By 2020 there will be a staggering 200 billion IoT devices in operation, according to Intel. This high number of end-points will change the way we communicate with each other and interact with our surroundings, and will have a significant impact on the UK marketplace. However, with so many connected devices out there sending data over the internet, there is the growing prospect of serious security issues.
If the IoT is not handled with care, the number of cyber attacks and data breaches will increase markedly. The steps that are taken by the authorities and other stakeholders over the next period will be crucial to ensuring a safe, efficient and successful IoT network that drives development and growth.
Bizarrely, it’s the accelerated growth in the IoT space that is raising the spectre of greater security problems. The commercial pressures that manufacturers are under have sparked a race to be first-to-market with new IoT products. Of deep concern is that manufacturers often overlook security when developing new devices. This is typically because they may lack institutional experience around working with connected devices or might not be able to afford the extra time or budget to build in adequate security. From a security perspective, the implications of this can be dire.
This somewhat ad-hoc approach to security, along with a lack of any defined IoT security standards, has resulted in damaging cybersecurity events, such as the Mirai Botnet incident in October 2016. This crippling attack saw enormous blocks of IoT devices infected with malware, which were then used to attack core Internet infrastructure. Mirai was a stark reminder of how serious cyber-attacks on vulnerable IoT devices can be. Alongside a lack of widely-adopted IoT security standards, there is the huge question of who is responsible for the security of these connected devices.
Most IoT devices are designed to remain active for years, perhaps even decades. Can we really expect consumers to ensure their devices are kept patched and up to date? Unlike a home PC, connected devices generally lack a user interface, so even the question of how to notify customers about updates remains a challenge.
In the past, if a product met standards and the terms of its guarantee, it ceased to be the responsibility of the manufacturer. But IoT devices are different, as they are linked to the Internet, meaning the vendor must continue to provide security updates. It’s also not yet clear who is ultimately responsible for making sure an individual device is updated, or what happens when an IoT manufacturer goes out of business and is unable to support their product. This is not a clear-cut situation.
Pros & cons of regulation
It is heartening to see the UK government take steps towards making the IoT a safer space for everyone concerned. In March, the Department for Digital, Culture, Media and Sport (DCMS) announced a new IoT Code of Practice, focused on driving up the overall security of the IoT ecosystem. These measures will help to ensure that all stakeholders, including manufacturers, take security seriously. Laying out clearer roles and responsibilities for manufacturers and others operating in this space will help businesses to better understand their own role in protecting the end user.
Moreover, it will help along the realisation that security needs to be built into devices from the beginning. While this is positive, caution should still be exercised towards any approach that introduces formal regulation of the IoT.
Initiatives like the IoT Code of Practice will play a key role in education around IoT security – but should not negatively impact innovation and dynamism in the IoT space. On the other hand, if the UK government were to establish a centralised regulatory body for the IoT, it would likely face some tough challenges. Firstly, such a regulator would need to bring together a huge array of different competencies from a range of different fields, which is not an easy thing to do. It’s therefore unlikely such a body would be able to do its job without threatening competition or vibrancy in the market. By contrast, an approach based on sectors, where existing industry regulators work with IoT stakeholders to discuss shared values, could be worthwhile.
Collaboration across sector boundaries and between different stakeholders is what the Internet was developed on, and it could see firm IoT security standards come into operation. Self-regulation could ensure that the IoT market remains secure, flexible, dynamic and successful. A great example of this is the Department for Digital, Culture, Media and Sport establishing its code of practice in direct collaboration with a range of manufacturers, retailers and the National Cyber Security Centre.
This approach, not built on control or authority, but around genuine cooperation between regulators and other businesses and organisations, has worked for the Internet. This type of effort promotes trust, openness and collaboration to establish a series of shared values and standards, which could be of huge benefit to the IoT.
Looking to the future
The security of consumers matters, but there is a long way to go until this is seriously addressed. It is encouraging to see collaborative initiatives around IoT security being launched onto the market. A healthy debate is the first step in establishing the voluntary IoT security standards that could see the network thrive.
However, a change in mindset is also required, and while commercial pressures and objectives are important, all organisations involved in the IoT ecosystem must weigh them even-handedly against the need for security. Everyone must work together towards a unique framework for a very unique network.
Written by Marco Hogewoning, Senior External Relations Officer, RIPE NCC