IGF 2018 - Day 3 - Salle IX - OF25 Global alignment for improving the security of IoT devices

The following are the outputs of the real-time captioning taken during the Thirteenth Annual Meeting of the Internet Governance Forum (IGF) in Paris, France, from 12 to 14 November 2018. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> MODERATOR:  Thank you and welcome to the global alignment for improving security for IoT.  It has been going on for the last days.  What we share is an understanding of how hairy the problem is, how hard it will be to come up with solutions and the urgency to do something about it.  So to do that, we have first the presentation of the ditch initiative on the security of the Internet of things.  It will be presented by Sandra van der Weide and then they will go into questions and there will be two questions that will guide the discussion.  I really hope you join in.  And the first question would be:  What concrete policy options can you suggest to improve that will bring tangible improvements to IoT security.  And the second one would be what approaches to IoT should be avoided given potential negative effects and tradeoffs.  I think that one is very important too because what we don't want to do is start the innovation to block access to certain services or content or order negative aspects.  And finally, I would like to addressed question and I hope we can get that within the hour that we have gotten of what IGF could do to help promote the right approach in the Internet of things.

First I would like to give the floor for digital hardware and security.  Thank you.

>> Yes.  The Dutch road map hardware and software security.  I would like to start with animation.  This animation will take you through the outlying and guiding principles of her road map.  I will tell you more about our road map and the approach on my presentation.

>> MODERATOR:  The classic case of the generation playing ‑‑ you see?  It's a generational thing.

>> Can you hear this or not?

>> MODERATOR:  No.

>> It's a good microphone.

>> There are also risks involved.  Devices can be hacked to steal victims.  Or it attacks other people's computers.  To address the threats, we have devised the road map the digital hard and software security.  This is a work in progress.  We invite you to participate.  How do we develop solutions that protect our security today and also in the future?  We have already taken the first step by formulating five future brief principles to test solutions.  One from design to installation, digital security faces all digital life cycle.  Dividers, users, governments and others all stakeholders must be on board.  Three, strike the right balance.  Freedom of innovation can be helped by too much focus on security.  Four, different types of prevention, detection and mitigation measures are needed.  Think about monitoring, research and standards of certification.  The first step has been taken that we're not there yet.  We will continue to develop and implement these measures.  What are you doing?

>> Any animation more and more devices are connected to the Internet.  They are that 20.4 billion will be part of those things in 2020.  It is not an easy task to promote the security of airline those devices.  The environment is complex.

Let me show a smart example.  The smart washing machine at my home.  You can see a lot of compliments are involved to do it on a distance.  My washing machine connected to Wi‑Fi and two of my Clouds have a smart machining machine to start a long way.  Pushing it in the app or my Smartphone is really easy to use.  In all continents, abilities can disappear.  In the machines and the Clouds and also everywhere in between.  And this is just my smart washing machine.  Think of how this works for 20.4 billion prizes.  What would that do to the measures that are needed?  If you talk, this is not complex enough.  Imagine this wishing machine at my home is used and moved to a hospital.  A powerplant or a military facility.  What would that do to the measures that are needed.  With this complexity in mind, we are formulating five principles for a road map that shows the animation.

The first principle is product life cycle approach.  There are states for every product.  And then it says product developer, for example, this is with my smart washing machine.  Blue states and figure on the screen.  You can see on the screen there is also a little life cycle.  I update the software of my machine, this update has its own large life cycle.  The disposal or ‑‑ it is important to keep all stations in mind when thinking about the measures we take.  To illustrate, if a designer never talked about possibilities of vulnerabilities in a huge state, it would be really difficult, if not impossible to update the software.  Yes, your responsibility is not only the government having a place to play.  It should play an important role in this matter.  Our parties are very responsible.  The responsibility is determined by the context.  Are we talking about a, to business or business to consumer relation.  In general, four distinctions damage one.  First, they put fibers.  Manufacturers and retailers offer.  Second we're users radiating to ‑‑ we also ask our family and friends to join us.  We would get a normal response to sell these kinds of products.  Also, you have responsibility to keep the product secure; however, this is easier said than done.  Also when I look at myself, for example, my first reaction when I see it suffer a bit is if I'm quite honest here not to install it straight away, but to swipe it away because I want to finish a YouTube movie I reach. 

In a state second, I made this decision.  I didn't think about the long‑term effects.  That is easier to access and thereby also my personal information or the Smartphone will know used for a deck to insure the business operations so for the measures we take.  It is important to keep this so called ‑‑ also the government can demand secure products and the government is responsible for upholding public failures.  Four, other parties.  Just ask consumer organizations and sign this.  They contribute to the security of our products. 

The third principle is public interest.  Between security, freedom and economic growth is needed when promoting digital hardware and software security.  It is not easy to find it.  Show it in a concept going in the frame.  This shows the difference between dilemmas between security, and think, for example, the ethical dimension.  Should I always be in the final control to make this final decision?  We find it essential to make this kind of tradeoffs more visible to discuss this with stakeholders and to find to balance measures we take.  In the case you wanted to learn more about this consensual framework, you can always give me or (?) a call.  A blind aspect is needed.  Only liability will not work and only requirements for that will also do lots of tricks.  I end in the product life cycle.  Therefore, it does that.  Keep non‑secure products from the market.  The taxi measures just ask dusting for those security to check for disabilities through outsource no life cycle and liability law to claim the demonstrates caused by insecure products. 

This brings me to the fifth and last principle on the road map, room for a complimentary approach.  Our road map, vista way to increase the district.  We support the option of ‑‑ there is expansion to all products. 

Second, moves are in those securities.  I hope you will join us in monetary mechanism to share information on security of the products.  They are cleaning up effective products.  You exploit options for service providers to come that unsecured with GD devices.  Dusting for hotel security.  We work on a cross sector.  Amongst other, this research simulates interfaced solutions for insecure products. 

Six, liability.  Amongst other Netherlands is an active participants in EU and new technologies bad work.  The Dutch government is investigating how on the European radio equipment, minimum security can be set for a specific UT devices.  Campaigns and empowerment will be organized in coordination with the loss of our EUL policy it will increase their impact. 

Nine, national government for human policies.  In the Netherlands, the government is of the largest buyer of deep see products and services.  Do you we will investigate with additional measures for hard and software security can be set in the human policies; however, besides the nine blacks, it is (?) if not already taken.  One of the reasons for this is that each domain in each sector has its own risks.  The road map‑for‑additional measures.  The road map is work in progress.  We will continue to default and implement this along with us join.  Thank you very much for your attention.

[APPLAUSE]

>> MODERATOR:  Thank you, sand remarks for clearly outlining what's the road map is about.  It's more about an approach than about a program.  Yet, it should yield eventually the program with concrete measures.  That's what we would like to discuss with our panelists also.  Mr. Byron Holland from Canada.  He is President and CEO from the registration authority.  He's also one of the key voices that is in the environment.  Then Mr. Maarten Botterman, director of ICANN and consultant for the global network and all chair of the Dynamic Coalition on IoT or IGS.  You may have heard him.  Then from the UK, he's assistant director for digital coach, media and sports.  One of the prizes for consumer IoT security which he will tell you more about shortly.  Leave the best order to pick, but that just started to write.  I would like to put the two questions in communication on the table for you.  What would be feasible to do the options?  Reach, we haven't taken to stay to the rope metaphor.  If you have a very statement on that, that will be he is saying something that you should react to, don't hesitate and raise your hand so we're not blocking this and you have to wait till five minutes before they close.  In the mean time, I will be the time keeper and don't get mad at me if I shut you up.  Okay.  Very good.

>> Okay.  Thank you very much.  Yes, I am Byron Holland with the organization that operates the ccTLD in Canada.  Most people know us for the domain names that end with .CA. 

Probably the biggest part of the work that we do and certainly I think the most critical is operating the domain end system infrastructure.  So we have a large network of nodes around the world.  They're all across Canada, but also around the world.  That's the perspective from which is I think.  Many of you will remember back in 2016, there was an attack on a large and sophisticated provider of DNs services called Dime which took out much of the internet across the North America.  It is some of the largest sites on the Internet.  And that was a right of the moray bought net which time unfields and we understood more, that was the first scale bought using IoT devices.  Particularly cameras need to be. 

As we heard just in the previous presentation, the exponential increase in devices, IoT probably will be connected to the Internet in the coming years.  That has the potential to be more and more prevalent.  Maximum attacks now are at 1.2 terabytes per second.  There really is no infrastructure that can withstand a sustained and direct attack.  No infrastructure.  The biggest and the best of us cannot withstand that.  We basically rollover and die and we hope it ends soon.  That's the scale of attacks that are being enabled by IoT devices.  So it's very critical to the operator opportunity and the Technical Community that we have good security on IoT devices because it is very real. 

In Canada, I think there is some good news here that we really started to bring together a multi‑stakeholder community.  I have my interests that I share with you, but there are many others that also have interest of how do we improver and earlier this spring, a number of stakeholders came together to kick off a multi‑stakeholder process to help develop standards around IoT security.  And to make security a pillar that we all will share in the beginning with all of the IoT devices that are coming.  That Group was facilitated and coordinated who I thought took a good leadership role.  My organization is part of it.  Certainly the government of Canada is an active government through renovation science and economic development who holds this smile.  Canadian policy and legal clinic, canary the main research candidate as well as over 90 other participants from across what I would call sectors and multi‑stakeholder world.  Academia, Private Sector and so on.  And essentially what's happened is that Group has come together to wrestle with these issues and we have aided ourselves into three working Group.  I think we're probably on the right talk because we mare someone of the same issues that we just heard about in the previous presentation from the Dutch government.  We have broken it down into three working Groups.  The first around consumer education.  Is that working group is focusing on now do you educate Canadians.  How do we take it to the average end user who has no interest and very limited Sal.  They're the ones who have to be requesting safe computing for the network to be safe.  How do we create that shared responsibility?  Environment in a way that's accessible to the end user and very easy to use.  That's been spear headed by America and other departments in Canada.  It is very much a multi‑stakeholder process.

The other element is labeling.  This group is concerned with devices.  We think of it as ‑‑ think about nutrition or safety standards.  Are the type of thing for how do we do labeling for IOS.  Just this morning there are changes of foot and how they might be approaching that not from Canada.  One Group the one of many participants in that group, they're the Group that does labeling standards for most things in Canada whether says ‑‑ you cannot buy a hockey helmet in Canada if it doesn't have a SCA camp on it.  How do you do labeling and how do you tabling in a very fast moving and evolving space that needs software updates on a regular basis.

The third and final Group is around technical operators.  It's responsible for recommendations for network level defenses and actions that ISPs or network managers of various stripes can take to reduce their risks.  One of the things they're working on has universal applicability is.  Whether the fridge, toaster or let alone all your actual devices such as iPads and such, every one of them is a security risk.  So the other of a home gate way is essentially a move, protection with a long draw bridge.  And all your devices are hidden by that one sure.  This is based on Internet engineering task force spec known as the manufacturer, usage description or a mud profile.  And essentially what this does is use the ITF spec to create this meet and draw bridge single points of authentication to the Internet.  So essentially all your devices behind it, white label, the IP address and are only allowed to speak to that.  That means your likelihood of your IoT got reduced because it is behind this secured gate way.  So that's one of the things that the network resilience working Group is working on.

So maybe I'll leave it there and give you what is happening similar in nature to some ever what we have seen.

>> MODERATOR:  Thanks.  Three clear pathways has been brought down.  We are taking the right direction.  Maarten, would you ‑‑ yes.  Fine.

>> MAARTEN BOTTERMAN:  I wanted to challenged idea we don't have ways to protect websites.  You're it if you say one website is going to be knocked off.  If you sign up for our free service, your data will be put in 155 different places and nobody will be able to knock you off.  This is ‑‑ this is the approach that people are taking because as you say, one side is vulnerable.  If you are spread out, you're a much broader Atam service.  We have a 25‑terrabit network.

>> MODERATOR:  Okay.  Thank you for that.  Maarten?

>> MAARTEN BOTTERMAN:  Yes.  Thank you.  It would be nice if all my devices in the Cloud network I don't have to worry anymore.  Thank you.

So basically what's clear here is that there's multiple checks that's beneath towards the innovation speck.  It's a deployment trick.  It's how we deal with it in terms of awareness and how we make things together to make things work.  All the checks have their life course.  You see at the moment the technical innovation check is the one that's moving so enormously fast.  Mew things come on the market all the time and there is so many more things you can make money with.  So one of the things that we can do to make sure that this is developing in a way that is sustainable in the long run.  It is to mostly move away some.  But to really move towards an awareness that this development need to take days in an ethically way.  I've been working on interpret of things for several associate global level we find that teach ‑‑ they started being ethical and it is important to consider on the global level because you talk about global technology and various, you may have ‑‑ your tools being certified to label within maybe a regulation of that country.  There will always be tools coming from the United States.  Besides we can thank ourselves to know more about the economy.  Economy it is meant that you actually take to the vast as the focal points.  What we do is be used to by humans and basically it means you need to lock into things as meaningful transparency and also internet meaningful means not giving old data out there, but it is to communicate in terms that the user at a certain level understands. 

The second thing is to also allow control particularly of a personal data.  Clear choices to be part of that.  And the search thing is indeed, been the emphasis of the platform sitting here.  Basic security will get anything up to a standard that we can make agreements on what we want and don't want.  If you can show there is basic security, it won't happen.  These are the points the coalition is pushing forward.  I think also the responsibility is essential.  Let's not dump the responsibility to the end user.  But let's make sure Cloud providers and application providers do their thing and I think awareness is coming up as well.

So the frameworks they're developing as demonstrated there is really building up from the bottom.  There you seeing their a multi‑stakeholder sketch and policy.  It is all about the same thing.  Let's make sure that we can make best use of these technologies.  Welcome them because we need them and we can have fun with them, but let's make sure we do it in a responsible way.

>> MODERATOR:  Thank you very much.  Very clear statement on the human centered approach which calls wide on them.  You can save technical security.  I would like to hand it over to Jasper and we'll put ‑‑ you had one slide and please explain.

>> JASPER:  Thank you for the introduction.  I have an academic background and I would like to start on the responsibility.  It's a question.  Which policy options should we be pursuing to take the option of insecure IoT.  I think the answer is all of the options you have able to us, ever wrote and play.  Guidance, certification and standards. 

In the UK, we are pursuing all of them, but not overall message and overall conclusion would be what need to focus on the basics.  We need to make sure we get the there are many people that are without homes and so many devices that are on the market today, which you can buy did fault passwords and no one of the that's been updated and we need to most safely.  So let me talk about good practice regulation and certification in a bit more detail.  I think auto the in IoT C.  This is the ‑‑ even with certification, you need to test against the baseline and kind of standard.  When you, it is also important to through this with industry.  You need to do it with scientists and consumer associations and ‑‑ what we have done ‑‑

>> (low voice).

>> MODERATOR:  Let me go ‑‑ we ‑‑

>> We get that thing.

[Laughter]

>> MODERATOR:  Maybe that was.

>> Also destruct.

[Laughter]

>> MODERATOR:  So in our efforts to set out what good looks like, about 18 months ago, we have started a process ever bringing all the stakeholders together which is then culminated in the code of practice.  We published it in October at this year, so just months ago.  What the code practice is doing it sets out in 13 high level outcome focused guidelines.  What good looks like it brings together the most important insights and guidelines.  You published it in eight leaves and it was excellent.  Thank you very much. 

In October, it is when manufacturers, um ‑‑ top 3 guidelines on no default passwords and implement disclosure policy in order to help security researchers with problems and vulnerabilities and it keeps it up to date.  So we accomplished this.  We will be developing this into a global standard through websites, the standardization institute.  We heard that standard development is important and I welcome you to join us in the process.  You have to finish in January or February of next year.

In the UK, we have published the code and engaged with industry and we have invited (inaudible) to implement the code.  To a large industry organization to implement, it is HP and eccentric (inaudible) who starts and ‑‑ I think this is what we have done in setting out what good looks like.  I have sent a hand up to charge.  Yes.

>> SPEAKER:  I'm a software performer in the Netherlands.  It is keeping software up to date.  How do we deal with things.  You with not keep devices stay like that.  There is the latest security standard or if they make a law you need to keep left up to date.  Somehow, it forts us to update to any device.

>> SPEAKER:  You need to take a life cycle approach to this and I agree with Sandra and there are different stages and think about security and the at some point, it will be handed over to another user.  When it comes to soft updates, I think the important is to make it clear for the ‑‑ it is very hard to know how long you're Internet connected.  It may only be one or two years, but what happened after that?  It needs to be careful the consumer. 

>> SPEAKER:  If I look at company road map that was outlined, there might be another credit.  The other one is clarity and consumer information. 

The third is whether you can disconnect your appliance and it would still function.  So at some point in time, you can do I want to do my work because it is excellent, but it is no longer safe.  I it will have four basic functions.  There is no the life cycle of appliances hardware is longer than software.  Yes?

>> SPEAKER:  University College, London.  Often when everybody speaks, this is ideal user and the ideal story of the ideal user.  And I didn't like the life cycle approach saying a Washington machine gets to put one from the UK.  Somebody picks up it and then they start using it.  Notice you can't take the user in the same way.  If you are the owner of the machine, you rent the house.  You don't own that machine.  You don't really the heating in that particular building or houser whatever because you're not the owner.  You are plugging it.  There is different scenarios that are much more complex.  When you look at the missing, you need to factor in a lot more complexity of different scenario.

>> MODERATOR:  I think we all agree.  We're talking about a kind of, you know, we're still talking about the basics here.  We have to find out how to do different scenarios within the road map for this additional approach.

>> SPEAKER:  Right.  If I bring us back to my attempt to address the exam question, that was the first part.  Setting out what it looks like.  It gives us an opportunity to radicate the best practice they're seeing at the moment is to get rid of devices being overloaded.  Let's get rid of devices that are being sold that we're in a sweet software that are known and it is to align on the approach.  I think there's a road.  There is a way of communicating the insurance to them with a mark up and a label.  It's hard to get it right even if you look at consumer and what may be appropriate in securing a connected door lock, it may not be appropriate in (inaudible).  Preparing a certification scheme that leads to us in a range of devices.  Yes.  You test con‑‑ you are looking at this into as well. 

I leave it here.  These are my views on the three things that are most important.  Again, I thank you for the questions that have already come in.  I think looking back to the presentation, et cetera, I think they're lined.  We will place the emphasis differently.  There's a lot of overlap.

>> MODERATOR:  Thank you.  I go back to the two questions hovering around the room.  Yes, please.

>> SPEAKER:  We see that the rumor was that certain entities on the Internet was flexing his muscles with the mega, mega attached and then the sport side away.  It won't go into the Internet provider or domain host or whoever is involved.  It will say why didn't you fix this in time.  So there are so many fixes already that help me develop and somehow do not get implemented for whatever sort of reasons.  IGF Internet mentioned that a session with them will reach out.  So how come the fixes are not implemented in time by industry you can see there were very perverse incentives because simply they make more money by not doing it.  It is I know it is the leading role to get that discussion going and again, I have to think we can only look at the government to take the leading oil because probably will never do it.  Why is the incentive to do that if there's no regulation and no incentive I will end up with an example that was provided by the automotive industry recently by car builders.  Something came up and they would have to update all the systems.  It would have to update them for at least seven years and be responsible for that update.  So whoever manufactured the software.  They just said we will make cars that run no longer than seven years.  And then I thought who can afford to drive cars that will only be around for seven years?  50% of the population probably can't.  And then Africa we can see.  Do I have any around.  That is not a sustainable model and that is an example where I think things will go wrong if there's no sustainable model created by somebody and again I say the government.

>> Hi.  I am with the Government of Canada.  I sit on the planning committee and I support my director general who is on the planning committee.  I lead the governor of Canada on coordination of this.  I am happy to say we have at least 12 different departments and agencies involved. 

To your point, yes.  Thankfully we have not had life threatening instances of attacks.  If we had, then there would be several post‑market mechanisms in which governments can levee on these types of manufacturers.  There is safety and deceptive marketing, practices.  But the time peso basically the clock is ticking.  The incentives for some manufacturers are not quite aligned especially ones that are not within our borders.  But what we do is we bring them into our initiative and we say listen.  The looks talking.  We need to prey if that instance happens, it will go to the highest reaction and you will get a reaction fog.  We need to do the works now with everyone on board, the beauty is engagement and buy in.  You're talking to everyone who would be open for implementing.  So it definitely comments your questions on what would work as a sustainable option.  That seems like it hits the right balance of all the different ‑‑ you're right.  The key is having this conversation about what works in the long‑term and what pre‑emps the need for a thank you very much.

>> I am Mike Neton and I wanted to bring up on a couple really important points they heard Sandra make and Maarten make.  You both said we have to have new approaches and we have to realize it is not just about fixing the thing.  It is about building security.  But the slogan.  Every device updatable, no default pass words once against that.  Unless you are thinking about the whole VRS.  We have the potential not to build an Internet, but a secure Cloud of things where the gate way is where the security is added.  The gateway is where the upsets are done and the gateway (inaudible) and airplanes and tanks, but if I have a 40 sensors, I want that as simple as can be and I want it connecting to a gateway again using our own company.  There's a wired magazine article.  Other companies are doing the same thing and it's much cheaper get size fits all.  It is materially going to eliminate some very exciting opportunities to be 5 Euros and 10 Euros.

>> Maarten, I would like to go there first and then you get the floor.

>> My name is Christian.  I would like to continue on the last sheet with 13 best practices for IoT devices and they have been best practices inside the software city.  The reason that they are not being ‑‑ some IT devices or other solutions, um, can be related to company culture time constraints or other things.  And I think that if we want to enforce or at least continue with best practices, it will change culture.  Especially small companies are not going to invest in all those 13 points even when they are best practices.

>> MODERATOR:  I think that might be an excellent step up to rounding off this discussion.  Maarten, you wanted to react and then I will go to Byron and to Jasper and please take into account my why,y with whether there would be making all the inches about what to do and what not to do work or at least spread.

>> Yes.  Thank you.  And thank you for that question.  I will leave Jasper to respond to.  More widely on the point that Mike said, of course.  We can't just secure devices.  They're not there yet and under developments and standards only makes sense if they can make an informed choice.  You have to have certification and labeling so people can know who it is.  It hasn't been mentioned, but the core of the Canadian project so far is to get consumers to make smarter choices.  So we have better information and we'll figure out.

Just make sure you don't misunderstand Mike.  He didn't say just secure the gateways and you're done.  I mean, that's all security thinking.  We secured the front door and once in, you can do whatever you want.  There are some devices like electronic toothbrush.  So that's also that part.

Now, the role of IGF, I would say don't wait for the IGS and don't wait for Berlin to happen.  Continue doing your thing and contributing to what we're doing here and then next year at the IGF, let's compare notes again and see what they got.  That's the best as I tell you the place can offer.

>> SPEAKER:  Thank you.  I will pick up on the last point and I agree with Maarten.  Don't wait for the next one.  Go back to whatever environment you're on and continue to work on these issues and you heard some examples and stories and contrasting points, which I think we cull learn about it.  That is the ability to come and participate in the kinds of conversations we have here with people who are doing different things in different jurisdictions that perhaps can be applied.  When I listen to this case three different countries experiences, um, they do share a lot of similarities and paths that are beg marched down at this point.  I think we can already start to see the shape of the future. 

Now the question is cross cuttingly across the industry.  So IGF is a good place for those conversations, but really it is about going home and implementing them in a way that is consistent with your jurisdictions requirements while recognizing this is a cross cutting technology, across silos and across countries.  How do we make sure we maim good consistent decisions?  That's one of the great challenges about this space.

>> SPEAKER:  Thank you.  Please be short otherwise people will think the next presentation has started.  We need to move forward with national initiatives.

On the 13 points, in IT, they're not.  We hope to be getting those out.  We can move the conversation.  We want them to inform the all the relative initiatives to improve IT security.

>> MODERATOR:  Okay.  Thank you all for your attention and your contributions.  Thanks to all panelists and thanks to Daphne and Arnold in reporting.  And with that, I would like to conclude this session.  Thanks.