The EU has floated a new idea to boost the security of Internet of Things (IoT) products – get manufacturers to stick labels on them telling buyers how secure they are.
It sounds simple enough. Products such as fridges, washing machines and ovens are already sold in the EU with mandatory energy efficiency ratings, so why not something similar for security?
In comments made at a weekend press conference, EU deputy commissioner for digital economy and society, Thibault Kleiner, spelled out some of the organization’s worries about the state of IoT.
Ever greater numbers of products were being sold with IoT connectivity as a standard feature, he said.
“That’s really a problem in the Internet of Things. It’s not enough to just look at one component. You need to look at the network, the cloud. You need a governance framework to get certification.”
The EU is also worried about data privacy as IoT devices gather information of the sort that could put consumers at risk from data breaches or snooping.
“It’s not about data as something you monetize, it’s about dignity, something that’s personal to an individual.”
Form an orderly committee
Despite there being at least five billion devices in service with IoT capability – Gartner reckons that this is expanding by 5.5 million new devices every day – security standards are only just emerging. Meanwhile, default security is often weak.
A warning of the potential for trouble came with the recent record-breaking DDoS attack on cybersecurity blogger Brian Krebs. The ‘Mirai’ botnet that generated this huge wave of traffic was made up of an army of poorly secured network cameras, digital video recorders (DVRs), routers and printers.
The Commission believes that labels guaranteeing adherence to basic security standards would encourage manufacturers to work together more closely in the spirit of common interest.
The EU is in the process of introducing the General Data Protection Regulation (GDPR), a major privacy overhaul that all large firms will have to comply with, including firms that want to use and build IoT devices.
However, getting to a situation where products are sold with labels that promise an agreed level of security seems some way off.
One hurdle is simply the diversity of products that are IoT-enabled, including motor cars, TVs, smart watches, home thermostats, smart meters, lighting systems, and home security. The IoT is suddenly everything and that will slow down the creation of common privacy and security standards.
The EU is doing its best to speed up development, investing €192 million in IoT research as part of its Horizon 2020 programme.
Unfortunately, IoT devices need better security now, not years from now when the EU has agreed what the labels should look like – and mean.
What consumers and businesses will think about having another label to peel off shiny new IoT products when pulling them out of the box remains an unknown.
Will they have faith in them? Or will they end up feeling disappointed should securing IoT devices from real-world threats turn out to be more complex than the label suggests?