{"id":13870,"date":"2018-08-30T09:00:28","date_gmt":"2018-08-30T08:00:28","guid":{"rendered":"http:\/\/www.devopsonline.co.uk\/?p=13870"},"modified":"2018-09-03T12:41:07","modified_gmt":"2018-09-03T11:41:07","slug":"avoiding-the-worst-iot-scenarios","status":"publish","type":"post","link":"https:\/\/devopsnews.online\/avoiding-the-worst-iot-scenarios\/","title":{"rendered":"Avoiding the worst IoT scenarios"},"content":{"rendered":"

The Internet of Things (IoT) is here. With it come some pretty cool sci-fi-sounding applications, along with the more humdrum talk of connected toasters and thermostats. But the rapid pace of change also packs some hefty security and privacy risks, which could lead to serious reputational and liability issues for manufacturers. Compromised IoT devices have even been used to attack the underlying infrastructure of the internet. Informed action from a range of different stakeholders and standards development organisations is needed if we want to prevent the worst scenarios from becoming a reality.<\/p>\n

Wait, we’re an internet company now?<\/h2>\n

Light bulb manufacturers used to produce light bulbs. Today they\u2019ve become Internet companies and most don\u2019t even realise it yet. This shift has introduced a whole host of new requirements in terms of privacy, security and technical interoperability that need to be met quickly. Unfortunately, many companies haven\u2019t yet woken up to the fact that these are even things they need to be thinking about.<\/p>\n

This shift introduces massive new liability risks for manufacturers. Imagine an internet-enabled thermostat that relies on a connection with the manufacturer\u2019s network to operate. If a network outage coincides with severe low temperatures, there could suddenly be a lot of people stuck in the cold. Many IoT manufacturers appear to be sleepwalking into a crisis here. And legislation is quickly catching up, with the European Commission currently drafting new cybersecurity requirements and the recent reform of EU data protection rules.<\/p>\n

Internet companies have different business models than manufacturers. What does it mean to sell a product that will need security patches for its entire lifetime? Software as a service may work for many technology companies, but it remains to be seen whether a subscription model can be applied to home appliances. And if a company goes bankrupt or a product line is no longer supported \u2013 what happens to the millions of increasingly vulnerable devices that could remain online for decades? To the average user, a web-enabled CCTV camera that\u2019s part of a giant botnet looks and mostly acts the same as one that is not.<\/p>\n

The ISPs, content providers, and large academic and enterprise networks at the core of the internet have a long-established tradition of cooperation on areas affecting the digital commons. This is driven by the demand for interoperability that is needed to make the Internet work. The requirement that networks peer to exchange packets has over time created a myriad of both formal and informal interpersonal networks that in many ways mirror the physical infrastructure. Network operators know one another personally and interact as part of a community to share ideas and experiences. This dynamic is lacking among IoT manufacturers, who are typically in direct competition and working in isolation from one another.<\/p>\n

Will standards keep pace?<\/h2>\n

Shared standards will no doubt prove to be an important part of any solution. However, there are a few issues here as well. The broad scope of the IoT industry results in a complex landscape of different standards development organisations (SDOs). Where a number of different areas intersect, such as smart cities or networked cars, cooperation between different SDOs can prove to be a challenge. SDOs are used to drawing on their expertise and authority for a specific field; suddenly they\u2019re faced with externalities that require expertise in fields ranging from ICT security to privacy and Internet Protocol-based communications. Similar issues are faced on the regulation side. When an IoT smart meter is developed that communicates over the Internet, is it the electrical regulator or the telecommunications regulator that is responsible?<\/p>\n

Meanwhile, driven by demand and a need to quickly enter these emerging markets, manufacturers and service providers can\u2019t afford to wait for standardisation efforts to catch up. Instead, they are often choosing to develop their own proprietary solutions. In this context, building in security and privacy costs time and money. The solutions that are developed are often not well tested and can present significant risks to the IoT devices and their users.<\/p>\n

What does an IoT solution look like?<\/h2>\n

There are no silver bullets here, and there will probably never be a point where we can say that all of the issues with IoT have been \u201csolved\u201d. There will always be issues that need to be addressed. If there <em>is<\/em> a solution, it will likely come in the form of a process and a mode of working that allows the IoT industry to quickly adapt and address the many different concerns of customers, regulators and other stakeholders in a timely fashion. Here it may be instructive to look at how the traditional Internet community has worked over the years.<\/p>\n

Through necessity, the internet industry has developed novel approaches to setting standards and addressing stakeholder concerns. This has resulted in the so-called \u201cmultistakeholder model\u201d that is built on openness, transparency, and participation from all stakeholders. There is also a kind of flexibility inherent in this model. While a perfect solution may be elusive, there is usually a compromise that can be found. \u201cWe believe in rough consensus and running code,\u201d states one infamous Internet Engineering Task Force document, which underscores the fact that many Internet standards were developed \u201con the go\u201d with consensus decisions based on the results of working prototypes.<\/p>\n

When there is a security incident, there is an expectation that it will be followed by appropriate and transparent disclosure. This is key not only to maintaining trust but also to safeguarding other network operators who may share the vulnerability. No doubt there are similar approaches to the responsible disclosure of security and safety incidents in the airline industry, for example, and these working examples could be applied to parts of the IoT landscape, where small design mistakes or manufacturing errors can have serious and far-reaching consequences. All of this is in stark contrast to today\u2019s reality, where attempting to reveal a security vulnerability to IoT manufacturers will often generate legal threats.<\/p>\n

Finally, inasmuch as the IoT is about things that are connected to the Internet, many of the associated issues may not be quite as novel as they first appear. There are established, open communities that have been working on network and ICT security, privacy, network abuse and related issues for decades, including RIPE, the IETF, IEEE and W3C. These communities have developed a base of standards, documentation and knowledge that will help developers who are working at the intersection of these issues. They also welcome the unique perspective of people working in the IoT field to inform their policy and standards development discussions.<\/p>\n

Written by\u00a0Marco Hogewoning, External Relations Officer – Technical Advisor, RIPE NCC<\/p>\n","protected":false},"excerpt":{"rendered":"

External Relations Officer at RIPE NCC, Marco Hogewoning, questions what happens to the millions of increasingly vulnerable devices that could remain online for decades?<\/p>\n","protected":false},"author":2,"featured_media":13871,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","pmpro_default_level":"","footnotes":""},"categories":[2,1158],"tags":[297,3159,3158,111,3155,3160,3157,3153,3156,3154]}