Proposer's Name: Ms. Farzaneh Badiei
Proposer's Organization: Georgia Tech
Co-Proposer's Name: Ms. Tatiana Tropina
Co-Proposer's Organization: Max Planck Institute for Foreign and International Criminal Law
Co-Organizers:
Ms. Tatiana Tropina,Senior Researcher at Max Planck Institute for Foreign and International Criminal Law (in personal Capacity) Ms. Farzaneh Badiei, Executive Director at Internet Governance Project
Session Format: Debate - 90 Min
Proposer:
Country: United States
Stakeholder Group: Civil Society
Co-Proposer:
Country: Germany
Stakeholder Group: Civil Society
Speaker: Arthur van der Wees
Speaker: Tatiana Tropina
Speaker: Milton Mueller
Speaker: Maarten Botterman
Speaker: Mr. O'Donohue, European Commission
Moderator: Arthur Rizer
Content of the Session:
The massive deployment of networked devices and sensors, many of them aimed at the consumer market, has created new kinds of security risks for the Internet. These risks were revealed following the 2016 Mirai botnet. Mirai is malware that scans the Internet for devices running default usernames and passwords and then controls these devices to make them participate in massive distributed denial of service attacks. Since many of the IoT devices are cheap, distributed en masse, and deployed by consumers who are not experts in ICT management, the rise of Internet of things is causing concern.
These IoT problems have prompted several computer security experts to call for government regulation to solve the problem. Bruce Schneier has written that “government is the only solution” and believes that “the government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care.” Richard Clayton and Ross Anderson have also done work for the European Commission advocating an approach based on safety regulation. On the other hand, these calls for regulation are coming not from experts in political economy or regulatory institutions and processes, but from technical experts, who may not be familiar with some of the dilemmas, challenges and pitfalls of asserting government regulation. Regulatory initiatives pose many of the problems of jurisdictional fragmentation and cross-border divergence that often undermine the effectiveness of government on the internet. Regulation is also challenged by the “moving target” problem, i.e. rapid technological change in this area; it would not be unusual for regulations to be put into place that address a problem that no longer is relevant, while overlooking the new ones. Advocates of regulation also tend to fail to distinguish accurately between different legal and regulatory mechanisms. Liability lawsuits, for example, would not be classified as “regulation” by political economy experts, yet Schneier and security experts such as Brian Krebs put them both in the same basket. The application of liability laws to IoT vendors has certain parallels with the earlier debate over software liability, and is an issue to be explored.
This workshop would be framed as a debate between advocates and opponents of IoT “regulation.” However, the positions represented would not be divided into two simple, polar opposites (yes regulation or no regulation) but rather would explore a broader range of governance options for the emerging Internet of things. The workshop would bring together a range of expertise on cybersecurity-related technical issues; IoT business and technology development; political economy and policy related to regulation and regulatory institutions; and law and economics expertise related to liability in high-tech sectors.
Relevance of the Session:
There is a little doubt that IoT security - and the question of achieving it - is one of the key issues for the Internet development in the short and medium term, and, therefore, one of the very important topics for the Internet governance. The challenge of IoT security is not only a problem of securing cheap mass distributed devices, but as we explained in the proposal also a bigger issue of the choice between less or more regulation - and therefore, the issues of multi-stakeholder participation in this choice, - the question of consumer trust and user-centric security approaches. Therefore, IoT security touches many dimensions of the Internet governance from a broader perspective and has a potential to shape many of the debates in the future .
Tag 1: Cybersecurity
Tag 2: IoT
Tag 3: Regulation
Interventions:
The panel will include experts in regulation and tech, who will represent different stakeholder groups - business, civil society, technical community and others. This will allow us to discuss different dimension of the problem and explore more options than just bipolar question “yes or no to IoT security regulation”. The session would rely on the strong Q&A moderation with the moderator setting the scene and asking questions related to the perspectives of a particular panellist. Some discussants believe that IoT regulation is needed, some believe it is not needed and some believe it might be needed in the future. These perspectives will be discussed and the participant's views will be included as well. We aim to open the session for wider participation from the very beginning, asking everyone to make an intervention on IoT security and regulatory options. This will allow for an interactive discussion.
Diversity:
The proposed set of panelists represents geographical, gender and stakeholder balance: the submitters of this proposal invited representatives from the technical community, civil society organisations, business (we are going to invite representatives from Dyn), and European Commission. In addition to stakeholder diversity, we have a gender diversity, as at least three of the invited speakers are female, and there will be more invited. The panel represents a geographical balance with panelists invited from different regions.
Online Moderator:
Rapporteur: Karim Farhat
Online Participation:
Internet Governance Project will use Twitter for disseminating information about the workshop and the available remote participation facilities provided by IGF. It will also provide a remote participation sign up sheet on its website to give information to the participants that want to attend remotely. It will encourage the remote participants of the workshop to sign up to a Skype group to discuss the workshop topic before, during and after the workshop. During the session, the remote participants comments will be given priority over those participating in person. Following the design of other successful and effective remote participation facilitation, all the participants in the room are encouraged at the beginning of the workshop to log into the WebEX room and follow remote participation discussion in WebEX chat. This way remote participants will be able to interact with various people present in the room. The people in the room will be encouraged to queue up to make comments in the WebEX room.
Discussion facilitation:
As explained in details in the other parts of this proposal, the discussion facilitation will strive to achieve the most interactivity of the session and to bring together different perspectives in the intense debate by:
Strong moderation of the debate with moderator asking questions to both panel and the audience, trying to summarise the discussion at different points and provoke both the speakers and the audience to address different aspects of the issue
Inclusion every participant into the debate
Asking all the participants - including both speakers and audience members - to intervene with statements that reflect position on the issues being discussed or to address earlier interventions. All those who participate can ask questions not only to the panel, but to each other as well
Conducted a Workshop in IGF before?: Yes
Link to Report: https://www.intgovforum.org/multilingual/filedepot_download/4098/295
1. Moderator sets the scene and introduces the participants and mentions the issues that will be discussed
2. IoT implications for cybersecurity and why it should be regulated?
The debaters who are "for" regulatiton of IoT and believe there is need for regulation will put their arguments forward
3. The debaters that do not think regulation is the optimal solution for IoT put their arguments forward
4. The moderater briefly mentions the "for" and "against" arguments and then asks the "against" regulation debaters how cybersecurity should be maintained in IoT devices if regulation is not in place and asks the "for regulation" debaters to discuss what regulations should be in place.
5. Both sides debate the shortcomings of each others solutions
...
