Call to regulate the IoT sector
Santosh Devaraj: Government must be proactive on IoT security challenges
Australia risks lagging other jurisdictions in the regulation of Internet of Things devices to improve cybersecurity, according to Secure Logic chief executive Santosh Devaraj, and government should be considering enforcing standards sooner rather than later.
Last week the UK government unveiled a voluntary IoT Code of Practice, which aims to improve baseline security for smart connected devices, and to ensure they are compliant with the General Data Protection Regulation.
The Californian state government also passed legislation covering smart devices. Laws coming into effect from 2020 will require any manufacturer of an IoT device to equip it with “reasonable” security features to prevent unauthorised access, modification or information disclosure.
This includes requiring a unique password for each device.
The Australian government needs to follow these jurisdictions and introduce legislation requiring all IoT products – made in Australia and imported – to have strong cyber protections, Mr Devaraj said.
“We want to be proactive, especially around IoT. What we’re trying to do is to work with other industry peers to promote awareness within government,” Mr Devaraj told InnovationAus.com.
"We have some plans we would like to see employed at a much stronger level for service providers as well as manufacturers."
“There are countries that are far more advanced in the adoption of IoT, and we are a little behind on that. And we will definitely be behind if we don’t do something now.”
At a minimum, the legislation must require manufacturers to give each device a unique password, to ensure customers are adequately prompted to install software updates and patches, and to invest in an IoT security education program, Mr Devaraj said.
“At the top of the government’s list should be mandated password protection. Too often manufacturers are letting customers use a blanket password which is easily sidestepped by hackers.
"If the proper investment is made in the product development phase, security can be managed without a detrimental impact on cost or customer experience,” he said.
“The risks are definitely there and the impact of that is major. The progression of implementation is not there yet in Australia, but we’re seeing now that adoption is going up enormously.”
The federal government has previously floated the idea of a ratings system for IoT devices, similar to the health tick of approval for food.
The “cyber kangaroo” rating would be used to advise consumers of the risks involved with IoT devices. The government tasked the sector itself to come up with the rating, and it’s currently unclear where these plans are at and whether they are still going ahead.
Mr Devaraj said this would be a positive start.
“We should definitely start from something that people understand already. Everyone knows what the star rating means. A simple implementation of that would be a really good start,” he said.
The federal government recently provided more than $200,000 for a research project to explore “opportunities, risks and consequences of IoT”.
It would explore the economics of IoT, the social and cultural perspectives of its deployment, the educational needs, governance requirements and technological standards.
Mr Devaraj said he would now look to meet with other figures and companies in the industry to work together to lobby government for the legislation.
“It all starts with the industry. We’re talking to industry peers and trying to have them all support the idea of approaching the state government and federal government to assist in forming the framework and policy subset to them. We’re at the beginning of the journey,” he said.