The accelerating pace of technological change is hard for any of us to keep up with, especially for public sector policymakers, who traditionally follow rather than lead. Last week, the Black Hat Europe conference held in London provided an opportunity to hear directly from several UK government employees and others who are responsible for advising the UK Government on cybersecurity policy.
Late regulations and missing horses
All governments seem to suffer from being reactive; closing the stable door after the horse has bolted is a good way to describe most policy making. Take as an example the current conversations about artificial intelligence (AI): politicians are being vocal about the need to regulate and legislate to ensure that AI is used ethically and for the benefit of society. But this comes after AI has already been around for many years and used in many technologies in some form. So why wait for it to emerge and become widely available to a mass audience before beginning a discussion on ethical standards? Shouldn't we have done that before?
Another, and maybe better, example is the legislation surrounding consumer-focused Internet of Things (IoT) devices. The UK government published a regulation in 2023 that sets out specific cybersecurity requirements for device manufacturers to adhere to; similar laws have emerged from the European Union, and California implemented requirements on manufacturers back in 2020. Setting out standards and guidance for manufacturers of IoT devices to follow should probably have happened in 2010, when there were fewer than a billion IoT-connected devices. Waiting until there were 10 billion devices in 2020, or even worse, close to 20 billion devices in 2023, makes enforcement on what is already in the market impossible.
Lessons learned or mistakes to be made?
In their discussion at Black Hat, the UK government team explained that they are now focusing on the standards needed for enterprise IoT devices. I am certain most enterprises have already made significant investments in connected devices classed as IoT, and that any standard adopted now is impossible to impose retrospectively and will have little to no effect on the billions of devices already in use.
Standards and policy do serve a purpose, and one important element is educating the population on the correct use and adoption of technology. Using the earlier example of consumer IoT, I am sure most consumers now understand that they need to set a unique password on each device and that it may need frequent software updates to remain secure. I am curious to see whether they adopt the advice!
Part of the reason policy arrives after the horse has bolted may be that voters would not understand why their government was focusing on things they had never heard of. Imagine if policymakers had started to legislate on IoT or connected devices back in 2008, before most of us had even considered that we might fill our homes with devices connected in real time. The media and the voters would have considered the legislators to be wasting taxpayer dollars on something we had never even heard of. In a perfect world, though, 2008 would have been a great time to set out standards for IoT devices. In the same way, the ethical use of AI should have been discussed when tech companies started developing solutions that take advantage of the technology, not once they started releasing products and services to the market.
Last minute thoughts
This conference session was split into two parts: the first half was used to explain which policies and areas the UK government is focusing on, while the second half was an open question-and-answer session with the attendees. This latter half was deemed to be ‘in the room’, allowing the policymakers to have open discussions with attendees without the threat of what was discussed entering the public domain. So, in accordance with the wishes of the speakers and the other attendees, I will refrain from commenting on what was discussed after the ‘in the room’ statement was made.
For the record though, and as I did not voice this in the room, I disagree with the implementation of an encryption backdoor.