The Cyber, Digital and Technology Policy Division of the Australian government has proposed regulating IoT devices to prevent cyber threats. The suggested standard requires manufacturers to implement baseline security requirements for devices through the introduction of a star rating label or a mandatory expiry date. However, the details of the new labels are not explained.
A discussion paper, “Strengthening Australia’s cyber security regulations and incentives”, discusses methods to enhance regulations and provide incentives to businesses for investing in IoT and security. The paper aims to set clear expectations for managing security risks, increase transparency and protect consumer rights in case of cyber attacks.
“We believe that one reason that many smart devices are vulnerable is because competition in the market is primarily based on new features and cost. Unfortunately, consumers often aren’t able to tell the difference between a secure and insecure device, which limits commercial incentives to compete on cyber security and leads consumers to unknowingly adopt cyber security risk,” states the discussion paper.
It suggests making the government’s voluntary ‘Code of Practice: Securing the Internet of Things for Consumers’, released in 2020, mandatory. The code sets out thirteen expectations the government has of manufacturers regarding the security of IoT products. The new paper suggests taking this forward by making the code mandatory. The Australian Cyber Security Centre has also developed complementary IoT guidance on the use and disposal of smart products.
While the paper suggests the use of star rating and mandatory expiry date labels, it does not detail how they would work. It does, however, refer to a similar system in place in Singapore, where four cybersecurity levels indicate levels of security and testing. The mandatory label is noted as the government’s preferred way for the future. It would display the maximum time for which security updates will be provided for a device, without the need for independent security testing.
“Like all labelling schemes, a cyber security label would have the limitation of displaying the security of a device at one point in time. Some labels include the date they were awarded to make sure that consumers understand this limitation,” the report stated.
According to the paper, a mandatory label could take the form of an expiry date label, which would display the length of time that security updates will be provided for the smart device (as a proxy indicator for the device’s overall level of security). “This kind of label would not require independent security testing, and therefore would be a lower cost approach compared to a star rating label… However, Australia would be the first country to mandate this in the form of a specific label,” the paper stated.
The paper also calls for views and submissions to work on the design of any new policy.