The Australian government has introduced its first-ever standalone cyber security act. Along with two other cyber security bills, it's currently being reviewed by a parliamentary committee.
Among the act's many provisions are mandatory "minimum cyber security standards for smart devices".
This marks a crucial step in defending the digital lives of Australians. So what devices would it apply to? And what can you do right now to protect your smart devices from cyber criminals?
Smart devices are everywhere
The new legislation aims to cover a wide range of smart devices - products that can connect to the internet in some way.
This includes "internet-connectable" products - think smartphones, laptops, tablets, smart TVs and gaming consoles. It also includes indirect "network-connectable" products, which can send and receive data. This means things like smart home devices and appliances, wearables (smart watches, fitness trackers), smart vacuums and many more.
Simple electronic devices that don't connect to the internet or can't store or process sensitive data are not included.
According to one study, 7.6 million Australian households - more than 70% - had at least one smart home device by the end of 2023, and 3 million of those households had more than five.
To work as well as they do, smart devices typically collect, store and share data. This can include sensitive personal information, health data and geo-location data, making them attractive targets for cyber criminals.
A notorious example is the Mirai botnet in 2016, when cyber criminals infected more than 600,000 devices such as cameras, home routers, and video players globally to use them in massively disruptive network attacks, known as a distributed denial-of-service (DDoS).
Even implantable medical devices, such as pacemakers and insulin pumps, can have security flaws that could be exploited.
Just last week, the ABC reported that one of the world's largest home robotics companies has failed to address security issues in its robot vacuums despite warnings from the previous year.
The consequences of such vulnerabilities can be even more dangerous when smart devices are part of critical infrastructure. As these devices become more interconnected, a breach in one can compromise entire networks, amplifying the security risks.
What will be the 'minimum' security standards?
The new cyber security act provides for "mandatory security standards" for smart devices. It establishes the legal framework for enforcing these standards, but doesn't explicitly outline the technical details smart devices must meet. In the past the Department of Home Affairs has suggested that Australia consider adopting an international security standard, such as ETSI EN 303 645.
The bill's focus is on securing connected devices to protect users from internet-based threats, vulnerabilities and risks.
In practice, this means manufacturers will have to ensure their products meet these minimum security standards and provide a statement of compliance. And suppliers will have to include statements of compliance with the product, and will be forbidden from selling non-compliant products.
All this will be enforced through the Secretary of Home Affairs, who can issue compliance, stop, or recall notices for violations of these rules.
You can do your bit to stay safe
The proposed cyber security act is a significant step forward in protecting Australians from the growing threat of cyber attacks on smart devices.
But this may only apply to new devices or ones still receiving updates from manufacturers. Exact details on how the legislation will apply to existing devices will be determined by the government agency responsible for its implementation.
"Legacy" devices with outdated software - older products that are no longer supported and don't receive the latest security patches - are particularly vulnerable to cyber attacks.
While the government works on introducing the new cyber security laws, there are several things you can do to protect your smart devices:
- set up a strong wifi password to prevent unauthorised access to your home network
- create a dedicated, more secure wifi network for smart home devices
- always install security patches and updates promptly
- create unique and complex passwords for each account
- where possible, use two-factor authentication to add an extra layer of security
- disable unnecessary features or permissions, and be mindful of the information you share with apps and devices
- make sure you understand how your data is collected and used by apps and devices.
By mandating minimum cyber security standards and providing for effective enforcement mechanisms, Australia's new cyber security act will help keep consumer devices safer.
However, it's important to note that as technology continues to evolve rapidly, the cyber crime ecosystem is also expanding. The global cost of cyber crime is projected to reach US$9.5 trillion in 2024.
Given the dynamic nature of cyber threats, relying solely on standards may not be sufficient to address all potential risks. New vulnerabilities are discovered regularly, and it's essential for every one of us to remain vigilant and practice good cyber hygiene by following the tips above.