Today will see the publication of a report from DCMS. Part of the report details a Code of Practice – with clear guidance on what we should expect companies to be doing to secure products. It will be the ideal point for many more to join the discussion: whether, and if so when, to regulate, and how the suggested Code of Practice might be improved.
As part of the Secure by Design review, the Department for Digital, Culture, Media and Sport (DCMS) has engaged with a variety of experts over the past fifteen months to understand what needs to happen to ensure consumer Internet of Things devices are secure by design. One of the areas where there is, perhaps surprisingly, a wide variety of views is whether to regulate.
Rules and responsibilities
At one end of the spectrum, there are those who feel manufacturers, retailers, and service providers have all had long enough to get security “sorted out”. Companies are not paying sufficient attention to securing their products, or to the variety and scale of cyber attacks. Consumers continue to be exposed and, in many cases, exploited. It is going to require governments to regulate before anything changes, and that regulation needs to come into force as soon as possible. Companies that do not secure their products should be subject to increasingly severe penalties.
But many disagree with this point of view. Some argue it is more appropriate to direct regulation towards particular kinds of companies, often expecting manufacturers or internet service providers to shoulder more of the responsibility. At the other end of the spectrum are those who feel that because the ecosystem around designing, manufacturing, selling, and servicing new devices is sufficiently complex, we shouldn’t expect companies to know what is needed, or how much security is enough. Therefore, they feel that we are still a long way off understanding what kind of regulation would work best.
Finding a balance
Given the presence of sophisticated attacks that might exploit several small weaknesses in a device and its associated services, some argue we need to be prepared for a lot of shifting of blame – should some particularly damaging complex attack occur. And there is also a fear that any country unilaterally introducing regulation might deter local innovation and inward investment.
As the topic was discussed, consensus grew around the view that regulation will need to happen at some point, although differences persist as to when. There is, however, strong agreement that we should not regulate until we are clear about what we expect companies to be doing. This then raises the question of what form guidance should take.
Guidance that is too abstract or high-level allows for different interpretations. Whilst attractive to many companies, it makes assembling bigger systems out of parts from different manufacturers, which might have approached security in different ways, more challenging. Such a variety of approaches does not help when we have a skills shortage: it places unreasonable burdens on those companies with little security expertise, and leaves consumers with a potentially impossible task in understanding what they need to worry about for each of their many devices. On the other hand, guidance that is too specific or prescriptive is likely to be made obsolete very quickly by continued rapid advances in technology.
Leading the way
It has been a pleasure to chair the DCMS Secure by Design Expert Advisory Group and to support the development of the proposals. Madeline Carr has highlighted the need to address the issues internationally. I encourage you to join in and help the UK to continue being a leading voice in ensuring that all of our connected devices are secure by design.