Canberra proposes IoT 'star' ratings and mandatory cyber standards for big business

The government has made a handful of proposals, some requiring regulatory reform, on how to strengthen cybersecurity in Australia.
Written by Asha Barbaschow, Contributor

The federal government wants to strengthen Australia's cybersecurity regulations and has suggested seven areas for policy reform, including the introduction of mandatory governance standards for larger businesses, a code for how personal information is handled, and a system for regulating smart devices.

In a bid to "further protect the economy from cybersecurity threats", the government is proposing [PDF] either a voluntary or mandatory set of governance standards for larger businesses that would "describe the responsibilities and provide support to boards".

While the crux of both options is similar, the mandatory code would require the entities covered to achieve compliance within a specific timeframe. A mandatory code would also see enforcement applied. A voluntary option would not require specific technical controls to be implemented and would rather be treated as a suggestion.

The government would prefer the code be voluntary, however, saying "on balance, a mandatory standard may be too costly and onerous given the current state of cybersecurity governance, and in the midst of an economic recovery, compared to the benefits it would provide".

It also flagged there was no existing regulator with the relevant skills, expertise, and resources to develop and administer a mandatory standard.

Small businesses, meanwhile, have had a "cyber health check" function suggested.

A voluntary cybersecurity health check program would see a small business be awarded a trust mark that they could use in marketing. Businesses applying for the health check would self-assess their own compliance, with a basic level of due diligence provided by government or a third party, the paper poses. It would also expire after 12 months.

This idea was pulled from the UK government's program called Cyber Essentials.

The paper also proposes the creation of an enforceable code under a federal piece of legislation to increase the adoption of cybersecurity standards. It said the Privacy Act has the greatest potential to set broad cybersecurity standards in relation to personal information.

"Establishing a code under the Privacy Act could drive the adoption of cybersecurity standards across the economy by creating regulatory incentives for uptake," it said.

This code would specify minimum, rather than best practice approaches, but said it was unrealistic to mandate the Australian Signals Directorate's Essential Eight through a cybersecurity code.

See also: ACSC introduces Essential Eight zero level cyber maturity and aligns levels to tradecraft

A cybersecurity code would have some limitations, however, and would only apply to the protection of personal information. A code would also only apply to entities that are covered by the Privacy Act.

The government is also considering regulatory approaches to increasing responsible disclosure policies, again posing a voluntary and mandatory option.

The voluntary option would see the government release guidance or toolkits for industry on the process of developing and implementing responsible disclosure policies. The mandatory option, it said, could be incorporated into the potential cybersecurity standard for personal information.

The paper also discusses the introduction of clear legal remedies for consumers after a cybersecurity incident occurs, as currently there are limited legal options for consumers to seek remedies or compensation.

It asks respondents what amendments can be made to the Privacy Act 1988 and Australian Consumer Law to sufficiently cover cybersecurity, as well as what other actions should the government consider.

Regulating IoT devices is also proposed. 

"We believe that one reason that many smart devices are vulnerable is because competition in the market is primarily based on new features and cost," the paper says. "Unfortunately, consumers often aren't able to tell the difference between a secure and insecure device, which limits commercial incentives to compete on cybersecurity and leads consumers to unknowingly adopt cybersecurity risk."

In a bid to mitigate this, the government last year released the voluntary Code of Practice: Securing the Internet of Things for Consumers that contains 13 principles, or expectations the government has on manufacturers, about the security of smart products.

The discussion paper suggests taking this further and making the code mandatory. The standard would require manufacturers to implement baseline cybersecurity requirements for smart devices.

It also believes consumers do not currently have the tools to easily understand whether smart devices are "cyber secure" as there is often a lack of clear, accessible information available to them.

Potentially remedying this are proposals that would include the introduction of a voluntary star rating label or a mandatory expiry date label.

Details on how the former would take shape are slim, but the discussion paper details similar schemes underway in the UK and Singapore. The Singapore scheme consists of four cybersecurity levels, with each indicating a higher level of security and/or additional security testing.

The mandatory expiry date label, meanwhile, would display the length of time that security updates will be provided for the smart device. This kind of label would not require independent security testing, and therefore would be a lower-cost approach compared to a star rating label, the government said. In its "pros and cons" table, the government highlights the expiry date option as its preferred way forward.

Submissions on the discussion paper close 27 August 2021.


Editorial standards