Leverett, E., R. Clayton & R. AndersonStandardization and certification of the 'Internet of Things'

Recommended reading

Eireann Leverett, Richard Clayton & Ross Anderson

Release date:
May 2017

Weis 2017, Econinfosec

The authors report on a research project for the European Commission into what will happen to safety regulation once computers are embedded invisibly everywhere. The European Union already regulates many aspects of the safety of vehicles, medical devices, electrical equipment, domestic appliances and even toys. As these devices and systems are recruited to ‘The Internet of Things’, their vulnerabilities (whether old or new) may be remotely exploited, with consequent risks. Many regulators who previously thought only in terms of safety will have to start thinking of security as well. The systems and devices that are starting to expose their security and safety vulnerabilities to the whole Internet are certified under a disparate range of European, national, industry and other schemes. This paper describes the problems and outline the opportunities for governments, industry and researchers. The EU is already the world’s main privacy regulator, as Washington doesn’t care and nobody else is big enough to matter; it should aim to become the main safety regulator too – or risk compromising the safety mission it already has. To deliver, it will need to coordinate the ‘rows’ of liability, transparency and privacy principles with the ‘columns’ of specific industry regulations on safety and testing. The authors identify missing institutional resources and suggest a strategy for filling the gap. Above all, the European institutions and regulatory networks need cyber security expertise to support safety, privacy, consumer protection and competition, rather than having policy in these areas overshadowed or even pre-empted by Member States’ national security concerns. For industry and practitioners, the main message is that safety and security are merging: safety engineers are going to have to learn all about security, and vice versa. This affects everyone from working engineers to the folks in the test labs and the regulators’ committees that set the standards to which they test. Researchers will have lots of new topics, from the design of the next generation of regulatory institutions to technical topics such as sustainability of software and the tool chains that support it. How do we write code for which security patches must be made available for the next 30 years? This poses many fascinating new combinations of problems in both engineering and economics.

Link to publication