IGF 2020 WS #325 Internet of Things: Trust, Trick or Threats?

Time
Friday, 13th November, 2020 (14:00 UTC) - Friday, 13th November, 2020 (15:00 UTC)
Room
Room 3
About this Session
This WS will discuss IoT security and privacy for domestic networks. We will compile a set of good practices, new technologies and standards that support improving Trust in the IoT ecosystem.

The debate includes youth and women from Africa, Americas, Asia-Pacific and Europe in our team.

Audience interaction before and during the session, through questions, suggestions and comments, is highly encouraged on Twitter using the hashtag #IoThreats

Organizer 1: LUIS GUSTAVO DE SOUZA AZEVEDO, Universidade Federal do Acre
Organizer 2: Sávyo Vinícius de Morais, Federal University of Rio de Janeiro
Organizer 3: Cindyneia Cantanhede, UFMA
Organizer 4: Mark Datysgeld, Governance Primer

Speaker 1: Adeel Sadiq, Private Sector, Asia-Pacific Group
Speaker 2: Olga Kyryliuk, Civil Society, Eastern European Group
Speaker 3: Aisyah Shakirah Suhaidi, Civil Society, Asia-Pacific Group
Speaker 4: Sávyo Vinícius de Morais, Technical Community, Latin American and Caribbean Group (GRULAC)

Additional Speakers

Moderator: Mark Datysgeld, Governance Primer

Online Moderator: LUIS GUSTAVO DE SOUZA AZEVEDO, Universidade Federal do Acre

Rapporteur: Jaewon Son, Korea Internet Governance Alliance

Speakers:

  1. Martha Teye, Zlitch Technologies
  2. Edgar Ramos, Ericsson
  3. Sávyo Vinícius de Morais, Federal University of Rio de Janeiro

 

Moderator

Mark Datysgeld, Private Sector, Latin American and Caribbean Group (GRULAC)

Online Moderator

LUIS GUSTAVO DE SOUZA AZEVEDO, Civil Society, Latin American and Caribbean Group (GRULAC)

Rapporteur

Cindyneia Cantanhede, Civil Society, Latin American and Caribbean Group (GRULAC)

Format

Round Table - U-shape - 60 Min

Online duration reset to 60 minutes.
Policy Question(s)

1) Technologies and standards are being developed by big players of the industry to enforce IoT security, but neither small players, end users, nor governments know about the solutions. What type of policies can be applied to make effective the efforts employed by the stakeholders?

  1. In spite of the high interest in the subject, different stakeholders are yet to agree on a set of standards that incorporate views from varied sectors and could therefore be better incorporated by different actors from this broad ecosystem. This has generated a state of passiveness that fosters anxiety and distrust around the subject of IoT;
  2. Discussions are often carried out either within a technical environment between engineers or from a mostly civil society angle, without much progress being made on bridging perspectives. Proactive actions need to be taken for ideas to be circulated and mutual understanding to be found;
  3. The way in which products are developed means that even if substantial changes are made at the policy level, it can take years for devices to incorporate them, which makes swift action necessary, seeing as it is anticipated that this market will accelerate even further in the next few years.

SDGs

GOAL 3: Good Health and Well-Being
GOAL 9: Industry, Innovation and Infrastructure

Description:

The core ideas of this Workshop originate from studies being carried out at the Federal University of Rio de Janeiro (UFRJ), in Brazil, focused on developing technological solutions to improve IoT Security for Domestic Networks. This is part of ongoing master's research, and aggregates knowledge acquired in academia and Internet Governance environments over the course of the past few years.

The Internet of Things (IoT) is a socio-technological phenomenon resulting from the human need to monitor and control their environment, which has been allowed to progress to never-before-seen proportions due to the digital technology developments that took place in recent decades. As a consequence, progressively more IoT devices are being deployed to automate tasks and replace manual labor, increasing the number of Internet-connected devices on the planet. Currently, the most common use of IoT is the automation of domestic tasks. In this context, the user's daily routine can be captured by the devices in their homes, and these points of vulnerability increase the risk to the user's security and privacy, particularly considering that attackers may be able to obtain remote access to these devices, including the possibility of controlling cyber-physical systems and causing material harm.

The risks associated with IoT can also affect the Internet's stability, as demonstrated when devices are infected and incorporated into botnets. These botnets are commonly used to take down online services with Distributed Denial of Service (DDoS) attacks, consuming the bandwidth of ISPs with unwanted traffic, and most of the time using the DNS to amplify the attack.

This Workshop intends to discuss the IoT security question as it relates to the domestic environment, taking into consideration different points of view, including technical, legal, and social, to compile a set of good practices on the usage of these systems and understand the different sides of the problem.

It is all too common for discussions on the subject to remain isolated and not be taken into a broader context, resulting in collective inaction in the face of a real growing issue. The results arrived at will be incorporated into ongoing research on the technological and regulatory approaches to IoT security, and delivered back to the community in the form of a peer-reviewed document. It is our hope that it will be the first of a series of discussions carried out by the organizers in the coming years.

Expected Outcomes

  1. Understand what the common behaviors are in relation to the installation, configuration and operation of IoT devices, and how gaps in those setups weaken the security of the end user;
  2. Review the different solutions that are being developed in different regions from an Internet Governance perspective, including the approach taken by institutions such as the IETF, broader academia, local governments, and the industry;
  3. Based on our multistakeholder findings and subsequent discussion with the audience, suggest guidelines for policies to reduce the impact of insecurity on the ecosystem of the Internet originating from domestic IoT devices.

In the first 30 minutes, each of the 4 speakers will have approximately 7 minutes to give a general overview of their respective specialty, considering the guiding question posed by the moderator. The guiding questions must address at least one of these lines:

  1. What are the difficulties and risks faced by your stakeholder group?
  2. What are you doing to face the problems that you are exposed to?
  3. What policies do you adopt, or do you think should be adopted, to mitigate the problems?

After the initial speeches, the audience will understand the context of each stakeholder group, and then the floor will be opened for interaction. This part will take 25 minutes, with each intervention limited to a maximum of 2 minutes. For the interactions, 3 types of audience are considered: (1) onsite participants; (2) remote participants from the official IGF interaction channels; and (3) Twitter users engaged through the hashtags #IGF2020 and #IoThreats. As the intention is to treat all types of audience equally, interventions from the different audiences will be interspersed. The last 5 minutes will be used by the speakers and moderator for final comments.

Relevance to Internet Governance: IoT security has been a theme of growing importance within Internet Governance institutions, including the IGF, IETF and ICANN. One example of this is RFC 8576, a document published by the Internet Research Task Force that explains the state-of-the-art challenges of IoT security, discussing the problems related to technological limitations faced by industry, and how they impact the end user. During IGF 2019, the main session “The Future of IoT: Toward More Secure and Human-Centered Devices” was a landmark discussion that involved speakers from different stakeholder groups in an earnest manner, furthering richer discussions on the subject. The BPF on “IoT, Big Data and AI” highlights security and privacy as important points of attention in the development of the IoT ecosystem, and in relation to IoT Cybersecurity, there is a clear need for “education of developers, consumers, policy makers, and vendors to ensure that the Internet is protected from IoT attacks”. TLD operators are also important actors in the chain of IoT security improvement, seeing as the DNS is being used to amplify most DDoS attacks, with a consequent degradation of the quality of their service. TLDs such as “.nl” and “.ca” have started publishing technical reports and developing systems to enforce security for IoT in domestic networks. All of these factors combined point to the need to address these topics from different perspectives, with collaborative dialogue and challenging multiple stakeholders to identify the associated issues and actively contribute towards decision-making processes that will ensure security and stability.

Relevance to Theme: When we consider that the expansion of IoT devices is still in its early days, with a lack of a proper 5G network to support its optimal operation, it becomes fairly clear that any issue being experienced now will only be magnified in the coming years. While there is still time, actors need to come together to develop best practices and carry discussions at different levels and institutions to further them. Consumers need to be able to trust their devices and the Internet ecosystem needs to trust them back, in order for all actors to be able to thrive within this environment. However, if guidelines come only from a single source (such as the industry) and are not thought through from a broad perspective, the likelihood of widespread adoption of best practices becomes questionable.

Online Participation

 

Usage of IGF Official Tool. Additional Tools proposed: Interactions made by Twitter using the hashtags #IGF2020 and #IoThreats will be considered as part of the interaction of the session.

 

1. Key Policy Questions and related issues
What type of policies can be applied to make effective the efforts employed by the stakeholders?
What are common behaviors in relation to the installation, configuration and operation of IoT devices, and how gaps in those setups weaken the security of the end user?
We expect to review different solutions from an Internet Governance perspective, including the approach taken by institutions such as the IETF, broader academia, local governments, and the industry. In addition, the session aims to suggest guidelines for policies to reduce the impact of insecurity on the ecosystem of the Internet originating from domestic IoT devices, based on multistakeholder findings and subsequent discussion with the audience.
2. Summary of Issues Discussed

The security and privacy issues of IoT home devices were discussed, with practical use cases of IoT in the home context as a starting point. The Lei Geral de Proteção de Dados (LGPD), the Brazilian data protection law, was introduced, and the origin of the problem and the design flaws in IoT devices that might cause security issues were identified, touching upon privacy and cloud interaction. The panelists evaluated the sustainability of the current model and discussed the possibilities of distributed intelligence as an alternative to keep it synchronized and interoperable. The solutions to address the challenges were reviewed, including the best practices in IoT deployment, with maintenance themes being emphasized. One of the challenges pointed out is that IoT technologies and security-related guidelines are mainly addressed by the major firms, but not by governments or consumers. From a multistakeholder perspective, the panel touched on ways for diverse stakeholders to take collective action on the issue.

3. Key Takeaways

Ensuring security and privacy is essential for the IoT ecosystem to thrive, while the guidelines and related decision-making processes have to involve diverse stakeholders, including civil society and policy makers.

6. Final Speakers

Moderator: Mark Datysgeld, Governance Primer

Online Moderator: LUIS GUSTAVO DE SOUZA AZEVEDO, Universidade Federal do Acre

Rapporteur: Jaewon Son, Korea Internet Governance Alliance

Speakers:

  1. Martha Teye, Zlitch Technologies
  2. Edgar Ramos, Ericsson
  3. Sávyo Vinícius de Morais, Federal University of Rio de Janeiro
7. Reflection to Gender Issues

This subject affects people of all genders and identities, and should be considered a common good.

8. Session Outputs

The main output provided by this session was the spread of information about the current and future security and privacy issues regarding IoT. The speakers also highlighted the following recommendations for the community:

  • There is a need for decentralization of IoT applications, allowing end users more control over their data and more reliability for the systems;
  • End users still need more awareness of good security practices when deploying their applications and devices, to provide a more secure Internet ecosystem;
  • Manufacturers must pay more attention to the development of their devices, following the security best practices for software development, and implementing the open and available security standards;
  • Support the implementation of appropriate cryptography and authentication methods.