The Internet of Things, or IoT, is a broad term for the billions of connected physical devices, including vehicles, appliances and other electronics, that can communicate and exchange data with each other. These devices are everywhere, and by 2020 there are likely to be anywhere from 3 to 7 such connected devices for every living person!
IoT devices are not restricted to personal use, though. Infrastructure services like power plants, railways, streetlights and even some military vehicles fall into the same category. This makes the IoT perhaps the most useful as well as the most vulnerable asset of modern civilization. Increasingly, this vulnerability is being exploited by state actors and criminal elements for their own benefit.
The threat posed by the IoT is all the more serious because it can affect the physical world, not just digital data or records. A bad actor can hack into a car and cause it to lose control, or hack into a power grid and cause an outage. All of this has put a new emphasis on closing loopholes and erecting barriers against potential breaches.
The need to bring “trust” to the Internet of Things
The vulnerabilities of the IoT and its criticality mean that certain improvements need to happen immediately. The eIDAS regulation goes a long way in ensuring trust in digital services, and something similar is needed for the IoT as well.
The primary way in which a standardized regulatory framework can make the IoT more secure is by providing “Proof of Identity”. This is the first and most important step in securing access to the dozens of connected devices that we use every day. As our dependence on such devices increases, so does the need for a common framework like eIDAS, which can provide a minimum guaranteed level of security based on standard procedures and protocols across jurisdictions. Secure and trustworthy electronic identification, authentication and authorization are needed for IoT devices. Without them, the system will remain vulnerable and the potential for abuse will keep rising over time.
Another way in which regulations like eIDAS can help is through a legal and liability framework. eIDAS ensures the legal compliance of services that are provided under its framework. Something similar is needed for the Internet of Things: a universally accepted framework that defines the legal requirements for compliance and then ensures compliance with them. It needs to address cross-jurisdiction disputes and set the standard for regulatory/legal compliance in the IoT world.
eIDAS and other such regulations will go a long way to ensure that digital transactions are secure and users are protected. However, this same level of security and trust needs to be extended to the other network as well: the Internet of Things. The IoT needs a strong framework that ensures users’ identity, provides privacy and strong authentication capabilities, and establishes a rock-solid legal and liability framework to protect users.
References and Further Reading
- REGULATION (EU) No 1316/2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010 (12/2013), by the European Parliament and the European Council
- Selected articles on Authentication (2014-today), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
- Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Guillaume Forget, Jan Kjaersgaard, Peter Landrock, Torben Pedersen, Dawn M. Turner, Tricia Wittig and more
- REGULATION (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016), by the European Parliament and the European Council
- Proposal for a REGULATION concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (2017), by the European Parliament and the European Council
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014), by the European Parliament and the European Commission