The current regulatory framework in the IoT space is weak, at best. It is partly because the industry is still experiencing growing pains. On the one hand, there is an exceptional flourishing in demand for connected devices across B2B and B2C sectors. Gartner estimates that by 2020 there will be 20-50 billion connected gadgets in regular use, which is undoubtedly a conservative estimate. The fact is: IoT products represent a substantial potential market for IoT manufacturers.
On the other hand, the increasing number of connected devices poses a unique security threat. As IT experts are well aware, anything connected to the internet doubles as a current platform for bad actors to target. The race is on to develop standards for trust, privacy, and end-to-end security for a range of products that promise to fuse the digital and the physical like never before.
In acknowledging the apparent risks, the European Commission is looking into the possibility of creating an IoT "Trust Label" to strengthen IoT security and end-to-end personal data protection. However, exploring the merits of trusted label raise many questions that remain unanswered.
What is a trust label?
A trusted label is a mark that is supposed to "provide to consumers of IoT products information about the products' level of security and privacy. Such a "Trust Label" could be similar to the labeling system used today to indicate energy-efficiency of various appliances across the EU".
Benefits of a trust label include:
- Security Assurance: Standards security requirements would be set for hardware manufacturers to meet. It would enhance user trust in the products they use, and promote the security of IoT products across the board.
- Transparency: Consumers would have a gauge for the level of security and privacy they can expect for each product. Offering consumers more knowledge will inform their choices and ultimately strengthen the IoT market.
- Surveillance Can Be Avoided: Minimum analysis of the security functions within each system would be needed. The alternative is for manufacturers to collect the behavior data of each user to mitigate risks.
Despite these evident benefits – and the apparent push towards minimum standardization currently underway - the implementation of a trust label comes with apparent drawbacks.
Setting Monolithic Standards Would Hold the Industry Back
Cybersecurity is not static, nor is it easy to prescribe. Bad actors are always adapting their approach to undermine innovations made in hardware capacity, network integrity, and data processing and connectivity. Each market has its own set of challenges, and the solutions are never apparent from the outset. Implementing a trust label runs the risk of oversimplifying the cyber threats to consumers by giving them a false sense of security in products that may have a label but are no longer equipped to offer end-user protection.
To successfully deal with these concerns, a trust label must be:
- Innovation-friendly
- Flexible in its approach
- Delivering a simple but credible message
- Applicable to different levels of privacy and security (including chipsets, operating systems, connected devices, and cloud compatibility)
- Designed based on a collaboration with government and industry
Meeting Unique Challenges in Each Industry
Another challenge inherent to setting a trust label in the IoT space is the fact that few if any, objective standards are being arranged. Each industry has its problems, both from a hardware perspective and an end-user perspective, and trust labels need to reflect these differences.
In looking to set the groundwork for more in-depth discussion in the healthcare app industry, the US Federal Trade Commission has put forward a list of best practices to inform developers and businesses looking to improve their data security strategy. There are essential questions about authentication and data sorting – and new solutions offered.
For trust labels to gain traction in B2B or B2C interactions, best practice guides similar to the one published by the FTC need to be crafted.
Conclusion