Last updated: 
3 days 8 hours ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

The Big Bad Smart Fridge

Thursday, July 11, 2019 - 10:23

Leonie Tanczer's FIRST 2019 keynote (recording now available on YouTube) looked at more than a decade of European discussions of whether/how to regulate the Internet of Things (no, I didn't realise, either) and how we might do better in future. This is particularly relevant to an incident response conference as – as Mirai and other incidents have revealed – CSIRTs are, and will continue to be, strongly impacted by whatever incentives regulators may (or may not) create.

There's little question that the IoT involves many complex issues – in particular lack of knowledge, lack of incentives, and lack of monitoring of the results of the previous two – however it seems odd that consumers can (if they choose) rely on regulators to deliver a safe bottle of milk, but are left to themselves to assess the safety of the internet-connected fridge they store it in. In a global supply chain liability – either of vendors or distributors – may not be an effective way to internalise the external costs of insecure devices. And such discussions as have taken place in the past have tended to concentrate on only the first half of the IoT lifecycle – design, purchase and setup – and omitted the much longer, and more hazardous, questions of maintenance and disposal.

However in recent years there have been more promising signs. ENISA's Baseline Security Recommendations for IoT come highly recommended. Also, whereas older studies suggested that consumers seem not to have understood that it might be worth paying extra for a more secure device or service, in recent years there has been both much stronger interest in security labels, and a (probably demographic) shift to devices being bought in physical shops than online. This suggests that even a simple labelling scheme such as that recently consulted on by the UK Government (no default passwords, a reporting channel for vulnerabilities and a date until which patches are guaranteed) may have some beneficial effect. If the fridge, like the bottle of milk, has a "best before" date then that might provide a helpful signal in purchasing choices.

Finally, although discussions on IoT Governance may not seem to be moving forward, they are definitely moving upward, with the WTO, OECD and World Economic Forum all expressing an interest. Security and Incident Response teams – not just those directly associated with product security – should take any opportunities to provide input and experiences.