In the second in our series of blogs covering our work on cyber security, Dr Madeline Carr, an associate professor at UCL who is part of the PETRAS Internet of Things Research Hub, explores the international policy dimension of Internet of Things (IoT) security. PETRAS has contributed extensively throughout the DCMS Secure by Default review.
One of the big challenges of our time is how to manage technological innovation so it makes our lives better without eroding things we care about – like security and privacy. The benefits that developments in fields like the IoT offer are extraordinary, exciting and promising, but only if devices and services are adequately secure. Otherwise, problems with data privacy, interoperability and breaches of IoT security threaten to undermine the social and economic benefits which can be derived from the IoT. Gauging where governments should intervene in innovation and where this can be left to the market has always been a difficult balance, but there is now a general consensus forming that market forces alone will not deliver a secure Internet of Things.
Secure by Default
From driverless cars to smart energy meters, the IoT is a field so rich in promise that governments worldwide are working hard to ensure the right conditions are in place to get this balance right. Rethinking how we approach design and development so IoT devices are secure by the time they reach the market is a fundamental shift. ‘Secure by Default’ is an approach that places the onus back on manufacturers and software developers to ensure a much higher level of security before their devices reach the shops. And to ensure a level playing field in a competitive market, government intervention in the form of guidelines is one important and useful mechanism currently being explored by many states.
Ultimately though, the global nature of the supply chain and the complexity of IoT data systems and services mean nobody’s problems will stop at the border.
Early Efforts at Global Coordination
While governments have taken up and confronted many difficult issues to do with cyber security more generally, there has, to date, been surprisingly little explicit focus in the international community on how to cooperate and collaborate on securing the Internet of Things.
The IoT security landscape is dominated by organisations and forums that focus on technological coordination. Although global policy coordination has been limited, there have been a few important and encouraging initiatives. The OECD facilitated an IoT-related event at the Technology Foresight Forum 2014 in Paris. The World Economic Forum has established a Global Agenda Council on Cybersecurity which includes IoT and, given the anticipated implications of the IoT for the global digital economy, this may well be a suitable forum for IoT security policy. At a regional level, the European Commission’s Internet of Things Unit and Alliance for Internet of Things Innovation (AIOTI) both play an important role in EU policy coordination.
Despite these efforts, there is a worrying lack of dialogue about IoT security policy coordination at the international level. Sharing best practice, coordinating approaches, and of course, resolving disputes about standards, governance and policy of the IoT, all represent important opportunities for supporting growth and innovation in this space. Some governments, like the UK, US and EU, have invested heavily in research to support policy options for the cyber security of the IoT. Given the complexity of the challenge and the rapid pace at which IoT devices and services are moving into the marketplace, it will be important to share that research as widely as possible. Agreeing where and how this should be carried out is an important first step.
All governments have a deep interest in the ongoing security of the Internet of Things and consequently, agreeing some baseline measures, guidelines and expectations of device and services security should be a priority at the international level. The UK is taking a lead in this area and is now coordinating an event at the March 2018 ‘Living in the IoT’ conference to raise questions on how and where we can tackle international policy coordination on IoT security. It is sure to be the beginning of a long, ongoing and necessary international conversation.