IGF 2018 WS #364 Global alignment for improving the security of consumer IoT

Organizer 1: Measha Patel, Department for Digital, Culture, Media and Sport
Organizer 2: Mark Carvell, United Kingdom Government - Department for Culture, Media and Sport

Speaker 1: Jasper Pandza, Government, Western European and Others Group (WEOG)
Speaker 2: Daragh Galvin, Government, Western European and Others Group (WEOG)
Speaker 3: Edward Venmore-Rowland, Government, Western European and Others Group (WEOG)

Moderator

Jasper Pandza

Online Moderator

Mark Carvell

Rapporteur

Ed Venmore-Rowland

Format

Flash Session - 30 Min

Interventions

No interventions will be allowed during the presentation but we have allocated 15 minutes of audience participation to allow the presenter to respond to questions and comments from the audience.

Diversity

We will seek to secure participation from another Government - potentially the Netherlands - to talk to our respective approaches to IoT and the work the UK is also doing with other countries on the international stage to align approaches to IoT, to maximise our reach to international supply chain. Much of this work will mature and develop ahead of IGF.

We will also seek to identify a representative from ETSI to speak about the development of an international standard for IoT (this work will be starting imminently but mean we are unable to put forward a named speaker at this stage but they will most certainly be non-UK and potentially non-European but not expected to be from a developing country).

The online moderator - Mark Carvell - will prioritize questions to ensure diversity of views and perspectives are represented, based on geographical representation, gender balance across questions and equal representation of stakeholders views ensuring this includes the perspectives of academia, industry, private sector and international governments.

By the time of the IGF, the UK Government will have already undertaken extensive engagement to stimulate further dialogue with industry, academic institutions and civil society and will have published a final code of practice, guidance and regulator proposals, primarily at IoT manufacturers that sets out thirteen outcome-focused guidelines for IoT security.

We would also set out our approach to working with ETSI to develop a global standard on IoT security. In May, the UK submitted a proposal to ETSI to create a new Work Item to develop a standard for consumer IoT security, based on the UK’s draft Code of Practice. Ahead of the IFG, an ETSI working group will have been initiated, chaired by the UK’s Department for Digital, Culture, Media and Sport and supported by the UK National Cyber Security Centre.

Our presentation at IGF will seek to build support for our Code of Practice and the ETSI standard for consumer IoT security, and its progression into a global standard. The key messages we would seek to deliver at the IGF are:

- The UK advocates a fundamental shift in approach to moving the burden away from consumers having to secure their devices and instead ensure strong security is built into consumer IoT products by design.
- The UK’s approach includes developing a shared understanding of the rights and responsibilities of citizens and businesses alongside a programme of work to put them into practice.
- Set out the UK’s approach and findings from its 2017 review of the key risks associated with consumer connected products and services.
- Highlight the UK’s ‘Code of Practice’ which contains thirteen practical steps for industry to improve the cyber security of consumer IoT and accompanying guidance and regulatory proposals and the development of a labelling scheme.
- Set out how industry, particularly those developing, producing and selling consumer IoT products, and other countries can support the development of an ETSI standard aimed at improving consumers’ privacy, digital security and safety.

We will use remote participation to boost outreach beyond the stakeholders in attendance. The remote and online moderator - Mark Carvell - will check in with the session lead ahead of the Q&A session. The remote moderator will provide a summary of the comments and questions sent online whilst ensuring that these are compiled based on feedback from diverse stakeholders.

We will also seek to follow up on progress at subsequent IGF events to continue the dialogue with the expectation that key partners will be identified at the event. We also expect to participate in other relevant panel sessions at the IGF, where we will seek to develop our narrative on Secure by Design. Depending on whether this is before or after the flash session, we will seek to ensure the presentation reflects the views expressed on IoT at the IGF to facilitate a diversity of views and encourage audience participation by identifying key themes and relevancy.

Poorly secured IoT devices and services increasingly threaten consumer’s online security, privacy and safety, international supply chains and the global scale of Internet of Things (IoT) security. Governments have already taken steps to engage with industry to develop policy options for the cybersecurity of the IoT.

For instance, the UK Government has developed with industry a Code of Practice which sets out best practices for improving the security of consumer IoT. This work has been undertaken in tandem with the UK Government’s efforts to build international consensus on IoT security practices. As part of this, we are seeking to increase dialogue at an international level on the need to coordinate government’s IoT security policy responses to ensure that there are consistent standards being applied to building of IoT connected devices and associated services across international supply chains.

The UK Government published a report - ‘Security by Design: Improving the cyber security of consumer Internet of Things (products and associated services)’ - in March 2018. The report set out how the Government will work with industry and international partners to address the risks of insecure consumer IoT. The report is part of broader work to develop a Digital Charter in the UK which aims to create the framework in which digital technologies can flourish whilst ensuring safety for consumers and clarity for businesses. The UK Government’s aim is to ensure consumers take full advantage of the benefits that the IoT can offer.

Our proposal does not build on prior workshops or discussions, however we hope to this proposal sets a precedence/trigger for further discussions on IoT security at the UN Internet Governance Forum.

Online Participation

We propose to allow 15 minutes for interaction, contributions and questions from the floor in the closing section of the agenda. The opening of the presentation will seek audience participation throughout the presentation to ensure there is a seamless transition at the end of the presentation to the Q+A section.