Summary of a talk by Jim Robbins, EWA Canada, at the IFIPTMA Conference in Moncton.
Let me outline what I would like to talk about.
1. Near-term opportunities. How do I as a paranoid security person deal with all the baggage I bring to the discussion? But also, where we are, where we're going, how this affects our economy.
2. Identity. I see identity management as the real issue that is going to link security and privacy. I cannot engage most security professionals in discussions about privacy. And vice versa.
Personal baggage - I have a defence and security background. DND used to be our primary customer, but now it's global industries. I like to think of ourselves as a 'trusted third party'. But there are various definitions of trust.
The real advancement in the discussion is going to come from the privacy advocates, not the security advocates. Having said that, there is still a need for companies like yourselves. We never talked to media - but when we did we have seen increases in attacks on our site. My home was robbed. It gets very personal, so we don't want to talk about what we're doing.
Recently we have been talking about the need to share. That's primarily between companies. But that's also migrating back to 'need to know'.
Trust: someone said 'trust implies a willingness to be vulnerable'. That's the soft side. 'Trust but verify'. That's more where we are. What is the definition of 'trusted third party'? ISO standard. There are accreditations we have as a company. ISO/IEC 21827. Also ISO 25. Communication Security Establishment (CSE) common criteria. Cryptographic Module Validation Program (CMVP) - they test our people in a random question and answer type session. Personal Identity verification program (FIPS 201). Also Visa and Mastercard testing. It costs us money to go through these exercises - they all charge.
We haven't really talked about organized crime. We see evidence of that on an almost daily basis. Hardware and software attacks. It's not generally known in the community. ("You can't handle the truth!" audio excerpt - funny - "you have the luxury of not knowning what I know.") That is sort of the extreme. Leaning towards that though are a lot of people who are in the security and intelligence field. But how do we take that and create some dynamic tension with the people in the privacy world.
When I interact with people in the blogosophere some of these issues come up. That's where identity comes into it. Identity theft is some of the criminal activity will cement some of those issues. We have to talk about identity, lawful access. We have to talk about an environment where the wrong technology is being proposed by government, eg. drivers' licenses. We need people to know what RFID is, what it does. We need to better inform people.
I found an interesting definition in a discussion of the industrial age. We have moved beyond the information economy and into the intangible economy. How do we talk about what we want to do in relation to knowledge assets, intangible assets, etc?
We've talked all week about the proliferation of sensors and where they're connected and so on. Where we're at. There's been a number of predictions, red pill blue pill, how we're going to connect to this matrix we've built around us. All of this is reality, our buildings, cars, and the like. We're being protected probably in ways we're not even aware of.
There's a migration of startegic focus. The first question was, how do we protect mainframe computers. It was just a matter of checklists. When we moved into client-server, these checklists didn't work. Nobody understood what they meant. We're now in the network era. We have blogs, podcasts, Facebook. It has moved from orgnization-centric to technology-centric to individual-centric.
How we've moved up the stack. We used to do a lot of work in network security, database security. More and more it's application security.
We've got laws. The whole notion of compliying with these laws has in many minds lowered security rather than increased it. That fear of penalties has chanegd attitudes to laws. I'm not sure it's the right approach.
Homeland security - they talk about cyber-infrastrcture, physical infrastructur, critical infrastructure. The financial sector - this whole area is taking on a dramatic change. The roll-out of second-generation standards for credit cards in Europe. This is new. North America is an isolated area, it doesn't have these standards. Personal identity is key infrastructure again.
eCommece crimes are moving from cybercrime to breach of trust. We trusted Matha Stewart, we trusted Conrad Black. Trojans. There is a formula that predicts whether someone will commit a cybercrime. If the money is enough, people will do it. 60 percent of hackers targeted financial institutions in 2003. But there are other gains. We are seeing religions motivations, political motivations. People are seeing fraud as 'not wrong'. If the rewards are enough, then fraud is OK. The vicious circle of cybercrime (image).
I wrote, 'Will identity Management be the 'Tipping Point'"? We talk about cybercrime and all that but nobody's paying attention.
There is a Bi-National Planning group (Canada-US). Homeland security and public safety in Canada. Recommendations about security, planning, training, etc. Their big problem is that there is no over-arching vision between the two countries.
There is the NIAP CCEVS Policy letter about U.S. purchasing policies - there must be testing for cryptography standards, CCEVS evaluations. Canada is considered part of the U.S. defense industrial base. Testing has to occur in the U.S. or Canada. That's great for industries in Canada.
Homeland Security directive 12 - revamping the way individuals are identified for government. Looks like it's going to be accepted. Ontario, for example, is adopting a system. Smart card technology - very well known in Europe and Asia, not sure whether people are bing taught about that in Canada. I do know we're testing them now. Products with smart card sensors in them. We should be building that, but the applications are all coming from overseas.
Government - in the U.S. they've been adding acquisition as part of the solution. We have to have something that's a bit more responsive, some way to train our acquisitions people to know about security and privacy requirements. There's going to be a lot of money spent in Canada to support these programs over the next 20 years. You don't have to be involved in the defense industry to take advantage of this. See the irb website www.irb-rir.gc.ca
We collaborate with a number of labs. There are 47 common criteria labs globally. 24 countries accept them and 12 countries have the labs. The payment card industry has 8 labs in 7 countries. Interact. FIPS identity management, 8 labs including 2 in Canada. These labs exist because products are coming from various countries to service the U.S. market. And there's no such thing as a single-country company any more. We have global countries testing for global markets. Some countries are providing incentives to build and develop evaluative products. I don't think many organizations even know that protection profiles exist. I would exncourage academic to look at the language of the common criteria - it's horrible!
Chip migration - there will be rollout problems. Rejection of mag stripes. We won a contract regarding the payment card industry in canada. There is room for other CAs to support fianncial institutions across the country. Also credit institutions like Home Depot, Canadian Tire.
We mention semantic technologies and ontologies - moving from security to semantic engineering. Bridging the gap from data to information to knowledge. Bottom line, you should be looking in that area. The semantic web is not web 2.0, it's something entirely different. Gathering meaning from unstructured text.
There's a lot of work going on in this area, especially for the intelligence community. See the National Center for Ontological Research at the University of Buffalo. Drowning in data but dying of thirst. Semantic Web Intelligence Group. Common Sense Knowledge Base. 'We need adults in the semantic world.' Report: Objects in the Mirror are Closer than they Appear.
Security and privacy convergence: building a document that describes how all the standards come together. ISO SC 27 changed to identity management and privacy technologies. Keith T. Hall - enterprise security architecture. Surveys various architectures. Recommends one. We wrote a paper on mapping security and privacy frameworks. If you're a systems engineer, here's how to think of this as an integrated activity from the very start.
Part Three. Next Steps
The intangible economy
- knowledge assets - what people know and put into use
- collaboration assets - who people interact with and create value
- engagement assets - level of energy and commitment of the people - why not a national centre for ontology here in NB?
- time quality - value for people in the short term - how quickly value is created
We need an Industry Canada led initiative to...
- have academic support the development of international standards in privacy and security
- a near-term focus on leveraging work that is underway
- focus on research that is relevant to the global security industry
- reinstate R&D as one of the cyber security strategy components - it was removed last month, I don't understand why
- a political awareness campaign - our politicians know little about the issues
- a vision without funding is an illusion - what are the financial implications of policies? eg. who pays the doctor for reporting