No stars for Australia's missing IoT cyber stars

Voluntary codes of practice aren't good enough. Australia needs a cybersecurity rating system for the Internet of Things, and it needs to have teeth.
Written by Stilgherrian, Contributor

Australia should think about implementing some sort of cybersecurity quality rating system for Internet of Things (IoT) devices, according to a range of submitters to the review of the nation's Cyber Security Strategy 2020.

"Perhaps something similar to [the] energy star rating on white goods," wrote the Queensland Government Cyber Security Unit in a typical comment.

"Customers are unable to make choices if they are not able to get the information they require."

Deloitte said much the same: "Consumers often make decisions within a bounded length of time and a ratings system would give clarity to their decision making. It is important to avoid long reports that are difficult and tedious to read."

The Australian Communications Consumer Action Network (ACCAN) took a more cautious approach, calling for the idea to be "carefully considered".

"While this could support consumers to differentiate between connected devices based on security features and may offer manufacturers clearer incentives for better security features, it may be difficult to maintain," ACCAN wrote.

"Indeed, enforcing a 'trust' label is made even more difficult given that security threats are continuously evolving and emerging."

PwC suggested "exploring and testing a way to provide 'Cyber Security/Safety Star rating'," again so people can "make more informed choices".

The IoT Alliance Australia (IoTAA) is already operating the Security Trust Mark (STM) for the "higher impact levels", in such areas as transport, health, agriculture, industrial control systems, and smart cities.

Their scheme could be extended to consumers.

As the IoTAA wrote: "Voluntary accreditation schemes provide compelling commercial incentives for suppliers to participate when consumers and businesses actively seek products carrying the label."

A ratings system, or at least some sort of stamp of approval backed by a compulsory minimum standard, was also proposed by a range of commercial businesses, non-profits, and private individuals.

In your writer's view, this represents solid support.

Alas, the concept of such a system has been "dead" under previous prime ministers and ministers, according to Michelle Price, chief executive officer of AustCyber, the Australian Cyber Security Growth Network.

"I'm keen to see the concepts for a cyber star or similar rating system," Price told ZDNet.

"We should explore it but properly and openly debate how a system would operate. If done well, ratings could be a key mechanism for raising the bar."

The idea of a cybersecurity rating system has been around for at least three years.

IoT security is essentially a commercial problem, so it needs a commercial fix, said Andrew Jamieson, technology and security director at safety science company UL, in May 2016.

Jamieson's proposed solution was a "Security Star" rating, along the lines of the energy and water-use ratings for household appliances, or the US Department of Transportation's 5-Star Safety Ratings for cars.

Then in December 2016, a similar "Cyber Kangaroo" stamp of approval was proposed during the so-called "360° Cyber Game" conducted jointly by RAND Corporation and the National Security College (NSC) at the Australian National University (ANU) in Canberra.

A rating system wouldn't be without its problems, of course. Price says it's "an interesting and highly complex endeavour" that "gives rise to many questions". Here are just a few.

What is being measured, exactly? What is being communicated? What is the intended outcome?

Does a rating get reviewed if there is a breach? Do the stars get stripped if there's a compromise?

What standards are used, and how do they relate to concurrent standards and regulations domestically and, for exports, internationally?

Then there are jurisdictional issues.

Are the stars only for the Australian aspects of cybersecurity operations? Does one star in one environment equate to the same one star in another environment, for the same product or service?

Who's even running the system, government or private sector?

Some nations are tackling these problems, but not Australia. The recently released draft IoT cybersecurity code of practice goes no further than suggesting a voluntary set of best practices.

The 2020 strategy discussion paper [PDF] mentions IoT only twice, however. One is just waffle, "The internet of things will continue to transform the way we live, work and interact with each other". Wow. The other is reporting that the Australian Signals Directorate (ASD) has set up an IoT test lab.

In my view, and that of so many commenters on the 2020 strategy, there needs to be a solid focus on IoT, and the system needs actual teeth.

Disclosure: Stilgherrian was one of the participants in the RAND/NSC 360° Cyber Game in 2016.
