Headlines continue to abound about data breaches which threaten not only our institutions and economies but also consumer trust in the digital society. They also put new business models and product offerings at risk, suggesting that the market’s dynamics fail to work as they should when it comes to security.
What we need is greater awareness of the relevance of security in connected devices at the consumer level. But this will hardly emerge overnight.
If we really think about it, we as an industry have not even begun to educate consumers about the importance of security or identifying a product’s security level. Security is not a marketed feature today.
Yet the example of the energy transition proves that such a change can succeed. Energy efficiency was not on the minds of consumers years ago, and few knew what to do with “kilowatt hours” until the EU energy label for electrical appliances became established, making it easy to grasp the concept. Today, no one would buy a fridge with a red energy label denoting high power consumption.
So, what can we do to start a similar development with regard to data security? It’s the task of manufacturers and policymakers alike to strengthen people’s trust in secure products while creating greater transparency for consumers. While this will not eliminate all cyber risks, it will improve consumer perception and make security a visible and easily understandable product and quality feature – and it will make sure consumers ask for it.
As cybersecurity is of national if not geopolitical importance, policymakers have a special responsibility to create this awareness among consumers while at the same time supporting the development and marketing of secured products and systems. To achieve this, a security label is just as sensible an idea as the EU energy label for electrical appliances.
The challenge is that it must be easy to grasp while indicating the security level of the device, which demands a transparent, well-defined and meaningful certification process.
The EU Commission published a Cybersecurity Act (CSA) for IoT devices, processes and services in September 2017. The proposal denotes three levels of staged security for connected products and fosters new EU security certification schemes, at least for the levels “high” and “substantial”. It is expected that the trilogue on the CSA between the EU Commission, Council and Parliament will find a consensus by December 2018, and the new regulation would then be adopted in the EU Member States.
The ‘Trust in the Internet’ initiative by French President Macron, introduced at Paris Digital Week in early November, also aims to develop common principles for securing cyberspace and to enable infrastructures and organizations to improve their cyber protection.
How can we achieve this as an industry? Let me give you some hints.
Manufacturers of connected home appliances and consumer electronics should consider security features as early as the product planning and development stage (“security by design”). It must also be possible to update the devices while in use in response to risks that were not yet known during their development.
It is the security industry’s responsibility to provide easy-to-integrate security components that help manufacturers meet their security objectives. This can be achieved by leveraging tried-and-tested security technologies. Future-proof authentication, encryption or hardware-based trust systems already used in banking or on ID cards can be integrated just as effectively into, for example, smart home devices.
With my many years of experience in the industry, I am convinced that we can help the plethora of IoT device manufacturers lacking either the security expertise or the resources to develop adequate security measures on their own. They benefit from turnkey solutions, which combine security chips with OS, applets and even reference designs to address a wide variety of very specialized use cases.
Besides the increased security level compared to purely software-based solutions, hardware-based security also allows manufacturers to simplify production and logistics processes and realize financial savings while protecting their brand and image.
Cybersecurity is a must for digitalization and the connected economy and society. We should therefore stop seeing it as a cost driver and instead see it as a quality feature and enabler for an Internet of Trusted Things.
About the author:
Thomas Rosteck is Division President for Digital Security Solutions at Infineon Technologies – www.infineon.com