Lessons in cybersafety

British Columbia’s Ministry of Management Services recently produced its sixth annual conference on privacy and security issues, this time focusing on Synergies in an E-Society. The sessions attracted several hundred specialists, along with Robert Parkins, editor of CIO Government Review. Following is his selection of highlights from the conference.

So will it be Internet: The Sequel?

Jonathan Zittrain thinks we’re headed that way. Zittrain, executive director of the School for Internet and Society at Harvard Law School, told a recent Victoria conference on privacy and security issues that today’s Internet has been hopelessly undermined by hackers, viruses and forms of malware…

“The Internet is leading the way in the erosion of privacy,” he told the meeting on Synergies in an E-Society, produced by the B.C. Ministry of Management Services. “And there’s nothing we can do about it.”

In Zittrain’s view, the open nature of the Internet (“it lets anyone who can say who they are have access, no matter who they really are”) in fact creates problems, because it assumes that “everyone is reasonable and nice.”

“The infinite control of each of our PCs is also an avenue of data that we get from the outside world — which means there is always the chance that the right sequence of data arriving into our Ethernet port will control our computers, not just inform them.

“That is a huge, glaring security problem.”

The solution, according to Zittrain, could lie with the development of another network, open only to those who can show that they take security seriously.

There are control issues with such an approach, he acknowledged, but “I think we’re heading toward a licensing scheme.

“It’s just a question of who’s going to administer it. Will it be software companies, trying to figure out how to keep viruses out of their operating systems? I’m not sure they want that role, but they may have to take it by default,” Zittrain said.

In an interview outside the conference, Zittrain said many of today’s Internet problems are the consequence of decisions taken years ago, in the ARPANET era – decisions which must be revisited.

“Whether we revise the clock by literally ripping out existing wires and putting in new wires – probably not. But might we come up with new virtual networks over this network, that have all sorts of barriers? That is possible.”

In this context, Zittrain said, government could be a leader: “It makes purchasing decisions, it configures its own networks, and there’s an opportunity, to become as it was in the ARPANET days – the proving ground, the actual cutting edge of how to make this stuff work, rather than just another consumer, like a business wanting to have a secure network.”

IT USED TO be the military-industrial complex. Now, says Barry Steinhardt, the problem is the “surveillance-industrial complex.”

The phrase “military-industrial complex” was famously coined by U.S. President Dwight Eisenhower in the 1950s and more famously expropriated by the New Left in the 1960s.

But Steinhardt, director of the Technology and Liberty Project with the American Civil Liberties Union, warned a session on the U.S. Patriot Act that private sector holders of private data are now selling it to government – sometimes including financial information.

Steinhardt also flagged what he called “policy laundering” – the practice of cycling U.S. policies through international organizations to escape domestic U.S. reviews. He cited the use of ICAO – the International Civil Aviation Organization, based in Montreal – to develop a global passport.

IN AN EFFECTIVE dissent from much of the thinking at the conference, Bernard Courtois, president of the Information Technology Association of Canada, suggested that British Columbia privacy officials had gone too far in their much chronicled challenge to the Patriot Act.

Courtois argued that any access to data on Canadians should proceed through Canadian authorities. In terms of the Patriot Act, he said, there was “no material threat.” U.S. police forces, for example, could obtain information from B.C. police forces without recourse to the Patriot Act.

Courtois said the privacy debate in B.C. had been “unbalanced.” There were other ways to manage access to data, including “contractual clauses” which insist that contacts be tailored “to the nature of the information at stake.”

ON THE OTHER hand, Heather Black, assistant privacy commissioner for the federal government, told another session that this country is still “struggling” to implement basic privacy guidelines which date back 25 years.

Despite advances like PIPEDA – the Personal Information Protection and Electronic Documents Act – Black said federal law still failed to address the export of personal information about Canadians.

And PIPEDA itself, she said, has fallen “dramatically behind technology and reality.”

THE PROBLEM, SAYS Michael Smith, is “application-centric architectures.”

Smith, chief technical officer with Secured Services Inc., told a workshop at the conference that “application-centric architectures” mean that access rights, administration, user accounts and information security all depend on applications. This, he said, leads to a series of related problems – including issues of orphan accounts and weakened authentication.

Smith’s solution calls for an “identity lifecycle management system,” an approach which isolates five core interrelated stages – creation, use, maintenance, deletion and audit of identity – and addresses the links between them. The identity management strategy rests on three key functions – administration, access and audit.

Robert Parkins (rparkins@itworldcanada.com) is Editor of CIO Government Review.