Standardisation and Certification of the ‘Internet of Things’

Éireann Leverett, Richard Clayton, Ross Anderson

Research output: Contribution to conference › Paper › peer-review

Abstract / Description of output

We report on a research project for the European Commission into what will happen to safety regulation once computers are embedded invisibly everywhere. The European Union already regulates many aspects of the safety of vehicles, medical devices, electrical equipment, domestic appliances and even toys. As these devices and systems are recruited to ‘The Internet of Things’, their vulnerabilities (whether old or new) may be remotely exploited, with consequent risks. Many regulators who previously thought only in terms of safety will have to start thinking of security as well. The systems and devices that are starting to expose their security and safety vulnerabilities to the whole Internet are certified under a disparate range of European, national, industry and other schemes. In this paper we describe the problems and outline the opportunities for governments, industry and researchers. The EU is already the world’s main privacy regulator, as Washington doesn’t care and nobody else is big enough to matter; it should aim to become the main safety regulator too – or risk compromising the safety mission it already has. To deliver, it will need to coordinate the ‘rows’ of liability, transparency and privacy principles with the ‘columns’ of specific industry regulations on safety and testing. We identify missing institutional resources and suggest a strategy for filling the gap. Above all, the European institutions and regulatory networks need cybersecurity expertise to support safety, privacy, consumer protection and competition, rather than having policy in these areas overshadowed or even pre-empted by Member States’ national security concerns. For industry and practitioners, the main message is that safety and security are merging: safety engineers are going to have to learn all about security, and vice versa. This affects everyone from working engineers to the folks in the test labs and the regulators’ committees that set the standards to which they test. 
Researchers will have lots of new topics, from the design of the next generation of regulatory institutions to technical topics such as sustainability of software and the toolchains that support it. How do we write code for which security patches must be made available for the next 30 years? This poses many fascinating new combinations of problems in both engineering and economics.
Original language: English
Number of pages: 24
Publication status: Published - 26 Jun 2017
Event: Workshop on the Economics of Information Security 2017 - San Diego, United States
Duration: 26 Jun 2017 - 27 Jun 2017
https://weis2017.econinfosec.org/

Conference

Conference: Workshop on the Economics of Information Security 2017
Abbreviated title: WEIS 2017
Country/Territory: United States
City: San Diego
Period: 26/06/17 - 27/06/17
Internet address: https://weis2017.econinfosec.org/
