Europe vs Asia vs US: who reigns supreme in IoT security?
Carsten Rhod Gregersen, CEO and founder of Nabto, the company providing a peer-to-peer (P2P) based platform for IoT devices, explores which region reigns supreme in IoT security
It’s a battle for your security – and a battle which each continent is approaching in different ways. Data and device security for the Internet of Things (IoT) has been a hot topic across the world in recent months at trade shows like ISC West in Las Vegas and IoT Asia in Singapore.
One thing is for certain: there is not just one way to protect your data when it comes to IoT. Vendors and companies around the world are releasing inventive solutions to the publicised holes in IoT security. It is a topic which needs to be addressed as the number of IoT devices in the world only increases, with more than 30 billion predicted to be in use by the year 2022.
Between Europe, Asia and the US, which region is best prepared to protect your data and put users first?
First off the blocks is the European Union — which has a strong track record for IoT implementation and security protection. Three of the world’s top 10 smart cities are in Europe, including the winner of the list compiled by the Eden Strategy Institute, London. Furthermore, the bloc’s approach to digital user rights is second to none.
Case in point: The General Data Protection Regulation (GDPR). Passed by the European Parliament in 2018, GDPR literally rewrote the rulebook on data protection and privacy for all individual citizens while simultaneously legislating against the exportation of such data to other parts of the world.
The suite of digital protection laws looks to give individuals back control over their personal data and to simplify the regulatory environment for international business by unifying regulation within the EU. The legislation was wide-ranging across tech types and felt immediately, with many companies and websites changing their privacy policies and features worldwide directly prior to GDPR’s implementation. Furthermore, the bloc has not been shy to prosecute those who do cross the line, as evidenced by fines totalling €56 million and 200,000 reported cases in the first year.
Ironically enough, the majority of those GDPR fines came from companies who reside in our next continental contender, the US. Global behemoth Google accounted for €50 million of that total after being identified by French data watchdog CNIL. Perhaps one of the world’s biggest tech brands thought they could get away with it as there are much more lenient laws in their home country.
Yes, in comparison to the EU’s tough data regulations, the approach taken by the US in terms of IoT data protection is minimal. Privacy and tech guidelines for US IoT devices remain largely unregulated, something that the national government attempted to amend this March with The Internet of Things Cybersecurity Improvement Act. The rules, which would only apply to tech used by the government, sought to force device manufacturers to continue post-sale support for any given device and remove hard-coded credentials — or “skeleton keys” — in such devices.
While regulating government devices is likely to set a precedent to follow for public tech, this remains to be seen. The US is home to some of the world’s biggest and most powerful companies in this field so it is understandable that change is slow and careful. Nonetheless, there remain no minimum security standards for public IoT devices, which leaves much to be desired in terms of government regulation.
This is where companies appear to be filling the gap. Microsoft, for example, has launched the Azure Sphere to promote device security through crossover MCUs, secure OS, and turnkey cloud security. This safeguards every Azure Sphere device to deliver end-to-end IoT security that responds to emerging threats. No doubt an advancement, but one only offered by the private sector rather than the public sector.
Finally we come to Asia, which seems to lack both public and private initiatives for IoT security. The continent is instead focusing its IoT efforts on smart city technology and international collaboration. In a way this makes sense, as the region grapples with one-third of its total population living in urban areas and two-thirds of its Gross Domestic Product being generated in such areas.
Overurbanisation is acutely felt across the region, and as such there is a mentality of teamwork that exists from city to city and country to country when it comes to IoT solutions. For example, The Association of Southeast Asian Nations created the Smart Cities Network in 2018. This agreement between the 10-state body works toward the common goal of smart and sustainable urban development. Nonetheless, this means IoT device security has taken a backseat to smart city development.
Battle for best is good for all
Every continent has made big steps towards bettering its IoT systems. However, the clear winner in terms of legislative protection has to be the EU. The GDPR sets a strong precedent for digital protections and for what happens when they are infringed. One only needs to look at Google to see that the EU means business when it comes to online rights.
Compare the US and EU solutions. The EU law on data protection secures the end user while the US bill focuses solely on device protection. This is where the connection type of any given IoT device becomes important. For example, peer-to-peer connections are direct, with data never leaving its intended path. In this instance, the US bill protects the user as it protects the integrity of the device. However, problems arise with cloud connections which use a third-party server to relay information. This is where regulation like GDPR becomes much more protective as it sets rules for rights over user data and who can access it.
Whatever the ranking and whatever the region, competition breeds innovation and excellence. Competing solutions from competing continents create a better security environment for everyone — and that is positive as the world only becomes more digitised. More online devices make for more susceptible security situations, therefore a global push for heightened standards can only be a good thing.