IGF 2018 OF #25 Global alignment for improving the security of IoT devices

Session Time: Wednesday, 14 November, 2018 - 10:10 to 11:10

Room: Salle IX

Online moderator: mr. Arnold van Rhijn, Senior Policy Officer, Ministry of Economic Affairs and Climate Policy of the Netherlands. 

1. Mrs. Sandra van der Weiden: Introductory presentation on the Roadmap for Digital hard and Software Security of the Netherlands

With the example of a smart washing machine some important issues of IoT-security are demonstrated. Vulnerabilities can occur in all components and the connections between those and e.g. the app to control them, or the router to distribute their signals to the internet. A second aspect is that the risks and potential impacts of security problems are largely context dependent, as demonstrated by comparing a washing machine in a home setting with the same in a hospital or powerplant.

From this example several principles for the digital security of IoT are developed:
1: Follow a product life cycle approach to establish IoT-security: from the design and development stage, via distribution, installation and usage to the disposal stage of the IoT-product.

2: IoT-security requires joint responsibility: there is no exclusive responsibility for e.g. the producer or vendor. All have to play a role. Given the limited rationality and acting capacity of users also government parties and civil society organizations have a role to play.

3: The balance of public interests needs to be taken into account. One-sided focus on safety and security may not go at the cost of freedom or economic growth.

4: A portfolio approach is needed: not ‘just’ legislation, but a broad range of policy instruments must be applied, from legislation to awareness raising, and from certification to security testing.

5: Room must be left for a complementary digital security approach e.g. for specific sectors or domains.

As relevant policy instruments are highlighted: awareness campaigns and user empowerment; national government procurement policies; liability/accountability based measures, e.g. standards and certification; product monitoring; testing and cybersecurity research; and the cleansing or removal of contaminated products. 

Disclaimer: the Netherlands’ Roadmap for Digital Hard and Software Security offers an approach, in the end we will need a program.
 

2. Panel discussion: What could IGF do to help promote security of the IoT?

moderated by Joost van der Vleuten

Panel members in alphabetical order:

1. Maarten Botterman, Netherlands: Director of ICANN / Global Future Internet Authority / Independent Strategic Advisor for GNKS (Global Networked Knowledge Society); Chair of the IGF Dynamic Coalition on IoT security.
2. Byron Holland, Canada: President and CEO of the Canadian Internet Registration Authority (CIRA); responsible for the legal and policy environment for the domain name space in Canada and one of the voices advocating Canada’s interests in the global Internet environment.
3. Mr. Jasper Pandza, United Kingdom: Assistant Director Culture, Media and Sports - DCMS) and driving force behind the Code of Practice for Consumer IoT Security.
4. Mrs. Sandra van der Weide, senior policy advisor of the Ministry of Economic Affairs and Climate Policy of the Netherlands / Project Manager Roadmap Digital Hardware and Software Security.

Byron Holland:  

• In 2016 we saw the first large scale attack abusing IoT devices. Since the exponential increase in IoT devices connected to the internet, that sort of attack has the potential to be more influential. Good security of IoT devices is therefore critical. Canada has started a multi stakeholder community with participants from civil society, academia, government and private sector, that came together in Spring 2018 and divided itself into 3 working groups: one on consumer education (how to ensure that the consumer without skills is also safe), a second one on labeling standards (how to do effective labeling) and a third one on network resilience (technical group) what can network managers do to reduce their risks?
  Manufacture usage description (MUD profile).

  Discussion: Challenge the idea we don't have ways to protect websites.

Maarten Botterman

• Technical innovation is moving fast, complications for innovation increase and good practice are needed. You may e.g. have your tools being certified, labeled or even regulated within one country, but tools will also come from abroad. Also a pragmatic approach is required regarding transparency. I suggest meaningful transparency. That does not mean providing all data out there, but above all ensuring the user understands what he or she needs to understand. basic security, privacy. Let’s make sure we do it in a responsible way.

Jasper Pandza:

• Overall message: we need to focus on the basics, get the basics right and move forwards swiftly. You need to know what it looks like in order to develop regulatory options. Do this in a multi stakeholder process with industry, society, academia. That’s what we did in UK. We will be developing them into a global standard through ETSI, hoping to finish by February 2019. We have asked companies to implement the code.
  We should take Lifecycle into account. Software updates the important thing is transparency.
• Discussion: we need to factor in much more complex scenarios. For instance when smart washing machine is being bought 2^nd hand or when someone is hiring a house (and thus not the owner of the washing machine etc.).
  • Jasper: Communicating the outcome of the insurance to the consumer. This is setting the baselines and developing the certification scheme.
  • Walter: if something goes wrong, people will knock on the door of the government. So many fixes already have been developed, but not implemented for some reason. Incentives for industry are not sufficient, but if it would be obligatory then the industry would have to. Government should have a role in this. Autos are when used moved to other countries and then to other countries. So is this a sustainable model...
    Comment government Canada: incentives some manufacturers not aligned. But we do bring them in our initiative. The beauty is in engagement. Key is having this conversation about what works.
  • Comment: we don’t have the potential to build the internet of secure things, but we can build a secure cloud of things. You don’t want to securitise avery single pacemaker, fitbit or smart light switch. But you can secure routers and thus anything ‘behind’ that router. Much cheaper, much more flexible.
  • Question: are there any ideas on how a change of culture would be possible? Especially small companies are not going to invest in these 13 points. Is there an active role for IGF in making the suggestions on what to do and what not to do work?
• Maarten: we cannot secure the devices, but we need standards and informed choice (labeling, certification). The aim is to get consumers to make smarter choices. You cannot rely on the safety of the devices alone. Role of IGF: do not wait for the IGF, continue doing your thing.

  Comment from audience: continue to work on these issues. We got good examples and points from the IGF. Focus on their implementation within your different jurisdictions. Then exchange good practices, share successes and lessons learned, as all IoT-issues are cross technology and cross country. That is the biggest challenge.

• Jasper: We have to move forward. While doing so keep all informed about relevant initiatives.

---