Information Security and Internet of Things

Transcription

1 Information Security and Internet of Things 2 nd Open China ICT Thematic Workshop On Internet of Things and Future Internet Beijing, 23 August 2013 Contents The growing Internet of Things Internet of Things Policy Challenges Internet of Things Network Security Industry developments of secure protocols Regulatory Environment: China Recommendations

2 The growing Internet of Things The growing Internet of Things the connection of physical devices to the Internet will rapidly expand the number of connected devices integrated into our everyday lives. More Than 30 Billion Devices Will Wirelessly Connect to the Internet of Everything in 2020 * * Source: ABI Research, 2013 Internet of Things: Policy Challenges A number of policy challenges need consideration for the healthy developmentof IoT: [non exhaustive] Network Security; Privacy and data protection; Identity management, naming and interoperability; Fostering innovation 2

3 Internet of Things: Network Security Every smart thing/object could be connected to the global Internet and is able to communicate with other objects, resulting in new security and privacy problems, e.g.: Confidentiality Integrity of data sensed and exchanged by things/objects. Authenticity Ensure secure end to end communications between objects/systems through the use of secure identities and authentication As the Internet is global, a global approach based on international standards and/or best practices is needed Secure connections are enabled by encryption Industry developments of secure protocols (1) Consumer demands have increasingly called for product features such as encryption that better protect security and privacy in and across a variety of ICT products and systems including in the area of Internet of Things The use of encryption has become widespread: as result, the great majority of applications of encryption involve every day commercial products, commonly used & traded in the global marketplace. Regulations that directly or indirectly favor specific technologies, limit market access or lead to forced transfer of intellectual property stifle domestic innovation and, in the case of encryption and the Internet of Things, prevent access to the strongest available security technologies in the market place, resulting in less secure products. 3

4 Industry development of secure protocols (2) As demand for connected devices increases and devices become subject to the [cyber] threats, manufacturers implement solutions to provide secure, tested protocols and algorithms: Encryption Identification Authentication Global or international open security standards, whose details and implementation have been peer reviewed, are more secure than proprietary solutions that rely on secrecy Regulatory environment in China: CERs The Office of the State Commercial Cypher Administration (OSCCA s) current Commercial Encryption Regulations (CER) effectively exclude Foreign Invested Enterprises (FIEs) from some areas of the Chinese market by not allowing FIEs to attain required certification. FIEs are not eligible to apply for various encryption certificates: Require majority Chinese stake in the company applying Use of some national algorithms that FIEs cannot access. Were FIEs to be able to attain certification, security relevant parts of the source code are still required to be disclosed China s Commercial Encryption Regulations are currently revised 4

5 Regulatory environment in China: MLPS The Multi level Protection Scheme (MLPS) aims to impose information security compliance requirements for enterprises and administrations of essential security interest. MLPS states that information security components in critical information systems cannot contain foreign intellectual property, meaning that the procuring the most secure technologies in the global marketplace will be restricted However, the scope of application extends vastly beyond provisions required to protect essential national security interests Risks that development of the IoT in China will be hampered because major IoT application areas will not be accessible for foreign entities Case study: USB Tokens/Keys In 2007, the China national algorithm SM2 was included for USB token/keys used by Chinese Banks Started with the government enforcing greater uptake of SM2 and led to new regulations to stringently implement SM2 Some banks are require to use OSCCA approved USB token/keys, even when not using the China national algorithm By 2012, it was mandated that 2 nd generation USB token/keys to use China national algorithms. 5

6 Recommendations (1) Strongly encourage: Global collaboration Open markets Use of global security standards for commercial encryption technologies, as they inherently promote more secure and innovative ICT products. Recommendations (2) As security functions are growing in most ICT applications including in the Internet of things, interoperability has become more critical and thus international security standards will increase in importance Using standard cryptography as part of common protocols and specifying encryption algorithms to be used (along with making provisions for handling key management, etc.), enables an infrastructure to achieve global interoperability between security functions in products and systems. Global or International security standards are essential to avoid fracturing the global digital infrastructure and creating unnecessary obstacles to trade. 6

7 Recommendations (3) Greater Internationalisation is required: Policies that attempt to provide secrecy through constraining choice have long been demonstrated to lead to weakened products. Robust and internationally peer reviewed encryption solutions are the best way to reduce security risks and ensure cutting edge products Involvement of international stakeholders from Governments and industry in the consultation for the revision of CERs to facilitate an environment and open markets with best in class solutions and international interoperability in China. Recommendations (4) Ensure China has access to the best products in the marketplace through open, transparent and non discriminatory licensing schemes Increase China participation in international standardisation bodies and agreements Open Chinese TCs and WGs developing standards and algorithms to full participation of FIEs and disclose all national commercial algorithms 7

8 Thank You 8