Cybersecurity Trends, English Edition, No. 2 / 2017

Is GDPR Self Certification possible?

VIP interviews: Pierre-Louis GIRARD, Jean-Luc HABERMACHER

Hyperconnected = Hypervulnerable?


We are a leading UK-based CyberSecurity firm providing state of the art Application Delivery Networking and CyberSecurity solutions to clients in banking, retail, finance, and insurance, enabling them to leverage the power of their digital infrastructure to beat the competition. Website: www.icyber-security.com

Twitter: @icybersecurity_

Our renowned training academy provides bespoke training to ensure that your engineers have the skills to protect your business against the growing number of relentless cyber attacks. That expertise is what gives us unique insight and the ability to work in complex multi-vendor ecosystems in order to deliver the best solution to our clients. Next Training Course: Web Application Security: 21st - 22nd October / 11th - 12th November / 25th - 26th November / 2nd - 3rd December / 16th - 17th December, Reading, UK. www.icyber-academy.com

Contact us! Griffins Court, 24-32 London Road, Newbury, Berkshire, UK, RG14 1JX. +44 (0) 800 086 9544. www.icyber-security.com


Cybersecurity Trends

Contents

p. 2 – Editorial: The growing role and risk of connected everything. By Norman Frankel
p. 4 – International Telecommunications Union: Cybersecurity - The United Nations (and not only) Acting as One. By Marco Obiso
p. 5 – “Application Whitelisting” - The most effective anti-malware strategy. By Cătălin Pătraşcu
p. 6 – 5 Reasons single-password authentication should be banned. By Marco Essomba
p. 8 – Cyberpower, a view into future powers. By Arthur Lazar
p. 14 – Cars and IT: Dangerous connections. By Yannick Harrel
p. 16 – Control by Design: A specific example of a connected but non-disconnectable object. By Jean Christophe Schwaab
p. 17 – When big industrial companies are hit… damages are huge. By Laurent Chrzanovski
p. 18 – VIP Interview with Ambassador (em.) Pierre-Louis Girard: The World Trade Organisation (WTO) and the digital world. By Laurent Chrzanovski
p. 20 – Achilles’ heel: Security in the context of the Web Services and IoT. By Ștefan Hărșan Fárr
p. 24 – Is GDPR Self Certification possible? By Mark Burnett
p. 26 – Connected cities: the ethical and legal stakes are huge. By Pascal Verniory
p. 31 – Sexual violence: old behaviors in a new digital world – why HR units need to act and for progressive States like the UK it is the last moment to act! By Laurent Chrzanovski
p. 34 – Insider threats: Misunderstandings and Challenges. Always underestimated, under-reported and ignored. By Vassilis Manoussos
p. 38 – VIP Interview with Jean-Luc Habermacher: Challenges and threats in cybersecurity seen from a top risk manager’s point of view. By Laurent Chrzanovski
p. 42 – Useful Tips & Bibliographical reviews



Editorial: The growing role and risk of connected everything

author: Norman Frankel CEO, iCyber-Security

The goal of this publication remains to open up knowledge and information sharing across research and commercial activities, so providing a bridge between public and private dialogues, with the aim of helping our world operate more safely given the growing frequency of attacks that seem to endlessly get media attention. I would highly recommend all readers to look at the Biblio section (page 44), as there are fantastic summarized write-ups on a broad range of international publications in the field of cybersecurity.

As I write the editorial for this second English language edition of CyberSecurity Trends, in the height of the European summer, it seems that after the regular attention cyber-attacks were generating during spring some calm has been restored. How long that will last none of us know. The one story that continues to rumble on is to what extent governments were and have been involved in cyber-security breaches that ultimately led to more commercial attacks. This edition features a thought-provoking opinion piece on cyberpower and where this might all go (page 8). There is also a useful introduction to the role of the World Trade Organisation and where the WTO stands on digitalization, in a VIP interview (page 18). We are becoming more connected every day. This edition has a number of articles sourced from across Europe that look at the impacts and risks of connected cars (page 14), connected cities (page 26), security in the context of the Internet of Things (IoT) (page 20), and whether we can really mitigate the increasing connectivity risk by design, or have already gone too far to truly protect privacy (page 16).

Of course, increasing connectivity and the wealth of data that is collected bring other threats that are not just commercial. Some incredible research into how sexual violence has already crossed from the physical world into the digital world has been published, using Australia and the UK as the case study. The results are alarming and a wake-up call. This very well written summary of the research (page 31) is a must read for anyone in a Human Resource or Executive capacity. What controls are we putting in place in our organizations to stem the rapid rise of digital sexual violence? In terms of corporate culture and the changes needed, this is another area that Executives and Human Resource teams will need to lead on. This is one of the core concerns raised in the VIP interview (page 38) regarding the challenges and threats in cybersecurity. With over one third of all breaches originating from insider threats (page 34), we have an article discussing insider threats and mistakes, and this applies to large or small businesses.

We continue to move rapidly toward the May implementation date for the GDPR. Whilst large companies already have teams working away on compliance, with SMEs there still seems to be a significant lack of awareness of the breadth and impact of these changes. Many of the executives I meet from smaller mid-size companies in my role as CEO of iCyber-Security Group still have not even heard of the new data protection regulation revisions. This is concerning, especially given the potential fines and personal liabilities at stake. Many of these smaller businesses are likely to leave compliance either to the last minute or even until after the deadline date. With such little time to make significant changes, for many of the directors of these businesses the question will arise whether self-certification is possible (page 24), and demand will grow for templates to be made available. The GDPR changes are as much about organizational improvements in process and the training made available for staff as they are about technological compliance. Whilst data privacy and protection is undoubtedly driven by tools of a technical nature, the need for training at all levels of the organization becomes paramount to improving basic security.

Our industry does not help itself with the complex acronyms, technical product names and every vendor’s solution seemingly covering all possibilities. How we move toward something that makes it easier to discuss cyber-security protection, make it less “geeky” and encourage staff to learn and explore how to improve personal security is a huge challenge in both the work and home environment. It is only by encouraging teams and families to discuss this more, to talk about concerns and fears and useful tips, that we can start to make some progress toward a safer society. Possibly one of the first actions we can take is with passwords, and our opening article explores why single use passwords (page 6) should be banned.

If you would like to contribute articles or have suggestions for us to cover in future editions of the magazine, or even wish to purchase hard copy versions of the magazine to give to your customers, please do contact us via email at info@cybersecuritytrends.uk. On our website https://cybersecuritytrends.uk you can also view publications in other languages / countries and purchase subscriptions for future editions. The next edition, to be published at the end of December, will have a special focus on Training and will look at the tools needed for Application Security, which represents the hottest growth topic on the agenda of CTOs and CISOs.



Cybersecurity - The United Nations (and not only) Acting as One

author: Marco Obiso Cybersecurity Coordinator, International Telecommunications Union (UN-Geneva)

The ITU, as requested by the international community through the UN World Summit on the Information Society, has taken as a core principle of its mandate the need to build confidence and security in the use of ICTs. Information and communication technology may have changed since the advent of the telegraph, but the mission of the ITU to “Connect the World” in a safe and secure manner has not. 145 years ago the ITU was established to deal with the challenges and opportunities of what was the very beginning of the information age. Today, ICTs have become an essential part of human development. Management and provision of water supplies, power grids, food distribution chains, transportation, and navigation systems depend upon ICTs. Industrial processes and supply chains are underpinned by ICTs in order to render services more efficient as well as to support building capacity on their effective use. The essence of the challenge of cybersecurity is that the Internet and global ICT were never designed with security in mind. The cyber environment of today is significantly different from 60 years ago and is continuously challenging many of the traditional approaches to security, requiring more and more holistic and innovative solutions. One thing, however, is certain: cybersecurity is a global issue that can only be addressed globally. As the leading UN agency for ICTs, the ITU plays a pivotal role in facilitating this global cooperation, and together with governments, the private sector, civil society, and international organizations, can expedite the process of achieving a global cybersecurity culture, through:

Facilitating the harmonization of frameworks at national, regional, and international levels;
Providing a platform to discuss and agree on technical mechanisms to be used to mitigate the risks posed by misuse of ICTs;
Assisting Member States in establishing the organizational structures needed to respond proactively to cyber-threats, triggering coordination and cooperation with all stakeholders at national and international levels;
Promoting the importance of building capacity and international cooperation as key elements for countries to follow up in order to acquire competence and expertise toward achieving a cybersecurity culture at national, regional and global level.

In May 2011, the first step in this direction was taken as the ITU and the United Nations Office on Drugs and Crime signed a memorandum of understanding (MoU) to collaborate globally in assisting Member States to mitigate the risks posed by cybercrime, with the objective of ensuring secure use of ICTs. It was the first time that two organizations within the UN system had formally agreed to cooperate at the global level in regard to cybersecurity. In June 2017, the ITU entered into a similar agreement with INTERPOL, following the same approach of pooling resources in order to help the respective communities.

The ITU has realized the importance of decentralizing and distributing efforts, empowering those organizations and entities that possess the specific knowledge and expertise required to provide proper assistance not only to the ITU Membership, but to the community as a whole. Establishing global cybersecurity may be a complex, multifaceted, and challenging task, but if we act as one, the benefits gained from our information society may provide humanity with the best chance it has ever had for sustainable peace, security, and development.


“Application Whitelisting” The most effective anti-malware strategy

author: Cătălin Pătraşcu Translated from original text in Romanian

Analyzing the data processed by CERT-RO over the past few years on various malware variants, as well as the information published by various cybersecurity organizations during this period, there is an obvious trend towards diversification, specialization and increasing complexity of malware, whether we are talking about APTs (Advanced Persistent Threats), botnets, banking botnets or ransomware. Malicious software is one of the most widespread and dangerous types of cyber threat, primarily because of the negative impact it can have on an infected computer system. There are currently a variety of techniques and technologies designed to combat this type of threat, such as the well-known antivirus solutions, firewalls, IDS, IPS, etc., which are still quite effective. However, this text is about the “Application Whitelisting” concept, whose implementation I consider to be of particular importance for combating the malware threat. “Application Whitelisting” involves implementing a mechanism to ensure that only authorized / known (approved, i.e. whitelisted) software runs within an IT system.

BIO: Head of Office Computer Security and Monitoring, CERT-RO

At first glance, it seems idealistic, and perhaps this is one of the main reasons why such a mechanism does not have a high implementation rate, especially among small organizations and even households. The concept itself is not new: it represents an application-level extension, in the TCP/IP stack, of the “default deny” approach (nothing allowed by default) long used by firewall technologies. The correct implementation of “Application Whitelisting” implies:

Tools to facilitate the identification of executables and software libraries (such as DLLs in Windows) and which allow or block their running;
Methods for identifying executables and software libraries that are not based on weak rules, such as the file name or its location in the directory structure. The most effective method is to identify them based on their digital certificates or, if they are not signed, on the basis of “hash” digital fingerprints;
ACLs (Access Control Lists) that prevent users from changing the allowed list of software.

Currently, “Application Whitelisting” is considered to be one of the most important strategies for combating malware threats. There are already several technical solutions that can be implemented, including by home users, especially on Windows operating systems, where implementation can be done using tools already contained in the operating system:

SRP (Software Restriction Policies) - a feature of the Group Policy tool, available starting with Windows XP;
AppLocker - the recommended tool starting with the Windows 7 operating system, with the same purpose as the SRP facility of Group Policy.

For Linux / Unix operating systems, the implementation of “Application Whitelisting” can be a bit more difficult and resource heavy, because it is not natively supported by the kernel and there is no tool dedicated to this in the major Linux distributions. However, there are some commercial solutions that facilitate implementation, but they depend on the kernel version used and problems with upgrades may occur. Other alternatives would be using the SELinux or AppArmor tools, although they were not designed for this purpose and would require consistent implementation and testing resources. In some cases, the implementation of “Application Whitelisting” may prove difficult and resource-consuming, but the benefits from preventing malware infections are considerable. Furthermore, a high level of visibility is gained regarding the executable files and software libraries introduced into an information system, which is very useful in the cybersecurity incident investigation process. In conclusion, although no security solution can be considered a panacea, “Application Whitelisting” is probably the most effective way to reduce the impact of malware in today’s computer systems.
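To show why the article prefers digital fingerprints over file-name or path rules, here is an added Python example (not from the article or from CERT-RO) that derives both a name-based and a SHA-256-based allow list from a constructed “approved” directory and evaluates three constructed candidate files against each. It assumes the approved binaries are unsigned, so the hash rule stands in for the certificate check that tools such as AppLocker apply first.

```python
"""Hash-based application whitelisting check on constructed sample files.

Added example: contrasts a weak name-based rule with a SHA-256 hash rule.
All files and their contents are constructed inline; a real deployment
would derive the allow list from signed or vetted binaries and protect
it with ACLs so that users cannot extend it.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allow_lists(approved_dir: Path):
    """Derive both rule sets from the approved software directory.

    Returns (names, digests): the name-based list (weak) and the hash list.
    """
    names, digests = set(), set()
    for p in approved_dir.rglob("*"):
        if p.is_file():
            names.add(p.name)
            digests.add(sha256_of(p))
    return names, digests


def allowed_by_name(candidate: Path, names) -> bool:
    """Weak rule: the file name alone decides (satisfied by any rename)."""
    return candidate.name in names


def allowed_by_hash(candidate: Path, digests) -> bool:
    """Strong rule: the content digest must be on the allow list."""
    return sha256_of(candidate) in digests


def evaluate(candidates, names, digests) -> dict:
    """Return {file name: {"name": allowed?, "hash": allowed?}} per candidate."""
    return {
        c.name: {"name": allowed_by_name(c, names), "hash": allowed_by_hash(c, digests)}
        for c in candidates
    }


def demo() -> dict:
    """Constructed scenario: an approved tool, a trojanised namesake, a renamed copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        approved = root / "approved"
        approved.mkdir()
        (approved / "tool.exe").write_bytes(b"APPROVED-TOOL-v1\x00")  # constructed

        downloads = root / "downloads"
        downloads.mkdir()
        # Same name as the approved file, different content: a name rule passes it.
        (downloads / "tool.exe").write_bytes(b"TROJANISED-TOOL\x00")
        # Byte-identical copy under another name: only the hash rule recognises it.
        (downloads / "tool-renamed.exe").write_bytes((approved / "tool.exe").read_bytes())
        # Unknown binary: both rules block it.
        (downloads / "other.exe").write_bytes(b"UNKNOWN\x00")

        names, digests = build_allow_lists(approved)
        return evaluate(sorted(downloads.iterdir()), names, digests)


if __name__ == "__main__":
    for fname, verdict in demo().items():
        print(f"{fname:18} name-rule={'allow' if verdict['name'] else 'block'} "
              f"hash-rule={'allow' if verdict['hash'] else 'block'}")
```

The hash list must be regenerated whenever approved software is updated, which is the operational cost the article refers to; the same check applies to DLLs and other libraries, not only to executables.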



Focus - Cybersecurity Trends

5 reasons single-password authentication should be banned

author: Marco Essomba CTO, iCyber-Security Group Ltd

I use passwords a lot. I have different types of passwords, from strong, mega strong, and paranoid strong. Some I can remember, some I can’t – it drives me mad sometimes. Whether you like passwords or not, single-factor authentication (SFA) – also called single-password authentication – remains one of the most common first lines of defense used by various online systems to protect against unauthorized access to applications and data. Single-password authentication also remains one of the most common attack vectors used by cyber-criminals to break into online systems. My view is that single-password authentication should be banned worldwide. All publicly accessible online systems that rely on a single password should be forced to use at least one form of strong multi-factor authentication (MFA). In this article, I cover five reasons why.

The growing threat of phishing, ransomware, and advanced persistent threats (APTs)

With the rapidly growing number of sophisticated cyber-attacks, such as phishing and ransomware, SFA has had its day. One way to fight back against the rise in cyber-attacks is by using strong MFA. It must be widespread and used as the most basic type of authentication mechanism. Unfortunately, many service providers and organizations still rely on SFA as their preferred method of authentication for online systems connected to the internet. This is very bad. Here are five reasons why.

BIO: Marco Essomba is a Certified Application Delivery Networking and Cyber Security Expert with an industry-leading reputation and 2017 runner-up in the UK CyberSecurity Industry Personality of the Year award. He is the founder of iCyber-Security, a UK-based firm that enables organizations in banking, financial technology, healthcare, retail, and the insurance sector to safeguard their digital assets. Follow Marco on www.linkedin.com/in/marcoessomba/ or on Twitter: @marcoessomba. Learn more about how to protect your digital assets: https://www.icyber-security.com

1. Humans are naturally “lazy” when it comes to passwords

When we are challenged to create a password, we often choose something we can remember easily. That usually leads to a weak password. Using password generator software can help create very strong passwords. However, various online systems still do not enforce strong password policies, which means users can get away with creating very weak passwords.

2. Computing power is increasing dramatically

Password-cracking tools are getting more powerful. With the dramatic increase in computing power, these types of tools are now widely used by cyber-criminals. Such tools are used to guess and break passwords quickly using brute-force computational algorithms. And with quantum computing this power will increase exponentially, allowing password-cracking tools to break even the strongest password in a short period of time.

3. Some service providers still store unencrypted passwords

We hear in the news every day about various online systems being breached and personal information stolen. One such case was LinkedIn. By stealing millions of passwords, cyber-criminals used the password database to develop better tools for cracking passwords much faster.

4. Password renewal frequency

One way to keep your password safe is by changing it on a regular basis. Various online systems enforce this mechanism to strengthen security. However, forcing users to change passwords at short intervals leads to password fatigue. Unless strict password policies are enforced, users may often re-use previous passwords for convenience.

5. Password fatigue

Too many passwords. Too many online systems. Users are feeling the password fatigue. Many organizations are increasingly implementing single sign-on (SSO) to allow users to log in once using a single password and then gain access to several online systems using a chain of trust. However, if the initial password used to gain access is weak, the overall system is also weakened in the process.

Preventing unauthorized access with strong MFA

In summary, single-password authentication remains one of the most widely used mechanisms to protect various online systems against unauthorized access. Relying on single-password authentication alone is bad practice. I argue that it should be banned completely. All online systems accessible from the internet should be forced to use strong MFA – this will greatly reduce the rapidly growing number of cyberattacks worldwide.



Cyberpower, a view into future powers

author: Arthur Lazar, Cyberint

Technological revolution – the global megatrend of the twenty-first century

One of the biggest trends is the acceleration of transformation in different scientific and technological areas. The global spread of new technologies, and the relative ease and pervasiveness of access to them, represents not only a huge power opportunity but a substantial risk as well. Rapid evolution has involved dramatic growth in the speed of information circulation, so that the processing and acceleration of information transmission has fundamentally changed our entire life. The first web site was designed in 1991.[1] In 1993 there were almost 50 and in 2000 the number surpassed 5 million.[2] The first electronic email was sent in 1971 and since 2013 more than 40 trillion emails are sent yearly from one user to another.[3] We are now surrounded by a significant number of computers and devices. They play a major role in our life. It is almost impossible to imagine our life without access to these instruments, starting with reading electronic newspapers every morning, writing and replying to emails and messages, and so on, which are now daily routine. Advanced technologies make us feel dependent on them. The Internet is not only about sending and receiving emails. Entire critical infrastructure networks used by power plants, energy companies, transport or communications are manipulated through computers. These computers are not isolated. They are connected into a huge network. As a result, global interconnection is one of the defining characteristics of the “technological revolution”, and the central part of our life is directly dependent on devices connected through the Internet. We could say a major component of our life does not live in the physical space but in the “virtual environment”.

A similar transformation is felt in the global power (political) sphere too, from an international relations perspective. The new reality has a fundamental effect upon the nature of power. Its distribution is wider and its diffusion global, reaching unimaginable levels (anonymous people can obtain significant informational resources which, transformed into effective power, could create problems for the biggest nation states).

Cyberpower – definition and characteristics

The emergence of a new virtual reality has a major influence over the changing of power characteristics, causing the emergence of a new power type, called cyber power. One of the most complete definitions of the cyber power concept is Daniel Kuehl’s, who states that “cyber power is the ability to use cyber space to create advantages and influence in all operational environments and across all instruments of power”.[4] A few stipulations are needed.

Cyberpower is an expression of evolved physical geography, a new power domain. 200 years ago power was almost exclusively about land. Big armies, infantries, heavy cavalry etc. fought for many years in crucial land battles. At the start of the 20th century naval technologies and the emergence of big maritime fleets exploited the sea space. At the beginning of the 1900s, Alfred Mahan, the US War Academy general, displayed a large military fleet, drawing attention that a new power was going to emerge: the USA.[5] Later, due to air technologies, air space was used as a power resource. It is said the Second World War was largely won as a direct consequence of the decisive contribution of the allies’ air fleet. Eventually, in the sixties, seventies and eighties, and during the Reagan administration, once “Star Wars” had been started and the unprecedented arms race took place, the battlefield looked to have moved into outer space. Recently, in the context of the Internet boom, cyber space resources have been handled in order to be transformed adequately.

Cyberpower has no value without projection capabilities. This means any power must have the capacity to impose itself in front of others, to make an impact to model and influence different behaviour types.[6] To achieve this the power needs projection capabilities. Cyber power projection is equivalent to naval fleets helping troop transportation and mobility, with improved logistical military capabilities. But in the cyber case the projection is almost instantaneous. As a US military strategist emphasised, through cyber power we could damage critical infrastructures many miles away with a click of a mouse.[7]

Even though cyberpower seems to look very similar to the other power types (naval, air, space), it is different and superior. Cyberpower has at least five dimensions, expressed in all five space types just discussed: land, sea, air, outer space and cyber space. Cyberpower is also a sum of resources that include economic, military, social and organizational. Being a resource that could fundamentally influence other types of power, it has a significant weight in the general index of power. These distinctive qualities open a new power horizon. Cyber power means more than naval power in times of maritime developments or space power in the years of Star Wars. At that time, none of those power types comprised all other power types; they usually tended to control just military or economic power. It is our view that power, both present and future, will fundamentally depend on cyber resources and especially on those who will mobilise as many resources as possible.

3

the expert opinion is that the transformation of doctrines and operational mechanisms of modern armies depends on the efficient exploitation of cyberspace capabilities. The most important resource categories used and applied in cyberspace, are13: Physical resources: man made devices, plus infrastructure allows information circulation (computers, mobile cells, fibre optics, space systems of communications, critical infrastructures, and industrial systems of networks). Control of physical resources from cyberspace is highly important. The euro Atlantic community is deeply worried about the invasion of Chinese devices on western markets. The low price paid for the products of these companies is almost impossible to be counter balanced in a global economy. As a result

1

The resources of cyberpower Power depends on resources. Cyberpower depends first on cyber resources and second on the capacity to transform those resources into real dividends of power. Paul Kennedy, in his study about the rise and fall of great powers, shows changing dynamics usually involved technological and economical evolutions.8 These evolutions depend on a large variety of resources. Structures changed from one historical period to another, which often brought value directly to the economy and technology. The scientific innovation process made the difference in those times. After 1500, the expansion of fighting ships supplied with long range cannons and the trade and commerce development in the Atlantic brought considerable advantage to those European states with the knowledge. Development of steam engines with coal and iron resources massively increased the relative power of some nations.9 In other words, welfare and economic power was necessary to sustain military power and vice versa. But none of these resources ever exerted such a multilateral influence over the others as cyber power resources can, where globalisation, information revolution, network control and technical interconnections have just become an important additional source of power. Cyber power leverages the efficiency in the way it can combine all resource types.10 At a high level it could be said “cyberspace is a virtual reality, completely immersive, in which computer users from the entire world can communicate each other and have mutual interactions”.11 This space is easily accessed by a large number of actors, and cheap resources, which expose it opportunities, as well as many risks. Ever since early 1990, network centric war strategy has started to replace platform wars, having at its’ “historic” centre military capabilities. 
The idea was expressed 20 years ago by Jay Johnson, former US Navy head of naval operations.12 The mechanism of directing a rocket in its way to the target depends on the position of a certain satellite, which is dependent as well on the infrastructure and commands received through cyberspace. Moreover,

the situation is thought to generate many vulnerabilities, if there is a supposition the devices might be used secretly by the maker exploiting unknown product vulnerabilities. The “Equation group”, associated by reverse engineering experts with TAO (Tailored Access Operation), the NSA electronic espionage team, designed its attack strategy based on infecting hard drive firmware of the most important companies producing those types of devices and selling it on the entire world.14 For that objective to be reached it was absolutely necessary to get access to the basic documentation of every series of those hard drives. In reality, to be able to do that, needed a huge category of resources, which very few can afford ! Knowhow: is highly important too. Neither Stuxnet nor Duqu would have caused so much damage in the Iranian industrial systems, if not the result of extremely advanced, highly sophisticated technological knowhow. For many years the IAAE experts (The International Agency for Atomic Energy) and Iranian state had no success finding a plausible explanation for the systemic failure of Natanz nuclear power plant centrifuges. Even though, the failure rate of those centrifuges, in normal use conditions, was approximately 10% per year, in just a few months 2,000 were replaced.15 A few years later a small reverse engineering company from Ukraine found the cause: Stuxnet one of the most sophisticated cyber weapon ever created, hidden in 500 KB of memory

2

9


ends Authorities - Cybersecurity Tr installed in a legitimate data package on the servers, which controlled the nuclear power plant. This huge scandal proves cyber power might be a very effective tool, more efficient than an economic blockade and more effective where traditional intrusive methods cannot be used. Human factor: Cyber power needs an efficient and qualitative human factor. The more qualified the human factor, the bigger the chance for an effective cyber power mechanism. It is well known Chinese hacking teams, which make up a large number of the total amount of “hackivists” worldwide, usually succeed in making trouble in the international landscape, both attacking national critical infrastructures and using intrusive tools usually associated with the espionage to steal international secrets. These “special hacking teams” consist of a huge number of human beings, very well prepared technologically. Human factor is a big vulnerability as well. Eduard Snowden made dramatic damage to the NSA once he released the agency’s secret operations. Moreover, his close relationship with Russian power and Kremlin would have offered to the later some opportunities it could not get otherwise. To these resources we can add, the information itself as a power resource, cyberspace itself is an informational environment, where information is created, stocked, and shared. The further knowledge, resulting from this process help in decision making processes.16 Joseph Nye emphasises cyber power is both hard and soft, effective inside and outside cyberspace.17 Cyberattacks targeting a computer or a critical infrastructure represent a hard resource, whilst a public diplomacy campaign run through the Internet to influence public opinion is a soft cyber resource. 
In this process, the credibility of those who disseminate the message is also a power resource.18 But credibility takes time to build and can be lost in a second, so it is possible that wars will be won by those who have the most credible story to share.19

Hacking and reverse engineering – the two faces of cyber power

As with other types of power, cyber power relies not just on projection capabilities but also on the capacity for defence, this being mainly a task for nation states, especially when major national infrastructures are attacked. In the past, protection and defence capabilities were strategically placed fortifications and extremely mobile armies ready to defend a certain territory or position. Later, sea and air fleets were used to defend. Today, an advanced protection system can itself be seen as a threat by the adversary: the US ABM (Anti-Ballistic Missile) system deployed in some European countries is seen by Russia as a direct threat to its national security, even though the system was meant to protect territory rather than attack an adversary. After the Second World War the biggest actors in the system preferred to keep conflict far away from their national territory; as a result, war went to other countries, Korea, Vietnam or Afghanistan being just a few examples. Now, with cyber, the situation has seriously changed, as the most powerful actors in the system can be hit at home by the adversary's capabilities.

In conclusion, cyber power has two critical components in its structure: a defensive part (also called cybersecurity) and an offensive part (linked to what is called "projection"). The biggest problem is that the two resource types (offensive and defensive) behave very differently: the damage resulting from an inefficient defensive system cannot be offset by attack capabilities. It is generally accepted that an efficient cybersecurity system has to accomplish three main objectives20: confidentiality, integrity and availability. Confidentiality means the protection of data from unauthorised disclosure, achieved by technical mechanisms such as encryption and access control.

Integrity is meant to consolidate the mechanisms within the system so that it cannot be altered without authorisation. In the case of Stuxnet, the damage arose because the system and its resources were used without legitimate authorisation, while the intrusion appeared entirely legitimate: firewalls and antivirus programmes saw it not as an illegitimate action but as normal activity. Availability means the capacity of the system to keep its resources and its general functioning available over time. The principle is that the system must be built so that vulnerabilities causing malfunction cannot be used by the attacker. Disruption of an entire critical infrastructure network by DDoS attacks best illustrates this characteristic. Singer and Friedman add a fourth feature: resilience.21 The premise is that the inevitable cannot be avoided, so the system must keep operating even while it is under attack. Doing this requires a huge amount of resources, which only a few can afford. The two faces of cyber power act differently; the strategies and the resources are different. Paradoxically, reverse engineering is less complicated than hacking. By analogy with espionage and counter-espionage: the first is meant to collect intelligence, the second to protect the system from the attacker's spies. The problem occurs when the adversaries are not visible. Solutions for an advanced cybersecurity system are few. Some antivirus programmes (software) can be developed to protect the system, but those can be ineffective. In other cases public-private partnerships are seen as a supplementary option, but not every state is ready to protect its own systems by outsourcing protection services to private entities. Finally, security awareness or early learning programmes for governmental agencies are important. But cyber weapons are highly technologized and use highly sophisticated know-how that often makes security sensors ineffective.

Cyber power actors

With cyber power actors an important barrier occurs: imperceptibility. This feature comes from the very nature of cyberspace, which is more and more permissive and allows both state and non-state actors to spread. Historically, the international system was created around the concept of the state. Whatever the system was (unipolar, bipolar or multipolar), once the Peace of Westphalia was ratified, nation states became the cornerstone of the international system. Power was distributed only between them. State power and its resources were visible, sometimes measurable, and expressed through powerful armies, considerable natural resources, advanced technologies or efficient economies. Power was perceptible. Now the distributed nature of cyberspace means that not only can non-state actors achieve relative power capability, but even individuals can pose threats against states and their assets. By analogy with traditional forms of power, the only entities that could really mobilise considerable power resources were states. The use of a certain resource type (a strategic bombing fleet) was not only extremely expensive but, almost exclusively, a state responsibility: the bombing fleet was owned neither by various groups nor by individuals spread all over the world. For cyber power "the landscape" is different. In terms of intent, a hacker from Singapore might want to obtain clients' credit card credentials in order to steal their money. An organised hacking group might attack a company to sell its secrets to competitors. It is unlikely that these types of actions could have a major effect on the system. But if a hacktivist group succeeds in neutralising the banking system of a certain country, at a moment of instability for example, that is something else. If the attack implies considerable access to resources, then it is reasonable to say that a state actor might be the handler.
The conclusion is that even though power is more distributed, the most important holders of critical cyber resources remain states.22 Experience shows that cyber espionage and cyber sabotage are state tools, and at least for now states are the only actors having the intentions, motivations and resources for those types of activities. But how can we tell whether a cyber weapon is used by a state or by a hacking group? An army is visible and countable, so it can easily be linked to a power that can be pointed out. Cyber weapons are difficult to see and perceive. Attribution remains a task for cyber intelligence specialists, who can only deliver a "plausible assessment".23 Three levels of cyber power concentration exist:24 1) states and governments; 2) highly structured organisations (companies, NGOs, hacktivist groups); and 3) non-structured organisations, including individuals. These three layers are not stable. Individuals can offer support to highly structured organisations, which in turn interact with their governments, either on the strength of public-private partnerships or, as in Russia or China, as a consequence of a local culture in which state control is very effective. Know-how circulates in both directions too. But sooner or later a state actor will try to control them and make them act on its behalf. In recent years the biggest cyber-attacks appear to be linked with a nation state. Stuxnet, Duqu, Animal Farm, APT 28, Red October are only a few examples of cyber weapons and campaigns attributed to both countries from the NATO bloc and states from the other side. Probably for the next few decades traditional power resources will still count, but the way they combine with cyber ones could make a major difference.

Cyberberkut, a hacktivist group fighting in the Ukrainian cyber war

In early 2014, after long-standing anti-government protests by the Ukrainian pro-European movements supporting the EU association agreement, the former pro-Russian President Viktor Yanukovych left the country for Russia. Shortly after the Ukrainian Rada voted to repeal the law that had given Russian the status of a regional language, the Russian Army massed significant military forces at the Russian-Ukrainian border. A few weeks later, Russian President Vladimir Putin received a unanimous vote of the Federation Council authorising a military intervention in Ukraine. Later, invoking the need to protect Russian citizens living abroad, Vladimir Putin had the military intervene in Crimea, taking control of a territory which was "de jure" under Ukrainian jurisdiction. Despite international pressure against Russia from both Europe and the USA, Russian military forces have been maintained and a general conflict has broken out. The geopolitical role of Ukraine and its critical importance for Russia cannot be called into question. But a significant part of the conflict that has arisen is fought in cyberspace, where "hacktivist" teams are extremely active. Cyberberkut is one of the most active. Cyberberkut is a pro-Russian group which emerged immediately after Putin invaded Crimea. The name of the group is derived from Berkut, the former special police force created in 1992. Its short history has already delivered intense cyber activity, from DDoS attacks against Ukraine and its government agencies to hacking activities against very high-level targets from the EU and NATO.


Bibliography

1. Singer P. W., Friedman Allan, Cybersecurity and Cyberwar, Oxford University Press, 2014
2. Nye Joseph, Cyber Power, Harvard Kennedy School, Belfer Center for Science, May 2010
3. Nye Joseph, The Future of Power, Polirom, Bucharest, 2012
4. Kuehl Daniel, From Cyberspace to Cyberpower: Defining the Problem, in Kramer Franklin, Starr Stuart, Wentz Larry (eds.), Cyberpower and National Security, US National Defense University Press, Washington DC, 2009
5. Popescu Paul, Bârgăoanu Alina, Geopolitica, NUSPA, Bucharest, 2004
6. Baldwin David, Power and International Relations, in Carlsnaes Walter, Risse Thomas, Simmons Beth, Handbook of International Relations, Sage Publications Ltd, 2013
7. Kennedy Paul, The Rise and Fall of the Great Powers, Polirom, Bucharest, 2011
8. Maior George Cristian, State, Networks, Companies and Individuals: Cyberspace Paradoxes, in Seven Fundamental Issues for Romania, RAO Class, 2014, p. 190
9. Zetter Kim, Countdown to Zero Day, Crown Publishers, New York, 2014
10. Klimburg Alexander, Cyberpower and International Security in International Relations, seminar, https://mediacapture.brown.edu:8443/ess/echo/presentation/8792278f-7098-40ec-87a7-a51ac98c49fa
11. Cosmoiu Florin, The Impact of the Global Cyber Threat: Evolutions and Perspectives in Romania, in Seven Fundamental Issues for Romania, RAO Class, 2014
12. http://cyber-berkut.org/en/olden/index5.php
13. https://www.f-secure.com/weblog/archives/00002791.html
14. http://www.globalresearch.ca/unconfirmed-reports-electronic-files-of-ukraine-central-election-commission-cec-disabled-dnipropetrovsk-administration-computer-network-destroyed-unconfirmed-report-by-cyberberkut-hackers/5383742
15. http://www.rt.com/news/nato-websites-ddos-ukraine-146/
16. http://www.ibtimes.co.uk/german-government-websites-including-angela-merkels-hit-by-severe-cyberattack-1482345
17. http://leaksource.info/2015/07/12/leaked-video-shows-making-of-islamic-state-execution-in-studio-via-cyberberkut-hack-of-sen-mccain-staffer/
18. http://leaksource.info/2014/03/05/ukraine-leaked-call-estonia-foreign-minister-and-catherine-ashton-snipers-allegedly-hired-by-maidan-leaders/
19. http://natocouncil.ca/cybersecurity-and-the-ukraine-crisis-the-new-face-of-conflict-in-the-information-age/
20. http://thediplomat.com/2015/03/russia-tops-china-as-principal-cyber-threat-to-us/

According to its website the group started the fight in March 2014, when it launched an attack against the pro-European websites supporting the revolution.25 This was followed by attacks resulting in the obstruction of more than 800 mobile phones used by activists of the Ukrainian right.26 The following examples are just a few frames of its cyber struggle:
- 15.03.2014 – a DDoS attack against multiple NATO websites, including the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. The attack was confirmed by NATO;27
- 22.05.2014 – a few days before the presidential elections in Ukraine, Cyberberkut launched another attack, against the Central Electoral Commission of Ukraine;28
- 26.07.2014 – a hack of the email of a high-ranking official of the Ukrainian Ministry of Defence;29
- 14.08.2014 – Cyberberkut officially claims the shutdown of the official websites of both the Polish Presidency and the Warsaw Stock Exchange;30
- 22.11.2014 – the group published documents about military cooperation between the USA and Ukraine, during US Vice-President Joseph Biden's official visit to Kiev;31
- 07.01.2015 – the websites of the German Chancellery (Angela Merkel's office) and of the German Parliament were taken down;32
- 11.07.2015 – the group claims to have accessed the computer of a staffer of Senator John McCain and publishes a video which, according to the group, shows a so-called terrorist execution being staged in a US film studio in order to justify extreme retaliatory measures against some Middle East countries.33
One of its most spectacular interventions came on 05 March 2014, when the group posted a phone conversation between Urmas Paet (the Estonian Minister of Foreign Affairs) and Catherine Ashton (then High Representative of the EU for Foreign Affairs), immediately after they had met about the situation in Ukraine. Estonian officials later confirmed the authenticity of the conversation. More interesting still, the Estonian official was on Estonian territory and Catherine Ashton was in Brussels!34

A few observations should be made:
- the victims cover a wide range of targets: Ukraine, the EU, Germany, Poland, the USA, NATO etc. The group fights against countries hostile to the Russian military intervention in Crimea;
- the attacks are diverse and include: blocking or destroying websites, communication systems and sometimes critical infrastructures; data exfiltration from targeted emails or high-ranking officials' personal computers; cyber espionage, where the documents relate to Western military plans in Ukraine; intensive pro-Russian propaganda, strongly directed against the pro-European forces in Ukraine. The last seems to be one of the main objectives of the group;
- the group's activity shows high versatility and rapidity;
- its technical capabilities and know-how seem extremely advanced, as it was able to intercept and tap phone calls on Ukrainian and European mobile networks;
- its human resources must be considerable and substantial, as the group is capable of reacting almost immediately to every major event in Ukraine;
- analysis of the group's activity reveals an evolution of the attacks, from DDoS to hacking tools.

It is obvious that the group reacts fast to physical events and has succeeded in doing damage where traditional tools cannot. In conclusion, based on analysis of victims, resources, intentions and behaviour, we have a plausible and reasonable attribution which points to a state actor with major interests in Ukraine and hostile to NATO as well! Nevertheless, there are no technical certainties.

Conclusions

Cyber power emerged from both the Internet and modern technical communication systems. It is fundamentally different from the other types of power in terms of its internal ingredients and the influence it exerts. Its diffusion, its force of projection and its imperceptibility make cyber power almost impossible to counteract. This is the main reason why big actors can be hit without any prior deterrence. For as long as physical resources remain important, cyber power cannot replace traditional power assets. But these can be amplified by cyber resources, and the new combination can make the difference. This is the main reason why cyber power is a pillar of general power and its weight in the general power index is rising significantly. Like traditional power, cyber power is contextual, cumulative and renewable. The actors that succeed in maximising these features will eventually have the biggest chances of reaching the top of the power ranking. Although its resources are accessible to a broader group of actors, reality shows that only states can really access those assets which make a real and significant difference. In conclusion, cyber power as a pillar of general power is a smart feature of smart states. The way in which actors combine all types of resources and transform them into effective power will influence how power is exerted and how it is distributed within the system.

1 Singer P. W., Friedman Allan, Cybersecurity and Cyberwar, Oxford University Press, 2014, p. 2
2 Nye Joseph, Cyber Power, Harvard Kennedy School, Belfer Center for Science, May 2010, p. 2
3 Singer P. W., Friedman Allan, op. cit., p. 2
4 Kuehl Daniel, From Cyberspace to Cyberpower: Defining the Problem, in Kramer Franklin, Starr Stuart, Wentz Larry (eds.), Cyberpower and National Security, US National Defense University Press, Washington DC, 2009, p. 24
5 Popescu Paul, Bârgăoanu Alina, Geopolitica, NUSPA, Bucharest, 2004, p. 46
6 Baldwin David, Power and International Relations, in Carlsnaes Walter, Risse Thomas, Simmons Beth, Handbook of International Relations, Sage Publications Ltd, 2013, p. 275
7 Singer P. W., Friedman Allan, op. cit., p. 4
8 Kennedy Paul, The Rise and Fall of the Great Powers, Polirom, Bucharest, 2011, p. 391
9 Ibidem, p. 15
10 Kuehl Daniel, op. cit., p. 3
11 Apud Samuel McQuade, Encyclopedia of Cybercrime, Greenwood Publishing Group, in Seven Fundamental Issues for Romania, RAO Class, 2014, p. 190
12 Maior George Cristian, State, Networks, Companies and Individuals: Cyberspace Paradoxes, in Seven Fundamental Issues for Romania, RAO Class, 2014, p. 190
13 Singer P. W., Friedman Allan, op. cit., p. 13
14 https://www.f-secure.com/weblog/archives/00002791.html
15 Zetter Kim, Countdown to Zero Day, Crown Publishers, New York, 2014, p. 3
16 Kuehl Daniel, op. cit., p. 6
17 Nye Joseph, op. cit., p. 5
18 Maior George Cristian, op. cit., p. 191
19 Nye Joseph, The Future of Power, Polirom, Bucharest, 2012, p. 12
20 Klimburg Alexander, Cyberpower and International Security in International Relations, seminar, https://mediacapture.brown.edu:8443/ess/echo/presentation/8792278f-7098-40ec-87a7-a51ac98c49fa
21 Singer P. W., Friedman Allan, op. cit., p. 36
22 Cosmoiu Florin, The Impact of the Global Cyber Threat: Evolutions and Perspectives in Romania, in Seven Fundamental Issues for Romania, RAO Class, 2014, p. 283
23 Klimburg Alexander, https://mediacapture.brown.edu:8443/ess/echo/presentation/8792278f-7098-40ec-87a7-a51ac98c49fa
24 Nye Joseph, Cyber Power, Harvard Kennedy School, Belfer Center for Science, May 2010, p. 10
25 http://cyber-berkut.org/en/olden/index5.php
26 Ibidem
27 http://www.rt.com/news/nato-websites-ddos-ukraine-146/
28 http://www.globalresearch.ca/unconfirmed-reports-electronic-files-of-ukraine-central-election-commission-cec-disabled-dnipropetrovsk-administration-computer-network-destroyed-unconfirmed-report-by-cyberberkut-hackers/5383742
29 http://cyber-berkut.org/en/olden/index1.php
30 Ibidem
31 Ibidem
32 http://www.ibtimes.co.uk/german-government-websites-including-angela-merkels-hit-by-severe-cyberattack-1482345
33 http://leaksource.info/2015/07/12/leaked-video-shows-making-of-islamic-state-execution-in-studio-via-cyberberkut-hack-of-sen-mccain-staffer/
34 http://leaksource.info/2014/03/05/ukraine-leaked-call-estonia-foreign-minister-and-catherine-ashton-snipers-allegedly-hired-by-maidan-leaders/



Focus - Cybersecurity Trends

Cars and IT: Dangerous connections

author: Yannick Harrel. Translated from the original article in French.

Just as DDoS (Distributed Denial of Service) attacks seemed, over the last few years, to have become only minor, mostly irritating disturbances, more recent events have shown that they are coming back in force. One of them, of particular gravity, took place in France in September 2016, when a major hosting provider, OVH, faced attempts to paralyse its network with attacks of around 1 Tbps (terabits per second). The saturation bandwidth of the attack is remarkable, but its source is the most worrying: investigations have since shown that the attack was reportedly facilitated by IP (Internet Protocol) surveillance cameras with poor or non-existent protection. And IP cameras are part of the Internet of Things. The issue of Internet of Things security has two branches: one concerns their demographic explosion, from 8 billion in 2010 to probably 80 billion in 2020 (according to the IDATE study bureau); the other concerns their securing. Both branches are correlated: how can a rapidly expanding phenomenon, in perpetual change, be effectively secured? And here the cars of the future come into play. The well-known manufacturers, as well as the giants of the digital sector, are already seriously planning the autonomous vehicle of the future, that is, one steered with artificial intelligence. Artificial intelligence involves the partial and then full delegation of driving. This can only be achieved if the vehicle is capable of guaranteeing compliance with the most reliable route selected, and in order to comply with the starting command the vehicle must be permanently connected to its environment and to some communication relays. If the vehicles produced between 2000 and 2015 had a pre-installed, integrated database on the control screen guiding the human driver (e.g. GPS navigation), the current challenge for the designer is to provide a self-evolving, up-to-date database that can respond to even more specific requirements, such as a change of itinerary due to a temporary traffic jam or a search for the service station with the most advantageous rates within a radius of x kilometres. This is the first step towards a dynamic autonomous driving style (1). This driving style will require an up-to-date information flow, ranging from leisure information (for example, a festival taking place close to the vehicle's itinerary) to safety (for example, a route temporarily inaccessible due to floods). To this end, four categories can be defined:
- Entertainment information (signalling tourist spots near the vehicle's location, or entertainment software integrated in the control screen);
- Vehicle interaction (indication of battery usage, or calls to the manufacturer's assistance centre);
- Driving assistance (ecological driving style or itinerary planning);
- Vehicle self-security (distance keeping, payment of parking spaces, or global positioning to locate a rented vehicle).

And yet, what is the link between these connected vehicles and the IP cameras mentioned at the beginning of this article? A simple one: they follow the same worrying path. Their number will increase exponentially in the years to come, and some examples raise legitimate questions. One example in particular triggered a scandal in the specialised press: two security researchers, Charlie Miller and Chris Valasek, managed to interact remotely with a Jeep Cherokee (2), being able to use at will all the elements on board this 4x4, from the air conditioning system to the brakes and steering, from a distance of about 10 miles (16 kilometres).


The Fiat Chrysler group took this demonstration seriously and asked owners to correct this IT security weakness by installing a patch. The takeover can be even more insidious, as was demonstrated by the substantial alteration of a chosen itinerary on the navigation map. Dissected, the Uconnect system is a set of functions that allow you to browse, as well as play music or make a phone call. This multifunctional electronic system, found in one form or another at other groups in this sector, is simply an entry gate for malicious persons. The entry/exit points that may be the weak points of modern vehicles are:
- the On-Board Diagnostics (OBD) port;
- the 4G/LTE (Long Term Evolution) modem;
- Bluetooth;
- the CAN (Controller Area Network) bus / VAN (Vehicle Area Network) bus;
- the RFID (Radio Frequency Identification) chip;
- the CD/DVD reader.
These weak points are not always due to a lack of attention or a refusal to take security measures on the part of the manufacturers or their subcontractors. Many software weaknesses are actually unknown (zero-day) and are only corrected once their existence becomes apparent. It is just that the inventiveness of the hackers and the growth in the number of access points to modern vehicles complicate the work of the staff responsible for their eradication. In addition, consumers' demand for, and habit of having, a set of functions inside the vehicle makes their technical limitation impossible; deactivating electronic functions that help stabilise the vehicle in any situation does not even come into question. Under these circumstances, the growing market for connected vehicles will be easily integrated into the Internet of Things, as they will communicate and interact with the passengers and with static and mobile terminals.
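The list above names the CAN bus among the entry points of a modern vehicle, and the remote takeover described earlier ultimately comes down to messages injected on that bus. One defensive measure a practitioner can build is a simple anomaly detector over a CAN trace. The following is an added example written for this edition; it is not code from the article, from the researchers it cites, or from any vehicle manufacturer. It reads log lines in the format written by `candump -l` from the Linux can-utils package (`(timestamp) interface id#hexdata`) and flags three things: arbitration IDs absent from a baseline allowlist, frames whose payload length differs from the baseline, and bursts of one ID far above its nominal period, which is what an injected flood looks like when an attacker tries to out-pace the legitimate ECU. The baseline table, the meaning given to each ID and the sample trace are all constructed for illustration and do not describe any real vehicle; the ID 0x7DF is the standard OBD-II functional diagnostic request identifier, used here as an example of traffic that should not appear on a driving bus.

```python
"""CAN trace anomaly detection (added example; constructed data).

Input format is that of can-utils' `candump -l`:
    (1700000000.123456) can0 0C2#0011223344556677
Everything in BASELINE and SAMPLE_LOG is hypothetical and for
illustration only; it does not describe any real vehicle.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^\((?P<ts>\d+(?:\.\d+)?)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


@dataclass(frozen=True)
class Frame:
    ts: float        # timestamp in seconds
    iface: str       # interface name, e.g. can0
    can_id: int      # arbitration ID
    data: bytes      # payload (0..8 bytes for classic CAN)


def parse_line(line: str) -> Frame:
    """Parse one candump log line; raise ValueError if it is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a candump line: {line!r}")
    return Frame(
        ts=float(m["ts"]),
        iface=m["iface"],
        can_id=int(m["id"], 16),
        data=bytes.fromhex(m["data"]),
    )


# Hypothetical baseline learned from a clean drive: nominal period in
# seconds and expected payload length (DLC) for each allowed ID.
BASELINE: Dict[int, Tuple[float, int]] = {
    0x0C2: (0.010, 8),   # e.g. a 100 Hz steering-angle broadcast (hypothetical)
    0x1B0: (0.020, 8),   # e.g. a 50 Hz brake-status broadcast (hypothetical)
    0x2F4: (0.100, 4),   # e.g. a 10 Hz climate-control frame (hypothetical)
}

# A finding is (kind, can_id or None, timestamp or raw line).
Finding = Tuple[str, Optional[int], object]


def detect_anomalies(lines: List[str], rate_factor: float = 3.0) -> List[Finding]:
    """Flag unknown IDs, wrong payload lengths and per-ID rate bursts.

    rate_factor: a frame arriving sooner than period / rate_factor after
    the previous frame with the same ID is reported as a burst; an
    injected flood must out-pace the legitimate sender to win, so it
    shows up here before its content is even inspected.
    """
    findings: List[Finding] = []
    last_seen: Dict[int, float] = {}
    for line in lines:
        try:
            f = parse_line(line)
        except ValueError:
            findings.append(("malformed", None, line))
            continue
        spec = BASELINE.get(f.can_id)
        if spec is None:
            findings.append(("unknown_id", f.can_id, f.ts))
            continue
        period, dlc = spec
        if len(f.data) != dlc:
            findings.append(("bad_dlc", f.can_id, f.ts))
        prev = last_seen.get(f.can_id)
        if prev is not None and (f.ts - prev) < period / rate_factor:
            findings.append(("rate_burst", f.can_id, f.ts))
        last_seen[f.can_id] = f.ts
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, for a quick triage view."""
    counts: Dict[str, int] = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample trace: three legitimate 0x0C2 frames 10 ms apart,
# then two injected 0x0C2 frames 1 ms apart with a different payload,
# a diagnostic request (0x7DF) on the driving bus, a truncated 0x2F4
# frame, and one line of garbage.
SAMPLE_LOG = """
(0.000000) can0 0C2#0000000000000000
(0.010000) can0 0C2#0001000000000000
(0.020000) can0 0C2#0002000000000000
(0.020000) can0 1B0#0000000000000000
(0.021000) can0 0C2#FFFF000000000000
(0.022000) can0 0C2#FFFF000000000000
(0.025000) can0 7DF#0201050000000000
(0.030000) can0 2F4#0011
can0 junk
""".strip().splitlines()


if __name__ == "__main__":
    for kind, can_id, where in detect_anomalies(SAMPLE_LOG):
        ident = f"0x{can_id:03X}" if can_id is not None else "-"
        print(f"{kind:<11} {ident:<6} {where}")
    print(summarize(detect_anomalies(SAMPLE_LOG)))
```

Run against a real `candump -l` file by replacing `SAMPLE_LOG` with the file's lines; the baseline must first be learned from a trace of the same bus in a known-clean state, because the periods and payload lengths differ from one vehicle network to the next. Timing-based detection of this kind catches floods and out-of-place diagnostic traffic, but not a single well-timed forged frame with a plausible payload; that case needs content checks or authenticated messaging on the bus itself.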
The difference between hacking an IP camera and hacking a connected car is that, in the absence of a second control system able to take over, the risk of a fatal accident becomes extremely high for the driver and the passengers, as well as for other road users. It is a real danger that has drawn the attention of many equipment manufacturers and designers, who are trying to reduce the problem to a minimum risk threshold, for example by implementing collaborative initiatives that aim to exchange information and to direct researchers towards the IT security field, as well as towards antivirus and firewall design companies (for example, Auto-ISAC [Automotive Information Sharing and Analysis Center] or EVITA [E-safety Vehicle Intrusion Protected Applications]). This is a necessity because the work is Herculean: it is estimated that a connected vehicle contains almost 100 million lines of code, compared with just 8 million for a modern fighter jet. These exchanges between the different players in the field should allow not only an increase in the security level, but also protection against the theft of crucial elements from the holders of technological secrets. If remote takeover of a vehicle is the major risk, the risk of technical data theft cannot be neglected either, as the data concerns both the driver and the technical details of his or her means of transport. We must therefore not forget that the first line of defence in computer security remains the user, concerned with protecting his or her own property... and his or her own life.

BIO An expert and lecturer in cyber strategy at the Business & Finance School in Strasbourg, a founding member of the Echo RadaЯ think-tank and the owner of the "Cyberstrategy East-West" blog, Yannick Harrel is the author of numerous papers on cyber strategy and geopolitics for various publications and institutions. In 2011 he was awarded the national prize "Admiral Marcel Duval" by the French National Defence magazine. He was an employee of a pioneering company specialising in fibre optics and its deployment in France. He wrote the book "Economic and Financial Cyberstrategies", which became a reference and was updated and republished in September 2014. He took part in the launch of the Cyber Defence Master's programme at the Saint-Cyr Military School. At the invitation of the Council of Europe, he participated in the first two editions of the World Forum on Democracy, focusing on contemporary digital themes. His latest work, published in 2016, focuses on the automobile sector as affected by new technologies, communication and control: Automobile 3.0. He also studied and published, in March 2013, the first French-language book on Russia's cyber strategy.

Andy Greenberg, Hackers Remotely Kill a Jeep on the Highway - With Me in It, Wired, July 21, 2015, https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway
Auto-ISAC - https://www.automotiveisac.com/
EVITA Project - http://www.evita-project.org/
(1) An autonomous vehicle is not necessarily connected: it may, for example, use various receptors and integrated cameras (such as LIDAR [Light Detection and Ranging]) while moving in order to navigate in space. However, its effectiveness is limited to a certain geographic area and driving activity. In addition, such a vehicle does not communicate with the objects around it: it receives information without emitting any. Dynamic autonomous driving requires real-time data exchange. Conversely, a connected vehicle is not necessarily autonomous, because the driving delegation option might not have been selected or may simply not be available on that model.
(2) In 2013, a Toyota Prius and a Ford Escape were also hacked; however, the procedure required the presence of the two specialists inside the vehicle, and it was carried out through a cable connection, not remotely. In 2015, a remote hacking demonstration was made.


Control by Design: A specific example of a connected but non-disconnectable object author: Jean Christophe Schwaab Translated from the original in French

In 2013 I lost my credit card and requested a new one. When ordering the new card, I explicitly requested one without any contactless payment system ("NFC", Near Field Communication). On the one hand, because I am not interested in such a technology (which can favour spontaneous and uncontrolled purchases, generating debts, especially among young people); but above all because this technology is not safe at all: it can easily be hacked from a distance and, depending on the general conditions of the credit card provider, up to 120 Swiss francs paid abusively using this technology can be charged to the cardholder, even if he or she can prove that he or she took all necessary precautions. The legality of such a practice is very doubtful in my opinion, but who will file a lawsuit over 120 Swiss francs?*

BIO Born in 1979, he is a Doctor of Economic Law. He is a Member of the People's Chamber of the Federal Parliament of Switzerland (National Councillor), Vice-President of the Legal Affairs Committee of the National Council, Member of the Board and President of the ASEB "Association Suisse des Employés de Banque", Chairman of OSEO "Oeuvre Suisse d'Entraide Ouvrière", former Central Secretary of the USS "The National Union of Trade Unions" (editor's note), and former deputy of the Vaud Cantonal Parliament. He has published various articles on labour law (the list can be found here: http://www.schwaab.ch/publicationsscientifiques/). He lives in Riex, Canton of Vaud, is married and has two children. Twitter: @jcschwaab / Website: www.schwaab.ch


Therefore, the owner of such a credit card is now locked in and made responsible by a technology that can allow his/her data to be hacked, with consequences that can be costly for him/her, and which he/she did not request. Nothing would be more legitimate for the owner than to be able to give up using this kind of technology if he/she is not interested in using it. But the problem is that, with my credit card issuer (Visa, in connection with the Cantonal Bank of Vaud), it is impossible to obtain a card that does not already have such features installed. The card issuer has thus chosen to equip the cards with a technology that opens a security breach, while the risk is borne solely by the consumer. And this is not the most frightening point of the story: in order to avoid fraud, Visa advised me to wrap my credit card in aluminium foil, evidence that the provider itself does not really trust the technology it imposes. So I made a small anti-hacking security sleeve with what I had at hand (see photo). I am relaxed about it, even if my work does not look very solid and I have to replace it regularly... So, in order to protect ourselves from the risks coming from state-of-the-art technology, we are compelled to use a product that has been in the kitchen drawer for many decades! This unbelievable story is of interest for the concept of "Control by Design", control starting from the design stage, which gives the owner of a connected object the inalienable right to disconnect it from any network. In this particular case, the owner of a credit card should have the right to disconnect it from the NFC system, wherever and whenever he/she wishes. If, on the other hand, the owner considers this method of payment advantageous and is ready to take the risk of being hacked, it is his/her judgement and he/she can decide so freely. But if the owner is not willing to take any risk, he or she should also be able to decide so freely.
Data security accountability would then become the sole responsibility of the card issuer, which should offer customers the possibility to renounce the NFC technology. I hope that the Swiss Government will quickly implement my motion on “Control by Design” (1), which was accepted by the National Council in December 2014.

*Translator’s note: in Switzerland, lawsuit expenses are very high.

(1) http://www.parlament.ch/e/suche/Pages/geschaefte.aspx?gesch_id=20143739


When big industrial companies are hit… damages are huge

author: Laurent Chrzanovski

Awareness, always and always awareness. The very reason for the existence of this journal. Awareness is HUMAN before being TECHNICAL. The whole board of a company or of an institution must have a minimum level of awareness to be able to work in close understanding with its CISOs, CIOs and CSOs, so that they in turn can ensure that the minimal technical and human needs of those specialists are met and that the investments are there to allow them to sharpen the whole system’s defenses daily against the most realistic threat scenarios. After all, if a major accident happens, the CSO may be fired as a “scapegoat measure”, but, with the results we will look at hereafter, it is the board and nobody else that will have to answer for the losses.

With the insider threat (by ignorance) bigger than ever, a safe ecosystem can only be built with the active participation of all the employees, none excluded. Everybody should have the chance to be provided with a minimal awareness capacity in order to bring an effective contribution to his/her workplace. After all, if a major accident happens, the system will require expense cuts, generally resulting, as a first measure, in the firing of many employees…

In an issue dedicated to so many non-financial businesses going 4.0, from armies to big industries and, last but not least, whole State governance systems, we finally have real data about the real costs of an indirect global attack: “notPetya”, aka “Goldeneye”. The data now gives us the insight to sift through all the mainstream media “more or less sci-fi” headlines, with their statements on attribution, State wars, quick conclusions etc., and to gather real information on the consequences of this global malware for some top companies, as reflected in their half-year financial reports (H1).
While we are waiting for the impacts on H1 profits, we already see some astonishing Q2 results: Mondelez, US multinational leader in the food sector: 3% revenue loss; Reckitt, UK multinational leader in pharma: 2% revenue loss; Maersk, the Danish shipping world leader: 300 million USD forecast as being just the first direct consequences of the attack. The best-known example after a full H1 publication by the company itself (1) is probably the French multinational Saint-Gobain, one of the global leaders in construction and high-performance materials: three days spent… working with paper and pencils (2), 220 million EUR loss, meaning in detail a loss of 1.1% of revenues and… of 4.4% of operating profit. And here we speak about a company which performed a record H1, “attack included”, with a +6.8% operating profit rise. In our opinion, the company remains prudent when it forecasts a total yearly cost of the attack of 250 million EUR, acknowledging that some 30 million EUR of consequences will still be paid in Q3. External analysts estimate a minimum cost of 330 million for the attack on the 2017 turnover (3).

Those companies for whom results are coming through are giants; they have the financial resources that could withstand one or two “notPetya” per year. But even for them the problem remains: what about their trust rating? As an investment specialist said: “The day of reckoning has come for shareholders”. For all smaller companies, further attacks could lead to severe consequences and even failure.

And all that for what? Always and always, the traditional board member’s mentality: my company is not interesting for hackers, maybe only its databases and its financial transaction systems, but I secured them. I do not understand cybersecurity issues and I do not have my CISO near me on the board. The CSO’s department will handle all problems with the specialized companies we pay for that. As a result, no awareness from bottom to top, no culture of cybersecurity, and – again – not a single moment of fear of being under constant attack, meaning no consciousness that the whole company, from the night cleaner to the top executive, should be involved in securing the common workplace digital ecosystem.
We, Westerners, are particularly weak and uninformed, contrary to some countries – Israel and India could be quoted here – where not a few companies with an industrial profile have for some time employed a mix of black hat/white hat/red hat teams, built around young passionate professionals who proactively and hourly follow what’s going on, gathering intelligence in closed groups, on the deep web, with their own networks. They are the key to testing all the company’s systems and to forecasting attacks with all the existing vectors and vulnerabilities, already known by hackers but still not used. And besides awareness, may our companies’ leaders understand that actively participating in their country’s and global mechanisms of vulnerability disclosure is not against their interests; on the contrary, it can benefit them. What will be against their interests, we will see in a few months or, at best, years, when “not-Petyas” happen weekly as a logical consequence of “connecting everything” with an already extremely fragile human ecosystem and to an already multi-patched technical ecosystem…


(1) https://www.saint-gobain.com/sites/sgcom.master/files/s1-2017-fra_a.pdf
(2) http://www.lemonde.fr/economie/article/2017/06/30/trois-jours-apres-la-cyberattaque-petya-saintgobain-travaille-a-l-ancienne_5153635_3234.html
(3) http://www.securityweek.com/notpetya-attack-costs-big-companies-millions



VIP Interview - Cybersecurity Trends

The World Trade Organisation (WTO) and the digital world

Interview with Ambassador (em.) Pierre-Louis Girard

author: Laurent Chrzanovski
Translated from the original French article

Pierre-Louis Girard

BIO Ambassador, Permanent Representative of Switzerland to the GATT (1984-1988); Chief Negotiator of Switzerland for GATT and WTO (1991-2000); Ambassador, Permanent Representative of Switzerland to the WTO (2000-2007); Chairman of the Working Group on China’s accession to the WTO (1988-2001)

Laurent Chrzanovski: The WTO (World Trade Organization) is an institution that everyone talks about, but few know what it really deals with. You have been the chairman of numerous working groups, particularly those that watched over China’s adherence to the Organization. Please explain the role of the WTO nowadays and in relation to its predecessor GATT (General Agreement on Tariffs and Trade).

Pierre-Louis Girard: The World Trade Organization has three main functions. The first is to provide a framework of stable and predictable rules for actors involved in the international trade of goods and services. The second is, thanks to trade negotiations (like negotiating cycles, such as the Uruguay Round or as it is now the Doha Round, or in the special negotiations on a subject or specific sector), to widen the liberalization of trade in goods and services, or to develop the new rules that will apply to these exchanges. The third is to provide its members with a dispute settlement system, a system where a country can appeal each time it estimates that one of its partners violated the rules of the system or caused damage to its interests. In many respects, the WTO is considered a partial development and achievement of the objectives set by the negotiators of the General Agreement on Tariffs and Trade (GATT) in 1947. Therefore, one of the goals that was impossible to reach originally at that time, covering the service sector, was partly implemented in the Uruguay Round and during the financial services negotiations that took place immediately after this round. Also, an agreement on the protection of intellectual property, applied to goods and services, has broadened the field covered by the international trade rules.

Laurent Chrzanovski: What are the main working areas of the WTO, or at least the categories of products and trade that it has as priority?

Pierre-Louis Girard: The main working areas have not changed fundamentally, because everything about trade conditions constitutes “work in progress”, as the Anglo-Saxons would say. The efforts to liberalize the trade of agricultural products and manufactured products remain a central component of the WTO’s work. Moreover, since the original establishment of the organization, the government procurement discipline, and also the environmental cross-border aspects of trade, have gained a new dimension.
Finally, for several years already, the WTO and its members have been focusing on the development of procedures and programs of support with regard to matters of facilitating trade and simplifying customs procedures and the mobility of goods, focusing on developing countries and the benefit they can draw from it.


Laurent Chrzanovski: The Cancún Summit marked the commencement of open hostilities from several anti-globalization movements, where the WTO was one of the main scapegoats, but also the target of criticism from several governments. Why?

Pierre-Louis Girard: Both GATT and the WTO have always been the targets of complaints. These were sometimes very violent, as they were during the Uruguay Round, for example, the protests of European (and particularly Swiss), Japanese and Korean farmers. Moreover, all negotiations have been accompanied by demonstrations, at certain moments and in different dimensions, since the late 1980s, organized by NGOs from developed and developing countries, with the desire to support the latter, or at least what the NGOs believed would represent their interests. One of the highlights of the anti-globalization movement was clearly reached at the 1999 Ministerial Conference in Seattle, where an alliance of NGOs in favor of developing countries, of environmental protection movements, of turtles and seals, as well as representatives of US-based AFL-CIO syndicates denouncing “wage dumping” from the developing countries, managed to block any kind of activity for two days in Seattle. The real cause of the failure of the Seattle conference was that the WTO members, including important industrialized countries, did not reach an agreement, even a minimum one, on which to start negotiating. Concerning Cancún, the same phenomenon of divergences on agriculture between important industrialized members, especially between the European Union and the United States of America, allowed various developing country members to take advantage of the promises made to them two years earlier in Doha by the same US and European Union, especially since the Doha Round is considered a “development round”.
Laurent Chrzanovski: While many states now favor region-based meetings and groups, a nation-state alliance or a specific product, how do you explain that the WTO remains at the core of the debate and that macro-regional powers, such as Russia, have fervently negotiated their accession, which took place only in 2012 (9 years after Cancún)?

Pierre-Louis Girard: It is very simple, because the legal basis represented by the WTO agreements is the most developed, multilateral, stable and effective basis on which countries can rely in order to develop their trade / exchanges and to protect themselves against the predatory actions of their trading partners. When new countries, such as China, Russia and the former Soviet republics in particular, joined the WTO, a new dimension was given to their status as an independent nation, from the point of view of international law and as an active player in its development. This does not always match the view of the prior macro nation.

Laurent Chrzanovski: Today, with the exception of raw materials, finished products are increasingly hybrid and the percentage of products having a reception / transmission function is increasing exponentially. Does this data not endanger the negotiations based on “services” and “products” as they were before the Internet of Things?

Pierre-Louis Girard: This phenomenon is nothing new. Most goods exports have been accompanied in the past by service items. Consider installing a turbine, after-sales service of textile machinery, etc. The fact that services may come up as a parallel export to that of the good itself does not change the fact that they both form a whole. Likewise, if you buy a car today, you have probably bought the opportunity to simultaneously use two services that are integrated in the acquisition: GPS and Bluetooth!

Laurent Chrzanovski: A few, but important, countries (including the US and China) are calling upon the WTO to eradicate the obstacles these products face when countries refuse them under the national security exception - as defined in Article XXII of the GATT (30 October 1948!), then reproduced in 1994 (TRIPS Article 73) and about to be reproduced, almost unaltered, in the GATS (Article 14bis). Do you think that the WTO will rule on “products” that include both multiple services and the physical product itself?

Pierre-Louis Girard: The article on national security is a fundamental article, but it is easy to use and abuse (think about the measures taken by the Reagan administration against Nicaragua). Its invocation usually involves considerations whose validity is not easy to assess. I therefore do not see either the WTO members or the Dispute Settlement Body willing to show boldness in the matter.

Laurent Chrzanovski: How do you explain the lack of adjustment of the WTO to the “digital era” we are living in now? Do you think it is wise to stick to the concepts of “goods”, “services”, “agricultural and industrial products”, “products” and “intellectual property rights affecting trade”, without opening a special window for valuable goods or services with automated / digital / trans-state added value?

Pierre-Louis Girard: The current legal bases are clear and strong. For a possible development of a special window for “automated / digital / trans-state added value products or services”, it would be necessary for the members to agree in advance on what these products are in fact, and on the fact that the legal provisions of both international law (including those of the WTO, in particular) and national law (the law on data protection, the law on respect for privacy, etc.) are clearly insufficient.
Laurent Chrzanovski: The best anecdote during the marathon discussions you moderated?

Pierre-Louis Girard: The first thing that comes to mind is a visit I paid to the Chinese Minister of Foreign Trade, during the late 1990s. When I walked into her office, she asked: “So, Mr. Ambassador Girard, what do you think about China today?”. When hearing this, I could not help but exclaim, pushing the note: “It is in full wild capitalism!”. And she could not help but laugh hard, acknowledging in this way the pathway already completed with regard to the 1988 reforms, the year of setting up the Working Group on China’s accession to GATT.



Focus - Cybersecurity Trends

Achilles’ heel: Security in the context of Web Services and IoT

The mechanism through which a person understands new things, with many variables, is based on assumptions derived from previous experiences involving similar phenomena, with additions and substitutions, which in the end are meant to form an image that is not necessarily perfect, but reasonably complete.

author: Ștefan Hărșan Fárr
Translated from the original language

BIO Ștefan Hărșan Fárr is a computer science professional and entrepreneur with twenty years of software engineering, design and analysis experience. He has worked extensively within the domains of application development, application design, security, communication, technology standards and analytics, and has applied his expertise for major clients from IT, banking, pharma, tourism, etc. His greatest passion is AI, specifically computer-to-computer communication, human-computer interaction, natural language, language design and computer semantics, where he has performed extensive research. He is also passionate about physics, systems theory, social sciences and evolution. Free time is a concept he does not understand, as he always fills his time with projects that he handles with the utmost seriousness, whether they are paid, personal or community oriented. He takes pleasure in sharing his knowledge as well as learning from the community, because he believes mindfulness, awareness and cooperation are key to a healthy society.


When such a process does not end in a system error that would trigger a correction mechanism, these assumptions become beliefs and are subsequently regarded as indisputable truths. Although natural, this phenomenon can be a dangerous one, because when our assumptions turn out to be wrong, we can fall into the trap of making wrong decisions, not because the logic is cheating us, but because it is based on false fundamental elements. When it comes to the Internet and cybersecurity, these concepts are so complex, with so many branches, that often even the specialists are forced to work with assumptions. Modern marketing is particularly harmful, as it makes use of this information jungle in order to create a favorable framework where goods and services are easily placed: a framework full of emotions, fears and partial information, where the technology’s limitations are hidden and its strengths brought to the fore. It is important from time to time to stop and analyze the conditions under which we operate, because each system is different. Only if we understand all sides of a system can we really apply efficient mechanisms for its security, and in the end, for our own personal safety.

Security, in general

Before we go into the details of modern computer security, shaped as it is by the extremely distributed way in which the information world has developed, let us analyze the concept of security in its most personal meaning, namely as it refers to an individual or a group of people, be it a family or a company. Take, for example, insulin. It is an essential supplement for a person suffering from diabetes mellitus; its absence can have serious consequences on one’s health. So, if we look at the “safety of insulin”, it is important that it is not lost, nor stolen, nor deteriorated, i.e. that it is at the disposal of the person in need. But if we analyze an insulin pump, things get complicated. This is a device that dynamically analyzes the glucose level and automatically injects the required dose. So, if we look at the “safety of the pump” from the point of view of the person that needs it, we can see that it is no longer enough to make sure that the pump is available to the person in need; we must also ensure that nobody else has access to the device setup, as it may harm the person in need through the direct, intimate relationship it has with his or her body.

We have to think similarly when it comes to a group, only in this case we will have additional elements. Thus, in the case of a group, a family or a company, it is not enough if the safety of each individual member of the group is assured; we must also ensure that the group as a unit is safe. For example, in the case of a company, the employees may each be safe as persons, but the company may go bankrupt because of an event that affects its operations, not necessarily the employees’ health.

Consolidated and distributed defense mechanisms

The easiest and best-understood security model is the consolidated one, the one around which we can draw a security perimeter. In real life this is the most popular security mechanism, since ancient times: medieval fortresses, maximum-security buildings, our houses, countless examples are built on this model, not by accident, but because they are the easiest to defend. It is sufficient to have a relatively impenetrable perimeter and a limited number of access points, and no matter how vulnerable the elements inside are, their safety is provided by the perimeter. The defense mechanisms are also easy to understand and available to anyone. Concrete walls provide a high degree of impenetrability, we have the possibility to place security guards at the doors, a secretary is an exceptional biometric filter that can identify strangers or those who do something suspicious inside the building, a dog is also an excellent biometric filter, and it is not complicated to get one in order to improve the safety of the dwelling or the yard. The same applies to cybersecurity, where we have many relatively secure mechanisms for implementing security on this kind of model, which has operated practically since the beginning of networks.

The problem is that this model can no longer be applied to modern information structures, because things have changed radically and the era when the information assets of an organization could be placed in such premises has long gone. We no longer have the accounting program, the database, the ERP, etc. in the local network; we have them stored by an online service provider, that is, they follow a distributed security model around which no perimeter can be mapped out, and so we need other defense mechanisms. This form of distributed security is fundamentally different from the consolidated one and, unfortunately, is often misunderstood even by those who work in the field. In particular, thinking about these mechanisms is reduced to the consolidated model and viewed simplistically: instead of one consolidated framework there are several consolidated frames, each defended by a separate perimeter, and from here on a series of misunderstandings arise and countless information vulnerabilities are born.

A similar example from the physical world, which we can easily understand, is the banking system. It is a system that has worked for a long time, where goods are not kept exclusively within the perimeter of the house: some remain inside the house, the money goes into the bank account, and some valuable goods are stored in the bank vault. Anyone’s natural reaction will likely be that this model is in fact even safer than the classical one, with all the goods stored within the perimeter of the house, because the bank’s security perimeter is better than the house’s perimeter. It is natural to see situations this way, and cybersecurity marketing exploits our tendency to see the glass half full, glossing over some “barely apparent” details which in some situations can become the Achilles’ heel of the whole system. Coming back to the bank example, it is undeniable that a bank has a better-protected area than any home, and as long as the good is stored in the deposit box, the sense of security is justified.

But if the good in question is an object that we need on a daily basis, which in the morning must be transported to the company headquarters and in the evening back to the bank, the transitional period, in which the asset is neither within the security perimeter of the bank nor within the security perimeter of the company, becomes significant and erodes the security aura of this complex system: bank + company. If the bankers get bored of taking us twice a day to the vault and decide to place the door of the safety deposit box in the window so that we can have access to its contents whenever we want, this whole aura completely disappears. In this scenario, the safety deposit box no longer benefits from the absolute security perimeter of the bank. No matter that its back is in the bank, its door is outside it, and

everything separating the good in the safety deposit box from a villain is the door of the box itself. So, a series of vulnerabilities is introduced into the system with two security perimeters: the transition period, the box lock, the hardness of the box, the person holding the key, the security features of the key, the security of the place where the key is kept, and so on. If this paradoxical situation seems familiar, it is because it precisely describes the security conditions of the distributed framework in information systems. Mailboxes, our photos, online bank accounts, and all other accounts where we store information assets (and not only those) suffer from these deeply misunderstood security gaps, which we disregard with the false statement that the security of an information platform provider is more advanced than that of our PC. In fact, if we are to secure an informational asset in this framework, we must ensure that all stages of its existence are secured. The security elements are not cumulative but have a reverse synergy: the more elements, the more unsafe the system becomes. When one climbs a mountain, one depends on multiple safety features: the rope, the mountain rock, the anchor, the karabiners, the climbing partner, and so on. If one of these elements breaks, the outcome may be fatal, and the more elements we introduce, the greater the chance that one of them fails. Going back to information systems, it is not enough to rely on perimeter security, and we cannot afford to place an unsafe object within this framework; we must ensure that the objects themselves are safe at all stages of their use. For example, if we cannot be sure that a file exchange system is safe, but we have to use it anyway, we can very easily encrypt the data in the file and pass the key to the recipient by another channel. Solutions exist, but they are not always apparent.

Online security paradigms

In the distributed security model, there are two fundamental paradigms that must be taken into account: isolation, in the sense of ensuring that no one intercepts or alters transactions, and certainty of identity, that is, the certainty that the partner we deal with is the right one. And if in everyday life these two are trivial, in cyberspace, where the identification elements are incomparably weaker and the transactions are made on hostile ground, things are much more complicated, and the two elements must be strictly and concurrently observed, otherwise we cannot speak of security. For example, if we have isolation but no certainty of identity, we can fall into the trap of safely dealing with an evil entity, and if we have certainty of identity but no isolation, we can be monitored, or the transaction can be intercepted and altered without our knowledge.

In 1995, Netscape introduced for the first time the Secure Sockets Layer (SSL) concept, a highly efficient mechanism capable of providing both principles, but only in its original form called MASSL (mutually authenticated SSL), which, unfortunately, despite existing for such a long time, has for practical reasons not spread. What most Internet users know as SSL is a simplified form in which only the server has a certificate of authenticity and the client does not, and thus certainty of identity cannot be ensured on the client side. That is why the weaker forms of authentication we are accustomed to are used instead, forms which remain vulnerable to various kinds of attack: brute force, identity theft, interference, etc. It is important to be aware of these deficiencies when choosing a service provider or the method by which we store or manipulate a certain informational good, so as to take an informed decision based on its importance, sensitivity, and so on. Another very dangerous phenomenon is the introduction of a new type of SSL called DV (domain validated) SSL, which in fact is an SSL certificate that carries no certainty about the identity behind the site, but only that it was issued for the site in question, which has zero value.
Any villain can buy a cheap domain and run a DV-SSL data theft site that will look 100% legitimate, because browsers do not issue any alert, and even if this type of SSL can guarantee isolation, the unwary Internet user can type a password into a page that steals data, because certainty of identity is not available. Security in this modern framework based on Software as a Service (SaaS) is not easily understood and even harder to assure, because, unfortunately, there is a profound technological handicap coming from the fact that it is impossible to secure both paradigms in every situation, and so there is an inherent weakness of the system that cannot be eliminated technologically and must instead be analyzed and reduced methodologically.
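The two paradigms above, isolation and certainty of identity, map directly onto the settings of a TLS context. The following is an added example, written for this edition and not taken from the article or from any vendor, that uses Python’s standard ssl module to build three kinds of context (encryption without any verification, the usual server-only authentication, and a mutually authenticated server that demands a client certificate, which is what the article calls MASSL) and to tell a domain-validated certificate from an organisation-validated one by inspecting the subject of a getpeercert()-style dictionary. The certificate subjects, host names and file paths are constructed placeholders.

```python
import ssl

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(): 'subject' and 'issuer' are sequences of
# relative distinguished names, each a tuple of (attribute, value) pairs.
# The names are placeholders, not real sites or CAs.
DV_CERT = {
    "subject": ((("commonName", "login.shop-example.invalid"),),),
    "issuer": ((("organizationName", "Constructed DV CA"),),),
}
OV_CERT = {
    "subject": (
        (("countryName", "CH"),),
        (("organizationName", "Example Bank AG (constructed)"),),
        (("commonName", "ebanking.example-bank.invalid"),),
    ),
    "issuer": ((("organizationName", "Constructed OV CA"),),),
}


def subject_fields(cert):
    """Flatten the RDN sequence of a getpeercert() dict into {attribute: value}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for attribute, value in rdn:
            fields[attribute] = value
    return fields


def validation_level(cert):
    """'DV' when the subject names only a host (the CA checked domain control
    and nothing else); 'OV/EV' when the CA also vetted and recorded a legal
    organisation. A DV certificate proves isolation, not who is behind the site."""
    return "OV/EV" if "organizationName" in subject_fields(cert) else "DV"


def isolation_only_context():
    """TLS that encrypts the channel but verifies no certificate at all:
    isolation without certainty of identity. Built here only to make the
    gap measurable; it is the setting a careful client never ships."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def server_identity_context():
    """Browser-style TLS: the client checks the server's chain and hostname,
    so the server's identity is certain while the client stays anonymous."""
    return ssl.create_default_context()  # CERT_REQUIRED + check_hostname by default


def mutual_auth_server_context(certfile, keyfile, client_ca_file):
    """Server side of mutually authenticated TLS: the server presents its own
    chain and additionally demands a client certificate issued by the CA in
    client_ca_file. The three paths are hypothetical placeholders."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca_file)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # reject peers without a valid client certificate
    return ctx


def guarantees(ctx):
    """Which of the article's two paradigms a context delivers for its peer."""
    return {
        "isolation": True,  # every TLS context encrypts and integrity-protects the channel
        "peer_identity": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
    }
```

The first two contexts can be built offline; the mutual-auth one needs real key and certificate files only when it is actually used to wrap a socket. The DV/OV distinction by presence of organizationName is a practical heuristic: a DV certificate is precisely one in which the CA recorded nothing about the organisation, so its subject carries only the host name.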

Security in the IoT space

The IoT (Internet of Things) space is also an online space, but unfortunately one providing even greater uncertainty, for many reasons. If in the case of a classic service-type application the account, like the safety deposit box, is kept by the service provider, who provides a certain maintenance that includes vulnerability correction and the security of the perimeter behind the box, and imposes certain access rules, etc., then in the case of IoT devices, most of which are kept at home or in other insecure places without strict rules, professionalism, maintenance or vulnerability correction, it is virtually impossible to determine whether they were fraudulently accessed.

These objects belong somehow to no one, because the responsibility for their safety is not assumed by anyone. For example, these days there has been a massive attack on the east coast of the United States that was executed by IP cameras and other devices in the homes of unsuspecting citizens. What is even worse is that these devices often have an intimate relationship with their owners, such as the insulin pump in the case of the diabetes patient. Such a device can harm the owner not only through information loss, which is in itself grave, but also through the fact that it performs functions the holder relies on; it can be a smart door, a smart alarm system, and so on, which, if it does not perform its function properly, can cause serious damage. So in the case of IoT, as in the case of online services, we need to look for and analyze the dependency points (rope, rock, anchor, karabiner, and so on) of the system, and we need to make sure that all these points are solid, because each introduces weaknesses through which the whole system can succumb.

It might be useful to formulate a list of questions that can help us understand these weaknesses and how they affect us. It is not easy, as responsibility is deeply diluted in the case of IoT and almost every device is conditioned differently, both technically and from the point of view of its relationship with the person, family or company where it is placed. Any such list of questions must, however, include at least some elementary questions that we, as users of the device, must be able to answer with a high degree of certainty, as a sign that we understand the problem and the associated risks, and have a plan in case things derail. For example:

What kind of information does the device collect?
Where is this information stored?
Can the collected information be intercepted while being transferred?
Can the information be stolen during storage?
Who owns the collected information?
Who controls the device?
Who corrects vulnerabilities when they are discovered?
How do I know if the device is under the control of a malicious power?
How do I turn off the device when it is stolen?
How am I, or those I am responsible for, going to be affected if the answer to any of these questions turns out badly?

It is very difficult or even impossible to answer all these questions, so the last question on the list is especially important. This is the question on which I can decide whether to make a compromise or prefer not to take the risk. Obviously, the response will be different depending on the device. For a smart light bulb, perhaps the worst thing that can happen is that the bulb is ruined, so the risk is low, but in the case of more complicated devices, the situation may be much worse. On December 4, 2011, an American military drone was hijacked by the Iranians and captured because no one had asked the second-to-last question on the previous list. This is not the place to analyze the incident in detail, but we can imagine how serious the situation got at all levels: political, technological, informational, financial, not to mention popular trust. This long-awaited and prematurely celebrated world of IoT is still an unborn child with a lot of positive potential, but one which, if we are not careful enough, can also generate a world tragedy. Last but not least, each of us is responsible for understanding the gravity of this situation and for taking the necessary action whenever the decision-making power lies with us: when buying such products, or when the authorities consult us regarding the laws governing these devices. Information security is a very complex concept that is hard to define in itself, and the more complex a system is, the harder it is to analyze and understand. And although it is difficult to find a general formula covering all angles, it is relatively easy to understand each given situation through the personal security aspect, because this, beyond certain generalizations, is a profoundly personal subject, and those capable of finding the questions and answering them will be those concerned.

All it takes is elementary logic, a bit of time allocated to the matter, and a mental exercise considering all the elements affected by such a system: the components it interacts with, the way they interact, their importance, the ways of access, how they all affect the person, the family, the company, etc., their final benefits, and the risks to which we are exposed. And even if we do not find all the questions and consequently all the answers, we will be safer, because we can eliminate the vast majority of the risks, and because in the end it is everyone’s responsibility to make sure the things surrounding us do not endanger us. This implies that all of us, at a personal level, need to learn more about the actions we can take to improve the security of the devices we consume to make our lives better. Ultimately such knowledge is going to have to be driven by governments and educational institutions to ensure all people have such awareness levels.



Focus - Cybersecurity Trends

Is GDPR Self Certification possible? The major changes in the new regulation have caught many off guard. The rules under the current Data Protection Act 1998 (DPA) can be seen as arduous, so some organisations may not be fully informed about the requirements of the law and could have been breaking the regulations without realising it. The new laws within the GDPR will seriously impact the way an organisation communicates with their audiences, how they process data and who they share that data with.

author: Mark Burnett

The General Data Protection Regulation (GDPR) will become law on 25 May 2018. It is the first major overhaul of data protection in the UK for 20 years. Its purpose is to: give data subjects more rights over their information; provide more transparency regarding what organisations and companies are doing with their information; and ensure that any organisation that collects, handles or shares personal data does so with a clear and lawful purpose.

BIO Mark Burnett, heads up the Privacy and Data Protection department within ClearComm. Mark has many years of experience working with various organisations on a number of different privacy and data protection matters. Mark is a Committee Member and Treasurer for the Institute of Fundraising (IoF) South East & London regions as well as sitting on the Committee of the IoF’s Consultants SIG. Mark is an Associate Consultant for the NCVO, exclusively delivering GDPR training to members. For more information about the GDPR, or details of ClearComm Self-Certification Online Portal, please contact Mark Burnett mark@clearcomm.org.


The GDPR aims to give clearer guidelines for communications such as consent-based preferences for data subjects; organisations won’t be able to communicate with their customers, members and supporters without a good and lawful reason. There is also the potential for hefty monetary penalties to discourage offenders from taking any chances with personal data, let alone the horror of having your reputation ruined by a newspaper headline. Penalties will be rising from a top limit of £500,000 to an incredible £20 million. The supervisory authority in the UK, the Information Commissioner’s Office (ICO), will have new powers, such as the right to enter premises, the right to audit at any point and the right to reprimand organisations. Interpreting the new rules to fit your special circumstances is vital to maintain growth in your organisation. The GDPR positively encourages organisations to appoint a Data Protection Officer (DPO), regardless of any mandatory need. You’ll definitely need a DPO if your organisation employs more than 250 employees, processes large volumes of data or collects special category data. Without a DPO, someone within the organisation must have the responsibility of ensuring that compliance is achieved and maintained. In short, a GDPR champion should be appointed. Smaller organisations, or organisations processing lower levels of data, will still need to appoint a Data Controller. This is the person who takes responsibility for data on a daily basis - what is collected, why, who it’s shared with and how long it is kept. The Data Controller is likely to be handling the data held by the organisation already, appointing processors and keeping things up to date. The Data Controller will need to quickly familiarise themselves with the new rules and implement some new tools that can be used to facilitate and support their role in order to guarantee their organisation is managing their data in the manner the laws of the GDPR require. The first step towards compliance is to build policies for your organisation that comply with GDPR. Self-Certification offers a simple and cost effective way to do this. For example, ClearComm can provide organisations with a Self-Certification Online Portal system which boasts a number of different features to assist the compliance process and ensure that an organisation’s transition to compliance is in line with industry-approved standards. The portal is dynamic to ensure that any new information or changes to the law are immediately available for users to see, and subsequently action any necessary alterations. The portal includes templates for policies and procedures, online training modules and consultancy assistance to the person in charge of data. The journey towards compliance should not be feared. There are some really positive aspects of GDPR which will help organisations look at refreshing ways to engage with their audiences and could potentially unveil major cost savings. Many organisations spend sizeable portions of their budget marketing to their target groups, much of which is wasted by using out-of-date data. Keeping inaccurate data is a waste of time; closely assessing your data population to check it is right is common sense and a great discipline.

There are other benefits of the GDPR: Relationships and better transparency - The GDPR demands that every organisation must be able to demonstrate that it processes data fairly. By demonstrating this to customers, supporters and members, organisations create better and stronger relationships, with more longevity. Data protection by design - Data protection should be an integral part of your organisation. All stakeholders, from staff to customers, will see the difference and understand the value of protecting data. Complaints and organisational challenges - GDPR compliance will result in fewer complaints. Data subjects will trust organisations with their personal information and, because the conditions for delivering communications will be right, they are more likely to accept them. Without these challenges, organisations will have more time to deliver their core objectives. Refresh procedures - The GDPR is a chance to refresh the way things are done and ensure your policies and procedures are right, lawful and future-proof. Take the opportunity to create clear and easily understood processes for staff, customers and supporters. Security - Checking data security has always been a must, but this is a great opportunity to make it robust and fit for purpose. It will be money well spent. We believe that, ultimately, data subjects will recognise that their data has been treated with respect and this will result in a much better and more transparent relationship with the organisation.




Connected cities: the ethical and legal stakes are huge

The connected city

author: Pascal Verniory1 Translated from original French article

Introduction

There is much talk about connected cities or “Smart Cities”. Megalopolis management becomes a major civil risk factor, especially in an era where explosive demographics are predominantly urban. It becomes a potential source of chaos if not properly managed. As with all things related to artificial intelligence, connected cities nourish fictitious fantasies and unspeakable desires. These “smart” cities generate absurd expectations in terms of order and comfort, hard to give up, as their real cost and value is not known. Their real contribution should be questioned in order to get the most from certain technologies. We should not forget the possible dangers involved, in terms of privacy and freedom. In the following paragraphs, I return to my address given in Yverdon on November 3, 2016, at the CyberSec Conférence, to point out some issues that I had only sketched at that time.

What is meant by a connected city? It is an ecosystem based on the collection, aggregation and sharing of data2 related to the usage of the city by its inhabitants. Sources of data to achieve this are diverse: they can be automatically generated by collectors or connected objects, but they can also come from databases designed by public administrations or private companies, or even be produced by individual private users. This data collection has several purposes. Usually, advantages such as improving the quality of citizens’ lives, good management of collective resources, facilitating mobility, or resolving security issues are highlighted. The stake is to create a link for and between: remote and real-time information on the availability of collective public resources (traffic jams, parking space availability, location of public transport, booking sports halls, etc.); and information with regard to proximity, location, working hours of shops or tourist attractions, information on existing services or collective/public infrastructure management. These few examples illustrate the benefits of implementing this system. But they say nothing about the risks and dangers involved.


BIO Pascal Verniory is a Ph.D. in philosophy (transdisciplinarity option - ethics, economics, law), licensed lawyer and for many years the legal director of the Geneva Canton General Information Division. In his thesis, he developed a critical interpretation of copyright as it is currently regulated, proposing a multidisciplinary approach (anthropology, sociology, ethics, economics, history, aesthetics and comparative law). The author has a personal and critical approach to robotics and artificial intelligence, based on his opinion about the relationships that core personality has with creative activity.


Indeed, when collecting data, privacy is a crucial issue that highlights the vaguest aspects of the system actually being put into practice. With regard to connected cities, four aspects raise issues: a. automatic data collection from the public domain; b. data considered “public” that individuals exchange through their “smart” phones; c. their integration into cloud spaces; and d. above all, the interpretation of this mass of data for “algorithmic governance”. In conclusion, the preconceptions behind data collection policy will ultimately lead us to establish a parallel between the respect for private space and the social recognition of individual freedom.

Data collected automatically in the public domain

A large amount of data related to connected cities is automatically generated by snapshots taken from public roads or from private infrastructures open to the public. But choosing a camera to capture the image is not accidental. Traffic supervision can be achieved in a number of ways: by counting the vehicles driving over a magnetic loop, by video recording of traffic or by recording GPS signals that allow, for example, identification of the vehicles involved in traffic. Thus, while vehicle counting with a magnetic loop does not generate personal data, just incremental statistical values, the same cannot be said about video cameras or the capture of GPS signals. When collecting data on public roads may involve personal data, the principles imposed by the applicable privacy protection laws (GDPR) must be respected in a preventive manner. First, according to the principle of legality, data processing must be justified by the fulfillment of a task provided for by a normative text or by the express consent of the data subject (x). This reduces, from the start, the goals that could justify data collection. As regards the principle of proportionality (xx), the operator responsible for data processing has the obligation to ensure that the impact of such processing is reasonable in relation to the aim pursued. Due to these principles, a procedure preceding data collection is put in place to ensure confidentiality at the project design stage (“Privacy by Design”). Thus, whenever the intended purpose permits, collection means that do not generate personal data will always be chosen, since the processing operator is then no longer required to encrypt the data to ensure its confidentiality from the moment of collection, through the premises where the computing equipment is located, and for the data’s entire life span.

Data protection is even more important in private spaces open to the public: data is processed by private actors without the data subject being given the option to refuse collection. In the era that we live in, refusing to enter a video-surveilled area is synonymous with renouncing most stores, such as hypermarkets and supermarkets. The need to apply this set of principles already indicates the danger that uncontrolled collection of public domain data poses to the private sphere. These principles aim to avoid the temptation to focus on the means and to lose sight of the intended purpose. But history shows us that humanity tends to use techniques beyond immediate needs, simply because they are available, and this often generates new needs. This explains the temptation of using top digital techniques to assert one’s own modernity.

(x) In Switzerland, paragraph 1 of the Federal Data Protection Act - LPD, Article 35 of the Law on Public Information, Access to Documents and Personal Data Protection - LIPAD
(xx) In Switzerland, Article 4, paragraph 2 LPD, Article 35, paragraphs 1 and 2, Article 36, paragraph 1 of LIPAD

Data generated by users

Connected city data collection is not limited to data automatically collected from the public domain or from spaces open to the public. On the contrary. Using smartphones, users create lots of geo-localized personal data, whether they are communicating information on social networks or interrogating city information services on the street. These portable devices can therefore be considered genuine data collectors. Other connected devices also provide their own data packs that add to that of the connected city. For example, the seemingly irrelevant data on aggregate household consumption. This data makes it possible to compare private consumption habits with those of the neighbors in order to improve them. Connecting such meters to the Internet makes it possible to remotely warn the smartphone about any programmed or unforeseen consumption. “Sense”, a widespread application, allows real-time disaggregation of the household’s overall electrical power curve to determine which appliances are used in the household and at what time.3 By comparing the collected data with the consumption curves of other users, this application gets to know more about the way the house is run than the owners themselves, and can generate a table of the living habits of its occupants or even a profile of their personality. In addition, connected devices are often made by manufacturers less concerned with IT security, leading to security breaches that allow third parties to get access to images that should be confidential. Thus, connected video cameras that normally allow the owner to remotely monitor the house surroundings can provide thieves with valuable information about the owner’s presence. The site www.shodan.io keeps track of the images captured by unsecured cameras. The connected devices phenomenon escalated to such an extent that Ubisoft, the “Watch Dogs” publisher, proclaimed “We are data” on their site when the second version of the game was released.

This does not represent a lack of interest from users regarding their private life, but rather the discourse of social networking promoters and companies that promote information sharing on the Internet for the sole purpose of expanding their power. The inconsistencies of this type of discourse are worth considering.

For example, in 2009, Eric Schmidt, CEO of Google, made a common sense statement, but one which terrified a lot of people: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place”. Eric Schmidt merely quoted a traditional Chinese proverb. However, informed observers have pointed out that Eric Schmidt was applying this thinking to Internet searches, which could change everything. This phrase promptly raised fears about privacy violation. But this prophet of the “death of private life” defends his own by absurd means: in 2005, he sued journalist Elinor Mills for her article Google balances privacy, reach4, in which she detailed some of his private life facts (assets, shares recently sold on the Stock Exchange, etc.) that she obtained from the Internet using the Google search engine dedicated to CNET journalists (News.com). Hubert Guillaud, relying on a study by Joseph Turow, Michael Hennessy and Nora Draper in 2015, reminds us that “more than half of US users do not want to lose control over their information, but they already see this loss of control happening”. Far from considering that the handover of personal rights in exchange for personalized offers is a compromise where both sides win, the audience is resigned and defenseless. Hubert Guillaud concludes pertinently: “Inability does not mean consent”.5

Connected cities and cloud computing

Connecting: who would dare criticize this seemingly great goal of a functional, universal harmony? The smart city goals presume communication between data and systems, or at least the use of a common standard semantics. In other words, the connected city goes through cloud computing (“Big Data”). Connected cities and cloud computing complement each other: data from connected cities feeds cloud computing, and cloud computing in turn provides keys for cross-interpreting it with information from other sources. Once all information relating to an identified or identifiable person is considered personal data, data is no longer independent of its own context. In other words, personal data in itself is rare. What makes it personal is the connection to a person (determined, or even determinable). The connected city, as well as cloud computing, work to create links and thus participate in the creation of personal data ... and so in the very erosion of the private circle. The link to a natural person can be made through the devices that he or she uses, even if they are not expressly associated with that person. It is enough that the data is associated with a fixed point. Therefore, IP addresses of private computers are considered personal data. By cross-checking with other data, the rest of the operations are performed. If only one express relationship is established between the computer and the user, for example through an order form, all data gathered around the IP address can be associated back to a determined individual.

The data controller must ensure personal data confidentiality within its sphere of influence. But we cannot release even seemingly irrelevant data without taking into account cloud computing and the amazing cross-checking capabilities it offers to its users. Security rules need to be rethought and strengthened regularly, especially those that guarantee anonymity. Those who convert data into open data must also ensure that they can, at any time, stop its distribution or re-use by third parties if these are breaching the rules that guarantee anonymity. Only distribution under license gives a right to processing, at least theoretically, if not factually. Free licenses can be an example in this regard, provided they focus more on maintaining anonymity than on transforming data into open data, but the two purposes are not necessarily incompatible.

Data interpretation and algorithmic management

Interpreting connected city data can hide serious hazards. Once integrated into cloud computing, the data can complete the profile of individuals and categorize them into models that are hard to escape from. The purpose of cloud computing remains to determine the users’ generic profile and categorize them, so that consumer behavior can be easily predicted for more efficient handling. Cloud computing is a powerful control tool. Beyond the extremely simplistic framing of the problem and the unacceptable objectification of the other person, such a profiling mechanism makes it possible for providers to assign individuals a status at will, and this for several reasons. The first reason is that weakening the private sphere conceals, above all, a power ratio. The merit for this demonstration belongs to Daniel J. Solove7, a professor of American law. Hubert Guillaud cites the opinion of a security expert, Bruce Schneier, interviewed in 2006: “The notion of private life protects us from those who hold power, even if we do not commit any illegal deed when we are being supervised. [...] If we are observed at every moment, [...] we lose our individuality”. Hubert Guillaud concludes: “The quest for private life consists of the democratic tension between the strong and the weak”.8 But the mechanism of profile framing, as done with cloud computing, goes even deeper. Antoinette Rouvroy, an FNRS lawyer and researcher at Namur University, is of the opinion: “You will be categorized according to gross data that is of no importance to you, depending on algorithms that you have no idea how they work, and this will have an impact on your life, [...] on how to react”.9 This is the main danger concealed by the concept of the connected city, which Antoinette Rouvroy called “algorithmic government”. In this case, the danger does not lie in the actual information. By claiming that these massively and automatically collected data can be characterized objectively, computer engineers and their financiers are not satisfied with only presenting collected data to policy makers to verify public policy effectiveness; they unfortunately propose to extract the “motivation” of future public policies from the data themselves. In short, the modern version of the confusion between means and purpose, doubled by a severe lack of knowledge of human nature. Artificial intelligence, the theory of information and the mechanistic vision of life and man should be discussed in this context. Here is one essential point: by classifying people’s behavior according to the correlations resulting from big data analysis, we destroy the fundamental right of social recognition of individual freedom. We become constrained to follow completely inadequate and wrong models. The hazards ahead are illustrated in the following example.
Some individuals, disturbed by “human imperfections”, had the idea of replacing judges with robots. Applying laws and jurisprudence would in this way be done more rigorously and more impartially. The judging of the one who violated the law would be done by statistics, by a partial awareness of the past applied to the future. Is there a better way to eliminate any person’s possibility of evolution? To deny that person’s right to be heard? The next step in the roadmap would be establishing a predictive justice, that is to say, arresting those whose profile would point them out as potential lawbreakers. We know the rest. Is judging someone on the basis of other people’s past not an inadmissible violence? Once this system is implemented, which judge would have the courage to make a decision that contradicts the statistical predictions promoted by machines?

It would be naive to believe data is objective just because it was collected automatically and systematically: it is not “given”, but built by choosing the means and location of collection. Information theories forget this too quickly. In general, the person looking for something finds only what he or she is looking for and can miss the essence without noticing. Phenomenology illustrates this with the notion of intentionality.10 Also, collection means do not capture reality continuously but only record some part of it, not necessarily the most relevant. Further, the means of collection filters reality through the intentions, and even the biases, of the person who installed it, and does not cover the possibilities that existed at the intention stage. And the latter is essential in understanding the future. Isn’t the future shaped by explorations? Only coherent criticism would allow us to look at the information and the means used to collect it. The ideas mentioned above highlight the need to combat, or at least question, ongoing projects aimed at an “automated organization of the world”11, such as the one run by Sidewalk Labs, a subsidiary of Alphabet, the company that controls Google. The project is about creating a whole city “built from the Internet”, with the help of feedback loops, then applying this model to the entire planet.12 This means assigning the power to decide for humanity to a small group of people: Google City not only eliminates any political program, but verges on totalitarianism. Hannah Arendt argued that this would not only restrict freedom, but also eradicate any trace of spontaneity.13 If for Hannah Arendt spontaneity is not just a fantasy but, by definition, the unpredictable, individual originality of our own way of being, then is Google City ultimately fuelling the ambition of eradicating the human from among humans?

Being a Subject nowadays

Isn’t our major life challenge to find out who we are and who we want to become? Do we want to accept being reduced to data or being compared to machines? While the robot, infinitely reproducible, is concerned with error, result and the improvement of it, isn’t the human being, unique, with the intention of becoming who he or she is, more concerned with purpose? On this road, failures teach us at least as much as victories. As such, economic or social policies must take into account the meaning of our lives, otherwise what would they serve?




Switching from “human sciences” to “subject disciplines” needs considerable work. This involves perceiving the human being in its specificities, not as an object of science but as a Subject14, and requires the development of a method other than that adopted by the traditional sciences. Reproducibility, quantification and refutability requirements need to be replaced by other approaches that are relevant to the study of the Subject15. This would spare the human “sciences” from adopting hypotheses imposed by inappropriate methods. Much remains to be done, while progress in robotics and artificial intelligence is travelling at a far greater velocity. This should concern us all.

The great erosion

Cloud computing erodes the private sphere of personal data, just as algorithmic governance depreciates the very foundation of the social recognition of our individual freedom. The amount of comparative data currently in the hands of service providers makes our behavior more predictable for these providers than for ourselves. Alexandre Lacroix asserts that the free human being of tomorrow will be the one whose behavior proves less predictable for the provider than for herself16. This is the link between the private sphere and individual freedom: the protection of the private sphere guarantees our freedom.

To paraphrase the title of Karl Polanyi’s famous work, La Grande Transformation, if we were to characterize the main effect of cloud computing, we would certainly describe it as “the great erosion”.


To avoid it, we are offered several alternatives. First, everyone must remain the master of his or her personal data, which is the exclusive right of each person (Thomas Hobbes). This can be achieved if the political authorities impose, for the right to distribute the data of the connected city, a license that ensures its anonymity over time and takes into account the evolution of cloud computing. It also requires individual education and knowledge which we are far from achieving. The impossibility of re-identifying connected city data must therefore be mandatory and requires permanent vigilance. In this regard, Arvind Narayanan and Vitaly Shmatikov remind us that “The versatility and power of re-identification algorithms implies that terms such as «personally identifiable» and «quasi-identifiers» have no technical meaning. While certain attributes can be uniquely identifying on their own, any attribute can be identifying in combination with others”. Second, we need to ensure the openness of the collected data, and each one should know what algorithms and which interpretation rules are applied to the data that concerns them.17 Finally, the relationships between individuals and the community must be strictly observed, and the theory of information must be confronted with the theories of knowledge. Connected cities can be a force for good, but as this article demonstrates, they also come with substantial risks: the exposure of our data if hacked, and the categorization of each of us in society. “Vast programme”, as Charles De Gaulle used to say. That is why it is even more fascinating.
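The points above about IP addresses becoming personal data through cross-checking, and the Narayanan/Shmatikov observation that any attribute can be identifying in combination with others, can be made concrete with a check a data steward would run before releasing connected-city data as open data. The following is an added example and not code from the article or from any project it names; the mobility records, the zone codes and the quasi-identifier names are constructed for illustration. It measures the k-anonymity of a release (the smallest group of records sharing the same quasi-identifier values), shows that attributes which are harmless alone become uniquely identifying once combined, and applies generalization plus suppression to reach a chosen k before publication.

```python
"""Re-identification risk check for an 'anonymised' connected-city data release.

All records below are constructed sample data (assumption: an open-data
release of commuter trips with direct identifiers already removed).
"""
from collections import Counter
from itertools import combinations

# Constructed release: no names or IP addresses, but zone of residence,
# age band and departure time slot are kept as "useful" attributes.
RELEASE = [
    {"zone": "A1", "age_band": "30-39", "slot": "07:15", "trips": 2},
    {"zone": "A1", "age_band": "30-39", "slot": "07:45", "trips": 1},
    {"zone": "A2", "age_band": "30-39", "slot": "07:30", "trips": 3},
    {"zone": "A2", "age_band": "40-49", "slot": "08:10", "trips": 2},
    {"zone": "B1", "age_band": "20-29", "slot": "07:20", "trips": 4},
    {"zone": "B1", "age_band": "20-29", "slot": "07:50", "trips": 1},
    {"zone": "B3", "age_band": "20-29", "slot": "08:40", "trips": 2},
    {"zone": "B3", "age_band": "60-69", "slot": "08:05", "trips": 1},
]

# Attributes an outside dataset (an order form, a loyalty card, a social
# network profile) could plausibly also contain: the quasi-identifiers.
QUASI = ("zone", "age_band", "slot")


def _key(record, quasi_ids):
    return tuple(record[q] for q in quasi_ids)


def group_counts(records, quasi_ids):
    """How many records share each combination of quasi-identifier values."""
    return Counter(_key(r, quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest equivalence class; k == 1 means at least one record is unique."""
    counts = group_counts(records, quasi_ids)
    return min(counts.values()) if counts else 0


def unique_records(records, quasi_ids):
    """Number of records that are singled out by these quasi-identifiers alone."""
    counts = group_counts(records, quasi_ids)
    return sum(1 for r in records if counts[_key(r, quasi_ids)] == 1)


def identifying_subsets(records, quasi_ids):
    """For every non-empty combination of quasi-identifiers, count the records
    it uniquely identifies. Shows how attributes that single out nobody on
    their own become identifying when combined."""
    return {
        subset: unique_records(records, subset)
        for n in range(1, len(quasi_ids) + 1)
        for subset in combinations(quasi_ids, n)
    }


def generalize(record):
    """Coarsen each quasi-identifier one level (constructed hierarchy)."""
    lower_age = int(record["age_band"].split("-")[0])
    return {
        **record,
        "zone": record["zone"][0],                      # A1 -> A
        "age_band": "under 40" if lower_age < 40 else "40 and over",
        "slot": record["slot"][:2] + ":00",             # 07:15 -> 07:00
    }


def release(records, quasi_ids, k_min):
    """Generalize, then suppress any record still in a group smaller than k_min.
    What remains satisfies k_min-anonymity on quasi_ids; the dropped rows are
    the utility price paid for that guarantee."""
    generalized = [generalize(r) for r in records]
    counts = group_counts(generalized, quasi_ids)
    return [r for r in generalized if counts[_key(r, quasi_ids)] >= k_min]


if __name__ == "__main__":
    print("k on raw release:", k_anonymity(RELEASE, QUASI))
    for subset, uniques in identifying_subsets(RELEASE, QUASI).items():
        print(f"  {'+'.join(subset):<22} uniquely identifies {uniques} of {len(RELEASE)}")
    safe = release(RELEASE, QUASI, k_min=2)
    print("after generalization + suppression:", len(safe), "records, k =",
          k_anonymity(safe, QUASI))
```

On the constructed data, zone alone singles out nobody (every zone has two residents), yet zone combined with age band already isolates half the records, and all three attributes together make every record unique, which is exactly the "any attribute can be identifying in combination" point. Reaching k = 2 costs three of the eight records; a real release would tune the generalization hierarchy rather than accept that loss blindly, but the check itself is what the license and vigilance the author calls for must be built on.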

1 Pascal Verniory expresses his personal point of view in this article. His views do not reflect the position of his employer.
2 The notions of data and information are understood in diametrically opposed ways by computer scientists and jurists: for law practitioners, data represents the gross form (without contextualization or interpretation) of information, while for information theory - and thus for informatics - information is what becomes “given” by being put into context. In this article, the term “data” must be understood in the sense adopted by the law.
3 BOGOST Ian, Home Monitoring Will Soon Monitor You, The Atlantic (Washington), 11.11.2016.
4 MILLS Elinor, Google balances privacy, reach, 14 July 2005, CNET News, https://www.cnet.com/news/google-balances-privacy-reach-1/, accessed on 25 March 2017.
5 GUILLAUD Hubert, Données personnelles : l’impuissance n’est pas le consentement, 11.06.2015, http://www.internetactu.net/2015/06/11/donnees-personnelles-limpuissance-nest-pas-leconsentement/, accessed on 25 March 2017.
6 GUILLAUD Hubert, La valeur sociale de la vie privée, on InternetActu.net, no. 241 (23 October 2009), http://www.internetactu.net/2009/10/21/la-valeur-sociale-de-la-vie-privee
7 SOLOVE Daniel J., The Digital Person: Technology and Privacy in the Information Age, New York University Press, New York 2006; “I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy, in San Diego Law Review, vol. 44 (2007), pp. 745-772; http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565
9 ROUVROY Antoinette, STIEGLER Bernard, Le régime de vérité numérique – De la gouvernementalité algorithmique à un nouvel État de droit, 07.10.2014, in Socio, La nouvelle revue des sciences sociales, 4 | 2015, Dossier : Le tournant numérique… Et après?, pp. 113-140; http://socio.revues.org/1251
10 On this subject, see especially BORTOFT Henri, Prenons l’apparence au sérieux, Triades, 2012
11 SADIN Éric, La Silicolonisation du monde – L’irrésistible expansion du libéralisme numérique, L’Échappée, Paris 2016, pp. 108-109
12 PIRENA Alexis, Et si Google créait sa propre ville avec ses propres règles ?, 06.04.2016, www.numerama.com/tech/161094-et-si-google-creait-sa-propre-ville-avec-ses-propres-regles.html, accessed on 28 March 2017
13 ARENDT Hannah, Le Système totalitaire – Les Origines du totalitarisme, Le Seuil, coll. Points, Paris 2002, p. 190
14 The title of a work by Jean-François Malherbe illustrates this concept well: Subject of life or object of care? (Sujet de vie ou objet de soins? Introduction à la pratique de l’éthique clinique, Éditions Fides, Montréal 2007)
15 VERNIORY Pascal, “Human Sciences” or “Disciplines of the Subject”?, in Human and Social Studies Research and Practices, Iasi (Romania), vol. 2, no. 3 (September 2013), pp. 33-58
16 LACROIX Alexandre, En finir avec le hasard?, in Philosophie Magazine, no. 102 (September 2016)
17 This is also the case for European legislation with the adoption of Regulation 2016/679 of 27 April 2016 (General Data Protection Regulation), which will enter into force in May 2018; it provides that the data subject will be able to ask the data operator not only for the personal data held in his or her file, but also for the algorithms applied to him or her.


Sexual violence: old behaviors in a new digital world – why HR units need to act, and for progressive States like the UK it is the last moment to act!

author: Laurent Chrzanovski

During the past few months, the attention of Europe's best cybersecurity specialists and media has focused on three key points: the consequences and lessons to draw from the WannaCry and GoldenEye ransomware outbreaks, the global "4.0 info-intox war" and its effects on our ecosystems, and, last but not least, the steps needed to achieve compliance with European regulations (GDPR, PSD2) while remaining resilient.


As the above plays out, the protection and awareness of adult human relationships in the "digital variant" of their professional and private lives remains, more than ever, largely undiscussed. In most businesses, institutions and countries, the Human Resource departments, whose principal task is to hire the best candidate for a position and to solve interpersonal conflicts between employees, have failed to give due attention to enforcing common-sense training practices for the digital world. As with many other professional functions that existed prior to the web, HR units have blithely followed the false and very damaging assumption that, with the "2.0" world, everything changed and that indecent or even criminal behaviour conducted digitally and anonymously in the workplace was no longer their prime responsibility. The same applies to most States' law enforcement bodies, whose principal task is to solve crimes suffered by individual citizens. In this field, the number of agents trained to understand the links with the digital transformation of society is extremely small when compared to the training programs for agents who solve physical-world offenses. Yet two sectors of the law enforcement bodies are almost entirely "digitized", thanks to huge human and technological investments: the services in charge of tracking pedophiles and the special e-fraud units.

In this context, reading the brilliantly written and very first exhaustive study on "digital age" sexual violence against women leaves us with a deep sense of bitterness and revolt. Illustrated by hundreds of real cases and their sad corollary of injured and dead people, the research led by Anastasia Powell and Nicola Henry1 offers a pioneering and complete masterpiece. It is based on a very accurate case study, the parallel analysis of two States, the UK and Australia, chosen for the abundance of available (yet almost unexploited) data as well as for their socio-cultural differences. Specific examples from the USA, Canada, New Zealand and other countries complete the frame. The very idea of this choice is to be praised: to observe the realities of an important "Old Europe" country, with a culture and a mentality rooted in an extremely rich governmental, philosophical and juridical past, and to compare them with, on the other side, a "New Country" with its own culture, where the adaptive element is very important and has been shaped to fit, as well as possible, a successful multicultural social "melting pot" that is in constant transformation.

Focus - Cybersecurity Trends

BIO
Laurent Chrzanovski (HDR Postdoc PhD MA BA) is a Professor at the Doctoral and Postdoctoral School of Social Sciences at the University of Sibiu (Romania). Thanks to his work experience in 12 European and South Mediterranean countries, he has since 2010 expanded his fields of research into cybersecurity and its social, behavioral, cultural and geopolitical aspects. As such, he is a member of the ITU (UN-Geneva) cybersecurity expert group and a contract consultant for the same institution, as well as for several Swiss and French think-tanks (PPP). He founded in 2013, and continues to run, "Cybersecurity in Romania", a macro-regional public-private platform (www.cybersecurityromania.ro), supported by the ITU, all related public institutions in the host country, as well as many other specialist organizations from France, Switzerland, Italy and the United Kingdom. In the same spirit, he co-founded in 2015, and is editor-in-chief of, one of the very few free quarterly cyber-prevention journals (a PPP) designed for the general public. Originally intended for Romanian audiences, Cybersecurity Trends is today published, with the collaboration of prestigious specialist partners, in multiple languages adapted to French, Italian, English (as of June 2017) and German (as of September 2017) audiences (https://issuu.com/cybersecuritytrends). It should be noted that the Congress and the magazine have been promoted and supported by the ITU since 2015 as the "Best Practice Example for the European Continent". Laurent Chrzanovski is the author/editor of 23 books, of more than 100 scientific articles and of as many other texts intended for the general public.

A key point that should be understood by any social work, law enforcement or HR professional is made strongly from the beginning: the digital tools did not give birth to, or dramatically change, the nature of crimes and offenses of a sexual character. The main difference from the pre-web era is that the new technologies both facilitate aggressions and amplify their diffusion. Another direct consequence (and challenge) of digital communications is that self-blaming behavior among victims has grown dramatically. A decade ago, in a purely physical world, only a small number of women had the courage to complain to State authorities. In the digital world of assaults and crimes, victims are even less likely to walk into a police station, strongly (and wrongly) believing that they bear a share of the responsibility. The research also identified the most important behavioral changes in this new world of harassment. Today, workplace digital sexual violence against women has reached, in Australia, the UK and the USA, the same share of reported cases as physical domestic/family violence (between 6% and 8% of cases) (p. 249). This share is small when compared to the digital violence committed by anonymous persons (between 27% and 38% of cases) or by friends/acquaintances (between 18% and 26% of cases). But all these numbers are worrying. This digital nature of violence is more than worrying for States and private companies. The research found that workplace crimes and those linked to known friends/acquaintances dramatically increased compared with the pre-digital age, when domestic abuse and crimes committed by total strangers were largely predominant. The "4.0" anonymity on offer, and the relative difficulty of preventing the physical phase of a crime that begins in the digital world, naturally give free rein to the lowest instincts, both of co-workers and of known people, as the "physical barrier" disappears behind web interfaces. Another problem highlighted and discovered in the study, showing the transfer of crime from the physical to the digital world, is the persistent socio-professional inequality between men and women. This fact should really "shake" decision-makers, as the Scandinavian and the Anglo-Saxon world, often given as an example of gender equality promotion, is in fact among the most violent in the EU: in the name of freedom of expression, equality promotion messages are literally sunk under hundreds of messages, blogs and websites promoting "gender hate".
Even worse is the analysis of Australia. This country has regularly been awarded pioneer status in best practices to fight bullying, sexting or grooming, with excellent prevention tools and institutions dedicated to minors (children and teens) in existence for many decades. Europe should take this study as a reference for learning the "toxicity" of the worldwide decision to create two different "niches": minors and adults. This giant mistake, often justified by electoral reasons and short-term views, meant that huge human and technical means have been, as in Australia, massively deployed to protect minors, abandoning adults to some poorly funded NGOs. As a matter of fact, all research known to us has found that more than 80% of the problems and crimes faced by minors are the same as, or have a direct parallel in, the adult world. Moreover, the adult world is far more complex and less structured than that of minors, meaning that now we have to undertake, almost from ground zero, an awareness education which should have been launched decades ago, in tandem with the prevention campaigns for minors.

The authors' conclusion gives us as many fears as it proposes useful solutions: "Communication technologies give us a frightening glimpse into the deeply embedded racial, gendered, class and sexual prejudices that continue to permeate the collective consciousness; paradoxically they also offer a provocative assortment of tools and platforms for facilitating vigilantism, activism and informal justice." (p. 290).

Coming now to the UK, we observe that immediate action is needed. Contrary to Poland and Mediterranean Europe, which have the lowest sex crime rates (an analysis made on the quantitative basis of hospitalized or dead victims relative to each country's population, and not on the old basis of filed legal complaints2), the UK situation is terrifying, the country being ranked the 5th most "sexually violent" (equal with France) after Denmark, Finland, Sweden and the Netherlands. This confirms the 2014 data analysis made by the European Union Agency for Fundamental Rights on a reliable sample of 42,000 women3. What a blast and wake-up call for the popular belief about the most "dangerous countries"! Every citizen should know that the gender and ethnic tolerance and acceptance we witness, for instance in London or Amsterdam, is turning into a nightmare of hidden collateral violence.

There is hence a huge and immediate need, as underlined by the study, for real, concrete and coordinated action led by State authorities, hand in hand with business sector leaders. Anastasia Powell and Nicola Henry's analysis proves that the means to act against a possible worsening of the situation can be found... in the very same digital media. They show how useful programs such as "digital justice" or "justice through recognition" could work. These concepts aim to illustrate and educate, combining prevention texts, support and, above all, a wide collection of real examples from victims. If NGOs, the private sector and the State help to spread the news, a simple "survivor selfie" provided by a victim can quickly go viral and reach an enormous proportion of the population, shocking citizens into the curiosity to understand better what this criminal phenomenon is. The academic system also has to make huge improvements, accepting to reform itself quickly in order to offer Human Resource specialists new capabilities fitting the newest online technologies, thus helping to prevent damage to any company's human ecosystem4.

The Rutgers University program manifesto

As some very advanced corporations show in their latest human strategies, businesses could even turn this new way of helping and protecting all their teams into a business and image competitive advantage. If, in a company, the HR department were to work in close partnership with the infosec department (the CISO's and CSO's teams), which already uses the same internet tools to spot and prevent the exploitation of employees' weaknesses through social engineering, this becomes an easy task to achieve. Even if, out of modesty, the authors repeat from the first to the last page that their research is merely a "technofeminist and criminological framework", the work's methodology, the pertinence of the analysis and, last but not least, the exhaustive way it examines a precise yet extremely complex phenomenon such as sexual violence against women make it a real masterpiece. This study should be read by every professional dealing with a large team and/or in charge of the wellness and the smooth socio-professional interaction of each employee. It should become core reading for Human Resource professionals and part of the business studies programs taught in universities. This work, together with many others, shows again that, alas, the physical, concrete phase of violence against women (as is the case for suicide or jihadism) has a very long digital past, which has not only a monstrous effect on the victim but also a very deplorable influence on the whole human ecosystem where the victim (and maybe the aggressor too) works and lives.

1 Anastasia Powell, Nicola Henry, Sexual Violence in a Digital Age (Palgrave Studies in Cybercrime and Cybersecurity), Melbourne 2017 (323 pp.)
2 Ongoing, not yet published research by European think tanks. We wish to thank our interlocutors in the French law enforcement agencies for this information.
3 http://fra.europa.eu/en/publications-and-resources/data-and-maps/survey-data-explorer-violence-against-women-survey
4 In this sense, among the few successful and implemented cases, see the pioneering and transdisciplinary project of Rutgers University (NJ, USA): http://endsexualviolence.rutgers.edu/


Insider threats: Misunderstandings and Challenges. Always underestimated, under-reported and ignored.

author: Vassilis Manoussos

Data breaches in the news

Data breaches, cyber attacks, state-sponsored cyber interference and the threat of a cyber war are now a constant theme in all mainstream media. People hear and read more and more about it; but what do they actually learn?

BIO
Vassilis Manoussos is a Digital Forensics Consultant, owner of Strathclyde Forensics, and an Advisor to The Security Circle in Glasgow. At the same time he is an Associate with Edinburgh Napier University and The Cyber Academy. He has vast experience in digital forensic investigations, auditing police reports and providing cyber security advice. He is a regular speaker at international conferences, symposia and UK universities. Mr Manoussos can be contacted at vassilis@ForensicsExperts.co.uk


The cases that make the news are always the big breaches, the ones the size of TalkTalk, Sony and Yahoo. It is the big numbers that attract attention, as one would expect from media reporting. However, these cases are the tip of the iceberg. They are the cases that are too big to hide, often too big to manage and contain immediately. They are the ones that shock us by the mere size of their numbers. Yahoo had 1 billion email accounts compromised. TalkTalk had 157,000 users' personal details, and some of their banking details, lost. BUPA (part of the healthcare industry, the biggest source of data breaches in the world) lost 500,000 records. The NHS, universities, Tesco Bank and Three Mobile are just a few more examples. The problem, however, is that these are colossal businesses that operate in highly regulated environments (i.e. telecoms, banking and healthcare) where even existing data protection laws and other regulatory statutes demand the publication of breaches and the notification of those affected. These numbers do not take into consideration the smallest cases of data breaches, leaks and hacks. The truth is that big companies will always be big targets. But small businesses may not necessarily be. Small businesses have a tendency to lose their own data, because they have no basic security processes in place, nor any training of their staff. SMEs and micro-businesses often do not know where their data is stored, and most of the time they will not become aware of a breach or leak until they are directly affected (i.e. when someone uses inside information to extract money from the business, usually by means of phishing or other forms of social engineering). Quite often, SMEs lose their data through a third party: a vendor, a client, or even a government agency. Data breaches may range from the very simple to the most critical. In its simplest form, a breach could be the skimming of email addresses from address books.
I have a number of business accounts I use for different purposes. One that was used to communicate with clients and potential clients ended up receiving an increasing amount of spam. I know that I had not registered this email with any website, and I know my firewalls and security software are in place. In fact, more than 30 other email accounts I have set up on my domain names received no spam at all. The one that was flooded with spam was found on the computers of individuals with little or no web security installed. As a result, my email address ended up in numerous spam lists, shared around the world. At some point, even my spam filters could not cope, so I discontinued that account and opened another one. This is the kind of indirect leak that individuals and businesses suffer way too often. This was obviously at the lowest end of the spectrum, and it became an annoyance rather than a risk for me. But in the same way, the contaminated device of a contractor or consultant may end up leaking more sensitive information, which can lead to direct financial losses.

What the numbers reveal

Statistics on data breaches vary from source to source, but the trends seem to be consistent. Healthcare and government are the two major sources of leaks and subjects of breaches. According to Gemalto and their Breach Level Index1 website, in 2016 a record 1,378,509,261 records2 were compromised in 1,792 breaches. One good sign was that the 4.2% of leaked records that were encrypted were of practically no value to their new holders. The bad news is that only 4.2% of the leaked records were encrypted. Another disturbing statistic is that in 52.2% of the breaches the number of compromised records is classified as "unknown", so the real total is higher still.

Graph 1. Data breaches by source (source: breachlevelindex.com)

When it comes to large organisations, the risk is often from outside their security perimeter. As we can see in Graph 1, a bit more than two thirds of the breaches are orchestrated from the outside3. However, a significant 28% is attributed to insiders and accidental loss. Together, these two sources make up the insider threat for every business.

Graph 2. Data breaches by type (source: breachlevelindex.com)

The majority of the data breaches result in identity theft, the most severe risk to organisations and their clients. It is no surprise that the records of healthcare organisations and businesses are the primary target for cyber criminals.

The threat from within

With an estimated 28% of leaks and breaches coming from within affected organisations, it makes sense for businesses and their CISOs to start their defences by reducing this segment of the threat. According to Info Security Magazine, an estimated 63% of businesses have been affected by an "old school" data leak: the printer. It is estimated that somewhere between 10% and 18% of inside leaks are the result of printed documents leaving the business premises in the hands of an employee or a contractor. The risk extends to documents supplied to statutory organisations (i.e. tax authorities, local government, environmental authorities) that did not properly shred or destroy the documents they received. This percentage is large in itself, considering that it occurs in corporate environments with networked printers that require a user login to print, thus creating a traceable record of activity. In smaller business environments, where a shared printer does not require login credentials for a user to pick up the hard copy, the only way to investigate a suspected breach-by-printing is a systematic (and often disruptive and expensive) digital forensics investigation. This puts small businesses at the forefront of leak-by-printing.
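The paragraph above notes that login-gated networked printers leave a traceable record. The following is an added example, not from the article nor from any tool it mentions, of what a first pass over such a record looks like: it parses lines laid out like the default CUPS page_log format (one line per printed page, carrying user, timestamp, number of copies, originating host and job name), totals pages per user per day, and flags after-hours jobs and unusually large daily volumes. The sample log lines, the 200-page daily limit and the 07:00-19:00 business window are constructed assumptions; a real deployment would tune them against its own baseline, and a flag is the start of an HR/infosec conversation, not proof of a leak.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the CUPS page_log default format:
# printer user job-id [date-time] page-number num-copies job-billing host "job-name" media sides
# Not real log data; hostnames and document names are invented.
SAMPLE_PAGE_LOG = """\
HP_Floor2 alice 101 [06/Jun/2017:09:14:02 +0100] 1 1 - ws-alice "Q2 report.docx" A4 one-sided
HP_Floor2 alice 101 [06/Jun/2017:09:14:03 +0100] 2 1 - ws-alice "Q2 report.docx" A4 one-sided
HP_Floor2 bob 102 [06/Jun/2017:22:41:10 +0100] 1 1 - ws-bob "customer_list.xlsx" A4 one-sided
HP_Floor2 carol 103 [06/Jun/2017:17:05:44 +0100] 1 70 - ws-carol "price_book.pdf" A4 two-sided
HP_Floor2 carol 103 [06/Jun/2017:17:05:45 +0100] 2 70 - ws-carol "price_book.pdf" A4 two-sided
HP_Floor2 carol 103 [06/Jun/2017:17:05:46 +0100] 3 70 - ws-carol "price_book.pdf" A4 two-sided
HP_Floor2 dave 104 [06/Jun/2017:11:30:00 +0100] 1 1 - ws-dave "lunch menu.pdf" A4 one-sided
this line is truncated and must be skipped by the parser
"""

PAGE_LOG_RE = re.compile(
    r'^(?P<printer>\S+) (?P<user>\S+) (?P<job>\d+) \[(?P<ts>[^\]]+)\] '
    r'(?P<page>\d+) (?P<copies>\d+) (?P<billing>\S+) (?P<host>\S+) '
    r'"(?P<name>[^"]*)" (?P<media>\S+) (?P<sides>\S+)$'
)


def parse_page_log(text):
    """Return one event dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PAGE_LOG_RE.match(line.strip())
        if not m:
            continue  # a real tool would count these; here we just skip them
        d = m.groupdict()
        events.append({
            "printer": d["printer"],
            "user": d["user"],
            "job": int(d["job"]),
            "when": datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            # CUPS writes one line per page of the document; num-copies
            # multiplies the physical sheets that left the printer.
            "pages": int(d["copies"]),
            "host": d["host"],
            "name": d["name"],
        })
    return events


def find_suspicious(events, max_pages_per_day=200, business_hours=(7, 19)):
    """Map user -> sorted list of (day, reason) findings.

    Two heuristics: a daily page total above max_pages_per_day, and any
    page printed outside business_hours (start inclusive, end exclusive).
    Both thresholds are assumptions to be tuned against a real baseline.
    """
    per_day = defaultdict(int)
    findings = defaultdict(set)
    start, end = business_hours
    for e in events:
        day = e["when"].date().isoformat()
        per_day[(e["user"], day)] += e["pages"]
        if not start <= e["when"].hour < end:
            findings[e["user"]].add(
                (day, "after-hours print of %r from %s" % (e["name"], e["host"])))
    for (user, day), pages in per_day.items():
        if pages > max_pages_per_day:
            findings[user].add(
                (day, "%d pages in one day (limit %d)" % (pages, max_pages_per_day)))
    return {user: sorted(reasons) for user, reasons in findings.items()}


if __name__ == "__main__":
    for user, reasons in sorted(find_suspicious(parse_page_log(SAMPLE_PAGE_LOG)).items()):
        for day, reason in reasons:
            print("%s %s: %s" % (day, user, reason))
```

On the constructed sample, alice and dave print normally, bob is flagged for a late-evening job and carol for 210 sheets of a price book in one afternoon. Printers without per-user login produce no such record, which is the article's point about small businesses: there is nothing to run this over.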

Does size matter?

Although the answer to this question is often yes, when it comes to data security the answer is definitely NO! It does not matter how small or big an organisation is: its digital assets are valuable to all its stakeholders. The majority of small and family businesses do not have systematic security in place to protect their digital assets. They believe that a breach will not happen to them, as they are not an important financial or industrial target. The truth, however, is that small businesses suffer more and more every day from different types of cybercrime, caused by leaks or by disloyal employees. It was in June 2013 that the leak of NSA documents by Edward Snowden made the news. Snowden bypassed antiquated security protocols and used his highly privileged access to copy classified US government documents onto a flash drive. Working from Honolulu, several time zones away from the NSA's Fort Meade server farms, he breached US security by following a few simple steps. And the question for small businesses is now simple: if the NSA can be compromised by an employee... what do you think will happen to you?

The real threat...

Experience has shown that in the case of small businesses, which do not warrant a full-scale cyber attack, the threat is either an insider or someone from the outside using social engineering. The majority of my recent business cases had to do with people being tricked into paying invoices after "new banking details" were provided, usually by email. This kind of threat can be traced to insiders and outsiders at the same time. The inside threat is obvious: an employee who wants to make quick money, or a disloyal or disgruntled employee. There is, however, another semi-inside threat: the IT guys. Many businesses, when they grow and need a network installed, opt for having an IT company run their infrastructure. This is fine, and obviously legitimate and reputable businesses can be trusted. However, things may go wrong on their side that will affect their clients. In a recent investigation, an IT support company in Glasgow had a few of their staff leave, but nobody bothered to change the login credentials to their clients' servers to prevent these people from retaining access. Although this was not intentional, it was gross misconduct on their part.
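The investigation described above found access that survived staff departures. As an added example that is not from the article, the script below does the offboarding check an IT provider in that position would want: it parses the authorized_keys files it manages on client servers, attributes each key to a staff member through the usual user@host comment convention, and lists keys whose owner has left (revoke) or that cannot be attributed at all (shared or orphaned: rotate). The roster, server names and key material are constructed; the option-field handling assumes options without embedded spaces, which is a simplification of what sshd accepts. Passwords shared with clients need the same treatment but cannot be enumerated from a file, so the example covers SSH keys only.

```python
from datetime import date

# Constructed inputs, not real staff or keys. The roster maps each staff
# member of the (hypothetical) IT support company to a leaving date, or
# None while still employed.
ROSTER = {"alice": None, "bob": date(2017, 3, 31), "carol": None}

# Per client server, the contents of the authorized_keys file the provider
# manages. Key material is a placeholder; comments follow user@host.
AUTHORIZED_KEYS = {
    "client-a-db01": """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0001 alice@msp-laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0002 bob@msp-laptop
""",
    "client-b-web01": """\
# keys for the managed-service provider
from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEXAMPLEKEY0003 bob@msp-laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEXAMPLEKEY0004 support-shared
""",
}

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_authorized_keys(text):
    """Return [(options, keytype, comment), ...] for each key line.

    Blank lines and '#' comments are skipped. A leading options field
    (e.g. from="...") is recognised only when it contains no spaces; that
    is an assumption of this example, not a rule of sshd.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        options = ""
        if fields[0] not in KEY_TYPES:
            options, fields = fields[0], fields[1:]
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            continue  # not a key line this parser understands
        entries.append((options, fields[0], " ".join(fields[2:])))
    return entries


def owner_of(comment, roster):
    """Resolve a user@host comment to a roster name, or None if unattributable."""
    user = comment.split("@", 1)[0].strip()
    return user if user in roster else None


def stale_access(roster, keys_by_server, today):
    """Return {server: [(comment, action), ...]} for keys to revoke or rotate."""
    findings = {}
    for server, text in keys_by_server.items():
        actions = []
        for _options, _keytype, comment in parse_authorized_keys(text):
            owner = owner_of(comment, roster)
            if owner is None:
                actions.append((comment, "no identifiable owner: shared or orphaned key, rotate"))
            elif roster[owner] is not None and roster[owner] <= today:
                actions.append((comment, "owner left on %s, revoke" % roster[owner].isoformat()))
        if actions:
            findings[server] = actions
    return findings


if __name__ == "__main__":
    for server, actions in sorted(stale_access(ROSTER, AUTHORIZED_KEYS, date.today()).items()):
        for comment, action in actions:
            print("%s: %s -> %s" % (server, comment, action))
```

Run against the constructed data with a date after bob's departure, the check lists his key on both client servers for revocation and the unattributable support-shared key for rotation. The unattributable case matters as much as the leaver case: a key nobody owns is one every former employee may still hold.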

It was an accident...

Accidents do happen, but it is important that we are prepared to deal with them. The biggest problem in the use of computers and the internet is that anyone is allowed in. One would expect that a professional (i.e. a doctor or a lawyer) would know what they are doing. Right? Well... no. The majority of legal professionals, for example, have no training in using computers or the cloud, or in how to ensure that their computer is secure. They may have some training in using a specific piece of software (i.e. case management), and practical experience in writing documents in Microsoft Word and emailing them. But that does not mean that they have any idea of how computers, Word files or emails work. And here is the problem. You would not let someone without training operate on you, but you trust a professional with zero training to manage sensitive personal data about you, your family or your business. On 16 March this year, the ICO (Information Commissioner's Office) in the UK fined a barrister £1,0004 for leaking sensitive documents. The barrister worked on sensitive client documents from home. She used a shared computer (also used by her husband) and she failed to encrypt the documents according to current guidelines. There was no evidence that her husband was reading her documents. However, one day he decided to perform a software upgrade. He thought it would be sensible to back up all his wife's documents to the cloud, on a service that, it turned out, kept the documents available for indexing by search engines and for password-free access. Of the 725 documents that were uploaded, only 15 were indexed and cached, but 6 of them contained highly sensitive information pertaining to Court of Protection and Family Court proceedings. The leak of just 6 documents directly and indirectly affected approximately 200-250 people, including children and vulnerable adults. The leak was indeed a mistake, and no one suggested that it was done intentionally, hence the very small fine. However, the lawyer should have known better. There were already guidelines in place, both from the Bar and from her Chambers, and she ignored them.

GDPR is coming...

The new EU General Data Protection Regulation (GDPR) is on its way, with less than a year left to meet the deadline for its implementation. Recent research (mainly through Freedom of Information requests) has shown that a significant number of businesses and government organisations are not on course to meet the deadline. According to the Law Society (England), only 54% of businesses believe they will be ready, meaning that about half do not believe they will make the deadline. At the same time, 24% of businesses have not even started planning. Things are even more worrying when it comes to local government, however. According to the ICO5:

Graph 3. ICO on Local Government & GDPR (source: iconewsblog.org.uk)

The findings6 on the preparedness of the councils are worrying. They handle a huge amount of personal data on everyone who lives, works or owns property or a business in their jurisdiction. GDPR is going to be a one-stop shop for business data privacy and safety, with its major new characteristic being "privacy by design". Businesses need to take steps to ensure that they have done all that is proportionately possible to ensure the integrity of the personal data they hold, its fair use and its disposal when necessary. In other words, they need to learn to do their due diligence. The new legislation provides for hefty fines, and industry experts speculate that the first big organisations to fail to comply may be made examples of by receiving the maximum (or close to maximum) penalties. However, having done due diligence, and having processes in place, regular audits and cyber-insurance, is bound to reduce the liability of offending organisations.

Epilogue

Businesses need to understand that their digital assets and the sensitive data they hold are important not only to their business operations. They are important to all the stakeholders they are associated with, and to those who will be affected should any of that sensitive data be made public. Businesses need to get away from the mentality of "it will not happen to me" or "we are too small a business for someone to bother with us". It has happened to organisations of every size, from sole proprietors and practitioners to charities and multinationals. Businesses need to start planning for cyber security and for compliance with GDPR. These are not two isolated tasks. They are directly related, and if done properly at the same time, the end result will be more effective, more functional and will add more value to the business. Some of the issues that need to be in the focus of all businesses and organisations are:

- Investment in basic cyber security software (anti-malware and firewalls)
- Investment (where relevant) in Data Loss Prevention and Data Loss Detection software
- Investment in training of all staff on basic data safety principles and processes
- Data security and privacy by design
- Regular audits of IT policies, software and hardware compliance
- Preparation for GDPR compliance
- Preparation of an Incident Response Plan
- Preparation of a Disaster Recovery Plan
- Regular training and attack simulations for the response team
- Design of a damage control plan (with a lawyer and/or PR)
- Retainer of a digital forensics firm or practitioner to investigate any incident as soon as it is discovered

Prevention is always cheaper than cleaning up a mess.

1 http://breachlevelindex.com
2 http://breachlevelindex.com/assets/Breach-Level-Index-Report-2016-Gemalto.pdf
3 http://breachlevelindex.com/assets/Breach-Level-Index-Infographic-2016-Gemalto-1500.jpg
4 https://ico.org.uk/media/action-weve-taken/mpns/2013678/mpn-databreach-barrister-20170316.pdf
5 https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/03/ico-survey-shows-many-councils-have-work-to-do-to-prepare-for-new-data-protection-law/
6 https://iconewsblog.org.uk/2017/03/20/information-governance-survey/

Be prepared for 25th May 2018 – get a GDPR Readiness Review Apply for a GDPR status review based on the context of your own organisation to understand how prepared you already are for GDPR. The review takes into account both processes and technology, and if they are private and secure by design. The review also identifies shortfalls in existing documentation. The Action Plan delivered in your report includes staff training, insurance, breach reporting, disaster recovery and much more that needs to be borne in mind. Your Readiness Report summarises GDPR, the context for your organisation, your own Action Plan, your milestones, available support & Appendices re GDPR relevance to you. As a business leader, you need to understand how GDPR will impact your organisation, including what preparations are required to align your processes to comply with GDPR.

For further information contact Mark Sipe: mark.sipe@icyber-security.com / +44 7712 272844.



VIP Interview - Cybersecurity Trends

Challenges and threats in cybersecurity seen from a top risk manager's point of view

VIP Interview with Jean-Luc HABERMACHER

author: Laurent Chrzanovski
Translated from the original article in French

Jean-Luc Habermacher

BIO
Founder and President of Energy Valley, the first European cluster of power energy industries, Jean-Luc is an expert risk manager with experience in several major companies (CEGELEC, ALSTOM, CONVERTEAM, GENERAL ELECTRIC). He is Regional Vice-President of the Franche-Comté Auditors' Association of the Institute of Higher Studies of National Defense (IHEDN), Professor at the University of Bourgogne-Franche-Comté (France) and Lieutenant-Colonel of the French Gendarmerie (RC). He is also project manager for the deployment of business intelligence for several private companies.

Laurent Chrzanovski: Tell us more about your professional role.

Jean-Luc Habermacher: As an executive member of major international industrial groups for more than 30 years, I have worked in many different positions and at many levels, mainly assuming the role of Risk Manager and Chief Security Officer. Trained at the Institute of Higher Studies of National Defense (IHEDN), I also had to direct the development of all economic intelligence projects and drive through the actions developed by the groups I worked for. Now I help businesses with risk prevention and cyber-risk resilience as part of my mission as Lieutenant-Colonel (RC) of the French Gendarmerie. Conscious of the need to create a real culture of risk management in every business, I also teach in several universities as Professor and as a member of the National Association for Insurance and Risk Management for Business. I am also active in different national think tanks dedicated to various aspects of security. Ten years ago, I created the first French cluster of power energy industries, under the brand "Energy Valley", which I continue to preside over. The cluster aims to promote, develop and keep in France innovative industries operating within the energy sector. I have also served five years as a Deputy in the National Parliament, a function which allowed me, and still allows me, to work with the highest State authorities when security legislation is on the agenda.

Laurent Chrzanovski: How did you come to find such an interest in cybersecurity?

Jean-Luc Habermacher: For many years, during the diverse activities I led within companies and economic sectors, with my risk manager, educational and cultural background, I focused on trying to understand how those businesses analyzed their risks and their exposures within the frame of a global vision. Very quickly, I realized that the digitization of the technologies within a company was not treated with the "cyber-risk" perception at its real heart.
During talks with several private decision-makers, even without being systematically “paranoid”, when it came to their perception of their company exposure to different risks, I saw how the digital component


was analyzed only through a technological point of view, without understanding its global economic whereabouts. There was in my opinion, a real denial of taking into account the economic risks directly linked to the industrial digitization. My Economic Intelligence training helped me realize the absolute necessity to question the economic sector and to make it aware of this important loophole within the risk analysis of a company. Laurent Chrzanovski: Which aspects of the “cyber world” worry you today? Jean-Luc Habermacher: The technological dependency of the companies to the IT tools and systems is so high, that an inaccurate analysis of their exposure to threats can be deadly to a firm. For too many years, decision-makers have focused on data losses and developed backup strategies, which multiplied the interconnection between tools and systems.

To summarize, “industry 4.0” is far from being sufficiently analyzed with regard to the vulnerability of the machines and all the systems connected to them. Recent examples of cyberattacks give a clear understanding of the enormous breaches existing in the production and supervision tools. Today, a major part of the global architectures of the connected systems within companies has to be re-thought and recreated. The geo-strategic challenges targeting the economy are also a topic not understood by most small and medium enterprises, given that it is obvious some “superior interests” lie behind many of the cyberattacks targeting economic networks and companies. Cyberattacks reflect a modern version of the economic war that is, and always will be, waged by the major powers, whether State or private actors. Within this framework, the interconnection of tools and systems leads to an interdependence which opens many doors to very grave vulnerabilities. It has to be added that the dominant technology positions of some actors are creating, slowly but surely, schemes of structural dependency which may be extremely dangerous. We are already in a “3rd world war” and the economic stakes are predominantly geopolitical; it would be irresponsible not to understand this approach.

Laurent Chrzanovski: How do you evaluate the awareness level within the companies you worked / work for?

Jean-Luc Habermacher: For many years, the big industrial groups have built their information systems to withstand targeted destabilization attacks, with complex securing processes in place. Yet the platforms and connectivity of the production tools were often missing from the risk analysis and therefore from the measures taken. Recent events highlight these additional vulnerability points. Securing the ties with the outsourced companies responsible for the maintenance of the tools is also neglected. This introduces weakly secured entry points for criminals. Nevertheless, the security policies of the big companies have been upgraded significantly during the last few years, hunting down even the risky behaviors of employees. PCs, laptops and connected devices are also included in very strict schemes and systematically checked. In my opinion, the externalized data centers used by several companies remain, today, real weak points. I wouldn’t be surprised if we find out that attacks or data leaks / thefts have succeeded through those centers’ vulnerabilities.

Laurent Chrzanovski: How are the “Energy Valley” companies prepared?

Jean-Luc Habermacher: The “Energy Valley” cluster brings together CEOs and actors of the French energy sector. As President, I lead actions to make them sensitive to the new threats and ensure that all members are correctly informed on the newest risks they could face in their activities. Digital technologies are now sensitive for the whole production chain of the physical elements, but also for the creators of the control and command systems which supervise the energy production and distribution units. The consequences of threats are hence very different for these two categories of work.



Cybersecurity Trends - VIP Interview

The real understanding of the vulnerabilities of the “Connected plant” is something very new in the world of the CEOs of small and medium enterprises. It is in this domain that we have to focus and deploy training and, if needed, assistance, to help those companies pass global standard audits.

The very delicate sector of driving all energy systems (production, exploitation and distribution) is also a major work field for us. On this point, it is obvious that the biggest risks are located on the platforms and software managing all the real tools, two elements which have proved to be insufficiently secured these days. We then have to work in coordination with the firms which build and develop operating systems in order to integrate the necessary protections correctly and to set controllable intervention processes, this last point meaning, basically, changing the very culture of the different actors. It is very important to spread messages in this sense, and to multiply them through dedicated journals with the help of the Chambers of Commerce & Industry, the Industrial Committees, the professional syndicates and associations and so on. We also have to implement specific training on the analysis and management of cyber risks within the Universities and the Engineering / IT High Schools, as our companies also need this support. In addition, we work in a tight relationship with the State services (Police and Gendarmerie) which help us to send alerts to our members and can, if needed, assist them during their administrative processes in case of an attack.

Laurent Chrzanovski: Which security aspects of the cyber world do you consider particularly underestimated compared with physical behaviors?

Jean-Luc Habermacher: As I said before, the connectivity of systems, whether internal or external to the company, has become a vital necessity we have to live with. Technological barriers are extremely difficult to implement. Even more, by nature, humans will try their best to bypass them.


The multiplication of the data collected in the immediate vicinity of individuals, and the analyses which can be obtained by cross-referencing them, are perceived as enormous economic challenges for the near future. In this sense, a huge number of actors are already collecting direct and indirect data on a large scale. We observe the implementation of a multitude of applications which, in a devious way, are collecting and transferring individual and collective data. That data, if it escapes, could be used against us. The wish to associate ICT with so many daily activities should only be followed after a real, conscious review of the technical dependences it generates, as well as of the socio-behavioral consequences it creates.

Laurent Chrzanovski: Who should assume the digital defense culture in companies, and in what form?

Jean-Luc Habermacher: Nowadays, cyber-defense strategy is usually handled by an IT supervisor, which implies a very “technical” approach and culture. But as the challenges are becoming more and more economic, companies must be able to analyze their vulnerabilities in this field. Technology, or digital tools to be more precise, are only vectors or weapons of the attacks used against the company; it is hence mandatory to have a vision with a real 360° analysis.

Jean-Luc Habermacher and the French Delegation at the Cybersecurity Romania congress

We have to develop a different risk culture, starting by identifying the reasons for the possible attacks, then trying to anticipate the mechanisms which could be used against the company, and, last but not least, understanding the consequences the company would face in all the different scenarios. In this context, I am not sure that the profile of “Information Systems Specialist” is the best to lead this reflection and to develop the risk culture within the company. The decision makers (CEOs, Board) have to be informed of, and interested in, the strategic vulnerabilities their company could be exposed to, and be conscious that the answers in terms of resilience are not just technological. The human, cultural, socio-behavioral and even geopolitical components have to be taken into consideration alongside the technological ones. The implementation of risk tools will help integrate this dimension. It is obvious that material damages should be covered, but it is essential to forecast the cover and the management of immaterial damages. The risk manager profile will therefore have to incorporate all the knowledge related to those potential problems.

Laurent Chrzanovski: In your opinion, why did Europe ignore for so long our transition to the digital world and its security challenges, in comparison with the major world powers?

The EU Commission “Berlaymont” building © EU Parliament Magazine

Jean-Luc Habermacher: I don’t know if Europe really ignored the security challenges linked to the digital transformation, but what is sure is that the development of new technologies has not always been perceived within the frame of a global analysis. The immediate interest of some tools or applications has somehow hidden the indirect medium- and long-term consequences they could generate. On the other hand, we may not have been able to anticipate sufficiently the consequences of the technological dependences when they started to be implemented by the major players in the fields of software, networks, digital information management etc. Economic convergence has also been insufficiently understood to allow preparation of an answer to the technological dependences it was creating. International legal frameworks are also rarely adapted to allow critical situations to be avoided, while the single States’ economic interests continue to prevail over the collective European interest. Europe is like a big house where each of the tenants would like to use and manage everything according to his/her own interests, such as the opening of the doors and windows, the power grid or the heating. The community interest ends at each apartment’s door. Hence proposing or imposing community rules means imposing one’s own constraints on self-development. Consensus being the EU governance rule, the acts and decisions taken are, and will always be, as basic as possible. Some projects, like GALILEO, achieve some technological independence, but as we have seen, their real implementation is very complicated and, above all, very long. The evolution of technologies and digital structures needs very short reaction times, which are alas too often incompatible with the red tape of the administrative governance of the European Institutions.

Laurent Chrzanovski: Is it still possible, in a continent without any open war since 1945, to recreate a vigilant mentality without being nicknamed “warmonger” or “big brother”?

Jean-Luc Habermacher: The terrorist actions which have hit several European countries since 2001 have reactivated a certain vigilant spirit and also tend to reactivate a social conscience. Alas, cyberattacks do not have the same visibility that the street attacks have had, even if in some way their consequences can be similar in terms of economic and social impact. The technological supports used by the cyberattackers are both individual and collective, and human behavior has become a transmission vector of those weapons. Trying to regulate some practices will lead us to a collision with individual behaviors, and we will need to talk seriously about the notions of freedom and of interference. The race for digital technologies and the multiplicity of the applications and services favored by a vast majority of the population is making any regulation very difficult. The politicians’ awareness itself is not mature enough for them to be influence makers in generating real collective and social vigilance measures. The legal framework itself should be upgraded to allow much larger investigation actions than now and to take more severe sanctions. But to implement such rules there is an enormous amount of work to be done in explaining to citizens that their security may pass through some restrictions on their “individual liberties”.

Laurent Chrzanovski: Why are we so resistant to good practices when they exist among our neighbors, and why do we try to reinvent the wheel in each country?

Jean-Luc Habermacher: I think that in the minds of many of us, and mainly of our rulers, there is a strong wish to systematically personalize any action or process. If we speak of adopting a “good practice”, there will always be a pretext to try to personalize it (for instance, to adapt it better to our context), as the nationalist spirit is still very present among our politicians. Syndicates or professional associations in the cyber-risk / cybersecurity expertise domains are almost nonexistent and hence cannot play any role in influencing actions at a European level. There is, in this field, a real action plan to be thought through. Professional bodies should be created, ensuring that the representatives of the different competency domains in those fields work in a transversal way to promote the targeted outputs and capitalize on them.



Cybersecurity Trends - Useful Tips

The National Cyber Security Centre (NCSC) (www.ncsc.gov.uk) Incident advice and guidance

The National Cyber Security Centre (NCSC) is the UK’s authority on cyber security. It is part of GCHQ. The NCSC brings together and replaces CESG (the information security arm of GCHQ), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related responsibilities of the Centre for the Protection of National Infrastructure (CPNI). The NCSC’s main purpose is to reduce the cyber security risk to the UK by improving its cyber security and cyber resilience. It works together with UK organisations, businesses and individuals to provide authoritative and coherent cyber security advice and cyber incident management. This is underpinned by world class research and innovation.

What is a cyber security incident? The UK NCSC defines a cyber security incident as:
- A breach of a system’s security policy in order to affect its integrity or availability
- The unauthorised access or attempted access to a system

Activities commonly recognised as security policy breaches are:
- attempts to gain unauthorised access to a system and/or to data
- the unauthorised use of systems and/or data
- modification of a system’s firmware, software or hardware without the system-owner’s consent
- malicious disruption and/or denial of service

The NCSC defines a significant cyber security incident as one which may have:
- impact on the UK’s national security or economic wellbeing
- the potential to cause major impact to the continued operation of an organisation


Cyber security incidents can take many forms: denial of service, malware, ransomware and phishing attacks.

Is it an incident? If you are experiencing unexpected or unusual computer network issues, we recommend that you contact your system administrator or service provider to identify the root cause of the issue. If a cyber security incident is confirmed, please consult the NCSC guidance for detailed advice.

Personal attack. There are a number of crimes which we do not define as cyber security incidents. Cyber bullying, and threats via email, text or instant message, are all examples. If you are in the UK, you should report these to the police. You can contact them by telephone on 101, or see the police.uk website for further information.

Fraud. Action Fraud is the UK’s national fraud and cyber crime reporting centre. If you believe you have been the victim of online fraud, scams or extortion, you should report this through the Action Fraud website.

Contacting the NCSC Incident Management team. If you feel you are the victim of a significant cyber security incident, you can report this to the NCSC (https://www.ncsc.gov.uk/articles/get-helpsignificant-cyber-incident-guidance).

Get Safe Online (www.getsafeonline.org) The website is the UK’s leading source of unbiased, factual and easy-to-understand information on online safety. It is a unique resource providing practical advice on how to protect yourself, your computers and mobile devices and your business against fraud, identity theft, viruses and many other problems encountered online. It contains guidance on many other related subjects too – including performing backups and how to avoid theft or loss of your computer, smartphone or tablet. Every conceivable topic is included on the site – including safe online shopping, gaming and dating … so now you really can stay safe with everything you do online. The site also keeps you up to date with news, tips and stories from around the world.


10 Steps To Cyber Security at-a-glance: An effective approach to cyber security starts with establishing an effective organisational risk management regime (shown at the centre of the following diagram). This regime and the 9 steps that surround it are described below.

Get Safe Online is not only a website, however, as we also organise national events - such as Get Safe Online week - and work closely with law enforcement agencies and other bodies in support of their outreach activity, internal awareness and customer online safety. Get Safe Online is a public / private sector partnership supported by HM Government and leading organisations in banking, retail, internet security and other sectors.

Get Safe Online Code of Conduct:

And simple steps…

01 Make sure your computer has up-to-date internet security software, switched on.
02 Don’t reveal personal information on social networking sites.
03 Regularly back up the data on your computer and smartphone/tablet.
04 Never reveal your password or PIN when asked to do so by email or on the phone.
05 Make sure your wireless network is secure at all times.
06 Be careful who you are selling to and buying from on auction sites.
07 Choose strong passwords, change them regularly and don’t tell anybody what they are.
08 When shopping, paying or banking online, always make sure the website is secure.
09 Always download the latest software and operating system updates when prompted.
10 Remember your smartphone is also a target for viruses and spyware.



Cybersecurity Trends - Bibliography

Emilio C. Viano (Ed.), Cybercrime, Organized Crime, and Societal Responses. International Approaches, Springer, Cham 2017, 380 pp.

This volume represents an impressive interdisciplinary success through the breadth of themes presented and the quality of the texts. In fact, it is an investigation of the disorders and vulnerabilities of our society, and of each of us as individuals, when facing the Internet, which actually provides the doors that allow criminals to perform their deeds. After introducing a comprehensive description of everything that should normally be defined as “cybercrime”, the authors examine the legal texts and acts in force in various countries, and highlight the new types of crimes that are not yet covered by the legal framework. The book also raises the question of the compatibility of certain legal actions with the constitutions of different countries, which could help their citizens, but also what would happen if, besides the criminals, private consumers were legally punished (when using non-licensed products available on the Internet), and what to expect in the future from legislators. Then, there are very interesting examples of how criminals use human vulnerabilities for specific purposes. The chapter begins with a study devoted to the degree of submission of young women to grooming phenomena, an acceptance of domination that is carefully studied and used by terrorist groups in order to select future recruits. It also details how the manipulators start from sarcasm, quickly move to mockery and then to insults in order to attract the victim to a group that promotes hatred and religious or ideological violence. Infidelity, too, an immorality that can be found throughout human history, gives criminals ideal targets for blackmail of any kind when breaking into the databases of “spicy” dating sites for married persons. Then, the volume focuses on identity theft issues, used in very different legal situations, criminal intrusions in public or private surveillance systems, and their access to the mobile devices of citizens (smartphones, tablets). As examples, two well-known Italian criminal groups (Mafia and ‘Ndrangheta) are presented. One can see how all this data is used in various ways to obtain, through blackmail, any concession from the chosen victims. Criminals and social networks, individuals who become consumers of illegal products (pharmaceuticals or drugs) through seemingly banal chatting, and the enormous Internet facilities for drug and human traffickers are other chapters that clearly show how every criminal activity that has existed for centuries now has an extremely sophisticated element to it. The volume ends with case studies, focused on countries and ecosystems, before asking all the moral questions that each of us needs to have an answer to: do we want mass surveillance by the state in order to prevent complete infiltration of the Internet by the criminals, or do we consider that society, economy and culture will be enough to prevent us from being really easy targets in the future?

Babak Akhgar, Ben Brewster (Eds.), Combating Cybercrime and Cyberterrorism. Challenges, Trends and Priorities, Springer, Cham 2016


This volume is different from other similar readings by its structure, being especially useful to readers in the European space because it is exclusively written by actors from this space. The volume is not just about solutions, but also covers lessons learned from the analysis of cybercrime and the fight against it so far. Structurally, the first part of the paper focuses on an analysis of “Approaching Cybercrime and Cyberterrorism Research”, and focuses not only on the inventory of the analytical methods used by the organizations involved in the understanding of and fight against cybercrime, but also on their critical analysis, in the context of the exponential explosion of the number of objects connected to the Internet. The second part, dedicated to the legal context, ethics and privacy protection, does not introduce great news, in comparison with the third part, which focuses on a profound analysis of the two reasons that lead to the misunderstanding or partial understanding of the real situation:
- The lack of benchmarks and references regarding the real costs of crime, due to the reluctance of sectors to make public real-time data (e.g. the financial and banking sector);
- Critical difficulties in sharing relevant information and building activities between different states.
While analyzing two opposite examples, the UK and Poland, the first state being more open to information sharing and the second one constantly evaluating the opportunity of sharing versus the risk of affecting state sovereignty, this volume highlights the extent to which different levels of security culture prevent, in the absence of real leadership, the rapid and effective exchange of useful information. Unfortunately, the last part is a “patchwork” of very few articles that are relevant through their practical content, on the topics highlighted by its title, “Policy Development and Roadmaps for Cybercrime and Cyberterrorism Research”. Written in a European style, it is about the themes (almost all) discussed and unresolved so far since the signing of the Budapest Convention. Again, issues about Public-Private Partnerships, about roadmaps, and ways of working coherently together are examined. Very nice on paper, but until we actually see how each country concretely applies the NIS Directive in real life, through the experts involved who are actually facing these problems, and not just the independent researchers and the academic environment, these all remain concepts.


Stefan Beissel, Cybersecurity Investments. Decision Support Under Economic Aspects, Springer, Cham 2016

This guidebook should be mandatory reading for managers of large companies that still do not consistently invest in security. It is a simple paper to read, structured as a study lecture, explaining, chapter by chapter, the development of cybersecurity since the appearance of the concept, the permanent evolution of threats, and the economic advantages of considering security as an investment and not a risk. It is, above all, a review of all the components of security, the human and technological factors. The author particularly underlines that we are living in a world increasingly affected by the globalization phenomenon, and that competitive differences have become evident between the private companies that have understood and integrated business security and the ones that regard security just as a minor need and do not allocate adequate resources and appropriate managerial responsiveness. If we don’t mind the (a bit too) academic style, we can read a real plea for decision makers to ensure the security of their business, and the competitive advantages that can arise if it is correctly understood and applied.

Jeremy Wittkop, Building a Comprehensive IT Security Program. Practical Guidelines and Best Practices, Apress & Springer, New York 2016

As opposed to the preceding volume, Wittkop addresses, with many anecdotes and a very attractive style, not a steering committee but directly each manager. What is a security program and what needs to be done to make it work? This volume allows any businessman to read and understand what the stake is, especially the fact that the single technological-factor approach is a failure, as the most vulnerable link, the human factor (from the CEO to the administrative staff of the company), is not involved in educational security activities. Providing collateral examples like Hurricane Katrina, to explain the impact of unforeseen risk in the evolution of a disaster, or “if Al Capone had a laptop”, the author brings together readable elements in order to capture the reader’s attention and, in a way, softens certain parts that may seem too complicated or without obvious solutions.

Neil C. Rowe, Julian Rrushi, Introduction to Cyberdeception, Springer, Cham 2016

This volume is truly unique because it succeeds, in a very clear manner, in making a 360° analysis of the concept known as “deception” (misleading / distraction / trickery, etc.), from the psychological concept to its uses for civil or military purposes, defensive or offensive, and the concrete ways of deceiving: the creation and use of forgery, defensive camouflage or false apology, and of course the use of these kinds of techniques for protection against social engineering, which has become a large-scale phenomenon. With the right ethics, to which a whole chapter is allocated, new technological tools for defense can be built, much cheaper than the classical technologies having the same purpose. There are concrete elements that highlight how far back in history the origins of disillusionment, intoxication, propaganda and counter-propaganda go; in general, the successful use of falsehood against criminality. The authors propose a series of techniques for measuring the success of concrete actions in order to introduce them into the strategic security policies of different types of organizations, such as, why not, adding a Chief Deception Officer to their future organizational chart, or better integrating this function into the description of the CSO, CIO and CISO positions.

Markus Jakobsson (Ed.), Understanding Social Engineering Based Scams, Springer, New York 2016

135 pages of examples to better understand the increasingly advanced mechanisms that have generated the evolution from massive spam campaigns to those very well targeted at certain victim categories, through complex social engineering techniques. The preamble of this volume is already a big surprise, showing how massive campaigns (with over 1 million recipients) have, in the last few years, yielded only, proportionally speaking, very few victims (8) and poor turnover for the criminals (approx. $16,000 per campaign). Hence the shift to attacks based on a good understanding of a business ecosystem: with only one thousand recipients, these types of attacks achieve their targets with a high degree of efficiency (over 70% being the average acceptance rate of the messages that have passed the technology filters) and bring the attacker a ROI of more than $160,000. The author demonstrates how cybercrime groups develop attacks that are complex and adapted to the level of sophistication and value of the target, as well as to the criminal profit that is about to be generated. In this book, besides implementing efficient technologies, it is recommended to adopt rapid and pragmatic measures to increase awareness and understanding among employees, on whom the overall security level of any organization can dramatically depend. Their level of training is considered the final filter against complex criminal schemes based on falsifying the elements of originality of an electronic message used as an attack vector.

Luis Ayala, Cybersecurity Lexicon, Apress & Springer, New York 2016

Byzantine fault, Easter eggs, Cain & Abel, Jump kit, Piggybacking attack or Vampire tap: maybe you did not know about these expressions, some weird, some funny. Not only do they exist, but they also have a precise meaning in the specialists’ language, and when looked at in depth, they are not funny. This extremely useful 200-page dictionary shows how much the cybersecurity profession has evolved. The added value of this lexicon is that it includes associations between critical infrastructure concepts and new phrases used in the cyber field that have entered daily vocabulary.

Steve Grobman, Allison Cerra, The Second Economy. The Race for Trust, Treasure and Time in the Cybersecurity War, Apress & Springer, New York 2016

“According to the Center for Strategic and International Studies, a Washington think tank, the estimated global costs of cybercrime and economic espionage are nearly $450 billion, placing cybercrime in similar company with drug trafficking in terms of economic harm. Put another way, if cybercrime were a country, its GDP (gross domestic product) would rank in the top 30 nations, exceeding the economies of Singapore, Hong Kong, and Austria, to name just a few”. This finding, which seems shocking, has the aim of warning about the magnitude of the cybercrime phenomenon at the global level, the authors reviewing the evolution of criminal and spying activities from the past to the present. The volume is intended for a wide audience, but especially managers, to make them understand the complexity of the ecosystem. The authors manage this by providing them with the tools to address the three relevant elements: trust, finance and time. The easier and faster an IT attack is, the more difficult it is to counteract. The context in which such events are prepared for, both technologically and educationally, allows for a series of concrete actions and measures designed to prevent and detect such attacks early. The realistic and calculated cynicism of the authors is a refreshingly honest approach to these issues. We highlight some relevant phrases that demonstrate that pragmatism and proactive protection measures should be adopted by a company not only when required by law, and that ethics does not save anyone from being a potential victim. The first axiom sums up a quote from Indian lawyer B. R. Ambedkar: “History shows that where ethics and economics come into conflict, victory is always with economics”. Ironically, the authors point out that when the private sector “turns a blind eye” on certain ethical issues, this is always the recipe for worldwide success, so wanting to be “ethical” when it comes to defense against criminal attack is more propaganda than reality. Another element emerging from the study of real cases indicates that, apart from the very thoroughly investigated cases, claiming that a state is behind a cyber-attack against a private entity is absurd. The morphology of attacks and the modus operandi highlighted over recent years show that attributing an attack is an extremely difficult action, often impossible to achieve with existing resources, even when a clear connection can be made to a criminal group known to have ties with a particular state but which acts primarily to sustain its own financial interests. Also included in the volume is a reflection of British poet and philosopher Gilbert K. Chesterton, addressed to political and managerial elites: “It is not that they can’t see the solution. It is that they can’t see the problem”… And shocking arguments that come to remind us of a reality derailed by a frenzy of innovation that is no longer understood by managers.
The complexity of today’s world is well reflected in the parallel between the first mission to the moon and today’s smartphone: the NASA mission that took Neil Armstrong and his crew to the moon was supported by a software program of 145,000 lines of code. Today, a bare mobile operating system such as Android (without apps, etc.) comprises 12 million lines of code...

Casey Inez Canfield, Baruch Fischhoff, Alex Davis, Quantifying Phishing Susceptibility for Detection and Behavior Decisions, in Human Factors: The Journal of the Human Factors and Ergonomics Society 58: 8 (December 2016), pp. 1158-1172

This article reports on broad research conducted in 2015 on 162 volunteers, chosen according to their profile so as to constitute a representative sample of an average-sized company. The study was funded and approved by the Institutional Review Board at Carnegie Mellon University, and its methods followed the American Psychological Association Code of Ethics step by step. The results are more than worrisome. In order to identify those susceptible to a phishing campaign, before receiving the specific emails to analyse, each participant also received warning messages such as “Be aware, more than half of the emails are phishing emails”. Moreover, no sophisticated emails were sent: the emails contained all the elements that can indicate a phishing message: (1) an impersonal salutation, (2) a false URL or false IP address with a name deliberately crafted to attract attention, (3) unusual content with respect to both the “false” sender and the recipient, (4) urgent action requests and (5) grammatical and spelling errors (typos). In detail, the perception of the phishing phenomenon is pretty good: the representative sample knew what a phishing email is and what the options for analysing, deleting and reporting it are. This is proved by the evaluation of the first experiment, where participants had to answer the following questions: (1) “Is this a phishing email?” (Yes / No) (detection); (2) “What would you do if you received this email?”, with multiple options (behaviour). But the analysis of the results of the simulated phishing campaign was devastating, with a high rate of human error, as the figure below shows.

[Figure: © Canfield, Fischhoff, Davis, Fig. 3]

The findings shown in the graph are devastating, and if the same test were conducted in a European corporate context, where awareness of cyber security risks is lower than in the US, the results would be even worse. The goal of this type of study is to generate reactions at European level to limit the damage caused by phishing campaigns, which are used as distribution vectors for a wide range of cyber threats... apparently, with first place for 2016 taken by ransomware!
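The five indicators the study built its test emails from are also the ones a mail filter can check mechanically, so the following scorer is an added example that flags each of them on a raw message. It is not code from the paper or from the magazine: the salutation and urgency word lists, the misspelling list, the brand-to-domain table, the two sample messages and the “three of five” threshold are all constructed assumptions chosen for illustration; indicator (3) is operationalised as a mismatch between the brand named in the From display name and the real sending domain.

```python
"""Heuristic scorer for the five phishing indicators listed in the review above.
Added example, not code from the paper: the word lists, the brand table,
the 3-of-5 threshold and both sample messages are constructed assumptions."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# (1) salutation aimed at nobody in particular
GENERIC_SALUTATION = re.compile(
    r"^(dear|hello|hi)\s+(valued\s+)?(customer|user|member|client|account\s+holder)\b", re.I)
# (2) raw IP as link host, or display text naming a different domain than the href
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}", re.I)
# (3) brand claimed in the From display name -> domain it really sends from (constructed)
BRAND_DOMAINS = {"examplebank": "examplebank.com"}
# (4) urgency phrases and (5) misspellings typical of phishing mail (constructed lists)
URGENCY_TERMS = ("immediately", "urgent", "within 24 hours", "will be suspended", "verify now")
COMMON_MISSPELLINGS = {"recieve", "adress", "informations", "acount", "verifiy", "securty"}


class _LinksAndText(HTMLParser):
    """Collects (href, visible anchor text) pairs and the visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href") or "", []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)


def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def _same_site(a, b):
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def _deceptive(href, shown):
    """True if the link targets a raw IP or the domain shown to the user differs from the target."""
    host = _host(href)
    m = DOMAIN_IN_TEXT.search(shown)
    return bool(IP_HOST.match(host)) or (bool(m) and not _same_site(_host(m.group(0)), host))


def score_email(raw):
    """Flag each of the five indicators for one single-part HTML message; 3 or more = phishing."""
    msg = email.message_from_string(raw)
    parser = _LinksAndText()
    parser.feed(msg.get_payload())          # assumes a single-part, unencoded HTML body
    text = "".join(parser.text)
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    first = lines[0] if lines else ""
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    scan = ((msg.get("Subject") or "") + " " + text).lower()
    flags = {
        "impersonal_salutation": not re.match(r"^(dear|hello|hi)\b", first, re.I)
                                 or bool(GENERIC_SALUTATION.match(first)),
        "deceptive_link": any(_deceptive(h, t) for h, t in parser.links),
        "sender_mismatch": any(brand in name.lower() and not _same_site(from_domain, dom)
                               for brand, dom in BRAND_DOMAINS.items()),
        "urgency": any(term in scan for term in URGENCY_TERMS),
        "misspellings": any(w in COMMON_MISSPELLINGS for w in re.findall(r"[a-z]+", scan)),
    }
    flags["score"] = sum(flags.values())
    flags["verdict"] = "phishing" if flags["score"] >= 3 else "likely legitimate"
    return flags


# Constructed sample messages (not from the study); 198.51.100.0/24 is a documentation range.
PHISH_SAMPLE = """\
From: ExampleBank Security <alerts@examplebank-secure-login.net>
Subject: Urgent: verifiy your acount
Content-Type: text/html; charset=utf-8

<p>Dear Valued Customer,</p>
<p>Unusual activity was detected. Verify now or your acount will be suspended within 24 hours.</p>
<p>Sign in at <a href="http://198.51.100.23/login">https://www.examplebank.com/login</a> to recieve your new adress book.</p>
"""
LEGIT_SAMPLE = """\
From: ExampleBank Statements <statements@examplebank.com>
Subject: Your March statement is available
Content-Type: text/html; charset=utf-8

<p>Hello Jane,</p>
<p>Your monthly statement is ready. You can review it at your convenience.</p>
<p>Sign in at <a href="https://www.examplebank.com/statements">www.examplebank.com/statements</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, score_email(raw))
```

Run stand-alone, the constructed phishing sample trips all five indicators and the statement notice trips none. The point of keeping the indicators separate rather than collapsing them into one score is that the study measured detection and behaviour as two different decisions: a filter that explains which cue fired gives the recipient something to learn from, whereas a bare verdict does not.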

The book reviews are drafted by Laurent Chrzanovski and do not necessarily express the point of view of the magazine.

Wolf J. Schünemann, Max-Otto Baumann (eds.), Privacy, Data Protection and Cybersecurity in Europe, Springer, Cham 2017 (148 pp)

Even if the book’s title is a little too pretentious given its contents, the volume has a few merits, as it brings together research from specialists on different topics – from the “right to be forgotten” to social media, to the different types of surveillance institutions and policies, as well as the upcoming laws to be enforced – in six European countries (Spain, UK, France, Germany, Lithuania, Romania). For UK readers, two chapters are particularly relevant, as they cover two very hot topics and, being written by German researchers, offer a “foreign point of view” on today’s UK reality.

The authors provide very interesting abstracts. Bernhard Gross’ “Harvesting Social Media for Journalistic Purposes in the UK” (pp. 31-42) stresses the fact that “Social media (…) allows citizens in open, democratic societies to participate more actively in these processes. At the same time, established mainstream media institutions retain a dominant position in the public sphere. This chapter explores the relationship between editorial policies, guidelines and regulations in the UK, with a special focus on the use of social media as sources in domestic local news coverage. These codes govern everyday journalistic practice and hence shape individual journalists’ behavior in relation to sourcing. A tension arises out of the juxtaposition of a journalist’s right to freedom of expression and an individual’s expectation of privacy”. A few pages further, Stefan Steiger’s “The Unshaken Role of GCHQ” (pp. 79-95) points out that after Snowden’s revelations, “(…) The governments of the US and UK faced harsh criticism following the first revelations in June 2013. Disclosed documents and statements from Edward Snowden suggested that the British GCHQ acted even less restrained than its American counterpart. Those developments nevertheless did not lead to more limitations of surveillance capabilities in Britain. Quite the contrary, the Government legalized some of the revealed practices with the Investigatory Powers Act. (…) How was it possible for GCHQ’s surveillance practices to remain stable after the Snowden revelations? In order to answer this question a theoretical analysis of the domestic processes of role contestation and role stabilization is conducted. It is argued that the continuity of surveillance practices is best understood by looking at the historical experiences the Britons have made with their intelligence agencies”.



Cybersecurity Trends

A publication edited by:

Copyright © 2017 Pear Media SRL, Swiss WebAcademy and iCyber-Security. All rights reserved.

Redaction: Laurent Chrzanovski and Romulus Maier (all editions); for the iCyber-Security edition: Norman Frankel

ISSN 2559-6136, ISSN-L 2559-6136

Addresses:
Bd. Dimitrie Cantemir nr. 12-14, sc. D, et. 2, ap. 10, sector 4, 040234 Bucharest, Romania, Tel: 021-3309282 / Fax: 021-3309285
Griffins Court, 24-32 London Road, Newbury, Berkshire, RG14 1JX, UK, +44 800 086 9544

www.icyber-security.com
https://cybersecuritytrends.uk/
www.icyber-academy.com
www.cybersecuritytrends.ro
www.agora.ro
www.swissacademy.eu



In partnership with:

issuu.com/cybersecuritytrends
