Roundtable on IoT Cybersecurity Labeling 

Project Year

2024   

Project Number

TELWG_202_2024A 

Project Session

Session 2   

Project Type

Standard 

Project Status

Project in Implementation   
View Budget TableView Budget Table
|
PrintPrint

Project No.

TELWG_202_2024A 

Project Title

Roundtable on IoT Cybersecurity Labeling 

Project Status

Project in Implementation 

Publication (if any)

 

Fund Account

APEC Support Fund 

Sub-fund

ASF: Digital Innovation 

Project Year

2024 

Project Session

Session 2 

APEC Funding

142,144 

Co-funding Amount

Total Project Value

142,144 

Sponsoring Forum

Telecommunications and Information Working Group (TELWG) 

Topics

Telecommunications and Information; Digital Technology and Innovation; Conformance; Standards 

Committee

SOM Steering Committee on Economic and Technical Cooperation (SCE) 

Other Fora Involved

 

Other Non-APEC Stakeholders Involved

 

Proposing Economy(ies)

United States 

Co-Sponsoring Economies

Australia; Indonesia; Japan; Singapore; Chinese Taipei 

Expected Start Date

01/03/2025 

Expected Completion Date

30/06/2026 

Project Proponent Name 1

Nathaniel Moulton 

Job Title 1

ICT Industry Analyst 

Organization 1

US Department of Commerce 

Postal Address 1

Not Applicable 

Telephone 1

+12027342158 

Fax 1

Not Applicable 

Email 1

Nathaniel.Moulton@trade.gov 

Project Proponent Name 2

Emma Handel 

Job Title 2

ICT Industry Analyst 

Organization 2

US Department of Commerce 

Postal Address 2

Not Applicable 

Telephone 2

Not Applicable 

Fax 2

Not Applicable 

Email 2

Emma.Handel@trade.gov 

Declaration

Nathaniel Moulton 

Project Summary

Internet of Things (IoT) connected devices are bringing new levels of convenience, functionality, and efficiency to the consumer ICT market. The rapid proliferation of IoT applications and products has made them attractive targets for threat actors. Efforts are evolving in several member economies for more robust security protocols for IoT devices. A dialogue focused on understanding various cybersecurity labeling schemes for IoT devices being considered in different economies would be a timely effort to promote best practices and standards development and adoption across APEC members. This dialogue would take place through research and a background paper, an in-person workshop for representatives and stakeholders from APEC economies and relevant institutions to promote engagement and knowledge sharing among officials and industry stakeholders on cybersecurity labeling for IoT devices, and a summary paper to present key takeaways from the event. The summary paper will be minimum 12 pages in length excluding annexes and is intended to be an APEC Publication.

Relevance

Region
The number of IoT products on the market is increasing at a rapid pace. As the technological applications and availability of devices grow, so do the opportunities for exploitation by threat actors. Many IoT connected devices are not designed or manufactured with cybersecurity in mind and are not sufficiently protected against cyber threats. To address this, economies across the APEC region are considering practices and policies to strengthen IoT cybersecurity, including device certification and labeling schemes. In recent years, many countries have developed standards for IoT cybersecurity. Both voluntary and mandatory cybersecurity labeling schemes for IoT devices have been released with the intention of raising consumer awareness and trust in products and strengthening the IoT ecosystem. The workshop will further discussion and collaboration across APEC economies on IoT cybersecurity and draw specific attention to the benefits of a cybersecurity labeling scheme for IoT consumer devices. The workshop will highlight avenues for alignment of IoT cybersecurity standards and labeling schemes across the APEC region and promote best practices to strengthen IoT device security and the trustworthiness and resiliency of IoT software and hardware supply chains.

Eligibility and Fund Priorities
This project falls under the Digital Innovation sub-fund and supports the criteria on aligning with APEC’s digital economy priorities and capacity building. The Digital Economy Roadmap identifies enhancing trust and security in the use of ICTs as a key focus area. This project directly relates to that initiative as it aims to enhance cybersecurity of the IoT ecosystem.

Capacity Building
The workshop will emphasize the need for unique cybersecurity policies for IoT connected devices and highlight the impacts of a cybersecurity certification scheme for IoT connected devices on consumer confidence, market competitiveness, and supply chain security. The workshop will also identify areas for deeper cooperation on IoT cybersecurity best practices and standards development and adoption among APEC economies. The workshop will highlight industry perspectives on adoption and implementation. Finally, the Summary Paper with key takeaways from the Background Paper and Workshop will be published as an APEC Publication to serve as a resource for capacity building.

Objectives

The project aims to highlight the benefits of certification schemes for IoT products and facilitate discussion around coordination among these schemes. It will highlight developed cybersecurity certification programs as effective practices for IoT device security. APEC member economies can incorporate knowledge from this project in developing cybersecurity standards for IoT products. The project will also seek to showcase industry perspectives on how alignment of IoT cybersecurity standards and certification schemes promote cross-border trade and supply chain security.

Alignment

APEC
This project is aligned with multiple APEC priorities, most notably, the promotion of cooperation and information sharing on best practices for trusted, secure, and resilient ICT and alignment on standards and policies for cybersecurity. A key objective of the Putrajaya Vision 2040 (PV 2040) is regional trade and investment. The project aligns with this priority as strengthened IoT cybersecurity through labeling schemes for IoT devices will enhance trade across the APEC region and globally by reducing unnecessary barriers to trade and strengthening business competitiveness. A key objective of the Aotearoa Plan of Action (APA) is connectivity, supply chain resiliency and business conduct. The project’s focus on standards and best practices for IoT cybersecurity will promote IoT software and hardware supply chain security. The project is also in alignment with several of the key objectives outlined by APEC’s Internet and Digital Economy Roadmap. Specifically, the project supports AIDER’s goals of promoting interoperability and coherence and cooperation of regulatory approaches between APEC member economies. The project also supports AIDER’s goal of enhancing trust and security in the use of ICTs as enhanced cybersecurity for IoT consumer devices will increase consumer trust in products and raise the bar for IoT cybersecurity among manufacturers and sellers.

Forum

As part of their mission to improve ICT cybersecurity across the APEC region, the Telecommunications and Information Working Group’s (TELWG) Strategic Action Plan (2021-2025) cites the promotion of regular cybersecurity collaboration between governments, the business community, and consumers and the promotion of consumer confidence and trust in ICT products and services as key objectives.

Promoting trusted, secure, and resilient ICT across the APEC region is a key objective of the TELWG. Relatedly, the Sub-Committee on Standards and Conformance (SCSC) aims to promote good practices in the adoption and development of standards and align regional standards with internationally accepted standards. Collaboration around the development of IoT standards has been a theme in recent APEC workshops, with discussions centered on IoT device security in 2018 and 2019. In SOM 2 of 2024, the TELWG met to discuss updates in global regulation, including the U.S. FCC’s Cyber Trust Mark. Continuing the discussion of cybersecurity labeling for IoT devices through both these forums will grow channels for collaboration on policy initiatives, reduce negative effects of conflicting standards and policies for IoT security, and promote cross-border trade.

TILF/ASF Justification

Not Applicable.

Beneficiaries and Outputs

Output

1) Background Paper
A background paper will be drafted by contractor prior to the workshop to provide a survey of global IoT cybersecurity practices. The background paper will provide an overview of current IoT cybersecurity policies and labeling schemes to highlight areas for further development and potential coordination among APEC members on IoT cybersecurity policies and labeling schemes. The background paper will serve as a reference document for the workshop discussion. The background paper will be a minimum of 12 pages in length, excluding annexes, and will be distributed to participants ahead of the meeting. Contractor will present on background paper findings as session 1 on day 1 (see rough agenda below).

2) Workshop

A two-day workshop will take place during the second TELWG meeting of 2025 (SOM 3) in Incheon, Korea. 

The workshop will gather member economy representatives, experts, and stakeholders to discuss the state of IoT cybersecurity policy and pathways for progress. The discussion will aim to highlight the benefits of certification schemes for IoT products and avenues for coordination among APEC member schemes. Speakers from APEC member economy public sectors will present on cybersecurity certification programs (implemented or under development) as effective practices for IoT device security. Industry speakers will showcase their perspectives on how consistency of IoT cybersecurity standards and certification schemes promotes cross-border trade and supply chain security. Discussion will center on how APEC member economies can incorporate knowledge from these presentations in developing cybersecurity standards for IoT products as well as mechanisms for interoperability between member economy schemes. The workshop will also cover topics such as implementation and interoperability. The workshop will include activities to encourage active capacity building which will be built into the agenda over the two day workshop. 

The workshop will close with the dissemination of a post workshop evaluation to ensure maximum responses from participants. The evaluation will gauge the usefulness and value of the workshop for participants. 

Rough Agenda Day 1

- Session 1: Scene Setting: A Survey of IoT Cybersecurity Policies and Practices across APEC Economies

- Session 2: Presentations: Best Practices for IoT Cybersecurity Frameworks for IoT Cybersecurity Certification Programs

-  Session 3: Standard Setting

-  Session 4: Mechanisms for Interoperability

-  Session 5: Networking Session

-  Session 6: Implementation and Accreditation 

Day 2

-  Session 1: Label Design

-  Session 2: Industry Adoption

-  Session 3: SME Perspectives

-  Session 4: Networking Session/Capacity Building Activity

-  Session 5: Consumer Education

3) Summary Paper
A summary paper will be drafted by contractor, combining the information from the background paper with key takeaways from the workshop. The summary paper will be a minimum of 12 pages, excluding executive summary, table of contents, PowerPoint presentations from speakers/experts, and annexes. The summary paper will be published as an APEC Publication.

Outcome

1) We hope to reach APEC consensus on the value of a unique approach to IoT device cybersecurity.

2) We hope to observe an increase in specific IoT cybersecurity polices, approaches, or regulations across APEC member economies following the project's conclusion.

3) We hope to observe further crossover work between APEC fora on digital economy and cybersecurity following the project's conclusion.

Beneficiaries

The primary beneficiaries of this dialogue are policymakers and ICT industry stakeholders in APEC member economies with interest in IoT connected device security. Project participants will be from domestic and international standards and policymaking bodies as well as industry representatives across ICT and cybersecurity sectors. Tentative candidates include the United States Federal Communications Commission (FCC), the United States National Institute for Standards and Technology (NIST), the Cybersecurity Agency of Singapore, the Australian Cyber Security Center and other APEC member counterpart agencies as well as manufacturers and sellers of IoT consumer devices and industry associations such as The Consumer Technology Association (CTA) and the Information Technology Industry Council (ITIC). 

Economies working to develop an approach to IoT cybersecurity or those that are seeing investment in the growth and security of IoT consumer products will be invited to share their views and experiences. The workshop will provide an opportunity for participants to engage with other economies and the business community, which will emphasize the benefits of a multi-stakeholder approach to cybersecurity best practices writ large. Developments in IoT cybersecurity policy are still emerging and are evolving quickly as the technology advances. The workshop will offer a platform to discuss challenges policymakers and industry are facing as well as opportunities for collaboration and tools helpful in addressing these challenges.
 
Secondary beneficiaries such as non-APEC economies looking to develop similar IoT cybersecurity labeling schemes and best practices will benefit from the information presented in the Summary Paper APEC Publication.

Dissemination

The target audience includes APEC officials and regulators, including cybersecurity agencies, telecom agencies, and domestic and international standards bodies, focused on digital trade and digital economy policies and interested in promoting the use of globally-recognized IoT cybersecurity standards in their cybersecurity approaches.

Industry stakeholders, including IoT consumer device manufacturers, sellers, and related industry associations are also a target audience. Meeting documents including agenda and presentations will be submitted to the APEC Secretariat to be uploaded on the APEC website. 

The background paper will be disseminated to participants prior to the workshop and key findings will be presented in session 1 day 1 of the workshop. 

The workshop will be held in person. 

A summary paper will be drafted by the contractor combining the information from the background paper with key takeaways from the workshop. The summary paper will be a minimum of 12 pages, excluding executive summary, table of contents, PowerPoint presentations from speakers/experts, and annexes. The summary paper will be published as an APEC Publication.

Gender

Please see Project Proposal in Supporting Documents folder.

Work Plan

Please see Project Proposal in Supporting Documents folder.

Risks

Please see Project Proposal in Supporting Documents folder.

Monitoring and Evaluation

Please see Project Proposal in Supporting Documents folder.

Linkages

This work is most relevant to the scope of TELWG because of the emphasis on enhancing cooperation and information sharing on best practices for trusted, secure, and resilient ICT. However, the successful promotion of strong IoT cybersecurity across the APEC region relies on the ability of participating economies to align on standards surrounding cybersecurity. Incorporating stakeholders and initiatives driven by the SCSC is an opportunity to leverage cross-fora and cross-sector perspectives. Accordingly, POs will strive to include the participation of delegates from TELWG and SCSC. POs will ensure that the workshops are compliment to existing cybersecurity work within TELWG and SCSC.

Sustainability

POs expect this project to continue to have an impact after APEC funding is completed. For example, we will foster a network among regulators, domestic and international standards bodies, industry, and other stakeholders which can act as the foundation to contribute to an interoperable approach to IoT cybersecurity.

Additionally, participants can share the background paper and information learned during the Workshop with other government officials or relevant agencies and industry in their home economies and apply information gathered to developing IoT cybersecurity policy and labeling schemes and mechanisms for interoperability. 

POs anticipate this project will build off of the outcomes of previous workshops on IoT device security and continued implementation of the APEC Internet and Digital Economy Roadmap. Possible next steps include future workshops on pathways to interoperable IoT cybersecurity labeling schemes between member economies or capacity building for interested economies. The outcomes of this work and potential next steps will also be highlighted at other relevant APEC meetings, including TELWG and SCSC meetings. After the workshop, POs will monitor policy developments in APEC economies to understand which approaches economies are taking towards communicating cybersecurity practices to stakeholders.

Project Overseers

Nathaniel Moulton is an ICT Industry Analyst in the International Trade Administration, a bureau of the United States Department of Commerce. His career has spanned both public and private sectors, with a focus on international trade and public policy problem-solving.

Cost Efficiency

Not Applicable.

Drawdown Timetable

Not Applicable.

Direct Labour

Please see Project Proposal in Supporting Documents folder.

Waivers

Not Applicable.

Are there any supporting document attached?

Yes 
Attachments
Version: 3.0 
Created at 20/03/2025 18:05  by Lucy Phua 
Last modified at 20/03/2025 19:12  by Lucy Phua 
Version HistoryVersion History

Project No.

Project Title

Project Status

Publication (if any)

Fund Account

Sub-fund

Project Year

Project Session

APEC Funding

Co-funding Amount

Total Project Value

Sponsoring Forum

Topics

Committee

Other Fora Involved

Other Non-APEC Stakeholders Involved

Proposing Economy(ies)

Co-Sponsoring Economies

Expected Start Date

Expected Completion Date

Project Proponent Name 1

Job Title 1

Organization 1

Postal Address 1

Telephone 1

Fax 1

Email 1

Project Proponent Name 2

Job Title 2

Organization 2

Postal Address 2

Telephone 2

Fax 2

Email 2

Declaration

Project Summary

Relevance

Objectives

Alignment

TILF/ASF Justification

Beneficiaries and Outputs

Dissemination

Gender

Work Plan

Risks

Monitoring and Evaluation

Linkages

Sustainability

Project Overseers

Cost Efficiency

Drawdown Timetable

Direct Labour

Waivers

Are there any supporting document attached?

hdFldAdmin

Project Number

Previous Fora

Secretariat Comments

Reprogramming Notes

Consolidated QAF

Endorsement By Fora

PD Sign Off

Batch

Forum Priority

Committee Ranking Category

Committee Priority

PDM Priority

Priority Within Funding Category

Monitoring Report Received

Completion Report Received

PMU Field 1

PMU Field 2

PMU Field 3

On Behalf Of

Proposal Status

Originating Sub-Forum

Approval Status
Attachments
Content Type: Standard Proposal
Version:
Created at by
Last modified at by
Go Search