At TDL’s members’ meeting in Leuven in March, Professor Bart Preneel from KU Leuven’s imec-COSIC group gave an insightful and ultimately uplifting discourse on the future of security and privacy. Spurred by the Kantian mantra ‘optimism is a moral duty’, he wove a narrative through a series of ‘themes’ that ranged from observations about the intrusive, unavoidable stealthiness of IOT in the public sphere. Firstly he observed that IoT security risks are due to the low cost of devices that have a large attack surface and are extremely hard to update. Comparing the projected spend on endpoints with the outlay on security suggests that the problem is only going to get significantly worse. Not surprisingly, nobody wants to pay for security. Then he looked at how big data analytics could be used to learn how systems work thereby preventing events occurring.
However, the world’s significant – biggest – data breaches are in fact due to big data, which Bart described in terms of pollution which we’re all responsible for. If we leave or publish stuff on social media, it can harm others. The 1984 ‘Big Brother’ turns out to be our mobile phones provide an untold levels of mass surveillance, which prompted the NSA to term iPhone users as zombies who pay for their own surveillance. Since we lost Nokia, Europe has nothing. Because of PRISM, the Safe Harbor program was replaced and now the NSA shares with GCHQ and so on. There is no end-to-end security for mobile phones and 5G isn’t likely to provide it. According to Snowden, the NSA believes they should, “Collect it all, know it all, exploit is all.”
So what is to be done to stop the rise of nation state hacking and cyber arms proliferation? According to Microsoft President, Brad Smith, at last year’s RSA, we need a Digital Geneva Convention. Despite the world believing that, ‘You should not attack civilians in time of war’, why is that ‘nation states are hacking civilians in peace time’. Did NSA keep secret the fact that #WannaCry was hacked for ten years?
In the face of the apparent inevitability of this onslaught, and the affirmation that ‘optimism is a moral duty’, Bart recommended that we should be thinking of moving from big data to small local data. We shouldn’t keep our data in the Cloud, not least because Google and FaceBook use it for advertising. But users aren’t great about looking after their own data as evidenced by the common non-application of Microsoft patches etc.
In reality, the threats from terrorism and paedophiles are marginal: there are greater societal issues about the police getting access to iPhone data, not to mention the availability of meta data from telcos and elsewhere. GDPR is enforcing the requirement for consent but what then? The way round is to only permit what is required for service provision, such as location-based services for Google Maps.
Another viable alternative to big data is encrypted data, preferably through open (source) solutions, which provide both effective governance and transparency for service providers. The EU should go for openness For example, as routers come from the US or China, the EU should stipulate that, if you want to sell a router in Europe, it should be an open system that would prevent the opportunity for US or Chinese backdoors and wouldn’t require millions of lines of code from Microsoft.
ENISAs PSG (Permanent Stakeholders’ Group consisting of Member States representatives, and a few from the Commission) has come up with a set of priorities but the concern is the length of time it would take to develop any of them in Europe. Bart emphasised the need for transparency over user awareness, and that finally, we can (and must) take back control of our data as part of an overall industrial policy in order to preserve Europe’s sovereignty and values.
For a copy of Professor Bart Preneel’s presentation, please contact firstname.lastname@example.org.