We should all care more about the Internet of Things (IoT). In fact, IoT is
already shaping the way that we live and work. Beyond the host of ingenious and
colourful applications -- from connected toasters to home security systems --
Intel has predicted that by 2020 there will be 200 billion connected devices
across the globe. That is a staggering number.
Yet, because of its accelerated growth, IoT has developed without clear
security standards. Today, with the number of endpoints for cyber threat actors to target increasing, the question of who is responsible for the overall
security and maintenance of these devices remains unanswered.
The potential for compromised IoT devices to wreak havoc is enormous and
already a reality, following a series of high-profile attacks against end users
and even the core infrastructure of the Internet itself. The Mirai Botnet attacks of October 2016, which saw huge numbers of IoT devices infected with malware,
showed to devastating effect how insecure IoT devices could be leveraged into
botnets to instigate large-scale DDoS attacks.
Why should businesses take notice? It's been predicted that around half of businesses will have implemented an IoT solution by the end of the year. With so many organizations continuing to innovate with IoT
technology, we're going to see a wider range of businesses entering and making
use of this space. In fact, when a recent Forrester Consulting survey asked
businesses about the IoT, over half said they were very anxious about the
security concerns it presented.
Out of this confusion a grey area has emerged around responsibility. Should
companies creating IoT devices be held accountable for their safety? Is it
reasonable to expect businesses operating in the IoT space to continue
supporting devices which may be in use for a decade or more?
Traditionally, as long as a product functions correctly under guarantee, it
is no longer the manufacturer's responsibility. With a home PC, it's the user
who is responsible for installing security patches and keeping things up to
date. People download viruses or malware at their own risk. IoT devices are
different in this respect -- while people purchase a physical device, the
software is an integral part of the device and yet is out of their control. The
manufacturer will typically need to provide security patches and updates over
the course of the product's life.
With the UK government last month announcing a new "Code of Practice" to help boost the overall security of the IoT space, it appears that steps are being taken to help make the IoT safer for users. By more clearly defining the roles and responsibilities of those involved in the creation of these devices,
businesses should be better placed to understand their role when it comes to
protecting the customers they serve -- whether directly or through an associated
Yet the issue of educating and regulating this space is not necessarily one
for a sole regulator or entity, like the UK government, to manage alone. If the
government attempted to establish a centralized regulatory body, it is unlikely
that it would be able to bring together all the various competencies needed to
manage this complex ecosystem.
It is encouraging to see that initiatives like the Code of Practice have
been developed in collaboration with organisations already operating within the
cybersecurity space, as well as those helping to produce and sell IoT devices.
This latest initiative, for example, was the culmination of a collaborative
effort that saw manufacturers, retailers and the National Cyber Security Centre
supporting and informing the government.
The sort of ethical responsibility inherent in sectoral approaches like this, which are built upon cooperation between regulators and others in the IoT space, is comparable to the culture of openness which the Internet itself grew out of. Such efforts could, therefore, help bring about an agreed set of shared values. The ideal scenario would see all parties involved understanding what is expected of them, in essence self-regulating the IoT sector.
Wherever possible, actors involved in this process should engage with other
businesses, regulators and key Internet stakeholders on constructive solutions
for IoT security. An agreed set of values (born out of cooperation) could then
be adopted under a voluntary but universal set of common standards. Such a
scenario would result in safer products for users, and help businesses to
protect the customers they serve while also bringing organizations together in a healthy, open dialogue.
Conversation will be key to the success of any solution, and businesses
entering the IoT world must set aside market pressures when working to tackle
this challenge: cooperate on security but compete on features and services in
the marketplace. As has proven true for the Internet itself, standards can be
voluntary, but they are essential. The trust and dialogue required to make this
a reality are a challenge, but critical if we want to achieve a safe IoT
ecosystem for everyone.
— Marco Hogewoning, Senior External Relations Officer at the RIPE NCC