Report about the Greens/EFA hearing on 7th June
How can we improve security for the internet of things (IoT)? As we move into an age in which our light bulbs, our cars, our factories, and our heating controls are connected to the internet, a lot of things can go wrong. The recent “WannaCry” ransomware attack showed this when prime-time TV news reported the functional shut-down of hospitals in the UK and the closing of car factories in France. But ransomware is still only about encrypting the data that is needed to work and holding it to ransom. The IoT is also about physical actuators that can potentially harm us directly.
The European Commission is preparing a new cybersecurity strategy for this autumn. Coming right after the WannaCry attack and shortly before the summer break, the hearing on how to improve IoT security that the Greens/EFA group in the European Parliament held on 7th June was therefore perfectly timed. And we learned a lot. The programme, including the presentations, and the video recording are available at our group’s website. The event was co-organised by MEPs Jan Philipp Albrecht, Julia Reda, and Reinhard Bütikofer.
The scale of the problem
Prof. Dr. Udo Helmbrecht, director of the EU Network and Information Security Agency (ENISA), in his keynote gave an overview of what ENISA and other EU bodies are already doing in this field. The focus so far is on preparation for reactions to attacks, e.g. through managing the EU Computer Emergency Response Teams (CERTs). But Helmbrecht was also very clear that we need a more comprehensive approach, including stricter incentives for manufacturers and service providers, such as product liability for IoT devices and also finally for software.
Despina Spanou, Director for Digital Society, Trust and Cybersecurity in the European Commission (DG CNECT), reported on the state of discussions in the Commission. So far, they are thinking about two avenues: 1) a new (and finally permanent) mandate for ENISA, and 2) product certification. The questions of whether such certification should be mandatory, and whether there should also be liability for the manufacturers, are still open for discussion.
Lucie Krahulcova from digital rights NGO Access Now made clear that governmental hoarding of IT vulnerabilities is bad for all our security. Any approach to IT security needs to take human rights as a base-line.
Ninja Marnau from the University of Saarbrücken showed impressive recent data on botnets such as Mirai that are using physical devices. She also pointed out that many IoT devices are not replaced every two or three years like computers or smartphones, but could be operating for up to 15 or 20 years in the case of smart fridges. Also, the most widespread botnets have clients in Vietnam, Iran, Brazil and India and other countries, with control computers in the U.S. and other Western countries. Therefore we need a global approach.
Frederike Kaltheuner from Privacy International pointed out that IoT devices can also be used to snitch on their users. Connected toilets and pacemakers can now be used against a person in legal proceedings, so we need to think about extending the right to remain silent to these. Kaltheuner also pointed out the information asymmetry between manufacturers, attackers, and end-users. She argued that the EU product liability directive should be updated to take IoT security into account.
Tim Philipp Schäfers and Sebastian Neef from Internetwache.org showed live on stage how you can find the control panels for wind energy installations by a simple internet search. Loads of these and other infrastructure control devices are online, but the security is often very weak, and their experience shows that often, neither the operators nor the manufacturers respond to messages that their infrastructure is vulnerable. Going through government-operated CERTs seems to help, but not in all cases, and more needs to be done.
Regulatory options: Liability - and what else?
At the second panel, Jan Neutze, cybersecurity policy director for Microsoft EMEA, gave some insights into the WannaCry attack. The vulnerabilities were based on the NSA-owned exploits that had been leaked by the still unknown hacker group called “Shadow Brokers”. In this case, Microsoft decided to make software updates available even for versions that are no longer supported, such as Windows XP. As a policy approach, he suggested a new international “Digital Geneva Convention” to ban malicious cyberattacks by governments.
Dr. Andreas Schmidt, IT consultant and author of “Secrecy vs. Openness. Internet Security and the Limits of Open Source and Peer Production”, reminded us of the history of product safety regulations. He presented three basic approaches: 1) Tackling the information deficit of regulators, manufacturers and other agents, 2) product certification as a means to establish trust on the market, 3) type approval certification that takes place before the product hits the market. He also emphasised the need to bring different communities together, such as the product safety engineers and the IT security engineers.
Dr. Leonie Tanczer from the PETRAS IoT Hub research consortium in London pointed out that the IoT is a very heterogeneous network that ranges from small sensors to factory and supply-chain devices. Currently, there are not enough security specifications and not enough incentives for the manufacturers. When regulating, one should reflect the different levels of criticality. Safety engineers also need to learn IT security. Software updates are sometimes complicated if the patch might crash your physical set-up. Tanczer also said that rules for public procurement like in the UK could be a first step. Also, the insurance sector could be a useful risk-management facility.
Walter Van Holst, an IT lawyer from Dutch consulting firm mitopics, also supported the idea of product and software liability. He warned, however, against overdoing it, because software will always have errors and therefore be insecure to a certain extent. For sure, however, liability should kick in if the vulnerability is known to the manufacturer and is not fixed for products that are sold afterwards. If a company used free and open source software in commercial products, it should also be held responsible for ensuring that bugs in that software are fixed.
Linus Neumann, spokesperson of the German Chaos Computer Club, the largest hacker organisation in Europe, suggested that any IoT device that is internet-enabled should carry a warning label saying “contains internet” or even “may contain traces of malware”. He also argued for an expiry date for such devices. The manufacturers should clearly indicate until when they will provide security updates, and after that date, the software should fall into the public domain.
Designated new "Digital" EU Commissioner in favour of liability rules
Two weeks after this hearing, another hearing took place in the European Parliament: the designated new EU Commissioner for the Digital Society, Mariya Gabriel from Bulgaria, was heard in a joint committee meeting (video) on 20 June about her qualifications and plans. She underlined that in order to improve IT security, she will support the introduction of product liability for IT products. As she will be ruling over the Directorate-General CNECT, the upcoming cybersecurity strategy of the Commission just became much more interesting! It might well be that our hearing helped a bit.