
Common Position on Cybersecurity in Connected Devices

The Common Position paper [152] by Infineon, NXP, STMicroelectronics and ENISA proposes some key priorities for the European Commission (EC), but these priorities are globally applicable:
– Define baseline requirements for security and privacy that minimise risk, are neutral in technological terms, and remain open to innovation.
– Introduce a Trust Label, based on various security levels and a related risk assessment.
– Ensure that reliable security processes and services are developed and support industry in implementing security features in products (e.g. through providing information and training on state-of-the-art security solutions).
– Encourage the development of mandatory staged requirements for IoT security and privacy.
– Create an equal level playing field for cybersecurity and look into incentives to reward the use of good security practices.

NIS Directive

The Directive on security of network and information systems (NIS Directive) was adopted by the European Parliament on 6 July 2016 [153] and entered into force in August 2016. The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU by ensuring:
– Member States' preparedness, by requiring them to be appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority.
– cooperation among all the Member States, by setting up a cooperation group, in order to support and facilitate strategic cooperation and the exchange of information among Member States.
– a culture of security across sectors that are vital for the economy and society, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Businesses in these sectors that are identified by Member States as operators of essential services are required to take appropriate security measures and notify serious incidents to the relevant national authority.
5.4.2 Key Findings

– Although there are numerous industry initiatives and best practices in this area, their adoption is voluntary. IoT security legislation is in its infancy and virtually nonexistent outside the US and EU.
– Enforcing procurement by governments of secure IoT devices can contribute towards IoT security when large countries participate; smaller economies such as Singapore and the Netherlands can work together for greater impact. The EU's single digital market approach can support IoT security as well.
5.5 RESPONSIBLE INDUSTRY ECOSYSTEM

The market for IoT devices is global. Within this competitive industry, time-to-market, usability and cost are key considerations. The razor-thin margins for IoT devices leave suppliers with less to spend on security. From the perspectives of cybersecurity and national security, security must also become part of the business equation; the cost of implementing security functionality needs to be offset in some manner. Currently, owing to the lack of enforcement of security in IoT devices, there is no level playing field for IoT device vendors nor a common expectation of security functionality.

5.5.1 Current Landscape and Recent Developments

The competitive advantage in the IoT industry is currently focused on time-to-market rather than secure-to-market. This balance should be shifted so that a specific level of security and privacy is required before market release. Defining security frameworks supported by baseline security measures can be a way forward in this direction.
[152] https://www.enisa.europa.eu/publications/enisa-position-papers-andopinions/infineon-nxp-st-enisa-position-on-cybersecurity
[153] https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive
The use of certification and labelling can encourage better understanding and transparency in terms of IoT security and can additionally benefit end users and consumers by educating them and making them more aware of IoT security. Alternatively and perhaps complementarily, liability laws can be strengthened and modernised to hold manufacturers accountable in the event of a breach.
Regardless of the regulatory approach adopted, it is important for cybersecurity regulators as well as the industry to work together and act as a global community that learns from incidents and vulnerabilities proactively. This requires an open culture of sharing incidents and mutual learning.
Liability

Product liability is the area of law in which manufacturers, distributors, suppliers, retailers, and others who make products available to the public are held responsible for damage caused by those products. The Dutch roadmap for safe hardware and software [154] has identified liability laws as a key driver for IoT security. Liability litigation historically focused on negligence on the part of the vendor, or a breach of warranty. Under the notion of strict liability, the manufacturer is liable if the product is defective even if the manufacturer was not negligent in making that product defective [155]. The manufacturer thus becomes a de facto insurer against its defective products, with premiums built into the product's price. Strict liability also seeks to diminish the impact of information asymmetry between manufacturers and consumers: manufacturers have better knowledge of their own products' dangers than do consumers; therefore, manufacturers should bear the burden of finding, correcting, and warning consumers of those dangers.
The 1985 European Product Liability Directive [156] created a regime of strict liability for defective products: according to this Directive, a product is "defective" when it does not provide the "safety which a person is entitled to expect" (Article 6). While one may assume that this provides a baseline of liability for IoT devices, the use of the term "safety" is telling: security issues that are not outright safety defects may not be addressed at all unless those security issues can be proven to cascade into safety losses or traditional damage such as harm to human health or property. Even more fundamentally, Article 2 of the Directive states that it applies to "movables". While this may have seemed perfectly reasonable in the 1980s for products such as toasters or lawn mowers, for modern connected devices this terminology may entirely exclude the connectivity and server-side components. A recent EU research report [157] identifies that vendors may take advantage of this by simply placing critical functionality on the server in order to escape liability.
[Figure 9: Regulatory Approaches to IoT Security. Figure labels: Certification, Liability]
[154] https://www.rijksoverheid.nl/documenten/rapporten/2018/04/02/roadmap-digitaal-veilige-hard-en-software - Roadmap digitaal veilige hard- en software, 2018. By the Ministry of Economic Affairs, the Netherlands, in Dutch.
[155] https://en.wikipedia.org/wiki/Strict_liability
[156] Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products, https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31985L0374:en:HTML
[157] Standardisation and Certification of Safety, Security and Privacy in the 'Internet of Things', JRC Technical Report, Leverett et al.