'Cyber kangaroo' ratings for IoT security? Jump to it, says Australia's cyber security minister
Proposed labelling scheme will try to match similar efforts in UK, USA
Australia's government hopes that somewhere in the world, a vendor of consumer-grade connected electronics is willing to admit it's rubbish at security by giving itself a low score in a proposed safety rating system.
The idea of security ratings for internet things emerged during last year's 360° Cyber Security Game, co-hosted by the Australian National University's National Security College and Rand Corporation. Vulture South's Simon Sharwood was a participant in the games, and was even a member of the team that suggested a star-rating scheme.
The report [PDF] that summarised the Game made detailed the idea as follows:
One proposed solution was to create a check-mark system for quality assurance of cyber devices that is both visible on device packaging and understandable to consumers. Exercise participants colloquially described this as a ‘cyber kangaroo’ logo. Local governments, together with industry, have an opportunity to develop a framework for the cyber kangaroo, including the design of the measurement criteria and enforcement and monitoring mechanisms. This group could also consider how to respond the first time a product with the cyber kangaroo logo is hacked and who would be responsible for responding to such an attack.
(The Register emphasises the “cyber kangaroo” was, we assure you, someone else's idea.)
Fairfax Media now reports that Australian bureaucrats have been in touch with companies like Amazon, Google, Microsoft, Telstra, Optus and others over the scheme.
Dan Tehan, Australia's minister assisting the prime minister for cyber security, has pointed to draft legislation in America and said “this is something we might need to look at”.
He also said talks had begun to try and make sure Australia, the USA and Britain could take a harmonised approach to any legislation. ?
Bootnote: Vulture South saw plenty of comic potential in the idea of product labelling, but moved too slowly. Infosec researcher Troy Hunt summed up the issue nicely here.