A wide but cozy net - IoT security standards in the Cyber Security Bill

The Cyber Security Bill 2024 and its related legislation have received significant attention over the past few months; and more eminent minds have written high-level summaries of what can be expected by stakeholders and security practitioners.

However, as a person who has become increasingly curious about legislative phrases requiring “compliance” with a standard (more on that in another post, or a paper, at a later date), I became curious about the “Security standards for smart devices” in Part 2 of the Bill (Standards Part). I was surprised by what I found. I’ve sought to summarise my thoughts, and what I've been able to discern about how the bill will operate, below.

In my opinion, the effect of the Bill should be considered by any entity that is involved in the manufacture, rental, importation or other dealings involving electronic devices of any variety (not just manufacturers of “classic” or “commonly recognised” IoT devices).

A consultation period in relation to the Rules will be opened for a minimum of 28 days at some stage soon, and manufacturers should begin preparation to engage to ensure that their interests are not jeopardised. Commencement of the Bill is set at a 1 year maximum from assent, so we can expect consultation on the Rules to occur soon (so that they can be drafted before the automatic commencement).

Key takeaways

  • The Minister for Home Affairs has a broad power to make rules that create security standards for (1) “specified classes of relevant connectable products” that will be acquired in Australia in (2) “specified circumstances”.
  • The specified classes of products are yet to be determined. The Minister must consult on this point, and this appears to be one of the main ways for manufacturers to keep low risk products out of the limelight.
  • The meaning of ‘relevant connectable product’ is very broad, and appears to initially capture everything from extremely low-risk products to highly sensitive components of critical infrastructure.
  • The “specified circumstances” are yet to be determined. The Minister will also consult on this point. Given the legislative history of the Bill, there appears a reasonable chance commercial supply will be exempt.
  • Covered entities - manufacturers and suppliers: the Bill adopts the meaning of 'manufacturer' and 'supplier' used in the Australian Consumer Law. As a result, equipment hire entities, importers, and white-labelling retailers might be captured by the scheme.
  • Obligations: There is a requirement for manufacturers and suppliers to comply with any security standards specified in the Rules. For the avoidance of doubt, obligations apply to the entity and the product. There is also a requirement for manufacturers and suppliers to provide a “statement of compliance”.
  • Penalties and enforcement: There is no penalty for failure to comply at this time. However, the Minister may, after a few steps, publish a notice which draws attention to the failure. In contrast, the equivalent scheme in the UK provides for monetary penalties in excess of £10m.

There’s more detail below for those who seek it.

Scope – relevant connectable product

The Standards Part of the Bill applies to any “relevant connectable product”, which, in simplified terms, captures two types of products.

First, it captures ‘internet-connectable products’ which are any products you can connect directly to the internet (think anything from a home internet router to an internet connected mailbox).

Second, it captures ‘network-connectable products’. The definition is complex, but it can be roughly simplified to include:

  • any device you can connect to an internet-connectable product using normal networking (Wi-Fi/Ethernet/Fibre);
  • any device which can connect to two or more devices at one time using a communications protocol which is not in the internet protocol suite (this would capture high-end Bluetooth speakers and smart watches);
  • any device which can connect to an internet-connectable product using a communications protocol which is not in the internet protocol suite (this would capture devices as “dumb” as, say, a Bluetooth heart rate monitor, a keyboard, a webcam, or a barbecue thermometer).

There is also a provision which interacts with the last definition, designed to capture devices which indirectly link to a computer (which probably covers things like wireless USB receivers, USB hubs, and so-on).

As I’ve alluded to, I’m of the view the definition is bordering on overbroad – but the Rules should, for practical purposes, greatly reduce the number of products which give rise to obligations.

The Rules

Section 87 of the Bill gives the Minister the power to make rules. Section 14(1) provides that the Rules may “make provision for, or in relation to, security standards for specified classes of relevant connectable products that will be acquired in Australia in specified circumstances.” Notably, sections 87(3)–(4) provide for a minimum 28-day notice period during which submissions can be made, and any submissions received in that period have to be considered before the rules are made.

I am of the view the consultation phase will be very important for manufacturers and suppliers of relevant connectable products for the following reasons.

As to consultation on coverage, given the enthusiasm (I use that word with no ill meaning) to secure IoT products, it is possible that manufacturers will basically have one narrow shot at ensuring their products are carved out of the class of “specified products” under the Bill. I would expect to see significant discourse on:

  • the types of specified circumstances included (e.g., whether to cover consumer retail only, or whether to capture business-to-business sales) – the consumer protection policy background in the Explanatory Memorandum suggests this might be the case; and
  • specified classes of products (noting that the UK only carved out a very limited list of products such as medical products and electric vehicle charge points).

As to the content of the security standards, there are remarks in the Explanatory Memorandum which suggest an intention to broadly align with the Product Security and Telecommunications Infrastructure Act 2022 (UK) (UK Act). On that basis, one might initially expect that the Standards will be minimal and require:

  1. unique passwords which are not easily guessable, and which are not susceptible to reverse-engineering (precise guessing – my words);
  2. publication of a point of contact for “security issues reports” relating to hardware, pre-installed software, and software which must be installed to use the product for the manufacturer’s intended purpose; and
  3. publication of a “minimum support period” during which security patches will be available.

(See Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (UK), Sch 1)

However, the power to make “security standards” is broadened by section 14(3), which basically allows for a reference to an external document. And sections 15(2) and (4) provide that “The entity must comply with any other requirements of the security standard that apply […]”. Conceivably, the Minister could go further than the UK, and bind manufacturers or suppliers to an entire ISO/IEC standard (such as ISO/IEC 30141 – Internet of things – Reference architecture), which might have operational impacts. I can see the power being used in that way where an IoT product has a near-permanent link to its manufacturer.

Ultimately, the position remains unclear until consultation gets underway.

Obligations

There are, broadly speaking, two obligations. One relates to the supply/manufacture of products, and the other relates to certificates of compliance.

It should be noted that the definition of "supplier" and "manufacturer" are the same as under the Australian Consumer Law. This may broaden the scope of application beyond the ordinary meaning of those words. Organisations involved in things like equipment hire, importation of goods from overseas, and white-labelling of generic products should get advice about whether they are a manufacturer or supplier.

Supply and Manufacture

Under s 15(1), manufacturers must manufacture relevant connectable products in compliance with security standards if they are aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in the specified circumstances.

Under s 15(3), suppliers must not supply a relevant connectable product which does not comply with security standards in the specified circumstances if they are aware, or could reasonably be expected to be aware, that the product will be acquired in Australia in those circumstances.

As noted above, sections 15(2) and (4) have the effect of allowing the Minister to bind the manufacturer and supplier to other security standards which don’t directly concern the product in question.

As a side note, I’ve seen some discrepancies in how the obligation in 15(3) has been described. Some firms have described it as a simple obligation for manufacturers. I think that’s related to the fact that there’s a sub-heading which reads “manufacturers must comply” above the whole of section 15. In my view, section 15(3) also captures suppliers who have nothing to do with the manufacture of the product. I think there should have been a sub-heading which read “suppliers must comply” between sections 15(2) and 15(3). That’s supported by:

  • the Explanatory Memorandum (at [109]) which provides that “Section 15 of the Bill when enacted provides the broad obligations on entities who intend to supply or manufacture a relevant connectable product […]”; and
  • the drafting in section 16, which includes a subheading which refers to suppliers between sections 16(2) and (3).

There is also an exception to this obligation, covered below.

Certificates of compliance

Under section 16, manufacturers have to provide a statement of compliance with any applicable security standard (sub-s (1)), and retain a copy of that statement for a period specified in the rules (sub-s (2)).

Similarly, a supplier must supply the product with a statement of compliance (sub-s (3)), and retain a copy of that statement for a period specified in the rules (sub-s (4)).

The Rules will contain specifications for the content of the statement of compliance, and the retention period manufacturers and suppliers must abide by.

Exception for certain suppliers and manufacturers

Presumably for constitutional reasons, the Bill has a partial exception which I am sure will become an important area for legal advice given to foreign and multi-national companies.

The thrust of the exception is as follows:

  • if an entity is (a) a corporation within the meaning of the corporations power of the Constitution; or (b) engaged in international/interstate trade or commerce, they’re covered (using the international affairs / interstate trade and commerce power); and
  • if they’re neither of the above, the Standards only apply to the extent that a relationship to the telecommunications power in the Constitution can be established (such as where the product uses a carriage service to connect to the internet).

Two points of morbid curiosity arise:

  1. It seems as though this might have the effect of completely excepting products sold by overseas corporations (non-Constitution corporations) which exclusively rely on satellite communications (think Starlink). Perhaps a matter for another day… And if anyone knows the answer off the top of their head, I’d welcome it.
  2. The way that section 16 (regarding the statement of compliance) is drafted, it looks to me as though the manufacturer/supplier would still have to supply a statement of compliance, even if they were not required to comply with section 15…

Powers and enforcement

The Secretary is granted a 4-phase process for risk reduction, and not much more. It works as follows, at a high level:

  • The Secretary has a discretion to issue a “compliance notice” if they are reasonably satisfied an entity is not complying with the obligations in sections 15 and 16. Before issuing a notice, there’s a minimum 10-day procedural fairness period (sub-s (3)).
  • After issuing the compliance notice, the Secretary may issue a “stop notice” (section 18).
  • If, still, the entity does not comply, the Secretary may issue a “recall notice” (section 19).
  • Finally, if the entity does not perform a recall, the Secretary is granted a power to publish information identifying the non-compliant entity, the product, details of the non-compliance, and risks posed by the product.

Somewhat surprisingly, a contravention of the obligations in the Standards Part of the Bill does not give rise to any of the usual provisions for regulatory issues such as fines, civil penalties, injunctions or otherwise. However, monitoring under Part 2 of the Regulatory Powers Act is available.

Thomas Spence-King

Cyber Security Manager / Senior Penetration Tester at KPMG Australia

3 months

Nice one Zane. I skimmed over it and will need to read over it later, but I got the vibe that for each device class it would have been good to have a reference build and update approach for some of the more popular platforms used in IoT and comms. Anyway, that was a great write up and I look forward to more!!!
