many regulated industries; it is not
just the obvious ones like aircraft and
railway signals, but even kids’ toys—
they must not have lead paint, and if
you pull a teddy bear’s arms off, they
must not leave sharp spikes.
So what is the strategic approach?
We looked at three verticals—road
vehicles, medical devices, and smart
meters. Cars are a good example to illustrate what we learned—though the
lessons apply elsewhere too.
Security and Safety for Cars
Car safety has been regulated for
years. In the U.S., the National Highways Transportation and Safety Administration was established in the
1960s following Ralph Nader’s campaigning; Europe has an even more
complex regulatory ecosystem. Regulators discovered by the 1970s that
simply doing crash tests and publishing safety data were not enough
to change industry behavior. They
had to set standards for type approval, mandate recalls when needed,
and coordinate car safety with road
design and driver training. Insurers
do some of the regulatory work, as
AS WE START to connect du- rable goods such as cars, medical devices, and elec- tricity meters to the Inter- net, there will be at least
three big changes. First, security will
be more about safety than privacy.
Certification will no longer mean testing a car once before selling it for 10
years; safety will mean monthly software updates, and security will be
an integral part of it. Second, we will
have to reorganize government functions such as safety regulators, standards bodies, testing labs, and law enforcement. Finally, while you might
get security upgrades for your phone
for two or three years, cars will need
safety and security patches for 20
years or more. We have no idea how to
patch 20-year-old software; so we will
need fresh thinking about compilers,
verification, testing, and much else.
Privacy, Availability, or Safety?
The early security scares about the
“Internet of Things” have mostly been
about privacy. There have been re-
ports of the CIA and GCHQ turning
smart TVs into room bugs, while the
German government banned the Cay-
la doll whose voice-recognition sys-
tem could be abused in the same way. 3
Yet privacy may change less than we
think. Your car knows your location
history, sure, but your phone knows
that already. It also knows where you
walk, and it is already full of adware.
Denial of service has also been in
the news. In October 2016, the Mirai
botnet used 200,000 CCTV cameras
(many of them in Brazil and Vietnam)
to knock out Twitter in the Eastern U.S.
for several hours. ISPs know they may
have to deal with large floods of traffic
from senders with whom they cannot
negotiate, and are starting to get worried about the cost.
But the most important issue
in the future is likely to be safety.
Phones and laptops do not kill a lot
of people, at least directly; cars and
medical devices do.
In 2016, Éireann Leverett, Richard
Clayton, and I conducted a research
project for the European Commission
on what happens when devices that
are subject to safety regulation start
to contain both computers and communications. 5 There are surprisingly
Privacy and Security
Can there be an Internet of durable goods?