IGF 2021 WS #239 The Internet of Things is a Ticking Clock: Secure Design Now

Time
Wednesday, 8th December, 2021 (12:50 UTC) - Wednesday, 8th December, 2021 (13:50 UTC)
Room
Conference Room 4

Organizer 1: Sávyo Vinícius de Morais, Federal Institute of Education, Science, and Technology of the Rio Grande do Norte State (IFRN)
Organizer 2: Jaewon Son, Korea Internet Governance Alliance
Organizer 3: Mark Datysgeld, Governance Primer
Organizer 4: Jaqueline Pigatto, Internet Society

Speaker 1: Sávyo Vinícius de Morais, Government, Latin American and Caribbean Group (GRULAC)
Speaker 2: Edgar Ramos, Private Sector, Western European and Others Group (WEOG)
Speaker 3: Martha Teye, Private Sector, African Group

Moderator

Mark Datysgeld, Private Sector, Latin American and Caribbean Group (GRULAC)

Online Moderator

Jaewon Son, Civil Society, Asia-Pacific Group

Rapporteur

Jaqueline Pigatto, Civil Society, Latin American and Caribbean Group (GRULAC)

Format

Round Table - U-shape - 60 Min

Policy Question(s)

International standards: How should international standards address the different requirements and preferences of governments and citizens in different countries?
Roles and responsibilities in protecting against cyber-attacks: Which stakeholders hold responsibility for protecting national governments, businesses and citizens against cyber-attacks?

Additional Policy Questions Information: Standards and recommendations for IoT are being developed at different fora and their adoption is uneven. What are some of the solutions that can be developed to enhance stakeholder cooperation to advance security by design?

1. In spite of the high interest in the subject, stakeholders have yet to agree on a set of standards that incorporates views from the different sectors and could therefore be more readily adopted by the actors of this broad ecosystem. This fosters anxiety and distrust around IoT. 2. Discussions are often carried out either in a technical environment between engineers or from a mostly civil society angle, without much progress on bridging the two perspectives. Proactive steps are needed for ideas to circulate and for mutual understanding to be found. 3. The way products are developed means that even if substantial changes are made at the policy level, it can take years for devices to incorporate them; swift action is therefore necessary, since the market is expected to accelerate even further in the next few years.

SDGs

9. Industry, Innovation and Infrastructure
12.6
12.7

Targets: We believe the session is strongly aligned with Goal 9: “Build resilient infrastructure, promote sustainable industrialization and foster innovation”. Our proposal is to promote Internet security at a fundamental level so as to increase the well-being of populations. We also engage with targets 12.6 (“Encourage companies, especially large and transnational companies, to adopt sustainable practices and to integrate sustainability information into their reporting cycle”) and 12.7 (“Promote public procurement practices that are sustainable, in accordance with national policies and priorities”), in our underlying discussion of manufacturing equipment that is less disposable and more resilient, with self-updating capabilities and better operating protocols.

Description:

This workshop continues the work carried out in 2020’s WS #325 “Internet of Things: Trust, Trick or Threats?”. From the fruitful dialogue between panelists and the audience, it was recognized that an important next step with regard to the Internet of Things is the establishment and adoption of security-related standards and best practices, which currently lag behind the pace at which the technology is being deployed, generating gaps that progressively become a greater threat to public safety.

IoT presents a new paradigm in the dimensions of communication and interaction, but its associated issues are remarkably similar to those the Internet Governance community already faces, such as the deployment of IPv6, which took over 20 years from its standardization to catch on in a meaningful way. The difference is that the scale of IoT and the potential for its massive adoption in the next decade open up many new attack vectors and make it an even more significant challenge, especially considering its potential to translate digital damage into physical damage to structures and people. At a fundamental level, however, the problem remains the same: there is a need for the adoption of community-reviewed open standards and for best practices to be followed. This requires a coordinated effort between manufacturers in the private sector and the academics advancing research and co-developing best practices, as well as demand from civil society and governments for better standards to be put in place.

The speakers assembled for this round table are up to date with the progress of these themes and have themselves contributed to their advancement, participating in industry bodies and relevant IETF discussions.
As a follow-up to the previous year’s topics, the INXU protocol being developed by one of the returning speakers, which creates a flow-based Intrusion Prevention System (IPS) that reduces the threat surface of IoT devices, is reaching maturity and has incorporated feedback received from the IGF and IETF communities. INXU will be presented for further community evaluation. The session’s goals are both to inform and to take in ideas: updating the community on subjects to which it might not regularly be exposed, while benefiting from the diverse knowledge of IGF attendees to gather material that can be taken back to ongoing research projects, keeping them relevant and in touch with the needs of the global technology public.

Expected Outcomes

The main expected outcome of this workshop is to further knowledge on the subject of security by design, both for the research being carried out by the speakers and for the studies presented by attendees, continuing to enhance ongoing investigations and finding partnerships for future collaboration, as was successfully done with the output of 2020’s WS #325 “Internet of Things: Trust, Trick or Threats?”.

At the beginning of the session, each speaker will give a general overview of their focus issue for up to 7 minutes, considering the guiding question posed by the moderator. The guiding questions must address at least one of these lines: 1. What are the difficulties and risks faced by your stakeholder group? 2. What are you doing to face the problems you are exposed to? 3. What policies do you adopt, or think should be adopted, to mitigate the problems? After the initial interventions, the floor will be opened for up to 25 minutes, with each intervention limited to 2 minutes. Three types of audience member will be monitored: (1) onsite participants; (2) remote participants in the official IGF interaction channels; and (3) Twitter users engaged by means of the hashtags #IGF2021 and #IoThreats. All interventions will be valued equally, with no preference for online or offline. The remaining 5 minutes will be used by the speakers and the moderator for final comments.

Online Participation

Usage of IGF Official Tool.

Key Takeaways

Citizen-centric solutions are needed. IoT is needed, especially in the context of the pandemic; however, IoT devices are expensive, and economic incentive policies would also be of interest.

Initiatives on IoT security, which should be private-sector initiatives, are being taken by other stakeholders, in the IETF and even at the IGF through its debates. People can also set their own policies, in order to customize their use and determine what is most appropriate for their needs.

Call to Action

Need for more flexible policies between the product/company and the user, as well as greater communication and transparency efforts by the private sector.

Measures proposed in the IETF try to tackle the issue of managing vulnerabilities in heterogeneous IoT networks with a small security team. There is also a need for interoperability between IoT devices.

Session Report

This panel is a continuation of a workshop from last year, whose main conclusion was the need for security by design in IoT.


One of the panelists from the private sector, Edgar Ramos, pointed out the problem of consent based on the "take it or leave it" practice. Hence the need to negotiate, apply or monitor such policies, demanding new business models that are customizable and interoperable.


Another representative from the private sector, Martha Teye, spoke about the impact of Covid and how it has driven the use and success of IoT. In this scenario, economic policies also need to be addressed, as IoT devices are not cheap. Teye also spoke about smart cities and the innovations enabled by 5G, which increase data collection and security uncertainty for users (data subjects). On a more positive note, Teye spoke of the uses of IoT and edge computing in improving AI predictions and the very functioning of IoT, which demands greater collaboration between actors.


Speaking from the technical perspective, the Brazilian Sávyo Morais introduced the lifecycle of an IoT device and the need for secure design to handle threats throughout the device's whole life. The main issue Morais raised was managing vulnerabilities in heterogeneous IoT networks with a small security team. Presenting ongoing efforts to address it, Morais spoke of his IETF draft, which tries to tackle the problem by sharing knowledge, and explained a little about INXU: protecting the network based on well-known attacks. He related his work to RFC 8520, Manufacturer Usage Description (MUD).
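To make the RFC 8520 reference concrete, the following is an added example written for this page; it is not code from the session, from INXU or from any MUD manager implementation. It shows what a MUD-aware gateway does with a manufacturer's MUD file: the file's from-device and to-device ACLs (keys per RFC 8520 and the RFC 8519 ACL model) become a flow allowlist, and every flow the manufacturer did not declare is dropped, which is the "reduce the threat surface" mechanism the text describes. The MUD file, the resolver table and the sample flows are constructed for the example; the example.com names and 203.0.113.x / 198.51.100.x addresses are documentation addresses, not a real deployment.

```python
"""Minimal MUD (RFC 8520) evaluator: the ACLs in a MUD file become a flow allowlist and
anything not explicitly accepted is dropped, which is how a MUD-aware gateway shrinks
an IoT device's network attack surface. Added example; not INXU or any vendor's code."""
import json

# Constructed MUD file in the RFC 8520 layout (not a real vendor's file): the device
# may only open TLS to its update service and UDP/123 to its NTP server.
MUD_FILE = """{
 "ietf-mud:mud": {
  "mud-version": 1, "mud-url": "https://mud.example.com/thermostat.json",
  "last-update": "2021-12-08T12:50:00+00:00", "cache-validity": 48, "is-supported": true,
  "systeminfo": "Example thermostat (constructed)",
  "from-device-policy": {"access-lists": {"access-list": [{"name": "thermo-v4fr"}]}},
  "to-device-policy": {"access-lists": {"access-list": [{"name": "thermo-v4to"}]}}},
 "ietf-access-control-list:acls": {"acl": [
  {"name": "thermo-v4fr", "type": "ipv4-acl-type", "aces": {"ace": [
   {"name": "cloud-https", "actions": {"forwarding": "accept"}, "matches": {
     "ipv4": {"ietf-acldns:dst-dnsname": "update.example.com", "protocol": 6},
     "tcp": {"ietf-mud:direction-initiated": "from-device",
             "destination-port": {"operator": "eq", "port": 443}}}},
   {"name": "ntp-out", "actions": {"forwarding": "accept"}, "matches": {
     "ipv4": {"ietf-acldns:dst-dnsname": "ntp.example.com", "protocol": 17},
     "udp": {"destination-port": {"operator": "eq", "port": 123}}}}]}},
  {"name": "thermo-v4to", "type": "ipv4-acl-type", "aces": {"ace": [
   {"name": "cloud-https-reply", "actions": {"forwarding": "accept"}, "matches": {
     "ipv4": {"ietf-acldns:src-dnsname": "update.example.com", "protocol": 6},
     "tcp": {"ietf-mud:direction-initiated": "from-device",
             "source-port": {"operator": "eq", "port": 443}}}}]}}]}}"""

# Constructed resolver table; a real MUD manager resolves (and re-resolves) these names.
DNS = {"update.example.com": {"203.0.113.10"}, "ntp.example.com": {"203.0.113.20"}}


def _port_matches(spec, port):
    """ACL port spec: 'eq' a single port, 'range' lower..upper, absent = any port."""
    if spec is None:
        return True
    if spec.get("operator") == "range":
        return spec["lower-port"] <= port <= spec["upper-port"]
    return spec.get("operator") == "eq" and port == spec["port"]


def load_policy(mud_text, dns):
    """Return {'from-device': [rule, ...], 'to-device': [rule, ...]} from a MUD file."""
    doc = json.loads(mud_text)
    mud = doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    policy = {}
    for direction in ("from-device", "to-device"):
        # The remote end is the destination of outbound flows and the source of inbound ones.
        name_key, port_key = (("ietf-acldns:dst-dnsname", "destination-port")
                              if direction == "from-device"
                              else ("ietf-acldns:src-dnsname", "source-port"))
        rules = []
        for ref in mud[direction + "-policy"]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                ip = ace["matches"].get("ipv4", {})
                l4 = ace["matches"].get("tcp") or ace["matches"].get("udp") or {}
                host = ip.get(name_key)
                rules.append({
                    "proto": ip.get("protocol"),                            # 6=TCP, 17=UDP, None=any
                    "remote_ips": dns.get(host, set()) if host else None,  # None = any host
                    "remote_port": l4.get(port_key),                       # None = any port
                    "initiated": l4.get("ietf-mud:direction-initiated"),  # None = either side
                    "accept": ace["actions"]["forwarding"] == "accept"})
        policy[direction] = rules
    return policy


def flow_allowed(policy, direction, proto, remote_ip, remote_port, device_initiated=True):
    """First matching ACE decides; no match means drop (default deny)."""
    for r in policy[direction]:
        if r["proto"] not in (None, proto):
            continue
        if r["remote_ips"] is not None and remote_ip not in r["remote_ips"]:
            continue
        if not _port_matches(r["remote_port"], remote_port):
            continue
        # direction-initiated "from-device": only connections the device itself opened count.
        needed = {"from-device": True, "to-device": False}.get(r["initiated"])
        if needed is not None and needed != device_initiated:
            continue
        return r["accept"]
    return False


# Constructed flows as a gateway would see them:
# (label, direction, protocol, remote IP, remote port, did the device open the connection?)
SAMPLE_FLOWS = [
    ("firmware check to update service", "from-device", 6, "203.0.113.10", 443, True),
    ("NTP sync", "from-device", 17, "203.0.113.20", 123, True),
    ("reply from update service", "to-device", 6, "203.0.113.10", 443, True),
    ("SSH from device to a NAS on the LAN", "from-device", 6, "192.168.1.20", 22, True),
    ("beacon on 443 to an unlisted host", "from-device", 6, "198.51.100.5", 443, True),
    ("inbound Telnet probe", "to-device", 6, "198.51.100.5", 23, False),
    ("unsolicited inbound 443 from the update IP", "to-device", 6, "203.0.113.10", 443, False),
]


def evaluate_samples():
    """Map each sample flow label to the gateway's accept/drop verdict."""
    policy = load_policy(MUD_FILE, DNS)
    return {label: flow_allowed(policy, *rest) for label, *rest in SAMPLE_FLOWS}


if __name__ == "__main__":
    for label, ok in evaluate_samples().items():
        print("ACCEPT" if ok else "DROP  ", label)
```

Running the script prints one verdict per sample flow. The three legitimate flows are accepted; the lateral SSH attempt, the beacon to an unlisted host, the inbound Telnet probe and even an unsolicited inbound connection from the update server's own address are all dropped, without any attack signature, simply because the manufacturer never declared them. That is the complementary side of the approach Morais described: MUD fixes what the device is allowed to do, while a flow-based IPS such as INXU adds knowledge of well-known attacks on top. A production MUD manager would also validate the file's signature, handle IPv6 ACLs, and re-resolve names as DNS answers change, none of which this sketch does.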


The debate that followed with other session participants addressed the issue of greater transparency for the consumer and how to encourage them to take care of their IoT devices (applying a simple update, for example). There was talk about awareness of privacy and security, while the common user's mentality is that if it isn't broken, it's better to leave it as it is. The debate ended with the reflection by Mark Datysgeld that a greater communication effort on these and other points discussed in this forum should take place in the mainstream media, in order to reach the common user who, in the final analysis, is the focus of IoT devices that seek to make day-to-day life easier.