Security

1
Security the EU Telecoms PackageSeptember 2008

• Malcolm Hutty
• http//publicaffairs.linx.net/news/

2
What does security mean to you?

• Availability
• Integrity
• Confidentiality
• Authentication
• Identification
• Access control
• User profile based
• Geography-based
• Other policy enforcement

3
Banks

• Concerned about fraud on them
• Seek customer identification
• Would/should seek just authentication
• but for know your customer regulation
• Concerned about fraud on you (phishing)
• Should seek bank identification / authentication
• Actually seek to control trademark abuse

4
Financial regulators

• Financial services should only be offered by
  approved regulated parties
• Financial information should only be given
• Either, by approved regulated parties
• Or, subject to controls of type of info
• Regulators are jurisdictionally limited
• Requirement for jurisdictionally based controls

5
Healthcare regulators

• Start from premise that most healthcare
  information and products are only suitable for
  professionals, not lay people
• Requirement to prevent access to information and
  products
• Regulators are jurisdictionally limited
• Requirement for jurisdictionally based controls

6
Music And Film Industry Associations

• Seek to protect their content
• No longer entirely homogenous view
• Some just want to prevent unauthorised access to
  content
• Others want to control uses of content
• Various types of DRM
• HDCP protected path

7
Child protection

• The three child protection risks
• Content
• Contact
• Conduct
• A secure service
• Content is suitable for children all children
• No contact with adults except as approved
• Close monitoring of conduct, professional
  response to inappropriate behaviour

8
Spooks

• Think they used to be able to monitor all
  communications
• Actually, ability to process communications data
  has grown immeasurably
• But more un-monitorable communications methods
  than ever before
• Demand for universal surveillance capability

9
Other policing issues

• Requirement to suppress certain types of
  information
• Terrorism
• Pornography
• Gambling
• Jurisdiction issues are complex
• Police work mainly nationally
• Criminals cross-border
• Requirement to reverse this

10
Others

• Courts
• Injunctions against content must be honoured
• Emergency operators
• Need to know address where the user/caller is
  located
• Note that if this data is available for one
  purpose, it could be used to develop conditional
  access systems

11
That list again

• Availability
• Integrity
• Confidentiality
• Authentication
• Identification
• Access control
• User profile based
• Geography-based
• Other policy enforcement

12
A plan for a new network

• A network that guarantees
• Identity and age of user (not just subscriber)
• (Goodbye privacy)
• Location
• (Goodbye cross-border trading, hello burglaries)
• End-to-end content copy prevention
• (Goodbye open source)
• Only authorised services/applications
• (Goodbye protocol service innovation)
• White-listed content sources
• (Goodbye new sites of all types)

13
Telecoms Package

• Possible?
• All that could be done by regulatory fiat
• Its not impossible, its just not the Internet
• Planned?
• Nothing in the Telecoms Package requires or even
  directly suggests this
• but it does include powers that could be used to
  follow that plan
• and there are many voices already calling for
  ISPs to take responsibility for content
• even though the rest of the package is, as
  before, de-regulatory.

14
Telecoms Package

• Recitals 32 and 33 set out expansive role for
  NRAs in security
• Justification for regulation is that
• Reliable and secure communication is
  increasingly central to the whole economy and
  society in general
• New Article 13(a)(1) of Framework Directive
• Network and service providers must take
  appropriate technical and organisational
  measures to safeguard the security of their
  networks and services

15
Article 13(a)(1) in full

• Member States shall ensure that undertakings
  providing public communications networks or
  publicly available electronic communications
  services take appropriate technical and
  organisational measures to safeguard the security
  of their networks or services. Having regard to
  the state of the art, these measures shall ensure
  a level of security appropriate to the risk
  presented. In particular, measures shall be taken
  to prevent or/and minimise the impact of
  security incidents on users and on interconnected
  networks

16
Article 13(a)(1) has technical mandates

• 13(a)(4) The Commissionmay adopt appropriate
  technical implementing measures with a view to
  harmonising the measures referred to in
  paragraphs 1, 2, and 3,
• The technical implementing measures shall not
  prevent Member States from adopting additional
  requirements (LIBE text)
• Member States shall ensure that the competent
  national regulatory authorities have the power to
  issue binding instructions to undertakings
  providing public communications networks or
  publicly available electronic communications
  services in order to implement Article 13a.
  (Article 13b)

17
EuroISPA recommended amendment

• Networks should guarantee availability only
  (end-to-end principle)
• Member States shall ensure that undertakings
  providing public communications networks or
  publicly available electronic communications
  services take appropriate technical and
  organisational measures to safeguard the
  availability of their networks or services.
• Please ask your government to support this change
  in the Council of Ministers

18
Security the EU Telecoms PackageSeptember 2008

• Malcolm Hutty
• http//publicaffairs.linx.net/news/