As the use of Internet of Things (IoT) devices in Australia continues to climb, the last few months have seen a flurry of activity from the Australian Government regarding IoT regulation. First, in late October 2019, Australia signed a Statement of Intent regarding the security of IoT with the Five Eyes nations (an alliance between Australia, Canada, New Zealand, the United Kingdom and the United States) committing to collaborate with industry and standards bodies to provide better protection to users through better device security design. Following that commitment, in November 2019 the Department of Home Affairs, Australian Signals Directorate and Australian Cyber Security Centre together released a Draft Code of Practice titled Securing the Internet of Things for Consumers (Draft Code).

The Draft Code – Principles

The Draft Code is intended to be a voluntary suite of measures that set certain standards for consumer IoT devices. It contains 13 principles that apply to different entities in the IoT supply chain – device manufacturers, IoT service providers and mobile application developers.

The Government has stated that the first three principles are the highest priority to achieve the greatest benefit:

1. No duplicated default or weak passwords – passwords should be unique, unpredictable, complex and unfeasible to guess, and not resettable to a common factory default.
2. Implement a vulnerability disclosure policy – entities should implement a vulnerability disclosure policy, have a public point of contact for reporting issues for this policy and act on vulnerabilities in a timely manner. 
3. Keep software securely updated – software should be securely updateable, updates should be timely, not affect device functionality, be distributed by secure IT infrastructure and should not change user-configurated preferences, security or privacy settings. Consumers should be made aware of end-of-life policies and the necessity of updates for their devices. 

The other principles include:

4. Securely store credentials and security-sensitive data.
5. Ensure that personal data is protected.
6. Minimise exposed attack surfaces.
7. Ensure communication security.
8. Ensure software integrity.
9. Make systems resilient to outages.
10. Monitor system telemetry data.
11. Make it easier for consumers to delete personal data.
12. Make installation and maintenance of devices easy.
13. Validate input data.

How will it apply?

The Draft Code is a voluntary code. Even where an industry participant agrees to comply with the code, that party’s failure to comply will not carry direct consequences under the code (although it may trigger other potential legal remedies, for example, where the party has otherwise represented to the market or particular counter-parties that it will comply with the code).

Given the great number and significant variation among companies involved in the development and supply of IoT devices, software and services, it’s unlikely that all supply chain entities in the Australian market will subscribe to the Draft Code. That said, the Draft Code has the potential to set a benchmark for good practice and become a de-facto standard despite its non-mandatory nature.

A bigger piece of the puzzle

The Draft Code is one part of the Government’s wider moves to shore up Australia’s approach to cyber security. Some of the Government’s other recent publications include:

• In November 2019, the Australian Government Signals Directorate and Australian Cyber Security Centre, co-authors of the Draft Code, published and released a guidance on Cyber Supply Chain Risk Management; and
• The Department of Home Affairs’ Critical Infrastructure Centre, the centre responsible for considering the security of Australia’s critical infrastructure from the risks of sabotage, espionage and coercion across eight critical infrastructure sectors, has also published a Best Practice Guidance for securing supply chains.

The Government is welcoming comments on the Draft Code until March 2020.

Authors: Andrew Hii, Erica Chan, Sophie Bogard