As the number of devices that are connected, both to the Internet and to each other, increases, concern has grown that such devices provide an easy backdoor into our lives. It’s a perspective underlined in a recent paper produced by the Parliamentary Office for Science and Technology (POST), who are tasked with providing the UK government with factual and impartial advice.
“Insecure devices can compromise consumers’ privacyand security or be hijacked and used to disrupt others’ use of the internet,” the authors explain.
The number of connected devices on the market is growing rapidly, with industry estimates expecting around 13 billion devices to be in use by 2020. The potential benefits of these devices is considerable, but there remains a sense that security has been something of an afterthought.
This leaves the devices open to hacking, resulting in data loss, privacy infringements and even unwanted access to hardware. Attacks to date have already resulted in widespread disruption of online services, with attackers gaining access via poor passwords, software vulnerabilities and even hardware design flaws.
The authors believe that the current lax state of security has emerged due to a largely fragmented industry whereby insufficient economic drivers exist to encourage safer design and practice.
“A 2017 survey reported that over40% of companies said their customers are either unwilling to pay a premium for security,or expect security costs to decline over time,” the authors explain. “Consumers may be unwilling to pay for attributes that they cannot measure, which mightdiscourage investment in security features.”
Improving cyber security
The authors believe that the first step towards improving matters is to establish a code of practice for the industry that unifies the 50 or so standards and guidance that have been published to date. For instance, in 2018, the Department for Culture, Media and Sport (DCMS) worked with industry and academia to produce a Code of Practice for Consumer IoT Security, and this forms a good start point to build on.
“The guidelines aimto encourage the integration of cyber security into products, reducing the burden onconsumers to ensure that their devices are secure,” the authors explain.
Of course, the ongoing skills shortage in the sector continues to undermine efforts to develop greater security, and the report urges greater investment in training, research and other initiatives to develop the skills and capabilities required to create a more secure sector. Even so, the likes of the Joint Committee on the National Security Strategy worry that such efforts are insufficient, with much more required if the supply of skills is to meet the huge increase in demand.
More can also be done to improve awareness among consumers about the importance of securing their devices. For instance, the authors recommend labelling schemes, similar to those for energy and food products, to encourage companies to compete on the security of their wares.
It’s an area of growing importance, and the paper does a good job of summarising many of the issues surrounding it.