Standardisation and Certification of the ‘Internet of Things’
16th Annual Workshop on the Economics of Information Security (WEIS 2017)
MetadataShow full item record
Anderson, R., Leverett, E., & Clayton, R. Standardisation and Certification of the ‘Internet of Things’. 16th Annual Workshop on the Economics of Information Security (WEIS 2017). https://doi.org/10.17863/CAM.35286
We report on a research project for the European Commission into what will happen to safety regulation once computers are embedded invisibly everywhere. The European Union already regulates many aspects of the safety of vehicles, medical devices, electrical equipment, domestic appliances and even toys. As these devices and systems are recruited to ‘The Internet of Things’, their vulnerabilities (whether old or new) may be remotely exploited, with consequent risks. Many regulators who previously thought only in terms of safety will have to start thinking of security as well. The systems and devices that are starting to expose their security and safety vulnerabilities to the whole Internet are certified under a disparate range of European, national, industry and other schemes. In this paper we describe the problems and outline the opportunities for governments, industry and researchers. The EU is already the world’s main privacy regulator, as Washington doesn’t care and nobody else is big enough to matter; it should aim to become the main safety regulator too – or risk compromising the safety mission it already has. To deliver, it will need to coordinate the ‘rows’ of liability, transparency and privacy principles with the ‘columns’ of specific industry regulations on safety and testing. We identify missing institutional resources and suggest a strategy for filling the gap. Above all, the European institutions and regulatory networks need cybersecurity expertise to support safety, privacy, consumer protection and competition, rather than having policy in these areas overshadowed or even pre-empted by Member States’ national security concerns. For industry and practitioners, the main message is that safety and security are merging: safety engineers are going to have to learn all about security, and vice versa. This affects everyone from working engineers to the folks in the test labs and the regulators’ committees that set the standards to which they test. Researchers will have lots of new topics, from the design of the next generation of regulatory institutions to technical topics such as sustainability of software and the toolchains that support it. How do we write code for which security patches must be made available for the next 30 years? This poses many fascinating new combinations of problems in both engineering and economics.
We are grateful to the European Commission, and in particular Gianmarco Baldini of the EC Research Centre, for commissioning the research that underpins this paper, and for permission to publish an abridged account of our findings. We are also grateful to Mike Ellims and Graeme Jenkinson for feedback on vehicle software, as well as to Robert Watson and other colleagues in the Cambridge security group for discussions of security sustainability.
Embargo Lift Date
This record's DOI: https://doi.org/10.17863/CAM.35286
This record's URL: https://www.repository.cam.ac.uk/handle/1810/287966