Finding the path to a secure Internet of Things (IoT) is like the old joke about a tourist asking for directions, according to Tom Uren. "Well if I were you, I wouldn't start from here."
"If you said to me, 'Let's create a world where people sell really insecure products that can be used to attack the very fabric of the internet, let's do that,' I think most people would say 'No, no, that's probably not a good idea.' You should probably step in and do something and stop that kind of world. And yet this is the world we're in," Uren told ZDNet.
"We're almost certain that things are in the wrong place now, but it's really hard to tell what the right next step is. But we should probably do something."
Uren is a visiting fellow at the International Cyber Policy Centre (ICPC) at the Australian Strategic Policy Institute (ASPI), and is co-author with research intern Eliza Chapman of the issues paper, The Internet of Insecure Things, released on Monday.
The key messages of this brief paper are that an insecure IoT is a threat to Australia's critical infrastructure; that it isn't entirely clear who's responsible for defending what; and that it isn't clear how standards and regulation would work or even help.
"Digital weapons are being used intentionally by nation-states to inflict physical destruction or compromise essential services," Uren and Chapman wrote, noting the presumed Russian attacks on Ukraine's power grid.
As an example of how a similar attack could affect Australia, they offered the severe storm that cut power to 850,000 customers in South Australia in 2016.
"Trams stopped working, as did many traffic lights, creating gridlock on flooded roads. The storm, together with the failure of backup processes, resulted in the death of a number of embryos at a fertility clinic in Flinders Hospital. The total cost for South Australian businesses as a result of the blackout was estimated to be AU$367 million," they wrote.
"Disrupting utilities that power an entire city could cause more damage than traditional terror tactics and can be done externally and with more anonymity. Again, severe storms demonstrate that a loss of power can cause more deaths than the physical destruction of infrastructure."
Australia's structures for dealing with cyber attacks are "complex", Uren and Chapman wrote.
"Government cybersecurity responsibilities have recently been reorganised through the establishment of the Department of Home Affairs and structural changes to the Australian Signals Directorate [ASD] and ACSC [Australian Cyber Security Centre]. Getting a clear picture of roles and responsibilities was difficult, and it would be beneficial to identify any gaps in roles and responsibilities after these recent organisational changes have been properly implemented."
The paper casts doubt on the utility of a security rating for IoT devices -- dubbed the Cyber Kangaroo in Australia -- a concept that the then minister assisting the prime minister on cybersecurity supported in October 2017.
The energy efficiency of a refrigerator or washing machine can be tested once, and it'll stay the same for the life of the product. But the security of an IoT device can suddenly drop to zero if a new vulnerability is discovered and the manufacturer has gone out of business.
"People really need to think about what you're trying to rate," Uren told ZDNet.
"Maybe you're trying to rate the trustworthiness of the company, or whether the company issues patches, or whether it's got a long track record of producing rubbish," he said.
"So much of it is related to the global economy. People buy these devices because they do have some value. You're trying to weigh up the value a device has to the purchaser, versus a cost it might have to someone else for its security and so forth."
As the paper put it: "It's the authors' view that our current policy and regulatory settings are almost certainly suboptimal, but effective management of the IoT from a government policymaking perspective requires many difficult trade-offs, and easy answers aren't immediately apparent."
While the paper does highlight the threat to critical infrastructure, Uren said that so far Australia has been "almost a backwater" in this regard. He also thinks we should move on from the image of a massive cybergeddon that shuts down society, to something more subtle.
"People often think of IoT very narrowly as consumer-level devices, but some of, I think, the real big and serious problems are in the industrial space, and also the medical space," Uren told ZDNet.
"I think the scenario of just randomly somehow everything going bad, and cars crashing into each other, was never very realistic. What makes me really worried is when we actually have proof that really well resourced organisations are actually working on these problems. Then it moves from the theoretical 'That makes a nice story' to the 'Oh shit, actually someone could do that [and we'd] better do something to make sure it doesn't happen," he said.
"I think losing your electricity networks would be really bad."