“Those who don’t want to join the ‘best practices’ group will end up paying”
Interview with lawyer Paloma Llaneza, a reference in the new technologies sector in Spain.
According to the European Commission, the Internet of Things (IoT) represents the next step in the inevitable digitalisation of our economy and society. It’s where objects and people interconnect and talk to each other; where, according to the aforementioned European organization, the physical and virtual worlds merge “creating smart environments” that, by the way, should make our lives easier, more efficient and safer. That’s the theory and the bright side of a tale, in which there is a great deal of science, a little fiction and many concerns.
People such as Paloma Llaneza, one of the references in this field in Spain, are taking care of answering all these doubts and questions around IoT. She is a lawyer with more than 24 years of experience in new technologies, the Internet, digital communications and security, and she is in charge of the less romantic (but, in fact, more realistic) part of the hyperconnected world we are diving into: security. A big chunk of her work therefore focuses on how to minimise and deal with the risks associated with a fridge becoming smart or driverless cars circulating on our streets. A complex task, as you can imagine.
“We have all kinds of devices connected to the network; from smartgrid sensors in big cities to AI-driven cars”, explains Mrs. Llaneza, who is also a partner and director of Razona Legaltech, a law firm specializing in technological law. “In this ecosystem, except for some areas, products are being manufactured with a complete lack of security. This is because the end user is not demanding it, because time-to-market is far more important than adapting it to security standards, or because, sometimes, devices are so small that implementing security measures is challenging…”.
Faster than we can assimilate
The EU foresees that the number of IoT connections will reach 6 billion in 2020 (up from 1.8 billion in 2013), worth 1 trillion euros. Another study, Cisco's Visual Networking Index report, states that within two years M2M (machine-to-machine) connections will represent 26.4% of all mobile connected devices.
The novelty that IoT brings and, as a consequence, its greatest security challenge is its connection with the physical world. According to Llaneza, even devices such as your home's thermostat, which may not seem critical at first, must be looked at from another perspective: what would happen if it were attacked to raise the temperature to a level that caused harm to the house or its occupants?
This may look unlikely, but it already happened in 2012, when a group of attackers managed to raise the temperature in a federal building and a factory in the USA. The event made security experts wonder what would have happened if the attacker had targeted a data processing centre or a room housing critical technical infrastructure. Other cases worth mentioning include TVs that spy on their owners, toys that collect private data from unaware users, and trucks whose brakes and other controls can be remotely hijacked.
Like it or not, "we've had recent attacks and we'll keep having increasingly severe attacks in the future". We have to be prepared, especially the companies developing and producing this kind of product.
When dealing with IoT devices, security weaknesses may lie in the device itself, in the cloud infrastructure or in the network they use to communicate. Some of the main failures cybersecurity experts have detected in these products are: default usernames and passwords, and the lack of mechanisms forcing users to replace them with more secure ones; insecure control and management web pages; unencrypted communications; and the absence of updates and support during the product's lifecycle. The responsibility lies mostly (if not completely) with the companies.
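The first failure on that list, factory credentials that keep working forever, is the one botnets exploit at scale. The following is an added example written for this article, not code from the interview or from any product Llaneza describes: a minimal model of a device that ships with `admin`/`admin` and never forces a change, beside a hardened variant whose factory password works exactly once, only to set a new one, and whose management interface refuses anything but TLS. The class names, the `KNOWN_DEFAULTS` list and the sample passwords are constructed for illustration.

```python
"""
Added example (not from the interview): a weak IoT credential policy
beside a hardened one. All names and sample credentials are constructed.
"""
import hashlib
import hmac
import os

# Constructed list of factory credentials of the kind devices have shipped
# with; automated attackers try these first, so a new password must not
# be on the list either.
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("admin", "1234"), ("admin", "password"),
    ("root", "root"), ("user", "user"),
}


class WeakDevice:
    """Ships with admin/admin, never forces a change, manages over plain HTTP."""

    def __init__(self):
        self.user, self.password = "admin", "admin"

    def login(self, user, password, scheme="http"):
        # Accepts the factory credential indefinitely, over any transport.
        return user == self.user and password == self.password


class HardenedDevice:
    """Per-device factory password (e.g. printed on the label) that only
    grants access to the change-password step; HTTPS-only management."""

    MIN_LEN = 12

    def __init__(self, factory_password):
        self.user = "admin"
        self._salt = os.urandom(16)
        self._hash = self._pbkdf2(factory_password)
        self.must_change = True          # set False only after a successful change

    def _pbkdf2(self, password):
        # Store a salted PBKDF2 hash, not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _verify(self, password):
        # Constant-time comparison avoids leaking hash bytes via timing.
        return hmac.compare_digest(self._hash, self._pbkdf2(password))

    def login(self, user, password, scheme="https"):
        if scheme != "https":
            return "refused: management interface requires TLS"
        if user != self.user or not self._verify(password):
            return "denied"
        if self.must_change:
            return "password-change-required"
        return "ok"

    def set_password(self, user, old, new, scheme="https"):
        if self.login(user, old, scheme) not in ("ok", "password-change-required"):
            return False
        # Reject short passwords, anything on the default list, and reuse.
        if len(new) < self.MIN_LEN or (user, new) in KNOWN_DEFAULTS or new == old:
            return False
        self._salt = os.urandom(16)
        self._hash = self._pbkdf2(new)
        self.must_change = False
        return True


if __name__ == "__main__":
    weak = WeakDevice()
    print("weak device accepts admin/admin over http:", weak.login("admin", "admin"))
    dev = HardenedDevice("label-pw-7Qx9")          # constructed factory password
    print(dev.login("admin", "label-pw-7Qx9", scheme="http"))
    print(dev.login("admin", "label-pw-7Qx9"))     # password-change-required
    print(dev.set_password("admin", "label-pw-7Qx9", "admin"))        # False
    print(dev.set_password("admin", "label-pw-7Qx9", "correct-horse-staple"))
    print(dev.login("admin", "correct-horse-staple"))                  # ok
    print(dev.login("admin", "label-pw-7Qx9"))                         # denied
```

The point of the hardened version is not the hashing but the state machine: the factory credential is a one-time enrolment token, not a login, and the device is unusable over the network until it has been replaced. The same structure applies to SSH, Telnet or a vendor's cloud agent.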
"We can no longer allow insecure software and products to be launched onto the market"
Paloma Llaneza, who has also been an arbitrator for technological disputes at the Arbitration Court of the Madrid Bar Association since 2000, recommends that companies apply the security measures that good practice already dictates. She herself works on this kind of recommendation as a member of the executive committee of the Mobility Studies Center (a centre within the Spanish Association for the Promotion of Information Security, ISMS Forum Spain). In October 2017 this organisation presented a study called State Of The Art and Implications of Security and Privacy in the Internet of Things, analysing the risks, the usual attack vectors in IoT and the security measures that minimise these threats.
Mrs. Llaneza has an advantage in this field. While studying at Law School she also completed a master's degree in computer programming at the Universidad Pontificia de Salamanca, in Madrid. This mixed tech-legal profile allows her to state that "security must be considered from the very first phases of designing a new product". So why is it not common practice? Is it so much work and money for companies? Is it really an obstacle to innovation? "It will depend on the work each company does, but the sentence 'it's too expensive for me' is no longer a valid excuse".
“It’s much cheaper to integrate security at a design phase of a product than incorporating it afterwards; everybody knows that”.
In that sense, Mrs. Llaneza is convinced that integrating security from the beginning is cheaper: "If you add a security chief to your design team, adding cryptography and security measures to your device is much easier than doing it when you are just about to launch it onto the market. I always use the analogy of building a house without the piping; its occupants would still need the piping to use the toilet or drink water. But it will be much harder to carry out the renovation works to add it once the house is built than to do it at the beginning."
A specific regulation for IoT
"Current regulation does not help", explains Mrs. Llaneza. "The European directive on defective products and the Spanish law that incorporates it (the Consumers and Users Act) establish liability for defects known at the moment the product is commercially launched. In IoT, the problem is that the device may comply with that regulation when launched but not throughout its lifecycle, for instance if it cannot be updated or fails after a certain time in operation".
Some steps are being taken, though.
The USA is moving first. In 2017 a new bill was presented (S.1961 — Internet of Things (IoT) Cybersecurity Improvement Act of 2017) to establish minimum security standards that these devices must meet before federal agencies are allowed to purchase them.
In the EU, IoT is considered a key piece of the Digital Single Market strategy and the Horizon 2020 programme. Additionally, the European Commission launched the Alliance for IoT Innovation (AIOTI) in March 2015 and published, in 2016, a document called Advancing the Internet of Things in Europe, which defines the pillars, risks and opportunities of IoT in the EU.
Furthermore, IoT devices are also affected by the General Data Protection Regulation (which applies from May 25th, 2018), the ePrivacy Regulation and the Cybersecurity Act, still in progress, which establishes a security-by-design approach including guarantee seals for any product or service within the scope of this legislation.
These guarantee seals connect with the biggest challenge for IoT regulation: unifying and establishing criteria applicable to the huge variety of devices and industries affected: "A driverless car, a car-sharing service and a smart grid that turns on lights as people walk by in a city are not the same thing. There are common elements [among these devices], but each of them has a huge operational complexity".
Initiatives such as Anastacia or Predictive Security for IoT Platforms and Networks of Smart Objects (SecureIoT) are already working on this. In Spain, Paloma Llaneza coordinates the first Spanish seal of guarantee for IoT devices. As an expert in European law, she is certain: "Regulation is going that way. On one side, by establishing measures ex ante, i.e. mandatory security standards for IoT products in general and by sector; on the other, by keeping a security system for commercialised devices in case, despite the previous measures, some damage has been caused. Those who don't want to join the 'best practices' group will end up paying".
According to Forrester's State of IoT Security report (2017), IoT security is the biggest concern for 32% of business managers. It affects not only those who create these devices but also any business using them (or whose employees use them).
Public administrations face similar or even bigger challenges. End users also have an important role here, as they (we) are using these technologies in several aspects of their (our) daily lives. "We have to be aware that we face a world where the lack of security goes from the physical to the digital, and that we will never be fully safe unless we establish a system in which everyone knows what they have to do", concludes Llaneza.