Canada’s innovative approach to securing the Internet of Things marks an important shift in policymaking by using a multistakeholder process.
We live in an increasingly connected world, where a growing number of everyday objects are going online. Thanks to the Internet of Things (IoT), today cars can drive themselves, crop sensors can report when fields need watering, swimsuits can control your UV exposure and bracelets can monitor vital signs.
IoT is an exciting field with virtually infinite potential to solve everything from personal health care challenges to global environmental problems. It’s also likely to give Canada a welcome boost in economic development. The Information and Communications Technology Council recently predicted that once Canada upgrades its communications infrastructure to the 5G speed many IoT devices will thrive on, it could infuse up to $26 billion into the economy and up to 82,000 jobs by 2030. Figures like that lend credence to the idea that Toronto could surpass Silicon Valley in its number of innovation jobs within two years.
But such promise equally poses perils. Terrifying accounts of cyberattacks via compromised Internet-connected devices, as well as surveillance and privacy violations, have galvanized public attention. According to a joint survey, just released by Consumers International and the Internet Society, 68 percent of Canadians who own connected devices think they are “creepy” in the way they collect data about people and their behaviours. And with the number of connected objects growing exponentially — some experts project up to 1 trillion by 2035 — it’s little wonder that privacy and security concerns are increasingly top of mind.
But there’s hope. In fact, we can find great comfort in one of the lesser-known ways Canada is emerging as a digital innovator: a highly collaborative policymaking process that is revolutionizing how we develop tech policy around the world. Collaboration is especially crucial when it comes to addressing security online.
Strength in numbers
Multistakeholder consultations have been en vogue for years. Governments hold meetings or round table discussions with selected key players from industry and civil society to hear their perspectives. Think of the CRTC’s recent public inquiry about shady telecom industry sales practices, for instance.
While consultations can help give citizens a voice at the decision-making table, multistakeholder policy development takes collaboration a step further. Essentially, it puts a group of non-governmental actors in the driver’s seat alongside government players.
The multistakeholder model has been applied to policy development — albeit primarily with global, cross-border issues like Internet governance and climate change. Even Prime Minister Justin Trudeau expressed Canada’s support for multistakeholder models at the North American Leaders’ Summit in 2016, where he stressed “the importance of an open, interoperable, resilient and secure Internet, underpinned by the multistakeholder model of Internet governance.”
However, using a truly collaborative approach to policymaking is still rare. It can be risky. You need to trust organizations that don’t necessarily share your views. At the same time, doing so can yield much richer results. Drawing on the expertise and perspectives of various stakeholders makes the process more inclusive, representative and democratic. The outcomes are also much stronger and more widely embraced because they carry more integrity.
We’re at an inflection point in Westminster-style democracies. There’s growing recognition that to solve complex problems, you need to draw on diverse expertise.
Canada’s multistakeholder policymaking experiment
In Canada, Innovation, Science and Economic Development (ISED) is one of the departments with responsibilities for IoT security. In early 2017, it had the foresight to opt for a collaborative approach to address the complex current and potential challenges with IoT security. It recognized that bringing diverse perspectives, expertise and backgrounds to the decision-making table could produce stronger, more informed results. ISED officials also lead Canadian participation in multistakeholder venues such as the Internet Corporation for Assigned Names and Numbers and the Internet Governance Forum, so they understood the value of applying this proven approach to a domestic policy process.
Recognizing the complexity of IoT security issues, the Internet Society, in partnership with ISED, the Canadian Internet Registration Authority, the Canadian Internet Policy and Public Interest Clinic and CANARIE (the organization that runs Canada’s National Research and Education Network), launched a voluntary multistakeholder process. The Canadian Multistakeholder Process: Enhancing IoT Security was led by an oversight committee with representatives from each of the project partners to support the development of a made-in-Canada approach to secure our connected future.
A transparent multistakeholder group of over 100 representatives from government, civil society, the technical community, academia, the private sector and other relevant stakeholders was also formed. The group’s meetings were open, public and live-streamed, with recordings posted online. The fluid, flexible process was informed by three self-selected working groups (on network resilience, device labelling and consumer education) as well as reports submitted on youth and IoT, a French-language consultation in Quebec and input from the 2018 Indigenous Connectivity Summit.
The objective was to develop a shared set of definitions and benchmarks around the security of Internet-connected devices; shared guidelines to ensure security over their lifespan (including development, manufacturing, communications and management); and recommendations on IoT security for Canada. Over a year, six in-person multistakeholder meetings and a dozen virtual meetings were held to develop recommendations. The oversight committee’s draft outcomes report was released in late February 2019 and opened for public input until early April. The multistakeholder group held its final meeting on April 18 in Ottawa to wrap up the report, which will be released late May.
A model for success?
ISED has supported the process as an essential first step to evidence-based policy on IoT. In its comments on the draft outcomes report, it said: “The government has benefited from information sharing and collaboration with the community on IoT security issues. The network built by this initiative is a model for further collaboration in and outside government to foster adoption, build trust, and mitigate risk of IoT and other transformative technology applications.”
Participants also acknowledged the importance of a collaborative approach to security online. The draft report stresses that “given the Internet’s global reach and impact, it is critical that its security be addressed collaboratively.” It further emphasizes that the meetings provided “an opportunity to begin planning and implementing a bottom-up, organic process to remedy existing and potential security challenges in Canada’s national IoT ecosystem.”
Canada’s leadership in collaborative regulation is already resonating abroad. The Internet Society has been consulted by countries including Senegal and France, which are keen to develop similar models to approach IoT regulation. Canada is also sharing its best practices and recommendations on IoT security as part of a global policy platform kicking off at the 2019 Consumers International Summit.
With IoT security threats evolving just as quickly as new connected products, the world has good reason to demand better safety practices online. If fact, 88 percent of Canadians believe manufacturers should only produce connected devices that protect privacy and security.
The key to rebuilding trust online is working with the same collaborative process on which the Internet’s success was founded. The Canadian Multistakeholder Process: Enhancing IoT Security is a great example of how we can build on each other’s strengths and diversity to ensure security is at the heart of innovation in Canada. But the real work has just begun.
At the multistakeholder group’s final public meeting, it created an action committee to carry out its IoT security recommendations. This is a pivotal moment to show the world we’re stronger together than we are apart. For Canada to truly benefit from its innovative approach to building a safer connected future, we must all pledge to champion security, hold each other accountable and lead by example.
Do you have something to say about the article you just read? Be part of the Policy Options discussion, and send in your own submission. Here is a link on how to do it. | Souhaitez-vous réagir à cet article ? Joignez-vous aux débats d’Options politiques et soumettez-nous votre texte en suivant ces directives.