Consumer 'Internet of Things' (IoT) devices, also known as smart devices, are products that have the added functionality to connect to the internet (e.g. smart lightbulbs, smart TVs, smart watches) and equipment that actually connects the devices to the internet (like Wi-Fi routers). These devices are present in many aspects of our lives, and their security is a significant issue for both consumers and businesses to be aware of. In 2019, almost half of Australian organisations had implemented at least one IoT solution, and in 2020, over 60% of Australian households had adopted at least one IoT device. Globally, cyber attacks on IoT devices have increased, almost tripling in 2019 when compared to the previous year.
In September 2020, the Australian Government implemented its voluntary, principles-based Code of Practice: Securing the Internet of Things for Consumers (IoT Code). At the time we questioned the sufficiency of a voluntary code, given that other jurisdictions, such as the UK and the US have adopted mandatory cyber security standards for IoT devices. The Government has now indicated that a shift towards a mandatory standard is on the horizon in Australia, with the publishing of its discussion paper on 13 July 2021: Strengthening Australia’s cyber security regulations and incentives (Discussion Paper), opening consultation on regulatory reform to strengthen cyber security standards and inviting stakeholders to make submissions.
Shift towards a mandatory IoT standard
The shift towards favouring a mandatory IoT standard is likely the result of industry research conducted by the Department of Industry, Science, Energy and Resources and Department of Home Affairs in March 2021 (six months after the voluntary code was released), which found that the voluntary, principles-based IoT Code was largely failing in achieving its objectives. The research, which is set out in Annex A of the Discussion Paper, found that major manufacturers had not been basing decision-making on the IoT Code, and expressed difficulty in meeting the requirements of the IoT Code, suggesting a preference for following internationally aligned standards. Lower-cost manufacturers were also not engaging with the IoT Code. Moreover, even those manufacturers that attempted to follow the IoT Code were facing difficulties implementing 'low cost, high priority' parts of the IoT Code, like implementing a vulnerability disclosure policy.
Recommendation for a mandatory industry-recognised standard
The Discussion Paper recommends a mandatory standard to guarantee a base level of cyber security for a significant portion of the growing IoT devices market. In making this recommendation, the Discussion Paper looks to international examples - the UK, Singapore, and California and Oregon in the US - that have mandated minimum cyber security features that manufacturers of IoT devices must include, such as unique passwords.
The Discussion Paper proposes that Australia should adopt the internationally recognised European Standard ETSI EN 303 645, which outlines baseline requirements for cyber security for consumer IoT devices. However, whether Australia adopts the entire standard, or, as in the UK, adopts only the top three requirements (no universal default passwords, implementing a vulnerability disclosure policy, and keeping software updated), is left open for feedback, with the former approach offering greater comprehensiveness and the latter approach focussing on high-priority principles while minimising the compliance burden on industry. The scope of the term ‘IoT device’ (or 'smart device', as it is referred to in the Discussion Paper) and whether it should extend to smartphones, as it does in the UK, is also left open for feedback.
If a mandatory standard were to be adopted in Australia, the Discussion Paper notes that this would require new legislation, and an existing regulator (to be determined) would be responsible for industry education and enforcement. Manufacturers would be expected to face a slightly higher cost of manufacturing - though, if the UK's modelling is anything to go by, the cost increase for manufacturers would be relatively low - a one-off cost of 1.35% and an annual ongoing cost of 0.31% of product value. The Discussion Paper also highlights potential implementation issues that could arise due to the vast majority of IoT devices being sold online. Retailers and wholesalers would need to play a part in ensuring that security standards are being met by their suppliers, including online marketplaces. While online marketplaces currently voluntarily remove products that do not meet Australia's product safety standards, the Discussion Paper specifically seeks feedback from online marketplaces as to whether this approach would be viable with respect to a new cyber security standard.
IoT Device Labelling
A closely-related issue with IoT devices is the 'information asymmetry' between manufacturers and consumers. Consumers are not easily able to differentiate between secure and insecure devices, and their buying decisions regarding IoT devices are generally based on cost and features, rather than security. To remedy this information asymmetry, and to help change consumer behaviour to take into account security issues, the Discussion Paper recommends that a labelling scheme be implemented for IoT devices in Australia, either in the form of a voluntary star rating or mandatory expiry date label noting when security updates for a IoT device will end.
Voluntary star ratings for IoT devices essentially provide a visual representation of the level of cyber security assurance associated with a smart product - not unlike energy ratings for whitegoods. Such schemes for IoT devices are already present in Singapore and Finland, while the UK has implemented a 'trust mark' for manufacturers who engage in voluntary assurance schemes and the US is piloting a graded cyber security labelling scheme. The main issue with this approach, as with any voluntary scheme, is uptake, and the Discussion Paper calls for submissions from stakeholders on whether there is likely to be sufficient industry uptake.
On the other hand, the option of a mandatory expiry date label is novel - no other country in the world has mandated this type of label. This option has the benefit of not requiring independent security testing, and is therefore lower cost for manufacturers than a star-rating label. If there is a lack of industry support for a voluntary star-rating label, then the Discussion Paper notes this option as the favoured approach.
Watch this space
It is clear that a mandatory standard for IoT devices in Australia is on the horizon, aligning with other global approaches, and spurred on by the burgeoning market for IoT devices. The form the standard will take will undoubtedly be influenced by industry response to the Discussion Paper.
The Australian Government is seeking submissions from stakeholders until 27 August 2021. Have your say here: Strengthening Australia’s cyber security regulations and incentives - submission form (homeaffairs.gov.au)
Authors: Lesley Sutton, Jen Bradley and Meaghan Powell