Home Affairs Backs Mandatory IoT Cybersecurity For Consumer Devices.
Australia’s Home Affairs and Cybersecurity minister Clare O’Neil has backed mandatory cybersecurity standards for IoT devices.
O’Neil, who was speaking at the Quad Tech Network at the Australian National University recently, said cybersecurity of IoT devices should not be applied in a piecemeal way but…that “cybersecurity and national security…are built in at the design stage.”
According to O’Neil, safety by design principles should be adopted in the application of cybersecurity to IoT products – she questioned why “there is no real discussion and accreditation for IoT products…that tell you whether these are cyber secure or not”.
“You shouldn’t be allowed to put things on a shelf for an ordinary Australian to come by and pick them up and buy them if you know those products are inherently unsafe, or if you haven’t bothered to think about it, we can’t be so lax, about how we think about these issues,” O’Neil said.
O’Neil said software and device vendors such as Microsoft, Apple, Google and Amazon needed to take responsibility for the digital safety of their products, in what she said needed to be a “mindshift change”. She implied that big tech, and presumably other suppliers of IoT tech, could be liable for the cybersecurity of consumer devices.
“We need to use the power of government and the power of big institutions to help protect people better from this problem, and shift responsibility to those who can actually literally change it,” O’Neil said.
O’Neil called for products like internet-connected baby monitors and other IoT devices to be regulated in the same way as products like children’s car seats, which are subject to mandatory product safety standards, as well as mandatory labelling, with penalties for non-compliance.
Australia’s cybersecurity strategy is currently being prepared by the Department of Home Affairs and will be released later this year. It’s thought the strategy will integrate the government’s international cyber engagement strategy. Australia’s IoT cybersecurity framework is currently a voluntary code built around European communications standards adopted from the United Kingdom.
Most pro-grade security and automation IoT systems and devices sold in Australia have latent cybersecurity functionality, though this is not always activated during commissioning, nor is it always used by consumers.
What impact mandatory IoT cybersecurity would have on the electronic security industry is unclear, though it would be likely to force retailers to elevate product quality, which might lead to a slight increase in their costs.
Good IoT Cybersecurity Implementation
- The device has a unique, unpredictable and complex password for setup and access that is infeasible to guess.
- Where this isn’t possible, the device prompts users to set or change the password at first use.
- The default password is not publicly known or published.
- Where the user is prompted to set a password for the device or associated online account, the user is required to choose a password of a minimum length and complexity.
- All online accounts associated with a device use WebAuthn or multi-factor authentication.
- The Wi-Fi access point hosted by the device, and used for setup, requires the user to authenticate.