Tuesday, January 24, 2012

Can the world agree on free speech principles?

Prof. Timothy Garton Ash and his team at St Antony's College have just launched their fascinating new free speech project, FreeSpeechDebate:

Ten draft principles for global free speech are laid out, together with explanations and case studies – all for debate. Prominent figures from diverse cultures, faiths and political tendencies are interviewed and asked to comment, through video, audio and text. We have Indian novelist Arundhati Roy on the media and national security in India; Iranian cleric Mohsen Kadivar on Islam and the criminalisation of insults to religion; Chinese academic Yan Xuetong on universal values; former head of the Formula One association Max Mosley on privacy with more to come… The entire editorial content is carefully translated into 13 languages, covering more than 80% of the world's internet users, by native-speakers of those languages (mainly graduate students at Oxford University). Anyone can then contribute to the online discussion in these or any other widely used languages, and there is a facility to give a rough translation of every user-generated comment into most languages using machine translation.

I have greatly enjoyed being an adviser to the project. Here is the two-part interview I recently did with Prof. Ash:

Tuesday, November 29, 2011

Giving evidence to Privacy and Injunctions Committee

Yesterday I gave evidence to Parliament's Joint Committee on Privacy and Injunctions. I tried to explain the difficulties in stopping a specific piece of information appearing anywhere on the Internet, particularly in user-generated content and on social media platforms:

Saturday, November 12, 2011

Internet freedom: EU v US

A couple of weeks back, I was honoured to give the second seminar in George Washington Law School's distinguished speaker series on Internet Freedom and Human Rights. I discussed Europe's approach to this topic, on which there has been virtual silence in comparison to the debate stimulated by the US State Department.

GW has now posted a video of my talk. Thanks again to Professors Nunziato and Carillo for organising such an enjoyable visit.

Thursday, May 26, 2011

ENISA reform at the European Parliament

This afternoon I'm giving evidence to the European Parliament's industry committee at an expert hearing on the future of the European Network and Information Security Agency. Here is the text of my prepared remarks:

ENISA's role in light of current systemic cybersecurity risks

Last year, with my colleague Prof. Peter Sommer, I carried out a study for the OECD on “Reducing global systemic cybersecurity risk”. We assessed the likelihood and potential consequences of catastrophic failures of information system security, comparing them to other potential “global shocks” such as an international flu pandemic or further financial crisis. Our conclusion was that in the medium term, few single foreseeable cyber-related events have the capacity to propagate onwards and become a full-scale “global shock”.

This does not mean that individual cyber-related events could not generate a great deal of harm and financial suffering; indeed there are many examples where this has already happened. And European societies are becoming increasingly dependent on the availability of the Internet and related communications and computing infrastructures.

Bodies such as ENISA can play a key role in reducing these threats, and in ensuring that in the longer term they do not develop into catastrophic global risks. Responses to such shocks limited to the level of the nation state are likely to be inadequate. Coordinated international activity is required, with all the associated problems of reaching agreement and then acting in concert. The European Union has a clear advantage in facilitating and coordinating Member State activity in this field.

The European Commission’s proposal for a regulation concerning ENISA contains a number of measures matching our own recommendations to the OECD, especially in supporting the Digital Agenda for Europe. I want to highlight three key areas: supporting the European Forum of Member States and European Public Private Partnership for Resilience; facilitating EU-wide cooperation and preparedness; and addressing market failures in security.

First: supporting the Member State forum and Public-Private Partnership.

Attacks on systems connected to the public Internet can originate from anywhere on that network. Vulnerabilities in software developed in one country and installed in a second can be exploited remotely from a third. Failures in critical information infrastructures in one nation can cascade into dependent systems elsewhere.

Member States and the private sector need to coordinate their efforts to enhance cyber security levels, develop safe and trusted methods for information sharing about vulnerabilities, block and deter attacks, and improve the resilience of critical infrastructure. Officials will need, if they are not doing so already, to plot out the dependencies of key central government and critical infrastructure systems. They will need to identify points at which computer and communications facilities may become overloaded during catastrophes and arrange for the provision of extra resource and resilience. They will also need to create contingency plans should large important systems fail. ENISA can support all of these efforts through its role in the European Public-Private Partnership for Resilience.

A further role is horizon scanning for future threats arising from changes in the broad cyber world. For example, Member States need to carefully consider the implications of outsourcing and cloud-based systems for the resilience of the services they provide, identifying any new interdependencies that result and how they would deal with catastrophic failure of third-party services. Contracts and Service Level Agreements need to include provisions on availability and liability for security breaches, as well as the geographic location of sensitive data and the level of access of third-party staff. ENISA has published a number of useful reports examining these issues in the last few years.

By procuring and operating more secure systems, governments will reduce the risk of exploitation and failure of their own critical services. They will also incentivise software companies, Internet Service Providers and other companies to create more secure products that can also be sold to the private sector.

All of these activities would benefit from cross-EU planning and support from ENISA in the European Forum of Member States.

Second: facilitating European cooperation and preparedness.

Most of the Member States now have effective government and industry Computer Emergency Response Teams. These CERTs meet and share best practice through groups such as the Forum of Incident Response and Security Teams (FIRST). This also allows computer security engineers in different countries to meet each other and build informal relationships of trust. Such social contacts can, in an emergency, help resolve problems more quickly than the official formal structures. ENISA could usefully support the work of such groups.

Just as has become common in the financial sector, regulators should conduct regular “stress test” exercises to measure vulnerabilities and ensure the resilience of infrastructure in the face of attack. ENISA can facilitate the European components of the international exercises that are necessary to fully test responses to global threats.

Finally: addressing market failures in information security.

Unlike much 20th-century critical national infrastructure, the Internet is almost entirely developed and managed by private companies. In the long run, the most important role of ENISA (and EU Network and Information Security policy) is to support policymakers in modulating the incentive structures that are causing market actors to under-protect systems. The technology is available to build a much more secure Internet. The key question to ask is why it is not being deployed, particularly in end-user system software.

Companies managing critical infrastructure have incentives to maintain continuity of service to their customers, but without some government intervention they may not be willing to commit resources to protecting wider interests of society. These include public confidence promoted by the general availability of shelter, electricity and gas, and telecommunications. Governments can use legislation, licensing and regulation to impose standards for security and resilience upon operators of Critical Infrastructure. This should become a core concern for regulatory agencies in the water, power, telecommunications, financial services and healthcare sectors.

ENISA can act as a centre of expertise to support the Member States and their critical infrastructure regulators, particularly in setting baseline security standards and modulating market incentives to encourage resilience. It can also usefully act as a centre of expertise supporting the Commission and groups such as the Article 29 Working Party of data protection authorities. This expertise is crucial to the success of highly technology-dependent policy goals such as the protection of Europeans’ fundamental rights to privacy and data protection.

If we are to make the Commission’s plans for “privacy by design” effective, it would be logical to task ENISA with developing urgent plans to ensure suitable standards and infrastructure are deployed, making use of the latest discoveries from EU research programmes. No other agency or regulator has a sufficiently technical EU-wide mandate to overcome the formidable structural obstacles that have so far prevented this from happening.

To conclude: ENISA clearly has a key role to play in the development of a secure and resilient European information society that protects fundamental rights. I can find much to support in the Commission’s proposal to develop its mandate.

Thank you for your attention.
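The remarks above ask officials to plot out the dependencies of critical systems, to identify the new interdependencies that outsourcing and cloud services introduce, and to plan for the catastrophic failure of a third-party service. As an added illustration of that exercise (example code written for this page, not part of the prepared remarks or of any ENISA material), the script below models a service estate as a dependency graph, computes the "blast radius" of a failure, ranks single points of failure, and lists which third parties a given service is transitively exposed to. The service names, the dependency map and the set of third-party operators are constructed for illustration and do not describe any real system.

```python
from collections import deque

# Constructed example dependency map (hypothetical services, not real systems):
# each key is a service, each value the services it directly depends on.
DEPENDENCIES = {
    "tax-portal":        ["identity-provider", "cloud-hosting"],
    "benefits-portal":   ["identity-provider", "cloud-hosting", "payments-gateway"],
    "identity-provider": ["cloud-hosting", "sms-provider"],
    "payments-gateway":  ["bank-network"],
    "emergency-alerts":  ["sms-provider", "telco-core"],
    "cloud-hosting":     ["dns-provider", "power-grid"],
    "sms-provider":      ["telco-core"],
    "telco-core":        ["power-grid"],
    "bank-network":      ["power-grid"],
    "dns-provider":      [],
    "power-grid":        [],
}

# Services operated by third parties under contract (also constructed).
THIRD_PARTY = {"cloud-hosting", "sms-provider", "dns-provider"}


def dependents_map(deps):
    """Invert the graph: service -> set of services that directly depend on it."""
    rev = {s: set() for s in deps}
    for service, needs in deps.items():
        for need in needs:
            rev.setdefault(need, set()).add(service)
    return rev


def blast_radius(deps, failed):
    """Every service that becomes unavailable if all of `failed` fail at once.

    Breadth-first walk over the inverted graph; the visited set makes the
    walk terminate even if the dependency map contains a cycle.
    """
    rev = dependents_map(deps)
    down = set(failed)
    queue = deque(failed)
    while queue:
        for dependent in rev.get(queue.popleft(), ()):
            if dependent not in down:
                down.add(dependent)
                queue.append(dependent)
    return down


def transitive_dependencies(deps, service):
    """Everything `service` relies on, directly or indirectly."""
    seen = set()
    queue = deque(deps.get(service, ()))
    while queue:
        need = queue.popleft()
        if need not in seen:
            seen.add(need)
            queue.extend(deps.get(need, ()))
    return seen


def third_party_exposure(deps, service, third_party):
    """Third-party services whose failure would take `service` down."""
    return transitive_dependencies(deps, service) & third_party


def rank_single_points_of_failure(deps):
    """(number of other services lost, service) pairs, worst first."""
    ranked = [(len(blast_radius(deps, {s})) - 1, s) for s in deps]
    return sorted(ranked, key=lambda item: (-item[0], item[1]))


if __name__ == "__main__":
    for affected, service in rank_single_points_of_failure(DEPENDENCIES):
        print(f"{service:18} takes down {affected} other service(s)")
    print("benefits-portal is exposed to third parties:",
          sorted(third_party_exposure(DEPENDENCIES, "benefits-portal", THIRD_PARTY)))
```

Running it ranks the power grid and the telecoms core as the worst single points of failure in the constructed estate, and shows that the benefits portal depends on three outsourced services even though it only contracts directly with one of them; that second kind of finding is the "new interdependency" the remarks warn about, and it is exactly what an availability and liability clause in a Service Level Agreement needs to cover.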

Wednesday, April 06, 2011

Security and Privacy in Implantable Medical Devices

Last week I was in Lausanne to speak at a workshop on Security and Privacy in Implantable Medical Devices. It was amazing to see some of the body sensors and actuators being developed by bioengineering researchers and companies. You can see my slides on privacy by design, but I highly recommend some of the other presentations — I was particularly amazed by the Chinese researchers growing tracheas using sheep as "in vivo bioreactors"!

Monday, March 21, 2011

Privacy, trust and biometrics in Bangalore

If you're near Bangalore, you might be interested in the talk I'm giving this afternoon at the Indian Institute of Science on Privacy, Trust and Biometrics. This is a hot topic in India right now, due to the government's plans for a high-tech national identity database not so dissimilar to the one recently destroyed in the UK. Hope to see you there!

Wednesday, February 16, 2011

Hillary Clinton's Internet Freedom 2.0 speech

Hillary Clinton gave a second speech yesterday on the subject of Internet freedom. Here is my response, written for Index on Censorship:

Hillary Clinton is right to say “the choices we make today will determine what the Internet looks like in the future”. The US government can have a long-term impact by supporting the development and use of technology in tune with her vision of the “freedom to connect”.

Such technology would make it easy for individuals to debate, organise and protest online without making it trivial for government spies to monitor and suppress those activities. It would widely distribute control, rather than concentrate it in government or corporate hands that can easily choose to extinguish speech — as Amazon did in throwing WikiLeaks off their servers.

It would certainly not come with surveillance functionality built in – as the US, UK and many other western governments require of Internet routers and telephone exchanges and would like to extend to social media sites.

In short: Clinton needs to make sure the Internet’s future public spaces look more like Tahrir Square and less like Tiananmen Square.