Humanizing security technology and terminology

Scott CADZOW, C3L

i-locate: Indoor/outdoor LOCation and Asset management Through open gEodata, www.i-locate.eu (GA 621040)

Your speaker

• Scott CADZOW
• Director, Consultant, Security Expert, Standards developer, Pen-tester, Cryptanalyst (for fun), Writer/Blogger (not often), Husband, Father, Privacy advocate, Triathlete (barely competitive but enjoys it)
• Rapporteur of about 20 ETSI standards (TETRA, NGN, HF-UCI, MTS, AT-D, ITS, eHEALTH)
• Chairman or vice chairman at various times of ETSI and ISO standards groups (TETRA, LI, ITS)

Setting the tone

• “Real knowledge is to know the extent of one’s ignorance”, Confucius
• “... as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know”, Donald Rumsfeld (February 2002)
• “He that would perfect his work must first sharpen his tools.”, Confucius

The proposal to HF and Users

• Sorting terminology to identify requirements
• Background:
  • The terminology of security does not align to the human expectation of security. This misalignment does a disservice to security experts, to privacy experts, to legislation and to the affected users.
• Examples:
  • Integrity: the quality of being honest and having strong moral principles (a gentleman of complete integrity).
  • Integrity: safeguarding the accuracy and completeness of information and processing methods

Real concerns and resulting requirements

• The concerns of users of systems are not on the technology of confidentiality or on proofs of integrity or authentication
• Users tend to be concerned with less tangible or intangible things like trust, integrity and ethical behavior.
• The approach to be considered is to take the user debate from CIA to ESP:
  • Technology often means the CIA of Confidentiality, Integrity and Availability
  • As technologists we are able to say with confidence that the algorithms underpinning cryptographic confidentiality (e.g. AES), digital signature (e.g. RSA), and cryptographic hashes (e.g. SHA) give assurance of security (i.e. cannot be broken using any known capability).
  • Users look more at behavioral expectations - the ESP of Ethics, Privacy and Security.
  • As technologists we cannot say “this person is acting ethically” or “this recipient of your data is acting in your interest”.

What we need to foster

• ICT systems treating users with dignity
• ICT systems acting ethically
• Much more than merely respecting and protecting privacy (private data, user behavior, user relationships)

Ethics – a societal and technical issue

• Applying the Hippocratic oath to machine systems:
  • I swear by Apollo the physician, and Asclepius, and Hygieia and Panacea and all the gods and goddesses, making them my witnesses, that I will fulfil according to my ability and judgement this oath and this covenant:
  • To hold him who has taught me this art as equal to my parents and to live my life in partnership with him, and if he is in need of money to give him a share of mine, and to regard his offspring as equal to my brothers in male lineage and to teach them this art, if they desire to learn it, without fee and covenant; to give a share of precepts and oral instruction and all the other learning to my sons and to the sons of him who has instructed me and to pupils who have signed the covenant and have taken an oath according to the medical law, but to no one else.
  • I will apply dietetic measures for the benefit of the sick according to my ability and judgement; I will keep them from harm and injustice.
  • I will neither give a deadly drug to anybody who asks for it, nor will I make a suggestion to this effect. Similarly I will not give a woman an abortive remedy. In purity and holiness I will guard my life and my art.
  • I will not use the knife, not even on sufferers from stone, but will withdraw in favour of such men as are engaged in this work.
  • Whatever houses I may visit, I will come for the benefit of the sick, remaining free of all intentional injustice, of all mischief and in particular of sexual relations with both female and male persons, be they free or slaves.
  • What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about.
  • If I fulfil this oath and do not violate it, may it be granted to me to enjoy life and art, being honoured with fame among all men for all time to come; if I transgress it and swear falsely, may the opposite of all this be my lot.

Modern text: World Medical Association International Code of Medical Ethics

• AT THE TIME OF BEING ADMITTED AS A MEMBER OF THE MEDICAL PROFESSION:
• I SOLEMNLY PLEDGE to consecrate my life to the service of humanity;
• I WILL GIVE to my teachers the respect and gratitude that is their due;
• I WILL PRACTISE my profession with conscience and dignity;
• THE HEALTH OF MY PATIENT will be my first consideration;
• I WILL RESPECT the secrets that are confided in me, even after the patient has died;
• I WILL MAINTAIN by all the means in my power, the honour and the noble traditions of the medical profession;
• MY COLLEAGUES will be my sisters and brothers;
• I WILL NOT PERMIT considerations of age, disease or disability, creed, ethnic origin, gender, nationality, political affiliation, race, sexual orientation, social standing or any other factor to intervene between my duty and my patient;
• I WILL MAINTAIN the utmost respect for human life;
• I WILL NOT USE my medical knowledge to violate human rights and civil liberties, even under threat;
• I MAKE THESE PROMISES solemnly, freely and upon my honour.

… alternatively

“Do no harm”

• Not just for telemedicine
• Applies to all ICT systems

Home of Ethics?

• Considered owned by organisation
  • Of the medical profession
  • Of a bank
  • Of a retail store or group
  • …
• Where is the ethical “home” for a concept? Or a global ICT network of systems?
• Users are often modelled for simplicity as being outside the system boundary – are they?

Ethics versus security and privacy

• For telemedicine
  • Audit trail of actions involving machines must be as good if not better than those involving humans
  • Non-repudiation of clinical action
  • Proper authorisation of all clinical and non-clinical actions
  • Clinical intervention
  • Clinical monitoring
• An eHealth system should be seen to perform ethically as a Turing system
  • To exhibit behaviours that make its actions indistinguishable from purely human actors

2 threads intertwined

• Security
  • Gives assurance of the following characteristics
    • Confidentiality – ensuring that data transmitted that is only meant to be seen by Alice and Bob can only be seen by Alice and Bob
    • Integrity – ensuring that the system behaviour, content and look is not changed without that change being authorised (and reversible and repeatable and (essentially) correct)
    • Availability – ensuring proper identification and authorisation of all actors, ensuring that performance is maintained, ensuring that the system is available to its legitimate users when they are allowed to legitimately use it

… the other thread

• Privacy
  • Ensuring that the system acts on private data (generally any data that may by itself or in collusion with other data, services, or analysis be used to identify one out of a crowd) legitimately with respect to –
    • The law
    • The explicit understanding of the affected parties

Threats to eHealth?

• Unauthorised access to data
  • Requires identification, authorisation, non-repudiation, confidentiality (when stored and when in transit)
• Inappropriate access to data
  • Requires context processing – sometimes data has to be released but only when it is “right”
• Incorrect clinical intervention
  • By hijack of telemedicine actors (the insulin pump attack)
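The telemedicine requirements (audit trail, non-repudiation, proper authorisation) and the three eHealth threats listed above can be shown together in one small policy engine. The following is an added example, not code from the slides or from the i-locate project: a role-and-context access decision that distinguishes "unauthorised" (the role may never see that class of record) from "inappropriate" (the right role in the wrong context), a break-glass path for emergencies that only opens with a recorded reason, a check that only listed roles may command a clinical device, and an HMAC-chained audit trail in which every decision is recorded so it can neither be repudiated nor silently edited afterwards. The roles, record classes, contexts, device class and audit key are constructed sample data; in a real system the role would come from an authenticated session rather than a function argument.

```python
"""Context-aware release of clinical data with a tamper-evident audit trail.

Added example, not from the slides. Roles, record classes, contexts, the
device class and the audit key below are constructed sample data.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed policy: for each role, the record classes it may see and the
# contexts in which seeing them is "right". A class that is not listed is
# unauthorised; a listed class in an unlisted context is inappropriate.
ROLE_POLICY = {
    "treating_clinician": {"clinical": {"consultation", "ward_round"},
                           "prescription": {"consultation"}},
    "pharmacist": {"prescription": {"dispensing"}},
    "billing_clerk": {"billing": {"invoicing"}},
}

# Constructed: which roles may issue commands to which device class.
INTERVENTION_POLICY = {"insulin_pump": {"treating_clinician"}}


@dataclass
class AuditTrail:
    """Append-only log. Each entry's tag is an HMAC over the entry plus the
    previous tag, so editing or dropping an entry breaks every later tag."""
    key: bytes
    entries: list = field(default_factory=list)
    last_tag: str = "0" * 64

    def append(self, event: dict) -> str:
        payload = json.dumps(event, sort_keys=True) + self.last_tag
        tag = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        self.entries.append({"event": event, "tag": tag})
        self.last_tag = tag
        return tag

    def verify(self) -> bool:
        """Recompute the whole chain with the key; False if anything changed."""
        prev = "0" * 64
        for entry in self.entries:
            payload = json.dumps(entry["event"], sort_keys=True) + prev
            expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["tag"]):
                return False
            prev = entry["tag"]
        return True


def decide_access(actor, role, record_class, context, trail, justification=""):
    """Return 'grant', 'deny-unauthorised' or 'deny-inappropriate'; always log."""
    allowed = ROLE_POLICY.get(role, {})
    if record_class not in allowed:
        outcome = "deny-unauthorised"        # this role never sees this class
    elif context in allowed[record_class]:
        outcome = "grant"                    # right data, right situation
    elif context == "emergency" and justification:
        outcome = "grant"                    # break-glass: only with a recorded reason
    else:
        outcome = "deny-inappropriate"       # authorised role, wrong context
    trail.append({"kind": "access", "actor": actor, "role": role,
                  "record": record_class, "context": context,
                  "justification": justification, "outcome": outcome})
    return outcome


def decide_intervention(actor, role, device, command, trail):
    """Only listed roles may command a device; every attempt is logged so a
    command from an impersonated or hijacked actor is visible and attributable."""
    permitted = role in INTERVENTION_POLICY.get(device, set())
    outcome = "grant" if permitted else "deny-unauthorised"
    trail.append({"kind": "intervention", "actor": actor, "role": role,
                  "device": device, "command": command, "outcome": outcome})
    return outcome


if __name__ == "__main__":
    trail = AuditTrail(key=b"constructed-audit-key")
    print(decide_access("dr_a", "treating_clinician", "clinical", "consultation", trail))
    print(decide_access("dr_a", "treating_clinician", "clinical", "research", trail))
    print(decide_intervention("dr_a", "treating_clinician", "insulin_pump", "set_rate", trail))
    print("audit trail intact:", trail.verify())
```

The point of the chain is that the audit trail is itself integrity-protected: the recorded decisions, including the denied ones and the break-glass justification, stay as evidence of what the machine did, which is the property the slides ask for when they say audit of machine actions must be at least as good as audit of human ones.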


Characterisation of data?

• Assumptions
  • Data is “open”
  • Data is “layered”
• Potentialities
  • Data is loosely structured
  • Data is mutable
  • Data associations are highly dynamic
• Data protection and privacy (DP&P)
  • The same root data may be both private (subject to DP&P) and public (not subject to DP&P)

The result we want to achieve

• Proof that all data and services acting on behalf of users do so in such a way that all data, and all processing, is essential within the privacy and security constraints set for the system
• Let systems be open to ethical and dignity audit
• Ensure that any action by the system or its users whilst connected to the system does not give rise to any increased risk to the user that would not exist if the system did not exist
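Two of the points above, that the same root data may be private or public depending on the layer released and that a system should be able to show every release is no more than its purpose needs, can be made concrete with location data of the kind i-locate deals with. The following is an added example, not code from the slides or the project: one root location record, three derived layers (full, coarse, aggregate), a purpose table saying which layer each purpose is entitled to, and a release function that refuses any request for a layer richer than the purpose needs. The records, the grid sizes, the purpose names and the layer table are constructed assumptions.

```python
"""Layered release of one root data set.

Added example, not from the slides. The location records, grid sizes,
purposes and layer table below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass

LAYER_RANK = {"aggregate": 0, "coarse": 1, "full": 2}   # higher = richer

# Constructed: the richest layer each purpose is entitled to receive.
PURPOSE_LAYER = {
    "public_occupancy_map": "aggregate",   # how busy a cell is; no person, no time
    "facility_management": "coarse",       # which cell and hour; no person
    "emergency_response": "full",          # exact position and identity
}


@dataclass(frozen=True)
class RootLocation:
    subject_id: str      # ties the fix to a person: the root record is personal data
    lat: float
    lon: float
    timestamp: str       # ISO 8601, e.g. "2014-05-12T09:41:00"


def to_full(r: RootLocation) -> dict:
    return {"subject_id": r.subject_id, "lat": r.lat,
            "lon": r.lon, "timestamp": r.timestamp}


def to_coarse(r: RootLocation) -> dict:
    # Generalise to a ~100 m grid cell and the hour; identity is dropped.
    return {"cell": (round(r.lat, 3), round(r.lon, 3)), "hour": r.timestamp[:13]}


def to_aggregate(records) -> dict:
    # Count fixes per ~1 km cell; no individual record survives.
    cells = Counter((round(r.lat, 2), round(r.lon, 2)) for r in records)
    return {"counts": dict(cells)}


def is_personal(view: dict) -> bool:
    """A view is subject to DP&P if it can single one person out of the crowd.
    Simplification: only direct identity is tested here. A coarse cell-hour
    holding a single person can still be identifying in combination with
    other data, which the slides' definition of private data warns about."""
    return "subject_id" in view


def release(records, purpose, requested_layer=None):
    """Release the layer the purpose needs and refuse anything richer, so the
    data handed over is demonstrably no more than essential for that purpose."""
    needed = PURPOSE_LAYER[purpose]          # unknown purpose: KeyError, nothing released
    layer = requested_layer or needed
    if LAYER_RANK[layer] > LAYER_RANK[needed]:
        raise PermissionError(f"purpose {purpose!r} does not need the {layer!r} layer")
    if layer == "aggregate":
        return [to_aggregate(records)]
    if layer == "coarse":
        return [to_coarse(r) for r in records]
    return [to_full(r) for r in records]


if __name__ == "__main__":
    # Constructed sample fixes for two people in the same building.
    recs = [RootLocation("alice", 46.0691, 11.1211, "2014-05-12T09:41:00"),
            RootLocation("bob", 46.0693, 11.1214, "2014-05-12T09:45:00")]
    for purpose in PURPOSE_LAYER:
        views = release(recs, purpose)
        print(purpose, views, "personal:", any(is_personal(v) for v in views))
```

The same two root records come out as public statistics for one purpose and as personal data for another; what changes is the layer, not the data. Because `release` compares ranks rather than names, a consumer may always ask for a layer poorer than its entitlement, but never a richer one, which is the check an auditor would want to see when the slides ask for proof that all processing is essential.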

Thank you for your attention

Acknowledgement

• The author acknowledges support for the presentation material from the following sources:
  • i-SCOPE: The project has received funding from the European Community, and it has been co-funded by the CIP-ICT Policy Support Programme as part of the Competitiveness and innovation Framework Programme by the European Community (http://ec.europa.eu/ict_psp), contract number 297284. The author is solely responsible for it; it does not represent the opinion of the Community, and the Community is not responsible for any use that might be made of the information contained therein.
  • SUNSHINE: This project is partially funded under the ICT Policy Support Programme (ICT PSP) as part of the Competitiveness and Innovation Framework Programme by the European Community (http://ec.europa.eu/ict_psp).
  • i-locate: The project has received funding from the European Community under contract number 621040