Regulating The Security of The Internet of Things
[1] Brass, I. & Sowell, J.H., 'Adaptive governance for the Internet of Things: Coping with emerging security crisis' (2021) 15 Regulation & Governance <https://doi.org/10.1111/rego.12343> accessed 02 December 2021
[4] Lessig, L., 'The New Chicago School' (1998) 27(2) The Journal of Legal Studies <https://doi.org/10.1086/468039> accessed 02 December 2021
[5] ENISA, 'IoT security standards gap analysis: Mapping of existing standards against requirement in security and privacy in the area of IoT' (2018) <https://www.enisa.europa.eu/publications/iot-security-standards-gap-analysis> accessed 02 December 2021
[6] Youm, H. Y., 'An overview of security and privacy issues for Internet of Things' (2017) 100(8) IEICE Trans. Inf. & Syst. <https://www.jstage.jst.go.jp/article/transinf/E100.D/8/E100.D_2016ICI0001/_pdf> accessed 02 December 2021
[7] Ibid.
Law
According to the European Convention on Human Rights[8] and the EU Charter[9], respect for one's private and family life, home and communications is seen as a universal right. In addition, Article 8 of the EU Charter lays down the fundamental right to data protection.
GDPR
The General Data Protection Regulation[10] regulates the protection of data and as such also addresses the security of data.
Articles 24 and 25 give data controllers the responsibility to implement appropriate technical and organisational measures to ensure they comply with the regulation, and oblige them to ensure privacy by design and by default. This means that by default they may only collect the minimum necessary data and must ensure that the data cannot simply be accessed by anyone. Article 32 states that measures ensuring a level of security appropriate to the risk, including the risk of unauthorised disclosure, should be implemented.
e-Privacy Directive
The e-Privacy Directive[11] in its current form is not very powerful. As such, this paper will consider the newly proposed version[12] instead. Article 5 simply states that all communications data shall be confidential and that any interference except by the end-user is prohibited unless expressly allowed. The use of terminal equipment such as IoT devices by anyone other than the end-user is generally prohibited under Article 8. Article 17 obliges service providers to remedy any new security risks or to inform end-users of the measures they must take themselves.
According to these laws, a breach of an IoT device is illegal, and the data controllers (in this case the device manufacturers) can be held liable for it if it was a known security vulnerability.
Market
The market is riddled with non-mandatory security standards issued by various organisations[13]. These are not necessary for device interoperability and are not legally required, but they could increase consumer trust in devices[14]. The European Union Agency for Cybersecurity (ENISA) is working with various stakeholders to create an EU-wide standardisation and certification scheme which will in future provide a harmonised framework for security standards and allow for easy comparison of security specifications[15].
[8] European Convention on Human Rights as amended by Protocols Nos. 11, 14 and 15, supplemented by Protocols Nos. 1, 4, 6, 7, 12, 13 and 16 [1950], art 8
[9] Charter of Fundamental Rights of the European Union [2000] 2000/C 364/01, art 7
[10] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 127
[11] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L 201
[12] Proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) [2017] 2017/0003(COD)
[13] Youm
[14] ENISA
[15] Ibid.
Social Norms
Consumers desire to keep their data safe, especially from malicious actors. It is questionable, though, how strong this desire is, considering the number of insecure devices currently on the market. Furthermore, there are many challenges to the security of the IoT, which will be addressed below.
Challenges
Law
The existing law largely addresses security from a privacy standpoint. While consumers technically have the right to hold a company liable for a breach, few do. Production companies often come from Asia, which can make it hard for the law to reach them effectively. In addition, the quickly evolving nature of the IoT makes it hard for traditional legal processes to keep up[16]. These factors lead to an existing but ineffective legal framework.
Market
Capitalist market dynamics work against attempts to regulate security in IoT devices, because security is expensive[17]. Any regulation could make it hard for small companies to enter the market and in turn stifle innovation. In addition, the companies developing these devices are not cyber security companies, which makes it harder for them to ensure proper safeguards on their devices[18]. As such, a proper balance between regulating security and not stifling innovation needs to be struck.
Social Norms
While many say that they are concerned about the security of their devices and networks, few are willing to put in the effort to ensure it[19]. Smart devices are used for their functionality or convenience, not because they are secure. If a user must manually install updates, there is a decent chance that this either will not happen or will happen too late, leaving a security risk in place[20]. This leaves little space for social pressure to drive increased security.
With the current standards market, devices can conform to many standards and yet still not be secure, as certain vulnerabilities can slip through the gaps[21]. This makes it impossible for consumers to tell which devices are secure. The average consumer does not have the knowledge to tell the difference[22].
Architecture
This lack of technical knowledge leads to problems. For example, a group of technicians installed a set of smart lights but took down the complete network of the house because the gateway was not configured correctly. It required a network engineer to figure it out[23]. This type of knowledge cannot be expected from the average consumer, and its absence leads to security risks.
There are many technical challenges to securing IoT devices. For example, resources such as memory and processing power on an IoT device are limited[24]. This can make it hard to run traditional security measures such as encryption or firewalling on the devices themselves, making them and their data streams vulnerable[25]. There are solutions to many of these issues[26], but going into them in depth would be beyond the scope of this paper.
[16] Youm
[17] IEEE, 'Should the Government Regulate IoT Devices?' (IEEE Innovation at Work, 2021) <https://innovationatwork.ieee.org/should-government-regulate-iot/> accessed 2 December 2021
[18] Peppet, S.R., 'Regulating the Internet of Things: First Steps toward Managing Discrimination, Privacy, Security and Consent' (2014) 93 Tex L Rev 85
[19] Ibid.
[20] Youm
[21] ENISA
[22] Sembhi, S., 'The Impact of IoT Security for Consumer Devices' (IFSEC Global | Security and Fire News and Resources, 2021) <https://www.ifsecglobal.com/cyber-security/the-impact-of-iot-security-for-consumer-devices/> accessed 2 December 2021
[23] Anonymous, Lights Story (Personal Communication, 2021)
[24] Youm
Suggestions
The main suggestion is to implement a mandatory certification scheme for all IoT devices in Europe, issued by ENISA. This should build on and expand ENISA's current framework for certification[27]. It should not be one-size-fits-all but should be developed with different levels depending on the risk, and should take a holistic approach to devices and networks as a whole[28]. A grading system can be used to show the different levels.
Law
It should be legally required for any IoT device sold in the EU to have an EU cybersecurity certificate. In addition, the liability of producers of these devices should be increased by defining in law a minimum threshold for security by design (see Architecture). The law should regulate only the minimum requirements, using recommendations by ENISA. The higher levels should be set by ENISA in collaboration with industry (see Market).
Social
This certification scheme should be designed to increase user awareness of the problem of security. This should create greater social pressure to increase the security of devices, because users can immediately understand what they are buying. In addition, security-conscious users should be more willing to pay for additional security when they understand what they are getting.
Market
Setting only the minimum requirement in law minimises the impact on innovation. In addition, government should introduce subsidies to help small companies with good ideas afford the security they require to enter the market. The higher grades of security in particular should be set in collaboration with industry, and ENISA should continue its work on interconnecting actors and increasing the speed of certification and standardisation.
Architecture
Security by design should be encouraged in the minimum requirements. For example, complicated configuration should be avoided as much as possible. In addition, the devices and the networks they are connected to should be considered as a whole. For example, while encryption can secure the data stream stemming from a device, it does not necessarily protect the device itself or the connected network from a malicious breach.
Conclusion
The existing framework of regulation around securing the IoT is inadequate and was largely designed to address privacy, not security. While these spheres overlap, this does not create an adequate framework. The speed of the developing industry and the specific expertise required to maintain such a framework mean that the day-to-day work should be done in a more flexible environment than traditional law. ENISA offers the perfect grounds for the maintenance of a certification scheme that is reinforced by European law. Its flexibility and industry contacts will allow it to stay on top of current developments while having the legal backing required to enforce minimum standards. Consumers are protected and encouraged to invest in the security of their devices without requiring extensive technical knowledge. The suggested framework should aid in the proliferation of secure IoT devices.
While this approach does not solve all problems, it should be a step in the right direction. Completely defending against cyberattacks will be impossible, but the flexibility of the setup should allow for relative resilience against the problem while setting up mechanisms for future development.
[25] Youm
[26] Youm
[27] ENISA
[28] ENISA