Internet of Things is the key driver of the digital revolution. More and more devices are becoming connected to the Internet. This development creates new opportunities for our society such as new products and services, but also creates vulnerabilities. These vulnerabilities could undermine our trust in digitalization. This does not only harm trust of individual users. Because of the increase in interconnectedness this could also harm trust of our society as a whole. Cybersecurity is a basic requirement for our trust in the Internet of Things. For example, a hacked teddy bear could be used for a DDoS attack to disrupt business activities. That’s why it is important to keep the internet-connected devices as secure as possible. A joint approach is needed as the Internet of Things is a cross-border phenomenon. This Open Forum aims to contribute to a joint approach by sharing best practices in how to secure IoT devices. At the Open Forum, the Netherlands government will present its Roadmap for Digital Hardware and Software Security. This Roadmap offers a cohesive set of measures for eliminating gaps in hardware and software, detecting vulnerabilities and mitigating their consequences. The organizers of this Open Forum aim to have an interactive debate with the audience on this actual and political issue. Speakers will be asked to give their views on these dilemmas, and present their solutions. Participants at this Open Forum will be involved on an interactive way.
The Netherlands Ministry of Economic Affairs and Climate Policy
The Netherlands Ministry of Economic Affairs and Climate Policy
Sandra van der Weide, Project Leader Roadmap for Digital Hardware and Software Security, The Netherlands Ministry of Economic Affairs and Climate Policy of the Netherlands Maarten Botterman, Chairman, Dynamic Coalition on IoT; ICANN Board Director TBC Industry TBC Technical Community TBC UK government TBC Government TBC Government Moderator: Joost van der Vleuten, The Netherlands Ministry of Economic Affairs and Climate Policy
Arnold van Rhijn, The Netherlands Ministry of Economic Affairs and Climate Policy
Session Time: Wednesday, 14 November, 2018 - 10:10 to 11:10
Room: Salle IX
Online moderator: mr. Arnold van Rhijn, Senior Policy Officer, Ministry of Economic Affairs and Climate Policy of the Netherlands.
- Mrs. Sandra van der Weiden: Introductory presentation on the Roadmap for Digital hard and Software Security of the Netherlands
With the example of a smart washing machine some important issues of IoT-security are demonstrated. Vulnerabilities can occur in all components and the connections between those and e.g. the app to control them, or the router to distribute their signals to the internet. A second aspect is that the risks and potential impacts of security problems are largely context dependent, as demonstrated by comparing a washing machine in a home setting with the same in a hospital or powerplant.
From this example several principles for the digital security of IoT are developed:
1: Follow a product life cycle approach to establish IoT-security: from the design and development stage, via distribution, installation and usage to the disposal stage of the IoT-product.
2: IoT-security requires joint responsibility: there is no exclusive responsibility for e.g. the producer or vendor. All have to play a role. Given the limited rationality and acting capacity of users also government parties and civil society organizations have a role to play.
3: The balance of public interests needs to be taken into account. One-sided focus on safety and security may not go at the cost of freedom or economic growth.
4: A portfolio approach is needed: not ‘just’ legislation, but a broad range of policy instruments must be applied, from legislation to awareness raising, and from certification to security testing.
5: Room must be left for a complementary digital security approach e.g. for specific sectors or domains.
As relevant policy instruments are highlighted: awareness campaigns and user empowerment; national government procurement policies; liability/accountability based measures, e.g. standards and certification; product monitoring; testing and cybersecurity research; and the cleansing or removal of contaminated products.
Disclaimer: the Netherlands’ Roadmap for Digital Hard and Software Security offers an approach, in the end we will need a program.
- Panel discussion: What could IGF do to help promote security of the IoT?
moderated by Joost van der Vleuten
Panel members in alphabetical order:
- Maarten Botterman, Netherlands: Director of ICANN / Global Future Internet Authority / Independent Strategic Advisor for GNKS (Global Networked Knowledge Society); Chair of the IGF Dynamic Coalition on IoT security.
- Byron Holland, Canada: President and CEO of the Canadian Internet Registration Authority (CIRA); responsible for the legal and policy environment for the domain name space in Canada and one of the voices advocating Canada’s interests in the global Internet environment.
- Mr. Jasper Pandza, United Kingdom: Assistant Director Culture, Media and Sports - DCMS) and driving force behind the Code of Practice for Consumer IoT Security.
- Mrs. Sandra van der Weide, senior policy advisor of the Ministry of Economic Affairs and Climate Policy of the Netherlands / Project Manager Roadmap Digital Hardware and Software Security.
- In 2016 we saw the first large scale attack abusing IoT devices. Since the exponential increase in IoT devices connected to the internet, that sort of attack has the potential to be more influential. Good security of IoT devices is therefore critical. Canada has started a multi stakeholder community with participants from civil society, academia, government and private sector, that came together in Spring 2018 and divided itself into 3 working groups: one on consumer education (how to ensure that the consumer without skills is also safe), a second one on labeling standards (how to do effective labeling) and a third one on network resilience (technical group) what can network managers do to reduce their risks?
Manufacture usage description (MUD profile).
Discussion: Challenge the idea we don't have ways to protect websites.
- Technical innovation is moving fast, complications for innovation increase and good practice are needed. You may e.g. have your tools being certified, labeled or even regulated within one country, but tools will also come from abroad. Also a pragmatic approach is required regarding transparency. I suggest meaningful transparency. That does not mean providing all data out there, but above all ensuring the user understands what he or she needs to understand. basic security, privacy. Let’s make sure we do it in a responsible way.
- Overall message: we need to focus on the basics, get the basics right and move forwards swiftly. You need to know what it looks like in order to develop regulatory options. Do this in a multi stakeholder process with industry, society, academia. That’s what we did in UK. We will be developing them into a global standard through ETSI, hoping to finish by February 2019. We have asked companies to implement the code.
We should take Lifecycle into account. Software updates the important thing is transparency.
- Discussion: we need to factor in much more complex scenarios. For instance when smart washing machine is being bought 2nd hand or when someone is hiring a house (and thus not the owner of the washing machine etc.).
- Jasper: Communicating the outcome of the insurance to the consumer. This is setting the baselines and developing the certification scheme.
- Walter: if something goes wrong, people will knock on the door of the government. So many fixes already have been developed, but not implemented for some reason. Incentives for industry are not sufficient, but if it would be obligatory then the industry would have to. Government should have a role in this. Autos are when used moved to other countries and then to other countries. So is this a sustainable model...
Comment government Canada: incentives some manufacturers not aligned. But we do bring them in our initiative. The beauty is in engagement. Key is having this conversation about what works.
- Comment: we don’t have the potential to build the internet of secure things, but we can build a secure cloud of things. You don’t want to securitise avery single pacemaker, fitbit or smart light switch. But you can secure routers and thus anything ‘behind’ that router. Much cheaper, much more flexible.
- Question: are there any ideas on how a change of culture would be possible? Especially small companies are not going to invest in these 13 points. Is there an active role for IGF in making the suggestions on what to do and what not to do work?
- Maarten: we cannot secure the devices, but we need standards and informed choice (labeling, certification). The aim is to get consumers to make smarter choices. You cannot rely on the safety of the devices alone. Role of IGF: do not wait for the IGF, continue doing your thing.
Comment from audience: continue to work on these issues. We got good examples and points from the IGF. Focus on their implementation within your different jurisdictions. Then exchange good practices, share successes and lessons learned, as all IoT-issues are cross technology and cross country. That is the biggest challenge.
- Jasper: We have to move forward. While doing so keep all informed about relevant initiatives.