IoT: Economic opportunities and security challenges
9 Jun 2018 02:00h
Event report
The session started with introductions by co-moderators Mr Peter Koch (Senior Policy Advisor, Denic), Mr Frédéric Donck (Managing Director, European Regional Bureau, Internet Society) and Ms Tatiana Tropina (Senior Researcher, Max Planck Institute for Foreign and International Criminal Law).
The interactive format of the session was explained and the audience was split into three groups representing the perspectives of the manufacturer, the user, and the policymakers when discussing the different aspects of the Internet of Things (IoT): privacy, security, and economics.
The group on policymaking, under the facilitation of Tropina, built their discussions around the experience of the UK government in supporting the research and development of IoT and engaging with businesses and citizens to advance UK leadership in IoT applicability. The goal of their initiative is to propose commercial incentives for manufacturers to ensure the development of IoT for healthcare services, transportation and smart cities. The group came to the idea that privacy and security by design should be a priority for IoT devices and software. However, policymakers should work with the industry to set standards at the global level to ensure a cross-border flow of IoT technologies and devices, and most importantly, to prevent counterfeiting, which would endanger security and privacy tremendously. For this reason, it would be good to involve international standardisation organisations. Finally, the group agreed on the necessity to find reliable metrics for checking the progress of IoT deployment and how it really contributes to economic growth.
The second group’s discussion was led by Koch and focused on the manufacturer’s perspective, with most of the discussion being on security. However, as businesses, their foremost priority is to sell products, and it was roughly agreed that economics was the driving factor behind having security or privacy on the agenda for IoT manufacturing. Following the roll-out of the General Data Protection Regulation (GDPR), privacy and security became an economic consideration as well. Since businesses mainly run on consumer/user demand, the group also argued that demanding security was the consumer’s responsibility at the end of the day. The layers of security, from the design and manufacturing of the microchips to software, were discussed, and companies who take on all layers of production were mentioned as examples of efforts to increase product security. Another point made was that the IoT was not only there for end users and was not always connected to the Internet, but a big part of the industry was built upon business-to-business applications for logistics, manufacturing, transportation, environmental monitoring, industries and so on.
The third group focused on the user’s perspective and started the discussion by trying to formulate the questions that they saw as relevant to making informed decisions relating to connected products and devices, whether security was a concern, and how a consumer can learn about quality and security when it comes to devices whose technical functioning is not necessarily intuitive. Some of the other points raised by the discussion group include:
- One of the key topics was whether users were ready to pay more for secured IoT devices, and participants agreed that price was a relevant component but not the only issue to be considered.
- Information regarding the safety and security of connected devices needs to be clear, objective and intelligible for non-experts; an excessive burden on vulnerable users who normally lack the necessary expertise will not improve the overall cybersecurity environment.
- Whether through formal certification or informal mechanisms, users want devices to be tested and the results publicised, so as to ensure diversity and confrontation of views, as well as diversity of sources that are independent and, if possible, officially verifiable.
- Children’s toys and devices may be a good starting point to raise awareness regarding the importance of privacy and security of connected devices, since people tend to raise their concerns and awareness efforts when these interests are at stake.
The session continued with discussions comparing the messages and perspectives of policymakers, users and manufacturers. The question of the responsibility for security was debated in depth. Users put economics over security, which determines sector trends in IoT, so education and awareness should be a priority. A solution can be that governments impose security by design on manufacturers, which would solve the security issue. Another important point to consider is imported products: is it a solution to tightly regulate imported IoT and have certifications? Participants from a technical background stressed that security is not a state; it constantly evolves, which raises the issue of who is responsible for security issues. In 10 or 20 years, if a manufacturer is long gone but the products are still in use, who will governments and users address? Industry-set standards can be a solution to these issues, just like the CE standards for various products.
Final remarks included that current disclosures and disclaimers that come with connected devices were not sufficient. Regulation in addition to the existing privacy regulation will likely be needed for the IoT. And in the near future, if there is a lack of consideration for privacy and security in IoT devices, they may simply not be allowed on the European market.