Internet of things and cyber security: Will ‘regulation’ save the day?

19 Dec 2017 11:45h - 13:15h

Event report

[Read more session reports and live updates from the 12th Internet Governance Forum]

This session raised several key points on whether cybersecurity risks of Internet of Things (IoT) devices can be prevented by regulation. The main point of the discussion, moderated by Mr Arthur Rizer, Director of Criminal Justice and Security Policy for the R Street Institute, was whether more or less government regulation is needed. The panelists also focused on which type of regulation is preferred (international or national), who would be subject to regulation (industries or consumers) and whether global standards and certification can be a solution for risks posed by IoT devices.

Mr Arthur van der Wees, Managing Director at Arthur’s Legal, noted that for more resilience and protection, IoT regulation should be principle based and not rule based. He said rules do not keep up with new technologies fast enough. ‘Build fast, fix later is our current motto’, he said, adding that privacy and security suffer from our need to be digital and live in the ‘state of the art’ world. Van der Wees emphasised that minimum baseline requirements for the industry are possible and can potentially have a positive effect in reducing risks.

Prof. Milton L. Mueller, Georgia Tech, said that in everyday life the legal system is marked by liability, rather than by regulation, and IoT liability is a better legal terminology. According to Mueller, it is wrong to emphasise government regulation or free market, one over the other. He said safety updates for IoT devices sometimes cost three times more than the device itself, making it a slippery slope for centralised governmental regulation which could damage the industry, if the current business models stay the same. He noted his belief that people learn from past mistakes, such as with not using default passwords, and that this might make centralised regulation unnecessary.

From the legal perspective, Ms Tatiana Tropina, Senior Researcher at Max Planck Institute for Foreign and International Criminal Law, focused on defining the subjects and objects of regulation. She noted that ‘two different toolboxes will be needed’ to approach regulation from both the consumer and the network safety perspectives. Tropina emphasised that ‘we need a targeted solution’ that transcends sectors, industries and borders. She expressed her disagreement that the market industry will act responsibly and that consumers will make safer choices independently. Labeling and certifying IoT products, she agreed, could make consumers aware if a certain product carries more risks. Enforcing safety and trans-national regulation on IoT devices that have crossed borders from producers to consumers is, according to Tropina, the biggest discussion point. In conclusion, she said that regulation carries regulatory certainty and the IoT is not there yet.

Mr Pearse O’Donohue, acting director of the Future Networks Team in DG CONNECT, presented the two contradictions of the governmental perspective. A balanced regulatory approach needs to encourage industries but also force them to face responsibilities, perhaps with the threat of sanctions via regulation. On the other hand, governments should educate citizens on their cyber hygiene so that their online rights, privacy and security are safe. O’Donohue added that transparency, labeling, and implementation are necessary. He also referred to the EU’s framework on strengthening regulation through the General Data Protection Regulation (GDPR).

Mr Maarten Botterman, Director of the board of ICANN, expressed his hope that the multistakeholder community has learned from past mistakes, and that GDPR regulations will help in starting the new taxonomy of IoT governance and risks. He supported calls for more transparency, and proposed the global creation of certifications by governments that would be enforced by independent agencies. Botterman also added that we should look at different levels of sensitivity of IoT, privacy, and security, as they are not necessarily a unified concept.

By Jana Mišić