The federal government has knocked back industry calls for mandatory cybersecurity guidelines for the Internet of Things, unveiling a voluntary code under which manufacturers can choose to meet all, some or none of the principles.
The Home Affairs department on Friday released the Internet of Things voluntary Code of Practice, with 13 principles representing the recommended minimum level of security industry should provide with its IoT devices.
The government has been working on the code for nearly a year, with a draft version released for public consultation last November. The finalised code is nearly word-for-word the same as the draft version, with key recommendations including no duplicated default or weak passwords, a vulnerability disclosure policy, and securely updated software.
But throughout the consultation process, the government was repeatedly told by a range of industry figures and companies that there should instead be mandatory security standards for any manufacturer selling IoT devices in Australia.
“We received a number of calls for the Australian government to introduce mandatory security standards for internet-connected devices. From across the nation, stakeholders told us that minimum standards need to be put in place as it is often the consumer, rather than the manufacturer, who suffers the greatest loss from these devices,” Home Affairs said.
“A large number of stakeholders called for stronger regulation which would enforce devices to be security-by-design. Many respondents suggested that compliance with these minimal requirements would need to be publicised clearly and transparently on products for consumers.”
Such a mandatory scheme could involve a labelling system for IoT devices sold in Australia, clearly outlining the level of cybersecurity the product has.
But the federal government has opted to make the Code of Practice entirely voluntary, with companies encouraged to at least follow the top three recommendations, but not required to abide by any of them.
The voluntary nature of the Code and a lack of detail in it may hamper the government’s ability to uplift security in IoT devices, Smart Cities Council Australia and New Zealand executive director Adam Beck said.
“The Code sits in an implementation vacuum. Where’s the roadmap for how this voluntary code can contribute to building a thriving IoT marketplace that promotes security, privacy and ethics?” Mr Beck told InnovationAus.
“The Code is voluntary – which we support – however, whether this will be effective is challenging to predict with little to no information on how the Code should be applied for the various audiences,” he said.
“Further, with no broader national roadmap on data leadership for the nation what success looks like is unknown.”
“With little supporting guidance on implementing the Code and its role in what would be classified as market transformation practices, knowing if and when a demand-side organisation or consumer should mandate the Code’s application becomes difficult.”
The Code is a “first step” for improving cybersecurity in IoT devices, the government said.
“Your feedback could not have been clearer – the Code of Practice is a good first step to lifting the security of internet-connected devices for consumers. While noting the cybersecurity in the IoT is a global challenge, you also told us that there are more steps that the Australian government and industry can take to better protect Australian consumers from insecure internet-connected devices,” it said.
But the lack of detail on what those further steps may involve makes it difficult for the industry, Mr Beck said.
“The Code clearly states that it is the first step, which is promising, but does not offer any insights into additional steps. This is important for industry to ensure that the Code can be embraced and have full effect,” he said.
The explosion in popularity and availability of IoT devices is expected to rapidly continue in the coming years, presenting significant cyber risks, Home Affairs said.
“Many of these devices are developed with functionality as a priority, and security features are often absent or an afterthought. It is essential that these devices in our homes and businesses have cybersecurity provisions that defend against potential threats and malicious cyber activity,” it said.
The Code will help raise awareness of security safeguards associated with IoT devices, build confidence and allow Australians to reap the benefit of further adoption of the technologies, the government said.
Other principles in the voluntary Code include securely storing credentials, ensuring personal data is protected, minimising exposed attack surfaces and making devices easy to install and maintain.
The government received 39 written submissions on the draft code and conducted a series of virtual workshops on it. A number of respondents said the Code should go further.
“Some felt that the Code of Practice could be strengthened by adding more weight to consumer privacy, increasing public awareness on cyber hygiene and device security, and giving more consideration to security at the network level, providing more clarity on roles and responsibilities of device manufacturers and service providers, adding a principle on a security trust mark, as well as increasing supply chain security,” the government said.