Australia’s IoT industry body, the IoT Alliance Australia (IoTAA), is looking to develop a scheme to indicate that IoT devices meet minimum security levels.
“IoTAA is actively working towards defining what a security mark might look like and how it might work. It's a priority area for us,” IoTAA CEO Frank Zeichner told IoT Hub.
He said that the viability of such a scheme should be tested before any move was made to enforce IoT device security by legislation. “I’m not sure that we need or want legislation for this without first testing and understanding how this works (or doesn't),” he added.
Zeichner was responding to news that US senators have introduced a bill that would require IoT devices purchased by the US government to meet certain minimum security requirements.
Meanwhile, John Stanton, CEO of Australia’s communications industry body, the Communications Alliance, has proposed an initiative to create a safety-classification guide for IoT devices.
Stanton made his suggestion at the Prime Minister’s recent Cybersecurity roundtable. He said the initiative would give Australian consumers a clearer sense of how resistant to external attack the devices they might choose to connect would be.
“From discussions with Government I think it is likely to be one of the tasks assigned to the cyber security advisory body that the roundtable agreed should be created,” he added. “Whether we need to move to a legislative approach in Australia is an open question for the moment.”
About the US legislation
The US legislation, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, was introduced by Democrat senator for Virginia, Mark Warner, and Republican senator for Colorado, Cory Gardner, as co-chairs of the Senate Cybersecurity Caucus, along with Ron Wyden (Democrat, Oregon) and Steve Daines (Republican, Montana).
“Under the terms of the bill, vendors who supply the US government with IoT devices would have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other basic requirements,” Warner said in a statement.
He said the bill had been drafted in consultation with technology and security experts from the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University, and that it also promotes security research by encouraging the adoption of coordinated vulnerability disclosure policies by federal contractors and providing legal protections to security researchers abiding by those policies.
“I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” Warner said.
“This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
Specifically the legislation would:
- Require vendors of Internet-connected devices purchased by the US federal government to ensure their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities
- Direct the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality
- Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the US Government
- Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines
- Require each executive agency to inventory all Internet-connected devices in use by the agency.
The bill has endorsements from the Atlantic Council, the Berklett Cybersecurity Project at Harvard University’s Berkman Klein Center for Internet & Society, the Center for Democracy and Technology, Mozilla, Cloudflare, Neustar, the Niskanen Center, Symantec, TechFreedom, and VMware.