IGF 2019 WS #307 Transparency and Control for the Internet of Things

Information

Session

Theme:

Security, Safety, Stability and Resilience

Subtheme(s):

International Norms
Cyber Security Best Practice

Organizer 1: Sunil Abraham, Centre for Internet and Society
Organizer 2: Ben Petrosky, Google

Speaker 1: Chris Kubecka, Private Sector, Western European and Others Group (WEOG)
Speaker 2: Estelle Massé , Civil Society, Western European and Others Group (WEOG)
Speaker 3: Sunil Abraham, Civil Society, Asia-Pacific Group
Speaker 4: Thomas Schildhauer , Civil Society, Western European and Others Group (WEOG)
Speaker 5: Maarten Botterman, Civil Society, Western European and Others Group (WEOG)

Policy Question(s):

Review of the current landscape: What are the best existing frameworks that can help drive security standardization for the consumer Internet of Things? How do we empower users to make choices about the world of devices around them? - How should / can users understand their threat models? - How can users make decisions about security capabilities? Can they assume certain risk? Must there be certain minimum requirements? - How do users make decisions about product functionality? What options for “dumb” devices? What can users know / control about sensors and device capabilities? - For devices that are not apparent to users (or under their control), how can users understand them and interact with them? What are the most promising mechanisms to drive international standardization across stakeholders and supply chains? Can we agree on alignment around certain aspects of devices where standardization makes sense? - Device type? (e.g., security camera, television, home appliances) - Sensor type? (e.g., microphone, camera, accelerometer, thermometer) - Type of data collected? (e.g., personally identifiable data, environmental data, medical data) And do you go by device or sensor capabilities or intended use?

Relevance to Theme: The number of Internet-connected devices now exceeds the world’s population. And by 2021, Gartner estimates that the number of Internet-connected devices will triple to 25 billion. It is perhaps unsurprising that the volume and sophistication of IoT threat has consequently grown to identify and exploit vulnerabilities. And while there are embryonic efforts to foster a marketplace for safe and secure IoT products, those efforts require international consensus, standardization, and commitment across a broad universe of government and industry stakeholders. A recent report found that internet of things attacks doubled between 2017 and 2018. Many of the attacks rely on weak/default credentials, and unpatched vulnerabilities. We would aim to build off of the work from last year's convening: https://www.intgovforum.org/multilingual/content/igf-2018-dc-internet-of...

Relevance to Internet Governance: Securing the IoT marketplace will require the participation and collaboration of stakeholders across the globe. Although many of these devices are purpose-built to operate in a local environment, their connectedness means that they can often be accessed and/or controlled remotely. If not secured, some devices may be used to improperly collect and share data, or may be used as bots by an attacker. To address these issues, we must consider global supply chains in global market and how the diverse stakeholders in the ecosystem can organize, monitor and govern their security/quality standards. Standards and protocols that provide baseline security for IoT consumers should apply regardless of where devices are made or where they are used. Further, the interconnected nature of global commerce means that the adverse effects of security vulnerabilities in Internet-connected devices will not be confined to particular countries and regions. Thus requiring a transnational multistakeholder framework of incentives and governance practices. Work on national-level solutions might help to pioneer the state of the art for Internet governance, but experiences have to be “internationalized” to ensure the development of a long-term, safe and secure IoT marketplace.

Format:

Birds of a Feather - Auditorium - 90 Min

Description: Intro to challenge and opportunity (per policy questions above) - Overview of current state of the art (e.g., The Digital Standard, other frameworks) - 2 minute overviews by speakers to “pitch” particular frameworks. What form of scheme? - Some breakout to discuss: Labeling? NRTL model? - Some breakout to discuss:: What attributes of devices need to be regulated (see 5 above) Lead group to consider which of the existing frameworks makes the most sense to pursue. - Discussion / Agreement of next steps

Expected Outcomes: Organizers would seek self-nominations from participants to integrate with existing IoT security framework efforts and assist them with coordinating input and bootstrap a multistakeholder community of practice (potentially connected to the IGF IoT Dynamic Coalition).

Onsite Moderator:

Sunil Abraham, Civil Society, Asia-Pacific Group

Online Moderator:

Ben Petrosky, Private Sector, Western European and Others Group (WEOG)

Rapporteur:

Ben Petrosky, Private Sector, Western European and Others Group (WEOG)

Discussion Facilitation:

As noted above, we will feature breakouts as well as an opportunity at the end for groups to weigh in on a recommended set of next steps.

Online Participation:

Usage of IGF Tool

SDGs:

GOAL 9: Industry, Innovation and Infrastructure

Report

1. Key Policy Questions and Expectations:

This goal of this session is to identify the best ways to ensure consumers can make informed security choices about consumer IoT devices (and concomitant services). While different initiatives are focusing on identifying core security standards for consumer devices, there is less collaboration on mechanisms that can surface this information to consumers in a meaningful way, recognizing that security is one of many issues a consumer considers in deciding whether to purchase an IoT device. Below are three policy questions that can guide this discussion:

How can we help consumers understand more about the security features of IoT devices, and how can this information be standardized and surfaced in both screened and screenless environments?
What core security information is essential for consumers to know about before they purchase an IoT device?
How might consumers make more informed security choices based on security-related information that is surfaced to them?