Thoughts and Overview of ETSI Cybersecurity Week 2019

Introduction

The ETSI Security Week 2019 took place the week of 17-21 June 2019.

Access the ETSI Security Week Presentations = https://docbox.etsi.org/Workshop/2019/201906_ETSISECURITYWEEK

This year, the ETSI Security Week continued debating different aspects of cybersecurity.


  • On day one they first set the scene with talks on the Cyber Security Landscape.
  • Then on Cyber Security Policy Actions on 18 June, related to the upcoming Cybersecurity Act and ePrivacy regulation. 
  • The Artificial Intelligence thread focused on the security angle to AI, completing the ETSI’s April AI Summit, on 19 June.
  • And they discussed how security can keep pace with the rapid change of technology, networks and society on 20-21 June
  • They also hosted a Hackathon event on the new Middlebox Security Protocol standards on 20-21 June 2019. 





Discussion of topics

Day 1


  • One the first day there was a good overview of the threat of state-sponsored cyber espionage with less than subtle nods to Russia and China. 
  • Also, the state of Quantum Computing was shown and how it will affect cybersecurity, with the key message being that as long as we continue to prepare for it the security doomsdays scenarios of quantum computing shouldn't come to pass. 
  • A problem was highlighted of the growing skills shortage within cybersecurity which may make meeting and countering new and evolving threats a problem though most companies and government organisation acknowledge this problem and are taking steps to address it. See or search for NCSC youth programs. 
  • A good overview was given on the importance of threat intelligence. It was also talked about how threat intelligence can also be used by attackers to improve or modify their attacks. This stressed the importance of minimising the attack surface of assets. Along, with a case for honeypots should be included in future security standards documents.
  • The talks raised the importance of products in supply chains and their potential impact on cybersecurity, with key emphasis that there needs to be greater awareness of the provenance of products and services business/organisations use. 


Day 2


  • Overall, from the topic of the day, the impression was while it has some sort of cost of businesses (major or minor depending on preparedness) the Cybersecurity and ePrivacy Act should improve the landscape regarding security in general.
  • The presentation from Nokia Bell Labs, about the cyber borders of a country, raised an important issue surrounding the rise of the splinternet/cyberbalkanization which could fragment the cybersecurity landscape presenting possible unknown risks to businesses and consumers.
  • IoT security is still a challenge but it shouldn't be because, in theory, we as a whole do have the skills to tackle these problems. Though it does require greater convergence between standard bodies, regulators and industry. Ideally, we to be ahead of this problem before 5G leads to an explosion in the number of IoT devices. 
ePrivacy Act

  • The idea is that the user should have control over the flow of their data. Though for this to be achieved relies on consent either being given or presume. Also, users should have the ability to revoke or review their options. For this happen will require a change in design in philosophy from companies. It will build upon aspects of GDPR and for enforcement of it, most EU countries will rely on previously set-up Information commissions. The ePrivacy Act will be applied to software, services and devices. 
  • This building upon previous EU regulations on privacy and data protection expands to cover metadata of services and software and how the user interacts with them, along with content and communication.
  • Companies will have to consider privacy by design/default for their products or services.
  • But the risk with the new act is that how it is implemented may weaken cybersecurity measures. So a balance has to be found between privacy and security.


Day 3


  • When it comes to the impact of AI in a European context, ETSI has the potential to play a supporting role in producing guidelines or Technical Reports on ethical methods or means when developing AI systems or tools. 
  • For AI to succeed as a tool for cybersecurity it needs a clearly stated goal. This will require long-term investment to minimise false-positive events. Humans will never be out of the loop due to the need to double check results or to identify or provide context to flagged problems.
  • Overall, the message from the days' talks were fewer technicians and more humanists. 

Day 4

IoT

  • The progress on Standards for security as an EU level is slowly progressing. Individual national schemes, for example, NCSC certification of IoT devices will be getting there first.
  • There may come a time where greater enforcement against companies selling unsafe security wise IoT devices may come about. With companies only being allowed to sell IoT devices if they can prove they are "secure", whatever that eventually entails.
Quantum-Computing
  • Slow but steady progress on quantum-proof cryptography is coming along, to ensure that current and future services, software and devices are protected.
  • ETSI QSC group will begin to publish Technical Reports in the near future that will or should lead to standards regarding quantum-safe-cryptography. 


Day 5

Eco-System

  • A presentation from Airbus is worth checking out, it gives an interesting overview of the Cybersecurity threats to aircraft. It emphasises the importance of taking measures to ensure supply chain integrity and protection.
  • They also presented their plans to protect/mitigate aircraft from cyber attacks. 

Behavioural Aspects of Cybersecurity

  • Important to note human nature cannot be standardised. Though this doesn't mean it cannot be ignored. The role of bodies like ETSI can produce guides and reports of best practise and methods that could be used to improve behaviour in cybersecurity.
  • To change behaviour requires to take into account the capability, opportunity and motivation of users. 



Conclusion

It was a useful and worthwhile event. Next year should build upon this year. It will be a good use of free time to check the presentations in the link at the beginning of this blog.


Note

Huawei was on their best behaviour and in full charm mode. Aiming to convince they are no threat. Remains to be seen.

Comments

Post a Comment

Popular posts

Balancing functionality, usability and security in design

Image
Introduction When designing new devices or applications there is a requirement nowadays to consider there functionality, usability and security. While there has been a push through secure-by-design guidelines for security to be built-in from the beginning there are still gaps in implementation and part of these gaps are design considerations of functionality and usability. Part of this that doing security well is hard work, but it should never block useful functionality for the user. Ideally, when security interferes with key software capabilities, the security must be tweaked. The answer should never be to abandon the functionality and certainly not to abandon the security. Though achieving this balance is admittedly not straightforward. This blog post will aim to look at this triad and how they can be balanced and not compromise each other. Defining the Triad in design A triangle can be used to help explain the relationship between the concepts of security, functionality and ea
Read more

Personal Interest - Unbuilt fleets of the Royal Navy

Image
Introduction Throughout the 20th Century the Royal Navy designed and examined different types of fleets that were never realised either due to budget constraints, arms treaties or the changing nature of war. These are only a few examples of the different types of unbuilt fleets. Some of these had prototypes built and tasted for the Royal Navy which would serve as technological testbeds. Images and info from secret projects forum, shipbucket, popular mechanics/science and naval-matters. Washington Naval Treaty (WNT) The  Washington Naval Treaty  was a treaty signed during 1922 among the major nations that had won  World War I , which agreed to prevent an  arms race  by limiting naval construction. It was negotiated at the  Washington Naval Conference , held in  Washington, D.C. , from November 1921 to February 1922, and it was signed by the governments of the United Kingdom, the United States, France, Italy, and Japan. It limited the construction of  battleships ,  battlecruisers
Read more

Personal Interest - RAF Unbuilt Projects

Image
  Introduction This blog post looks at the different groups of cancelled RAF projects. It will focus on the 50s, 60s, 90s/00s and a brief look at hypersonic research projects. While these projects were often cut or cancelled for budget or austerity reasons, they were also pushed by the changing nature of warfare firstly from conventional style WW2 warfare to the predicated quick, short scale nuclear war which was expected from 1947 to 1989. Later from the 90s and into the 21st Century a change from state on state conflict to facing insurgencies, counter-terrorism and peacekeeping missions again led to a change in how wars are fought. Though the work and research done on these projects would rarely go to waste with it being used and applied in other projects and works even if sometimes it could take another ten or twenty years before anything operational came of that work. There won't be large amounts of text explaining or exploring the designs there are far better sources for th
Read more