Govt to make its voluntary IoT cybersecurity standards mandatory

Denham Sadler
National Affairs Editor

Existing cybersecurity standards for smart devices will be made mandatory by the federal government but device security labels will be voluntary under a Coalition election pledge.

Home Affairs Minister Karen Andrews on Thursday morning announced new cybersecurity protections for the Internet of Things (IoT) market, including minimum cybersecurity standards for device manufacturers, and voluntary cybersecurity labels for these devices.

Ms Andrews said the number of internet-connected devices in Australia, such as smart watches and baby monitors, is expected to double from 2019 to 2024.

“The smart device market is growing rapidly but devices are not always secure. Overseas hackers have been able to steal personal information by remotely accessing the very devices victims bought to protect their homes,” Ms Andrews said in a statement.

“Government and industry cannot face growing threats to cybersecurity alone and that is why our government is uplifting the cybersecurity of all Australians and Australian businesses.”


The Coalition in 2020 opted to not implement mandatory cybersecurity guidelines for IoT devices, instead releasing a voluntary code which manufacturers can choose to meet. This code includes 13 principles representing minimum standards.

At the time, the Coalition decided to not make this code mandatory, despite several industry figures and organisations urging it to do so.

But the federal government has now moved to make the standards mandatory, and will base them on new standards in the UK, which will come into effect at the end of the year.

The guidelines require companies to ensure that software on security cameras and TVs is up to date, that exploitable flaws are fixed and that people are required to change the default passwords on these devices.

The UK standards on which Australia’s will be based include the banning of universal default passwords, transparency measures on efforts to fix flaws and a public reporting system for vulnerabilities.

While the standards will be mandatory, a new cybersecurity label scheme for IoT devices will be voluntary. This label will provide information about the security of devices in an effort to improve consumer confidence.

A discussion paper released by the government in July last year canvassed the potential for a mandatory expiry date label for these devices, but the Coalition has opted to not go down this route, despite saying that the costs would be “low”.

A mandatory scheme had also been recommended by the government’s Cyber Security Strategy Industry Advisory Panel.

The Opposition has regularly attacked the government’s cybersecurity credentials, with the Coalition not having had a Minister responsible for cybersecurity for several years.

“Labor welcomes any action to protect Australians from cybercrime,” Shadow Assistant Minister for Cyber Security Tim Watts told

“Unfortunately, this announcement is too little, too late, with cybercrime exploding under the Morrison government while it languished at the bottom of the Minister’s to-do list for years.”

But Ms Andrews said Labor has not focused on cybersecurity in recent months.

“The Morrison government’s strong track record and well-resourced plan for cybersecurity contrasts sharply with Labor, who don’t have a plan at all,” she said.

“Anthony Albanese’s budget reply speech didn’t mention the word ‘cybersecurity’ once, whereas the Morrison government backed in Australia’s digital future with almost $10 billion of new funding for cybersecurity.”
