Canberra Proposes IoT 'Star Ratings' and Mandatory Cyber Standards for Large Business

The federal government wants to improve Australia's cybersecurity laws. It has proposed seven policy changes, including mandatory governance requirements for bigger companies, a code for how personal information is handled, and a mechanism for regulating smart gadgets.

The government is proposing [PDF] either a voluntary or obligatory set of governance guidelines for bigger companies that would "define the duties and offer assistance to boards" to "better safeguard the economy from cybersecurity risks."

While the core of both alternatives is the same, the obligatory code would compel the businesses covered to achieve compliance within a certain period, so a required code would also have to be enforced. A voluntary option, by contrast, would not require particular technological controls to be implemented and would instead be regarded as a recommendation.

The government, on the other hand, would like the code to be optional, stating that "on balance, a mandated norm may be too expensive and onerous given the present state of cybersecurity governance, and in the middle of an economic recovery, compared to the advantages it would offer."

It also said that no current regulator had the necessary skills, knowledge, and resources to establish and implement a required norm.

Meanwhile, a "cyber health check" feature for small companies has been proposed.

A small company that participates in a voluntary cybersecurity health check program will get a trust mark that they may use in marketing. According to the document, businesses asking for the health check would self-assess their compliance with a minimum degree of due diligence supplied by the government or a third party. It would also have a 12-month expiration date.

This concept was inspired by the UK government's Cyber Essentials initiative.

To promote the adoption of cybersecurity standards, the report also recommends establishing an enforceable code under federal law. According to the report, the Privacy Act has the greatest potential to establish comprehensive cybersecurity requirements for personal information.

On the other hand, a cybersecurity code would have certain restrictions and would solely apply to the protection of personal information. In addition, a code would also only apply to organizations subject to the Privacy Act.

The government is also contemplating regulatory methods to improve responsible disclosure standards, with both voluntary and obligatory options being considered.

The government would provide advice or toolkits for the industry to establish and implement responsible disclosure policies under the voluntary option. In addition, according to the report, the obligatory option may be included in a future cybersecurity standard for personal information.

The report also addresses the implementation of clear legal remedies for consumers after a cybersecurity event since there are presently few legal alternatives for customers to seek remedies or compensation.

It asks respondents what changes to the Privacy Act 1988 and Australian Consumer Law may be made to adequately address cybersecurity, as well as what additional measures the government should consider.

Regulating IoT devices is also proposed.

Last year, the government issued the voluntary Code of Practice: Securing the Internet of Things for Consumers, which sets out 13 principles, or expectations the government has of manufacturers, regarding the security of smart devices.

The discussion paper goes on to propose that the code be made obligatory. Manufacturers would be required to adopt baseline cybersecurity standards for smart devices under the standard.

It also thinks that customers presently lack the skills to readily determine if smart gadgets are "cyber secure" due to a lack of clear, accessible information.

Proposals such as adopting a voluntary star rating label or an obligatory expiration date label may help address this.

Details on how the former would be implemented are few, although the discussion paper mentions comparable systems in the United Kingdom and Singapore. Singapore's cybersecurity labelling system is divided into four tiers, each signifying a greater degree of security and additional security testing.

Meanwhile, the required expiration date label would indicate how long security updates would be supplied for the smart device. According to the government, this kind of label would not need an independent security assessment and would be a lower-cost option than a star rating label. Accordingly, the government's "pros and cons" table presents the expiration date option as its preferred path ahead.
