On 19 May 2016 Osborne Clarke held the final event in a trilogy focussed on the Internet of Things, aka ‘IoT’, contemplating the security of IoT devices and the security challenges being faced. This final event followed on from the previous successful events on IoT I: Light and Power and IoT II: Connected Homes and Healthcare.
We heard from two perspectives, firstly the technical perspective from Andrzej Kawalec, Chief Technology Officer at Hewlett Packard Enterprise, Enterprise Security and secondly the legal and regulatory perspective from Mark Taylor, a Partner at Osborne Clarke LLP.
Andrzej Kawalec – CTO, Enterprise Security Services, Hewlett Packard Enterprise – the technical perspective
Andrzej highlighted how security is becoming an ever-increasing challenge for the development of IoT as connectivity is built into traditional products. Take the humble refrigerator: invented 100 years ago, but now smart. Such devices are not necessarily being developed and designed with sufficient security in mind, as demonstrated by the security flaw discovered in August 2015 in the Samsung smart-fridge that enabled Gmail credentials to be accessed without authorisation.
According to the World Economic Forum we are on the verge of a fourth industrial revolution, which has IoT very much at the heart. Andrzej described how the IoT devices that will create this revolution have three main components: 1. Sense, 2. Connectivity and 3. Reaction. Any one component in isolation is a clever device or a helpful data point, but the combination of all three is what creates smart systems and IoT and hence the security challenges.
Andrzej highlighted that there are a number of well-established use cases for IoT, such as smart cities, transport, home and healthcare. However, in Andrzej’s view, the next stage is ‘compound services’ where the IoT devices in each use case begin to interact with each other. Andrzej used the example of a connected car:
“You are driving to work and your car recognises from your email notification that your dry cleaning is due to be picked up today so it re-routes you via the dry cleaners, however due to traffic from knowing your GPS position you are going to be 10 minutes late for your next meeting, so the car concierge pushes back your meeting to enable you to make it.”
What do these compound services need to consider about security? For them to work, Andrzej explained, all the IoT devices, systems and applications involved need to interoperate and share significant amounts of data, often sensitive personal data. To enable this interoperability most IoT devices will be hosted in the cloud and accessed through a mobile app; considered in light of the fact that 76% of mobile apps display critical security design flaws, the “attack surface” for IoT is increasing, and doing so at an exponential rate.
Andrzej finished with an IoT security checklist of the areas to consider when implementing security by design: 1. Aggregated services and applications, 2. Sensors and devices, 3. Data and connectivity and 4. People and processes. The last of these includes consideration of the lifecycle of devices, or so-called ‘life-cycle obsolescence’. Connectivity is being brought to devices that have traditionally had long life-spans, often 20 years plus, whereas the technology being added to them does not yet have the same life-cycle. It will be a challenge for IoT providers to keep the technology on older IoT devices up to date so that they remain secure throughout their lifetime.
Mark Taylor – Partner at Osborne Clarke LLP – the legal perspective
Mark began by looking into what IoT means. When looking for definitions, he regularly came across the same unattributed quote:
“if one thing can prevent the IoT from transforming the way we live and work, it will be a breakdown in security”
However, modern society appears to have an inherent trust in technology, and Mark delved into whether the regulation that sits behind IoT supported this view through a number of topics: laws, people, emerging themes, cross-border concerns and viable claims.
Laws – there are a number of laws that impose either criminal or contractual liability. These cover the areas that you might expect, such as hacking offences under the Computer Misuse Act 1990. However, Mark highlighted that some legislation may also catch IoT in ways that are not so immediately obvious. For example, the Consumer Rights Act 1987 imposes strict liability for product defects. Would a failure in the security of an IoT device be considered a defect and therefore impose strict liability on the manufacturer? The answer will naturally depend on the facts, but it is feasible that it would.
People – Mark highlighted how most IoT devices will have a raft of components, each with a different provider, and how important it is to ensure that the allocation of responsibility is dealt with contractually through this chain of parties. However, Mark pointed out that some responsibility may sit with the user, and posed the question of whether users should be absolved of responsibility for ensuring their devices are secure. Should they be forced to apply security patches, for example?
Emerging themes from legislation – across Europe there are a few broad emerging themes of information sharing obligations, security breach notifications and increased sanctions when security fails.
Cross-border concerns – it goes without saying that connectivity crosses borders, as do people with their devices. Whilst there is a degree of harmonisation across Europe, the US will often take a supra-national approach, and there is therefore a challenging landscape of differing approaches to regulation throughout the world and conflicts of law that need to be considered. Mark considered whether international harmonisation of security regulation might occur, but remains doubtful that this is likely to happen in the short term.
Viable claims – in reviewing the regulatory and legal landscape, Mark also considered what the liability risk is for IoT players. He pointed out that as the attack surface for security breaches grows exponentially, so will the ‘liability surface’ flowing from that.
Mark concluded by commenting that technical interconnectivity is driving legal interconnectivity. We aren’t there yet, as most existing regulation is not adapted to IoT. However, these legal gaps are unlikely to prevent the further development and adoption of IoT products and solutions.