Thoughts and Overview of ETSI Cybersecurity Week 2019

Introduction

The ETSI Security Week 2019 took place the week of 17-21 June 2019.

Access the ETSI Security Week presentations: https://docbox.etsi.org/Workshop/2019/201906_ETSISECURITYWEEK

This year, the ETSI Security Week continued debating different aspects of cybersecurity.


  • On day one they first set the scene with talks on the Cyber Security Landscape.
  • Then on Cyber Security Policy Actions on 18 June, related to the upcoming Cybersecurity Act and ePrivacy regulation. 
  • The Artificial Intelligence thread focused on the security angle to AI, completing the ETSI’s April AI Summit, on 19 June.
  • And they discussed how security can keep pace with the rapid change of technology, networks and society on 20-21 June
  • They also hosted a Hackathon event on the new Middlebox Security Protocol standards on 20-21 June 2019. 





Discussion of topics

Day 1


  • On the first day there was a good overview of the threat of state-sponsored cyber espionage, with less than subtle nods to Russia and China.
  • Also, the state of Quantum Computing was shown and how it will affect cybersecurity, with the key message being that as long as we continue to prepare for it, the security doomsday scenarios of quantum computing shouldn't come to pass.
  • The growing skills shortage within cybersecurity was highlighted; it may make meeting and countering new and evolving threats difficult, though most companies and government organisations acknowledge the problem and are taking steps to address it. See or search for NCSC youth programs.
  • A good overview was given on the importance of threat intelligence. It was also discussed how threat intelligence can be used by attackers to improve or modify their attacks. This stressed the importance of minimising the attack surface of assets. A case was also made that honeypots should be included in future security standards documents.
  • The talks raised the importance of products in supply chains and their potential impact on cybersecurity, with key emphasis that there needs to be greater awareness of the provenance of the products and services that businesses/organisations use.


Day 2


  • Overall, from the topic of the day, the impression was that while it has some sort of cost to businesses (major or minor depending on preparedness), the Cybersecurity and ePrivacy Act should improve the landscape regarding security in general.
  • The presentation from Nokia Bell Labs, about the cyber borders of a country, raised an important issue surrounding the rise of the splinternet/cyberbalkanization which could fragment the cybersecurity landscape presenting possible unknown risks to businesses and consumers.
  • IoT security is still a challenge, but it shouldn't be because, in theory, we as a whole do have the skills to tackle these problems, though it does require greater convergence between standards bodies, regulators and industry. Ideally, we need to be ahead of this problem before 5G leads to an explosion in the number of IoT devices.

ePrivacy Act

  • The idea is that the user should have control over the flow of their data, though achieving this relies on consent either being given or presumed. Also, users should have the ability to revoke or review their options. For this to happen will require a change in design philosophy from companies. It will build upon aspects of GDPR and, for enforcement of it, most EU countries will rely on previously set-up Information commissions. The ePrivacy Act will be applied to software, services and devices.
  • It builds upon previous EU regulations on privacy and data protection and expands to cover metadata of services and software and how the user interacts with them, along with content and communication.
  • Companies will have to consider privacy by design/default for their products or services.
  • But the risk with the new act is that how it is implemented may weaken cybersecurity measures. So a balance has to be found between privacy and security.


Day 3


  • When it comes to the impact of AI in a European context, ETSI has the potential to play a supporting role in producing guidelines or Technical Reports on ethical methods or means when developing AI systems or tools. 
  • For AI to succeed as a tool for cybersecurity it needs a clearly stated goal. This will require long-term investment to minimise false-positive events. Humans will never be out of the loop due to the need to double check results or to identify or provide context to flagged problems.
  • Overall, the message from the day's talks was: fewer technicians and more humanists.

Day 4

IoT

  • Standards for security at an EU level are progressing slowly. Individual national schemes, for example NCSC certification of IoT devices, will be getting there first.
  • There may come a time when there is greater enforcement against companies selling IoT devices that are unsafe security-wise, with companies only being allowed to sell IoT devices if they can prove they are "secure", whatever that eventually entails.

Quantum-Computing

  • Slow but steady progress is being made on quantum-proof cryptography, to ensure that current and future services, software and devices are protected.
  • ETSI QSC group will begin to publish Technical Reports in the near future that will or should lead to standards regarding quantum-safe-cryptography. 


Day 5

Eco-System

  • A presentation from Airbus is worth checking out; it gives an interesting overview of the cybersecurity threats to aircraft. It emphasises the importance of taking measures to ensure supply chain integrity and protection.
  • They also presented their plans to protect/mitigate aircraft from cyber attacks. 

Behavioural Aspects of Cybersecurity

  • It is important to note that human nature cannot be standardised, though this doesn't mean it can be ignored. Bodies like ETSI can produce guides and reports of best practice and methods that could be used to improve behaviour in cybersecurity.
  • Changing behaviour requires taking into account the capability, opportunity and motivation of users.



Conclusion

It was a useful and worthwhile event. Next year should build upon this year. It will be a good use of free time to check the presentations in the link at the beginning of this blog.


Note

Huawei was on their best behaviour and in full charm mode. Aiming to convince they are no threat. Remains to be seen.
