$348 million. That’s how much worldwide security spending on the Internet of Things is set to be worth in 2016, according to Gartner, up 23.7% from 2015 ($281.5 million). On Wednesday 27 April 2016, this was the hot topic at the Partech Shaker. The open innovation campus located in Paris’ second arrondissement invited a number of experts to give keynotes, at the invitation of Digital Business News. What are the issues associated with security in the world of IoT? What’s the economic impact? What best practices should be implemented? We were there, to get the answers to these questions and more…
- Dimitri Carbonnelle is the founder of Livosphère, a startup specialising in creating, transforming and deploying connected devices. He is part of the French government’s “IoT” industrial plan and is an IoT consultant for Bpifrance and Scientipole.
- Yassir Kazar is a “serial start-upper” and co-founder of Yogosha, a bug bounty platform which won the Bpifrance innovation scholarship.
- Stéphane Petitcolas is an IT expert at the CNIL (Commission Nationale de l’Informatique et des Libertés, an independent French administrative regulatory body in charge of ensuring compliance with data privacy law, Ed).
“The massification of uses will lead to a strengthening of security”
Dimitri Carbonnelle is emphatic: with customer interactions becoming increasingly direct, manufacturers who can’t provide basic security for their connected products or services are taking huge risks. And yet, as security still represents a hefty budget, a lot of companies prefer to do without.
In some cases, loss of personal data can have extremely serious – potentially life-threatening – implications. The founder of Livosphère gives the example of a diabetes sufferer losing data gathered via a connected device: the overall analyses are corrupted and the patient won’t take the right treatment.
In other words, any company that can collect personal data can potentially affect the user, directly or indirectly. This is obviously particularly critical where healthcare data is concerned – showing a sick person to be healthy, or vice versa, is an obvious risk for patients – but in other areas too. Dimitri Carbonnelle mentions Hello Barbie, Mattel’s smart, Wi-Fi-enabled doll: “Imagine it got hacked into, like Tay, Microsoft’s artificial intelligence bot which went into meltdown on Twitter, spouting racist abuse and conspiracy theories. You could end up with a Barbie that sends out messages that the parents aren’t at all happy with!”
Carbonnelle continues: “Until recently, IoT was the preserve of communities of beta-testers, who are a rather unusual breed and are more tolerant than most of potential defects. The general public isn’t like that. In retail, they have high expectations of products in terms of security, performance and longevity. Innovation isn’t on the top of their list of priorities. Users need to trust the product.”
In the end, Carbonnelle says, it’s the massification of use and the inevitable abuses and disasters resulting from this that will ultimately lead to tighter security.
“Ethical” hackers to secure IoT?
Could hackers be the solution? Yassir Kazar believes so. With Yogosha (which means “defender” in Japanese), he has “uberised” bug bounty programs. Startups and entrepreneurs can thus call upon a community of “ethical” hackers to develop security protocols – and they only pay if a solution is found. “This model leads to massification,” says the serial entrepreneur. “The ramifications of the Internet of Things are very complex, involving bringing together many different players, and hackers play a fundamental role in this society that’s emerging.”
But who are these hackers? Essentially “tinkers,” according to Yassir Kazar. “People who know where to look for flaws, who aren’t like ordinary people.” He also points out that giants such as MIT, Google and the NSA have already recognised the value of hackers in the fight against cybercrime.
CNIL: what the IT security experts say
According to Stéphane Petitcolas, an IT expert at the CNIL: “Data security is all about informing people and encouraging responsible user behaviour. Users are the key, unlike traditional IT system security, which focuses on the potential risks.”
“Of course,” he goes on, “Data security means security across the entire data chain: you have to analyse everything, and this is an approach that hasn’t yet been incorporated into IoT security.”
This is where the concept of privacy by design comes in, i.e. an approach which takes privacy into account throughout the whole design process of a connected device. “It’s a difficult approach to incorporate in companies,” says Petitcolas. “Some ‘loyal’ startups think about how to do things well. But with a company that’s built an economic model on selling data, negotiation is much more complicated.”