
Why International Governance is important in securing the IoT Industry?
- Post by: rcgcg_editor
- 2023-08-10
IoT security is a complex and multifaceted issue that affects various aspects of society. Under the circumstances of geopolitical rivalry, IoT security issues are not only technical problems, but also strategic and political ones. Therefore, the security and reliability of IoT devices and systems are not only important for protecting the data and privacy of users and consumers, but also for ensuring the stability and prosperity of nations and regions.
RCGCG organized the conference "Cyber Norms: Legal, Policy & Industry Perspectives" in Washington, D.C., on July 26, 2023, to take stock of the current state of global IoT security. The conference brought together cyberspace and international relations specialists from universities, businesses, and organizations including the Massachusetts Institute of Technology, the U.S.-China Business Council, Hathaway Global Strategies LLC, and Tuya Smart. Participants discussed their perspectives on the current state of cybersecurity, emerging technology norms, and the most effective ways for the private sector to address cyber risks.
At the forum, Tuya Smart presented its holistic approach to cybersecurity leadership. Recognized in the 2022 Global IoT Security White Paper for their IoT practices, they offered insights from the private sector on best practices to enhance cybersecurity.
Why We Have to Set up Rules
First of all, IoT security is not only a technical issue, but also a social, economic, and political issue. IoT devices are used in various domains and sectors, such as healthcare, transportation, energy, agriculture, manufacturing, and smart cities. These devices collect, process, and transmit large amounts of data that can have significant impacts on people’s lives, well-being, safety, privacy, and rights. Therefore, IoT security is not only about protecting devices from cyberattacks, but also about ensuring the trustworthiness, reliability, and accountability of the data and services that IoT devices provide.
Secondly, IoT security is a global challenge that requires international cooperation and coordination. IoT devices are often interconnected across borders and regions, creating a complex and dynamic ecosystem that involves multiple stakeholders, such as device manufacturers, service providers, network operators, regulators, users, and consumers. These stakeholders may have different interests, incentives, capabilities, and responsibilities for IoT security. Moreover, IoT security is affected by various factors that transcend national boundaries, such as geopolitics, trade wars, cybercrime, terrorism, human rights, and environmental issues. Therefore, IoT security cannot be effectively addressed by individual countries or regions alone. It requires a common understanding and agreement on the rules and principles that govern the design, development, deployment, and operation of IoT devices and systems. It is encouraging to witness the progress of initiatives such as the U.S. cybersecurity labeling program and China's Global Initiative on Data Security in the field of security. Moreover, we also look forward to greater international collaboration.
Thirdly, IoT security is an evolving and dynamic field that requires adaptive and flexible rules and principles. IoT devices are constantly changing and improving in terms of functionality, performance, complexity, and diversity. New technologies and innovations are emerging that enable new applications and services for IoT devices. These changes pose new challenges and opportunities for IoT security. For example, artificial intelligence (AI) can enhance the capabilities of IoT devices to learn from data and make decisions autonomously. However, AI can also introduce new risks and uncertainties for IoT security. For instance, AI can be used to launch sophisticated cyberattacks against IoT devices or manipulate the data or behavior of IoT devices. Therefore, IoT security rules and principles need to be updated and revised regularly to keep pace with the changing technological landscape.
What Are Those Major Obstacles
One of the major obstacles is the heterogeneity and diversity of IoT devices and systems, which make it difficult to apply uniform security standards and policies across different domains and sectors. IoT devices and systems vary in terms of functionality, performance, complexity, and architecture. They also operate in different environments and contexts, such as healthcare, transportation, energy, agriculture, manufacturing, and smart cities. These variations pose challenges for defining and implementing common security requirements and best practices for IoT devices and systems. Moreover, they create interoperability and compatibility issues among different IoT devices and systems, which may affect their security and functionality.
Another major obstacle is the lack of awareness and education among IoT users and consumers, who may not understand the risks and implications of IoT security and may not follow the best practices and guidelines for securing their devices and data. IoT users and consumers are often unaware of the potential threats and vulnerabilities that IoT devices and systems face, such as unauthorized access, data breaches, malware infections, denial-of-service attacks, and privacy violations. They may also lack the knowledge and skills to configure, update, monitor, and protect their IoT devices and systems. Furthermore, they may not be informed of their rights and responsibilities regarding IoT security and privacy. Therefore, they may not be able to make informed decisions or take appropriate actions to safeguard their IoT devices and data.
A third major obstacle is the legal and ethical issues of IoT security, such as data ownership, consent, privacy, liability, regulation, compliance, and governance. IoT devices and systems collect, process, store, and transmit large amounts of data that may contain sensitive or personal information about users and consumers. However, there are many uncertainties and ambiguities regarding who owns the data; who can access, use, share, delete, modify, or protect it; who benefits from it and who may be harmed by it; who can be held accountable for it; who can enforce the rules for it; and who can resolve disputes over it. These issues raise ethical dilemmas and legal challenges for IoT security governance. Moreover, they may create conflicts and inconsistencies among different jurisdictions and regions that have different laws and regulations for IoT security.
How the Twelve Initiatives Address the Problems
The 12 initiatives proposed by RCGCG and ioXt in the 2022 Global IoT Security White Paper respond to the standards, awareness, and legal obstacles described above: they address the various challenges and threats that IoT devices and systems face, and they narrow the differences and gaps among countries.
Building Trust and Cooperation
The first and ninth principles rightly emphasize building trust and cooperation between nations and stakeholders. As proposed by regime theory in international relations, cooperation on transnational issues like IoT security requires common interests between actors to create regimes based on norms and rules. By establishing shared norms and values, trust and cooperation can foster a collaborative and constructive environment for addressing IoT security issues. In the private sector, Tuya Smart has made a notable mark. Their commitment to high security standards has gained international recognition, and they actively seek to work with global partners in constructing a safe, open, and resilient IoT ecosystem. Such endeavors showcase how trust and cooperation can also facilitate information sharing and coordination among different actors, from device manufacturers to users and consumers.
Comprehensive Legal Frameworks
The second guideline calls for progressive legal frameworks that proactively address IoT security concerns. As recommended by scholars like Irina Brass and Jesse Sowell, adaptive governance is needed where regulations co-evolve with new technologies.[1] By updating laws and regulations to keep pace with the changing technological landscape, comprehensive legal frameworks can boost compliance and enforcement of IoT security standards and policies. Comprehensive legal frameworks can also protect the rights and interests of IoT users and consumers, such as data ownership, consent, privacy, liability, regulation, compliance, and governance.
Technical Standardization
Standardization of IoT technologies is encouraged to promote interoperability and baseline security requirements, as stated in the third, eighth, and eleventh principles. As argued by academics like Tim Maurer and Garrett Hinck, technical standards that account for security can act as a form of pre-competitive governance.[2] By defining common technical specifications and protocols for IoT devices and systems across different platforms, networks, and regions, technical standardization can enhance the functionality and compatibility of IoT devices and systems. Technical standardization can also improve the security of IoT devices and systems by setting minimum security criteria and best practices that can prevent or mitigate potential vulnerabilities and weaknesses.
Secure IoT Ecosystem
A secure IoT ecosystem through supply chain coordination and third-party audits is proposed in the fourth, sixth, and tenth guidelines. As analyzed by researchers like Myriam Dunn Cavelty, this can counter IoT vulnerabilities emerging from complex systems interactions.[3] By ensuring the security of each component and process in the IoT supply chain, from design to production, distribution, installation, operation, maintenance, and disposal, a secure IoT ecosystem can reduce the attack surface and the risk exposure of IoT devices and systems. A secure IoT ecosystem can also verify the security of IoT devices and systems through regular audits and assessments conducted by independent third parties.
Given the significance of such comprehensive security measures in the IoT ecosystem, industry leaders are forging partnerships to ensure maximum security. Take Tuya as an example: it has partnered with independent third-party security services as well as auditing and consulting organizations. These collaborations enable its IoT ecosystem to consistently meet, and often surpass, global security benchmarks.
Risk Management Regimes
The fifth principle calls for collaborative risk management mechanisms; collaborative risk assessment, mitigation, and response mechanisms are vital for IoT resilience. By identifying, analyzing, and prioritizing the potential threats and impacts of IoT security incidents, risk management regimes can help prepare and plan for effective countermeasures and recovery actions. Risk management regimes can also involve public-private partnerships that leverage the resources and capabilities of both sectors to enhance the protection and restoration of critical infrastructure and services.
Capacity Building
The seventh and twelfth principles emphasize awareness and talent development among all stakeholders. Capacity building helps ingrain security practices and mindsets: by educating and training IoT users and consumers about the risks and implications of IoT security and about the best practices and guidelines for securing their devices and data, it can help them make informed decisions. Furthermore, capacity building can foster innovation and development of IoT technologies by nurturing a skilled and knowledgeable workforce and research community.
International Cooperation
Given the transnational nature of IoT, multilateralism is essential to IoT international governance. Even though it is not explicitly mentioned in the principles, it can be inferred from the overall tone and context of the 12 principles. It could be implied in promoting global dialogue and coordination on IoT security issues, sharing best practices and experiences, and supporting developing countries in building their IoT security capabilities.
In summary, the guidelines cover key focus areas for improving international technology governance. These 12 principles provide direction and ideas for the international community and nation-states to solve the problems of IoT security and development, and they consolidate the key role of the private sector and technical communities from the perspective of developing the technology ecosystem. In addition, these 12 principles offer the international community ways to remove the obstacles faced by IoT security governance, and they provide a strong boost for the development of international IoT governance.
[1] Irina Brass and Jesse H. Sowell, "Adaptive Governance for The Internet of Things: Coping with Emerging Security Risks," Regulation & Governance, Volume 15, Issue 4, October 2021, pp. 1007-1479.
[2] Tim Maurer and Garrett Hinck, "Cloud Security: A Primer for Policymakers," Carnegie Endowment for International Peace, August 2020.
[3] Myriam Dunn Cavelty and Jennifer A. Giroux, "Complexity and Security Governance: A Tale of Two Systems," in Myriam Dunn Cavelty and Victor Mauer (eds.), The Routledge Handbook of Security Studies, London and New York: Routledge, 2012, pp. 312-323.