Thursday, November 06, 2014
Today’s Times (4/11/2014) front-page story contains an error: “Virtual ID for everyone” should read “Virtual IDs for everyone”. It is a vital part of the scheme that we may all have plural identities.
For the last two years, we, as members of the Privacy and Consumer Advisory Group, have been working with the dedicated Cabinet Office team to define nine Identity Assurance Principles that, if implemented across government, would protect against the Verify scheme becoming a shadow identity card system.
Control by the citizen is at the heart of these principles. You choose (and can discard) your own virtual identities. They are not imposed on you by the state. You can read more on the principles at https://www.gov.uk/government/consultations/draft-identity-assurance-principles/privacy-and-consumer-advisory-group-draft-identity-assurance-principles
Obviously a citizen using a public service (online or otherwise) needs to be identifiable to that service to some degree. But this does not mean a service provider should have access to any unnecessary information about the citizen. That is what the Verify scheme was conceived, laudably, to achieve.
Our Identity Assurance Principles are intended to ensure it does achieve that in practice. We have recommended that all existing powers of data access or disclosure should be re-approved by Parliament as these powers have themselves been transformed by modern technology. We also call for effective forms of redress, and for an effective regulatory and judicial oversight over the use of such powers.
Public support for virtual identity will depend on trust and understanding. Our Nine Principles are designed to build that, but will only do so if members of the public know what they are, and that the authorities will obey them. That is why we have asked that, after the testing phase, the principles are written into law to ensure their general application.
Guy Herbert, General Secretary, NO2ID
Louise Bennett, BCS Policy Board Member
Dave Birch, Consult Hyperion
Ian Brown, Professor of Information Security and Privacy, Oxford Internet Institute
Emma Carr, Director, Big Brother Watch
Dr Gus Hosein, Director, Privacy International
Dr Chris Pounder, Amberhawk
Dr Edgar Whitley, London School of Economics
Monday, September 01, 2014
I heard more about NATO's plans over the summer, when they were kind enough to invite me on a tour of their headquarters (outside Brussels), cyber-defence facilities (in Mons), and the Cooperative Cyber Defence Centre of Excellence in Tallinn (although unfortunately I couldn't make it to the latter). These plans will be finalised at the Wales Summit of NATO leaders this Thursday/Friday in Newport and Cardiff (whose poor residents have to put up with a 10-mile security fence).
Background and current strategy
NATO's mandate is cyber defence - it will not be carrying out "active defence" (e.g. striking back against hostile systems), nor coordinating member states' cybersecurity (which apparently remains a very sensitive national prerogative).
The first, basic, NATO cyber strategy came in 2008, following attacks on Estonian and Georgian systems by "patriotic hackers" that were strongly suspected to be coordinated by the Russian government. A more developed strategy was agreed in 2011, with an action plan mainly focused on securing NATO's own networks and systems, which link the member states' deployed facilities.
These systems have recently been upgraded in a 58m€ project to provide centralised protection to classified NATO networks across 51 sites, with three to complete. This gives commanders situational awareness and analytical tools, and constantly updates network sensors.
NATO has established a Cyber Defence Management Board to coordinate policy and military activity. It has defined minimum requirements for cyber protection for national networks that NATO depends on, and national cyber capability targets (e.g. national strategy, CERT, supply chain regulations) for 2019. This has been a major driver of investment and uniformity. The Cyber Defence Committee has the lead political role in policy governance, acting as a link between the North Atlantic Council and all other NATO committees.
NATO has a good EU partnership at staff level, and holds reciprocal briefings with the Organisation for Security and Cooperation in Europe, and Council of Europe. There is an "intense tempo" of cooperation with five Western European non-NATO partners (Sweden, Ireland, Austria, Switzerland and Finland), as well as Australia and New Zealand. Following vetting for information sharing mirrored by the intelligence domain, this allows these countries to participate in cyber coalition exercises. NATO can blend cyber intelligence with classical intelligence to do much better attribution of attacks.
The new strategy
NATO's 2014 enhanced policy brings new elements:
- A link between cyber and collective defence. Art. V applies on a political case-by-case basis; there are no general criteria for its application.
- A focused exploration of the threat landscape.
- A framework for assistance to allies in cyber crises and in peacetime — the key element is information sharing, alongside rapid reaction teams, NATO as a clearing house for bilateral assistance and the civil emergency planning process, then more generally situational awareness, early warning, exchange of expertise, interoperability, and impact analysis (made possible by increased national investment reducing concerns over free riding).
- An explicit statement that international law is applicable in the cyber domain.
- An increased emphasis on training, education and exercises, with “coherent” use of NATO schools.
- NATO-industry Cyber Partnerships — to be implemented post-Wales, but there are already links with industry, mainly on procurement. NATO wants a different level of information sharing, with a structured platform (building on national sharing) and bigger regular meetings. This will be voluntary, but as inclusive as possible.
The Alliance already has three “smart defence” collaborative development projects between members:
- Canada, Netherlands, Germany, Romania and Finland are developing smart sensors, analytical tools, and an information sharing platform.
- A Malware Information Sharing Platform, developed at Mons, and offered to all member states. 50% of members are already participating, and this will become NATO-wide.
- Portugal has launched a training and education initiative, and wants to use the NATO school to become a major hub. This will be an element in a federated network, and make training more uniform, cheaper and more effective.
Analysis
These all seem sensible measures. I was surprised at how determined many of the NATO members seem to be to preserve their own sovereignty even within the Alliance (although they do need to protect themselves against Russian spies). It is astonishing that (according to the New York Times) the US, UK and Germany will not share information about their offensive cyber capabilities even with their closest allies — leaving NATO officials to scour media reports of Edward Snowden's revelations. (I hope that my expert witness statements in Big Brother Watch v UK and Privacy International v GCHQ were helpful :)
NATO suffered a substantial Distributed Denial of Service attack for the first time on 15-16 March 2014, the night before the Crimean "referendum" on joining Russia, bringing down the NATO website for 12 hours. Successful attacks on public-facing websites have no impact on NATO readiness, but are embarrassing. The Alliance was previously focused on espionage attempts against their systems.
The enhanced strategy clearly needs to be implemented quickly, before Putin's unconventional warfare tactics and Little Green Men start making higher profile "virtual" appearances in Ukrainian and NATO member systems.
Sunday, June 08, 2014
Very inspiring today to see over 500 people turn up for the Don't Spy On Us coalition's day of action, on the first anniversary of Edward Snowden's leaks. There were some great speeches - amongst others from Bruce Schneier, Jimmy Wales, Duncan Campbell and Shami Chakrabarti.
Tuesday, March 04, 2014
"Although we might be safer if the government had ready access to a massive storehouse of information about every detail of our lives, the impact of such a program on the quality of life and on individual freedom would simply be too great. And this is especially true in light of the alternative measures available to the government... We recommend that the US Government should examine the feasibility of creating software that would allow the National Security Agency and other intelligence agencies more easily to conduct targeted information acquisition rather than bulk-data collection."
Meanwhile yesterday, shadow Home Secretary Yvette Cooper gave a shorter speech to Demos. She acknowledged the deficiencies of the existing legal regime, and that the Intelligence and Security Committee should be chaired by an opposition MP to give it more credible independence from the government, and given permanent technological expertise. She also said that the Communications Data Bill previously proposed by the government was "far too widely drawn, giving the Home Secretary unprecedented future powers, and with too few checks and balances, and has rightly been stopped." There seems to be a developing consensus between the two parties. Yvette Cooper has called for much more public debate about Internet surveillance, echoing Nick Clegg's concern about a loss of public confidence in the intelligence agencies. Both want stronger oversight by converting the existing interception and intelligence commissioners - retired judges - whose work is largely unknown by the public, into a higher-profile Inspector General. And both recognise that the Regulation of Investigatory Powers Act now needs changing, in areas such as stronger safeguards for "metadata", and looking again at the broad powers given for GCHQ surveillance of "external" communications that start and/or end outside the British Isles (i.e. most Internet communications).
The deputy PM has asked the MoD's external think-tank, the Royal United Services Institute, to convene an Obama-style review panel to report back on these issues after the next election. By then, as Clegg said, there will be irresistible pressure for Parliament to update the UK legal framework to better reflect the realities of today's Internet - and perhaps a Labour-Lib Dem coalition that would make this happen. Hopefully those Conservative MPs such as David Davis, who have played a strong role in the public debate so far, will also be able to persuade their colleagues in government of the necessity of reform.
Wednesday, January 09, 2013
"The evidence we received leaves us concerned that with the Armed Forces now so dependent on information and communications technology, should such systems suffer a sustained cyber attack, their ability to operate could be fatally compromised... The cyber threat is, like some other emerging threats, one which has the capacity to evolve with almost unimaginable speed and with serious consequences for the nation's security. The Government needs to put in place - as it has not yet done - mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyber presents. It is time the Government approached this subject with vigour."
I think this conclusion may be overstated. In a time of serious budgetary cutbacks, the government has committed serious new money — £650m — to cybersecurity activities (although this may have been concentrated too heavily at GCHQ). A small amount of that is going towards Academic Centres of Excellence in Cybersecurity Research, one of which is at Oxford. The report fails to draw an adequate distinction between risks to defence systems and broader national security. And while information security is not developing nearly quickly enough in critical national infrastructure, we are not yet at the point at which likely adversaries would have the motivation and capability to cause serious damage to property or loss of life via these vulnerabilities.
The conclusions Peter Sommer and I reached last year for the OECD in our report on global systemic cybersecurity risk still hold: this is a long-term planning concern for government, not a short-term panic. I've made these points in interviews this afternoon for the World Service and BBC Scotland.
Thursday, September 20, 2012
“This was, in essence, a one-off offensive Twitter message, intended for family and friends, which made its way into the public domain. It was not intended to reach Mr Daley or Mr Waterfield, it was not part of a campaign, it was not intended to incite others and Mr Thomas removed it reasonably swiftly and has expressed remorse. Against that background, the Chief Crown Prosecutor for Wales, Jim Brisbane, has concluded that on a full analysis of the context and circumstances in which this single message was sent, it was not so grossly offensive that criminal charges need to be brought.”
This was a positive application of the Human Rights Act and European human rights jurisprudence to a tweet that qualified for the Communications Act 2003 offence of a "grossly offensive" communication sent using a public electronic network. This offence clearly needs reviewing, as the DPP suggests:
"Social media is a new and emerging phenomenon raising difficult issues of principle, which have to be confronted not only by prosecutors but also by others including the police, the courts and service providers. The fact that offensive remarks may not warrant a full criminal prosecution does not necessarily mean that no action should be taken. In my view, the time has come for an informed debate about the boundaries of free speech in an age of social media."
Douwe Korff and I suggested a possible approach in a report for the Council of Europe's Commissioner for Human Rights last year.
The message does not seem to have reached the Greater Manchester police, who have this afternoon arrested a man over a Facebook page praising the alleged murderer of two officers. While repellent, is this really their highest priority right now? There are concerns that the police press conference (as well as a statement by the prime minister) may already have prejudiced the forthcoming murder trial.
Tuesday, January 24, 2012
I have greatly enjoyed being an adviser to the project. Here is the two-part interview I recently did with Prof. Ash:
Ten draft principles for global free speech are laid out, together with explanations and case studies – all for debate. Prominent figures from diverse cultures, faiths and political tendencies are interviewed and asked to comment, through video, audio and text. We have Indian novelist Arundhati Roy on the media and national security in India; Iranian cleric Mohsen Kadivar on Islam and the criminalisation of insults to religion; Chinese academic Yan Xuetong on universal values; former head of the Formula One association Max Mosley on privacy with more to come… The entire editorial content is carefully translated into 13 languages, covering more than 80% of the world's internet users, by native-speakers of those languages (mainly graduate students at Oxford University). Anyone can then contribute to the online discussion in these or any other widely used languages, and there is a facility to give a rough translation of every user-generated comment into most languages using machine translation.