Does the UK need an IoT regulator?

Written by Marco Hogewoning on 15 February 2018 in Opinion

Marco Hogewoning of RIPE NCC examines what the government can do to ensure the internet of things sector has the right regulations and standards

There’s no doubt that the British government appreciates both the opportunity and the challenge that the internet of things (IoT) presents. 

In 2015, it announced a £40m research fund for IoT, which supported several smart city initiatives in London and Manchester, among others. It has also committed to working with the National Cyber Security Centre and the Centre for the Protection of National Infrastructure to minimise the threat posed by IoT security breaches. Yet the conversation around specific security standards for the IoT, or the establishment of a dedicated regulatory body, has been muted. 

This is not a straightforward issue and not necessarily one that the UK government should answer alone. By its very nature, IoT is incredibly diverse. If the government were to establish a single regulatory or standards-setting body, it is unlikely that it could combine all of the competencies needed to successfully manage IoT security. 

However, a sectoral approach could work, where existing industry regulators collaborate with everyone in the IoT ecosystem to discuss a shared set of values. Cooperation like this is how the internet was originally built, and it could lead to the agreement of firm security standards for IoT and self-regulation. Documents like the Organisation for Economic Co-operation and Development’s Security Guidelines, and even the General Data Protection Regulation, are examples of topical guidance that can be harmonised across different sectors.

However, even in a scenario where industry regulators and government cooperate with IoT device manufacturers and developers, there is still a grey area as to who has the ethical responsibility to protect IoT devices. Most products, provided they work as advertised while under guarantee, usually cease to be the manufacturer’s responsibility in the long term.

But IoT devices are different. 

The end user or organisation may own the device, but third parties often need to remain in the loop for it to work. The manufacturer will typically need to provide security updates, and continue supporting the network infrastructure that the device runs across. With computers and technology in the workplace, the IT department downloads patches and updates to keep devices working and secure. 

With IoT devices that have limited interfaces, often only a few buttons and lights, this process becomes less clear – can we really expect regular users to download the latest security updates? And what does it mean to support a device when it might have a lifespan that’s measured in decades?

Increasingly, people may not even know when or if certain devices are connected to the internet. As IoT connected devices continue to proliferate, this complicated world will become harder to tackle. If we want IoT to succeed, we need to start finding the answers to these sorts of questions. Security is something that everyone has a stake in. 

While regulation will always remain an option, no single regulatory body could manage an area as vast and complex as IoT. However, if the government facilitated conversations with parties in the IoT ecosystem, it could help to identify constructive solutions to the issue of IoT security. 

The outcome could then be adopted under a flexible regime of industry self-regulation and voluntary, but universal, adherence to common standards and norms. If the government could encourage this kind of collaboration, everyone would benefit. 

A cooperative approach could ensure safer products and a more stable and secure IoT network. It is only through a robust IoT infrastructure that public sector bodies will be able to successfully take advantage of the IoT. 

The government could play a key role in bringing the industry together. 

About the author

Marco Hogewoning is external relations officer – technical advisor at the RIPE Network Coordination Centre – one of the world’s five regional internet registries. It covers Europe and parts of Asia.
