In the first of a series of blogs covering DCMS’s work on cyber security, Martin Sadler, Chair of DCMS’s Secure by Default Expert Advisory Group explores the Secure by Default Review, which looks at how the Internet of Things (IoT) market has developed and what impact this has on the cyber security landscape.
As we put our day-to-day devices, and every aspect of our lives, online, we are rapidly turning yesterday’s science fiction into reality. Five years ago, very few individuals would have predicted that driverless cars or digital assistants would have become a reality quite so quickly. Yet for all the fantastic digital opportunities that are opening up, not a day goes by without some story of a device being hacked or our personal data being compromised. We’ve heard through recent media coverage about the risks of connected devices threatening our privacy, security and even now, our safety. For example, you may have heard of smart toys secretly storing records of our conversations; and the potential for devices such as baby monitors and webcams to record our daily routines. So why isn’t the security of our internet connected devices being done properly?
In a global economy, the incentives to be first to market are enormous. In the past we might have seen devices extensively tested, and services trialled, before being released. Today’s winners release early and use their customers to help develop their devices and services into something more substantive.
It is also more efficient and cheaper to re-use existing software. Today’s devices, and associated services, are assembled from components whose security might well be poorly understood. And it is this combination of the pace of development, together with the repurposing of software for tasks it wasn’t originally designed for, that has pushed security into the background. Thinking through all the possible ways someone might subvert an online device, and then checking that the defences will be adequate, is both difficult and time consuming. Building security in would be ideal, but in practice, at best, it is bolted on late in the day. The fear that another company will get to market quicker deters many from spending time and resources on security.
It is also too easy to push the burden on to consumers: they should set strong passwords, but not the same ones they use for other services, and they should make sure software is kept up to date. That guidance might have worked in a world of just a few internet connected devices and services. But securing the home is already unmanageable, and as we move to not just dozens, but hundreds of devices, that have to work not just in the home, but on the move, at work, and in other people’s homes, today’s guidance does not scale. And the problem is compounded by those attacks that have little direct consequence for the individual, but might have significant consequences in aggregate: why should a consumer care if their device is being used as part of a distributed denial of service attack on someone else, if it doesn’t affect them personally and their own service isn’t being interrupted?
Companies are incentivised to not prioritise security, and consumers cannot carry the burden. But to enjoy the benefits of our digital world we are going to have to do a lot better. In last year’s Cyber Security Regulation and Incentives Review, DCMS said it would consider what incentives might be needed to build security into internet-connected products and services. This work is looking at what we should be expecting from vendors, consumer IoT manufacturers, retailers, service providers, and users; and just how much security we should expect to be there by default. After all, we want internet connected devices to enhance people’s lives and our digital economy, not to create further cyber security risks. In future blogs, DCMS and other experts who are supporting this work will further outline the challenges and how best they might be addressed.