The IoT has been promoted as an enabler of a digital transformation leading to increased productivity for business and improvements in quality of life for consumers. Policy makers around the world seem to agree that the ability to benefit from the IoT is tied to the quality of broadband deployments and the capacity of societies to develop and execute on national ICT strategies.
The transition to IoT is well underway, and this marriage of automation, the Internet and big data promises a coming wave of smart everything: from smart homes and digital assistants (e.g. Amazon's Alexa), to smart factories, hospitals and utilities, and from smart wearables to smart cars and smart cities. The scale of the anticipated transformation is unprecedented. Estimates vary significantly, but there is a widely held view that by 2020, the IoT could result in some 20 to 40 billion Internet Protocol (IP) connected devices and sensors. Further, according to Forbes, IDC has estimated that by 2025, the number of connected devices and sensors could reach 80 billion.[i]
However, this transition is accompanied by challenges around privacy and security. Addressing these challenges will require not only increased action by the market but also, most likely, action and intervention by policy-makers and regulators.
Policy support is strong for advanced broadband deployment, increased adoption of ICT into economies and related transformations like the IoT, with these developments seen more as opportunities than as threats. Thus measures to advance related agendas by encouraging investment, promoting competition and/or deploying more spectrum continue to be priorities for policy-makers and regulators. However, unleashing the full benefits of the IoT and other transformative technologies (e.g. artificial intelligence) will ultimately depend on user trust in the system, particularly with respect to privacy and security.
To build user trust, privacy and security must become leading priorities as well.
With respect to privacy, it seems clear that there are substantial risks associated with the immense capture and manipulation of data collected by tens of billions of devices and sensors. Without adequate protection, there could be significant negative impacts on the privacy of personal information and the protection of consumers from fraud.
If there is a will to do so, countries can make privacy protection a priority. One need only look at the EU and the General Data Protection Regulation (GDPR), perhaps the most ambitious attempt yet devised to give personal data protection the full force of law. The GDPR, all 87 pages and 99 Articles, becomes enforceable as of May 2018[ii] and applies to businesses not only in the EU but also to global corporations doing business with consumers living in the EU. Penalties for non-compliance can be severe, reaching up to 4% of global revenues for firms that breach the new regime. Whether these rules are too draconian and may actually impede efforts to innovate, and whether the GDPR can be effectively enforced, particularly with respect to extra-territoriality, remains to be seen. However, these efforts prove that nation states can address issues like privacy if they have the will to do so.
Privacy is a major challenge, but even more troublesome is the very real possibility that inadequate security around the IoT can result in serious threats from hacking and denial of service attacks. These attacks can crash the Internet, undermine financial markets and even accelerate cyberwarfare between nations.[iii]
Whether the number of IoT devices turns out to be 80, 40, or even only 20 billion, it seems clear that, based on denial of service and other attacks to date, billions of these IP-connected devices will not be secure. The security challenges are immense given the vulnerabilities that will be created by billions of points of interconnection that may have inadequate password protection or no capacity to be updated with the latest security patches. And even the most securely designed system can fail if users do not ensure security is enabled and updated on a regular basis.
From the perspective of security, we are talking about an exponential increase in vulnerability to hacking and denial of service attacks. Security vulnerabilities in the home or consumer market are of particular concern because the consumer market demands the lowest-priced options to achieve scale, and the consequent low profit margins can result in products that do not prioritize security in order to reduce cost. Vulnerabilities in the consumer space can be used to launch attacks that can affect all segments of the economy. And in the corporate space, the hacks on Yahoo, Sony and Equifax prove that even the systems of the largest corporations are vulnerable.
Given the risks and costs to nations of insecure networks, particularly the risk of attacks on critical infrastructure, a compelling argument can be made that privacy and security solutions cannot be left wholly to the marketplace. One of the bigger issues to be determined is whether any device or sensor that connects to the Internet should meet certain minimum technical standards and related security protocols. Setting these types of standards will not be easy, and some interested parties may balk at increased regulatory intervention in the IoT if they perceive such regulation to be a threat to innovation and commercial success.
Many jurisdictions already have some privacy policies in place or can look to other jurisdictions such as the EU for guidance on best practices. But increasingly, privacy cannot be enforced without improved security. And even if suppliers, users and regulators can effectively collaborate on security protocols and standards, these may prove ineffective without clear measures to ensure compliance, including penalties for failure to comply. Privacy and security are becoming an increased focus in the Middle East, and a 2017 article on the impact of the implementation of the GDPR suggested that it “…could serve as a catalyst for nations in the region to enforce stronger privacy protections and breach disclosure requirements…” The article also noted a related compliance problem due to the fact that “Middle Eastern countries' privacy and breach notifications, in general, are less strict and detailed than GDPR.” As an example, the authors noted that even though Dubai's International Financial Centre (IFC) is already enforcing a privacy policy, local enterprises doing business with the EU could face challenges because the IFC policy is less onerous than the GDPR.[iv]
It should be noted that this issue is not specific just to the Middle East, but would apply equally to many other countries outside the region, and underscores a growing need for harmonization to assist digital trade. However, adopting a more holistic approach to privacy and security will also prove difficult from a legal and procedural perspective. Many telecom regulators have only limited jurisdiction to address security issues. Even if national responsibilities are worked out, solutions will require clear procedures for collaboration, not just at the national level but increasingly at the regional or international level.
Therefore, a first challenge for regulators and policy-makers is to determine not just what to do, but also who should do it: determining which agencies are responsible for what parts of the problem, and then determining in which fora (e.g. the ITU) to participate to give effect to international solutions.
Security and privacy regulation, including compliance and enforcement, will require increased resources for regulators. Regulatory budgets are constrained and shifting more resources to privacy and security will put pressures on many regulators to reduce intervention and resources elsewhere. Looking at regulatory tradeoffs would be timely given the scope and scale of digital transformation.
A profound transformation is upon us, bringing both opportunities and threats. In our final article in this series we will look at the need for a new regulatory framework to respond to this transformation in ways that address priorities such as preventing anti-competitive behavior and protecting users and infrastructure, while still promoting innovation and attracting investment in broadband and ICT.