We Live in Progress
ChatGPT may say “Absolutely not!”, but can we learn any lessons from the rush to control IoT in the past?
11 Dec 2023
3 min. read
The rapid pace of technological development is challenging for any of us to keep up with, especially public policy makers who traditionally follow rather than lead. Last week, the Black Hat Europe The conference held in London, provided the opportunity to hear directly from many UK government employees and others, who are responsible for advising the UK Government on cybersecurity policy.
Late regulations and lost horses
All governments seem to suffer from reactivity – closing the stable door after the horse has bolted is a good expression to describe most policy making. Take for example the current conversations about artificial intelligence (AI); Politicians have expressed the need to regulate and legislate to ensure that AI is used ethically and for the benefit of society. But it comes after AI it’s already around for many years and used by many technologies in some form. So, why wait for it to come out and become widely available to a mass audience to start a discussion of ethical standards? Shouldn’t we have done this before?
Another, and perhaps better, example is the legislation surrounding consumer-oriented Internet of Things (IoT) devices. Published by the UK government a 2023 regulation that set specific cybersecurity requirements for device manufacturers to comply with, similar laws are emerging the European Unionand California manufacturers’ requirements were implemented in 2020. Setting standards and guidelines for manufacturers of IoT devices to follow could have happened in 2010 when there were less than a billion devices connected to the IoT – wait until there will be 10 billion devices in 2020, or worse, when there will be close to 20 billion devices in 2023, making the implementation of what is on the market impossible.
Lessons learned or mistakes made?
The discussion with the UK government team at Black Hat includes that they are currently focusing on the standards required for business IoT devices. I am sure that most businesses have already made significant investments in connected devices classified as IoT, and that any standard adopted today would be impossible to impose retrospectively and would have no impact on the billions of devices already in use. .
Standards and policies serve a purpose and an important element is the education of the population on the proper use and adoption of technology. Using the first consumer IoT example, I’m sure most consumers today understand that you need to set a unique password on each device and that frequent software updates may be necessary to ensure security. I’m curious to see if they take that advice!
The policy issue and the horse that has been bolted may not make voters understand why their government is focusing on things they have never heard of. Imagine if policymakers started legislating IoT or connected devices in 2008, before many thought we could fill our homes with connected devices in real time. The media and voters would have considered lawmakers wasting taxpayer dollars on something we’ve never heard of. In a perfect world though, 2008 would be a good time to set standards for IoT devices. In the same way, the ethical use of AI should be discussed when technology companies start developing solutions that take advantage of the technology, not once they start releasing products and services to the market.
Last minute thoughts
This conference session is divided into two parts; the first half was used to explain what policies and areas the UK government is focusing on, while the second half was an open question-and-answer session with attendees. This latter half is considered ‘in the room’, allowing policymakers to have open discussions with attendees without the threat of what is being discussed entering the public domain. Therefore, in accordance with the wishes of the speakers and other attendees, I will refrain from commenting on what was discussed after the statement was made ‘in the room’.
For the record though, and since I didn’t say it in the room, I don’t agree with implementing an encryption backdoor.
Before you go: RSA Conference 2023 – How AI is penetrating the world