In mid-October, Dan Tehan, the minister assisting the prime minister on cyber security, announced that the Australian government is considering introducing new legislation on the internet of things (IoT; for an introduction to this topic, see my previous post). Under the proposed legislation, IoT device makers would have to include a security rating on their products. The concept is similar to an energy efficiency rating, which became mandatory for certain appliances in Australia in 2012. Introducing a ‘cyber kangaroo’ rating is an appealingly practical measure that, if it’s done well, could improve consumer awareness of cybersecurity issues and encourage industry to adhere to minimum security standards. But there are several reasons why it would be more difficult to implement than an energy rating, and why it could potentially increase consumers’ susceptibility to attack.
First, the vulnerability of an IoT device is likely to vary over its lifetime as weaknesses are discovered and then patched. The energy efficiency of a refrigerator or washing machine, by contrast, is relatively fixed. When UK police chief Mike Barton suggested a security rating for IoT devices earlier this year, tech editor Samuel Gibbs correctly noted that ‘a device’s resilience to attack from cyber criminals can change over time’. Cybercrime is an ever-evolving discipline and new vulnerabilities are constantly being exposed. At best, a security rating would only reflect the security information about a device at the time of manufacture.
The firmware in modern cars is one example of a product whose security may change over time. In 2015, Charlie Miller and Chris Valasek hacked a 2014 Jeep Cherokee and were able to remotely control the steering and brakes and drive the car into a ditch. A notionally safe car had been rendered provably insecure. The vulnerability was then patched, making the car ‘safe’ again, until Miller and Valasek hacked the same car a year later (albeit not remotely). This cycle of hacks and patches could render an initial security rating meaningless and shows that the vulnerabilities of a particular device (or set of devices on wheels) can’t accurately be defined by a manufacturer’s sticker.
Another obstacle that the cyber kangaroo would need to hop over is the variation in IoT products. A Jeep Cherokee and a baby monitor present vastly different dangers, but compromise of either can have serious consequences. While there’s no doubt that the IoT needs security standards, some categories of devices that are safety-critical probably require commensurately robust security features. It will be difficult and expensive to come up with a cyber roo that appropriately rates all the different categories of IoT devices.
Finally, a cyber rating might lull consumers into a false sense of security by negating their own role in protecting themselves from attack. Knowing that they purchased an approved device could make consumers less likely to download updates or change the original password. Humans are often the weakest link in the cybersecurity chain. The idea of placing warning labels on IoT devices has been raised and amusingly compared to the warnings on Australian cigarette packages. While increasing the public’s cybersecurity awareness is important and this idea has merit, it would need to be done in a way that doesn’t create legal loopholes for industry to forgo built-in security.
With these concerns in mind, there seem to be four possible avenues for the cyber roo:
- a pass/fail score that assesses compliance with baseline standards. For example, a product could receive a tick of approval if it has changeable passwords, uses encryption, and uses only approved communication protocols (or whatever the agreed-upon standards are)
- a pass/fail score that assesses compliance with baseline standards and also tries to assess whether device security will be acceptable in the future. That could include assessing updateability, support lifetimes and a company’s commitment to providing regular and timely updates
- a graded score that assesses manufacturers’ preparedness to meet basic security principles. For example, 0 = device cannot be patched, 1 = manual capability to patch exists but has never been used in practice, 2 = manufacturer patches occasionally, 3 = manufacturer investigates and patches vulnerabilities promptly
- a security database that is combined with a warranty repair and recall system. This would involve assigning a virtual rating to a device that is adjustable through its lifetime to take account of the latest vulnerabilities. Customers could be notified of updates or recalls by a subscription service. While it would be expensive to implement, a changeable security rating would encourage manufacturers to provide lifelong security for their devices.
The cyber roo concept is so fresh that details about how it might work are scarce, which makes it challenging to definitively support or oppose the move. An advisory committee composed of industry representatives has until the end of 2017 to present ideas to the government about how the security rating system could be adopted.
Ultimately, a well-reasoned IoT rating system has the potential to add value to the cybersecurity domain in Australia. Conversely, a simplistic rating system that fails to differentiate between manufacturers’ and consumers’ responsibilities will have a negligible impact and waste resources. Estimates indicate that 20.4 billion devices will be connected globally by 2020, so the longer it takes to implement a security rating system, the more insecure devices we’ll have in our lives. There are numerous ways that this concept could be executed, but not all paths lead to the same destination. A well-thought-out security rating system will require research and funds, and will involve much more than simply slapping a kangaroo sticker on our kitchen appliances.