Transcription

1 Security versus Privacy Finding the Middle InfoSec and Data Storage Conference September

2 Colombia 2

3 Famous for Coffee, Shakira, and 3

4 A story about Motivation Once upon a time in 1997, there was a war going on. Colombian Drug Lords were Chicago NYC Philly San Francisco Los Angeles Atlanta Dallas Houston Tampa Orlando Miami 4

5 IT Executive From 1992 to 1999 Social Engineering C.A.R.T. (Computer Analysis Response Team) National Cyber Center Fighting the drug war with IT 5

6 CIO From 2002 to 2005 Enable the WH business The Worm called Sasser Target The President will be? 6

7 Corporate World: 2005 to 2012 To breach or not to breach? Staggering degree of exposure A target rich environment Intellectual Property theft Many CIOs don t security. 7

8 My lessons from this past? Dependency is deep in every sector Civil unrest by cyber Digital presence IS your brand Everything / one is hackable 8

9 It gets worse in the world of Web 2.0 the world we are making The ICT future looks like this Wireless Broadband + Web 2.0 Applications The Internet of Things is Arriving Ubiquitous Un-Constrained Un-tethered capacity wireless Is Security in everywhere these Things addressed? Confidential Alcatel-Lucent Information CQR Conference MaY 2009 All Rights Reserved Alcatel-Lucent 2009, - DRAFT - 9

10 Trying to fight this problem With this kind of thinking. Not winning now worse in the future. 10

11 Governments Moving Services Online 24 by 7 They call it Smart Government 11

12 How many security engineers are here? 12

13 How many [auto] engineers are here? The Answer: Zero 13

14 Security in a Web 2.0+ World (Wiley 2009) Year 2019 will come Security by Design! Yes, but how? Proposed a standard to follow (ITU /T X.805) Discipline in the supply chain 14

15 Interests versus Privacy Example 1 Business and Government Interests Personal Freedoms 15

16 Security versus Privacy Example 2 National Security And Personal Freedoms 16

17 Security versus Privacy Example 3 National Security Personal Freedoms Balance 17

18 Government: Balance Two Interests Security Privacy Intelligence To vote free of coercion Counter-Terrorism To express opinion Laws To assemble Regulations To participate in politics Justice To criticize 18

19 Listen to M.O.M. Means Opportunity Motivation 19

20 Directing our future by controlling the O in M.O.M. What Is What Should Be 20

21 Idea: a Bill of Privacy Rights (BoPR) Items Meta-Data What it Means is System and transaction meta-data is personal Location Tracking Location-based apps must routinely alert not remain hidden. I can always opt out at any time. Opt-In By default, every service is opt-in. Cannot just deny service if willing to pay for privacy. Time-to-Keep I Pay Site Tracking I Generate the Key You Pay Data cannot be kept for a period longer than I am given the option to pay for private use Some degree of end-user control Encryption key - I generate and I keep Violations of the BOPR are fined 21

22 Security by Design: a standards-based approach The ITU/T X.805 Security Standard Power Environment Software Payload Layers Human Design for Security and Privacy Hardware Networks Policy Infrastructure Services Applications ITU / T X.805 Security Recommendations Control / Signaling 2 Layers 5 8 End User Management Planes Access Control Non-Repudiation Authentication Data Confidentiality Comms Security Availability Data Integrity Privacy Confidential Alcatel-Lucent Information CQR Conference MaY 2009 All Rights Reserved Alcatel-Lucent 2009, - DRAFT - 22

23 Design for Security and Privacy Part of the solicitation 4G/LTE, Apps, Cloud ITU/T X

24 Europe is Focused on Privacy There s a bigger threat ENISA begins its largestever Cyberwar stress test 24

25 Government Alone Cannot Solve This Problem Infrastructure is commercial The problem is ours Managing risk way we manage quality Militaries fight wars not good at defending vulnerable infrastructures. Only we can. 25

26 With good, there is also bad Cyber War Cyberbullying Censoring Propaganda Attack on Personal Freedoms 26

27 So What About Orlando? 27

28 Motivations Can Change in an Instant (remember M.O.M.) Intelligence National Requirements Security Personal Privacy 28

29 What you saw What you read What you ate What you bought Who you talked to Where you went Who you saw What drugs you take What health problems What debt What family Who you voted for Who you criticized 29

30 We are identified by our digital activity No Privacy No Freedom of Speech No Freedom of Opinion No Democracy All is Lost 30

31 We also need Cultural Wisdom Without the right of privacy, there is no real freedom of speech or freedom of opinion, and so there is no actual democracy Brazilian president Dilma Rousseff speaks at the United Nations general assembly. Photograph: Spencer Platt/Getty Images 31

32 Thank You!