[Read more session reports and live updates from the 13th Internet Governance Forum]
The Internet of Things (IoT) security is not only the responsibility of an end-user, but a joint effort between regulators/government, manufacturers, the technical community, civil society and other parties interested in IoT. The session focused on the alignment for improving the security of IoT devices, and was moderated by Mr Joost van der Vleuten, Senior Policy Officer Internet Economy, The Netherlands Ministry of Economic Affairs and Climate Policy.
Ms Sandra van der Weide, Senior Policy Officer, the Netherlands Ministry of Economic Affairs and Climate Policy, stated that more and more devices are now connecting to the Internet and that it is not easy to secure these interconnected devices. She shared five principles that have been developed by the Netherlands Ministry of Economic Affairs and Climate Policy that focus on product life-cycle:
- joint responsibility in handling IoT security
- balancing public interest
- a portfolio approach which includes prevention, and
- detection of threats
- building blocks for a complementary approach, which include: standards and certification, monitoring digital security, cleaning up infected products, testing digital security, cybersecurity research, awareness campaigns and policy.
Mr Byron Holland, President and Chief Executive Officer, Canadian Internet Registration Authority (CIRA), mentioned that CIRA does not only handle .ca, the Canadian country code Top Level Domain (ccTLD), but also operates the underlying infrastructure running .ca in Canada and around the world. He referred to the Distributed Denial of Service (DDoS) attack to Dyn in 2016, a company that controls a lot of the Internet's Domain Name System (DNS), noting that the DDoS attack disrupted the Internet. He noted that Canada had adopted a multistakeholder approach and was working with the Internet Society (ISOC), CIRA - a law clinic at the University of Ottawa, and the Canadian Network for the Advancement of Research, Industry and Education (CANARIE), for the development of Canadian processes in enhancing IoT security.
Mr Maarten Botterman, Director, GNKS Consult BV, highlighted that there are different tracks: technical and innovation, though the technical track is moving faster than the others. He emphasised that human beings should be the focal point of the IoT discussion because humans use devices, and even children will use connected devices. He added that basic security is needed and users should be allowed control of personal data on connected devices, as well as the opportunity to make clear choices. He called for joint responsibility, which he said is essential, and the responsibility for security should not only be left to end-users. He concluded that we should make the best use of technologies in a responsible way.
Mr Jasper Pandza, Assistant Director, Department for Digital, Culture, Media and Sport (DCMS), UK, mentioned that a lot of devices in our homes are not secure, and many on the market have default passwords. He added that it is important to set out what good IoT security looks like and also important to work with different stakeholders when developing security standards. He referred to the United Kingdom's 13 guidelines in the code of practice for consumer IoT, which manufacturers of connected devices are encouraged to use. Pandza added that these guidelines will be developed into a standard for the European Telecommunications Standards Institute (ETSI), an independent organisation for the telecommunications industry in Europe. Responding to a question from a participant on focusing on only software and not hardware, he said that it is important to know how long vendors will support devices in terms of security updates.
By Sarah Kiden