Consumer “Internet of Things” (IoT) devices, also known as smart devices, are products with added functionality to connect to the Internet (e.g. smart lamps, smart TVs, smart watches), as well as devices that connect other devices to the Internet (such as Wi-Fi routers). These devices are present in many aspects of our lives, and their security is a significant issue for both consumers and businesses. By 2019, almost half of Australian organisations had implemented at least one IoT solution, and by 2020, over 60% of Australian households had adopted at least one IoT device. Globally, cyber attacks on IoT devices have increased, almost tripling in 2019 compared with the previous year.
In September 2020, the Australian Government introduced its voluntary, principles-based Code of Practice: Securing the Internet of Things for Consumers (IoT Code). At the time we questioned the adequacy of a voluntary code, given that other jurisdictions, such as the UK and the US, have adopted mandatory cyber security standards for IoT devices. The Government has now indicated that a shift towards a mandatory standard is on the horizon in Australia: on 13 July 2021 it published its discussion paper, Strengthening Australia’s Cyber Security Regulations and Incentives (Discussion Paper), opening consultation on regulatory reform to strengthen cyber security standards and inviting stakeholders to make submissions.
Switch to a mandatory IoT standard
The move towards a mandatory IoT standard is likely the result of industry research conducted by the Department of Industry, Science, Energy and Resources and the Department of Home Affairs in March 2021 (six months after the release of the voluntary code), which found that the voluntary, principles-based IoT Code had failed to achieve its objectives. The research, set out in Annex A of the Discussion Paper, found that major manufacturers had not based their decision-making on the IoT Code and reported difficulties in meeting its requirements, indicating a preference to follow international standards instead. Lower-cost manufacturers were also not engaging with the IoT Code. Moreover, even those manufacturers who tried to follow the IoT Code faced difficulties implementing its ‘low cost, high priority’ parts, such as a vulnerability disclosure policy.
Recommendation for a mandatory standard recognized by the industry
The Discussion Paper recommends a mandatory standard to guarantee a baseline level of cyber security across a significant part of the growing IoT device market. In making this recommendation, the Discussion Paper looks at international examples – the UK, Singapore, and California and Oregon in the US – that have mandated minimum cyber security features which IoT device manufacturers must include, such as unique passwords.
The Discussion Paper proposes that Australia adopt the internationally recognised European standard ETSI EN 303 645, which sets out baseline cyber security requirements for consumer IoT devices. Whether Australia should adopt the entire standard or, as in the UK, only its three key requirements (no universal default passwords, a vulnerability disclosure policy, and software updates) is left open for feedback: the former approach offers broader coverage, while the latter focuses on the high-priority principles and minimises the compliance burden on industry. The scope of the term ‘IoT device’ (or ‘smart device’, as the Discussion Paper calls it), and whether it should extend to smartphones as it does in the UK, has also been left open for feedback.
If a mandatory standard were adopted in Australia, the Discussion Paper notes that it would require new legislation, and an existing regulator (yet to be determined) would be responsible for educating industry and enforcing compliance. Manufacturers can expect slightly higher production costs – although, if the UK modelling holds, the increase would be relatively small: a one-off cost of 1.35% and an ongoing annual cost of 0.31% of product value. The Discussion Paper also highlights potential implementation issues arising from the fact that the vast majority of IoT devices are sold online. Retailers and wholesalers, including online marketplaces, will need to play a role in ensuring that their suppliers meet the security standard. While online marketplaces currently remove products that do not meet Australian product safety standards voluntarily, the Discussion Paper specifically seeks feedback from online marketplaces on whether this approach would work alongside a new cyber security standard.
IoT device labeling
An issue closely related to IoT devices is the ‘information asymmetry’ between manufacturers and consumers. Consumers cannot easily distinguish secure devices from insecure ones, and their purchasing decisions for IoT devices are generally based on cost and features rather than security. To correct this information asymmetry, and to help shift consumer behaviour towards considering security, the Discussion Paper recommends that a labelling scheme be implemented for IoT devices in Australia, either as a voluntary star rating or as a mandatory expiry date label indicating when security updates for an IoT device will end.
Voluntary star ratings for IoT devices essentially provide a visual representation of the level of cyber security associated with a smart product – not unlike energy ratings for white goods. Such schemes for IoT devices already exist in Singapore and Finland, while the UK has implemented a “trust mark” for manufacturers participating in voluntary assurance schemes and the US is piloting an assessed cyber security labelling scheme. The key issue with this approach, as with any voluntary scheme, is uptake, and the Discussion Paper seeks submissions from stakeholders on whether there is likely to be sufficient industry participation.
On the other hand, the option of a mandatory expiry date label is novel – no other country has mandated this type of label. This option has the benefit of not requiring independent security testing, and is therefore lower cost to manufacturers than a star rating label. If industry support for a voluntary star rating label is lacking, the Discussion Paper notes this option as the preferred approach.
Watch this space
It is clear that a mandatory standard for IoT devices in Australia is on the horizon, aligning with other global approaches and driven by the growing market for IoT devices. The form that the standard will take will undoubtedly be influenced by the industry response to the Discussion Paper.
The Australian Government is seeking stakeholder submissions by 27 August 2021. Submissions can be made here: Strengthening Australia’s Cyber Security Regulations and Incentives – Submission Form (homeaffairs.gov.au)