The federal government has promised to make baseline cyber security standards for consumer-grade IoT devices a legal requirement, replacing voluntary recommendations in existence since late 2020.
However, it has opted against creating a “mandated expiry date sticker” that shows how long a smart gadget will receive security updates.
Karen Andrews, the Minister of Home Affairs, made the election promise this week, promising additional steps to protect IoT devices at a time when their use in homes is increasing.
“The smart device market is rapidly expanding, but devices are not always safe,” she stated on Thursday.
“By remotely accessing the identical gadgets victims bought to protect their houses, overseas hackers were able to collect personal information.”
Since July 2021, when the Department of Home Affairs initially proposed it as part of a survey, a required code of practise for IoT devices has been on the table.
Following a review, it was discovered that device manufacturers were having difficulty following “high-level principles” in the voluntary code and would like to achieve a “internationally recognised standard.”
For its domestic framework, the department advocated using the internationally recognised ETSI consumer IoT security standard, known as ETSI EN 303 645.
“We could mandate the entire ETSI standard or we could follow the UK’s lead and impose simply the top three requirements,” the discussion document adds.
On Thursday, Andrews stated that the basic cyber security requirements would be harmonised with those in the United Kingdom in order to “lower the expense and regulatory burden on companies.”
Meanwhile, like in other nations, the voluntary labelling approach will be “co-developed with industry.”
Any mandatory requirements would have to be established in new legislation, according to the department.
