Is it time for the UK government to regulate the IoT?

14 June 2018

Marco Hogewoning, senior external relations officer, RIPE NCC

The IoT is here to stay and will only keep growing in size.

While IHS Markit expects the number of connected devices worldwide to increase by 12 per cent on average annually, reaching 125 billion by 2030, Intel is more ambitious and predicts there will be 200 billion by 2020.

Regardless of whose research you go with, the stats remain big.

However, IoT’s rapid growth has mostly come at the expense of security. As the number of potential endpoints for cyber criminals to exploit grows, attacks have increased. 

We therefore find ourselves at a crossroads with a challenge that needs to be addressed: how do we boost security for IoT devices and who is responsible?

Security is often sacrificed to other business priorities, such as being ‘first to market’ with a new product. The complexity of IoT security often means it is considered last, as manufacturers develop new skills around creating connected devices. But this situation has opened the door to devastating IoT cyber attacks, such as the Mirai botnet.

Manufacturers clearly have a responsibility to properly address IoT security, but what happens when the sale is completed? Should we expect consumers to continuously download patches? Consumers need to be protected from cyber incursions and this could mean that IoT regulation is inevitable. 

However, this would take time to develop and implement and may already be outdated by the time it’s ready. Moreover, a single regulatory body is unlikely – the IoT is just too vast. 

A sectoral approach could be beneficial, where current regulators and manufacturers collaborate to share values with a view to agreeing on standards and actions.

GDPR is a great example of topical guidance being harmonised across varying IoT verticals.

But regulation could negatively impact smaller industry players and act as a potential barrier to innovation. 

The other option is self-regulation where stakeholders are encouraged to share experiences, and best security and privacy practice.

Through a collaborative process, much like the one by which the internet itself was built, universal (but voluntary) security standards could be agreed.

This cooperative framework could solve the pressing security issues, while allowing companies to continue to compete with one another in the marketplace. 

Commercial and security issues considered, self-regulation provides the opportunity to develop safer devices and a more robust IoT network.

It’s encouraging to see the UK government taking steps to implement this type of solution, with the introduction of a new IoT code of practice. We need to answer the question of IoT security together and this code of practice could be the start of that approach.