February 2019 - Security | Data Protection & Privacy

Cybersecurity & Data Protection – Public Security & Individual Freedom: doteditorial

For society to accept and use IT technologies and services, they must be secure and trustworthy. Prof. Norbert Pohlmann, Board Member for IT Security at eco Association, explores the balancing of state, community, and individual needs for cyber protection.

dotmagazine: Security & Trust in Digital Services


Too many security vulnerabilities and successful IT attacks; too few cybersecurity solutions and digital competencies. How do we achieve a high level of IT protection for our modern and connected world, and what role do ethical standards play for individual freedom in this process?

The IT architectures of our IT systems today, such as those of end devices, servers, IoT devices, and network components, are exposed more and more to constantly changing attack and threat scenarios. Unfortunately, as made clear by Oliver Dehning, Leader of the eco Competence Group Security in his analysis of the eco Association's annual IT security study, people still don't seem to realize how much such threats could affect them. The demands in the area of cybersecurity are increasing, and this, as Yves Reding from EBRC points out in an article on cyber-resilience, calls for a behavioral change to increase not only security but also to enhance resilience through anticipating threats.

In Germany, the damage incurred in the area of cybersecurity, at 55 billion Euro per year, is already too high and continues to grow steadily. We have to arm ourselves professionally against the damage and the new reality of cyber war and deploy significantly more effective cybersecurity solutions. Where do ethical issues come into play here? Security is a fundamental human need. In 2015, the then German Federal Minister of the Interior, Hans-Peter Friedrich, even opened up a debate on a “superordinate fundamental right” to security. The term was used to justify state “security” measures which, although they may have been suitable for increasing security, were at the same time imposed at the expense of other fundamental rights, such as the right to freedom and privacy or data protection. 

How do we deal with such a conception of security and its inherent understanding of state authority? In the face of cyber war and cyber crime threats, do we need full surveillance of citizens? Or, as Klaus Landefeld, Vice Chair of the eco Board, puts it, “How far should the state be allowed to go for the purposes of digital security?”

The fact is: 100 percent security can never be guaranteed – neither in the analog nor in the digital world. The fight for more security is a never-ending hare and tortoise race. Nevertheless, business, society and policy-makers must settle on an appropriate level of risk upon which we can build our future as a society. But just as leaving a car window open does nothing to increase security, unprotected IT systems and non-updated operating systems and applications are also unacceptable. 

However, leaving the window of your own car open already constitutes an offense in some countries. And yet the unpatched IT system on the Internet, which becomes part of a botnet, still does not.

Perhaps this is no bad thing, given that not all analogies comparing the "real" world with the digital one are prudent, but this does allow for a basic insight into the charged relationship between individual freedom and public security. 

This tension finds a new dimension in the digital sphere. New technological possibilities offer state authorities and institutions, as well as organized crime, unprecedented opportunities to advance their respective interests. To make matters worse, IT and Internet technologies can also be regarded as “dual-use” technologies, i.e. an IT system or algorithm is neutral per se, and it is the context, application, or business case that raises ethical questions. 

But even the belief that an algorithm is initially neutral is currently being debated – and perhaps even rightly so: if we look at the hosts of white, male developers and programmers, most of whom live in Europe or the USA, it should dawn on us that every human being who designs an algorithm could potentially feed his or her own bias into the system. So in the future, companies should pay more attention to the balance and diversity of their development teams. The input data of algorithms that document knowledge and experience in a certain area also have an influence on the ensuing results. As such, knowledge about what data were used is very relevant for the evaluation of the results. If the input data contains prejudices and discriminatory views, the intelligent algorithms will also produce corresponding results. The crux of the matter is that today it is enormously difficult to monitor the input data for such prejudices, because a desired map of the defined values of a society would have to be available for these purposes, but it does not (yet) exist. 

But also the later decision-making of the business case at hand can represent a critical ethical turning point. Recently, a young start-up company in the field of social media monitoring cited its corporate philosophy as being, “We don't do everything we could do”.

This is the essence of ethical behavior, far removed from regulation. It is also the type of conduct which is being increasingly sought in the public sphere, given that, as Yannick Schneeweiss of Hornetsecurity argues, data protection remains a gray area, in spite of the whole raft of regulations. And this is also where the two separate factors of cybersecurity and data protection intersect.

Profiling is technically possible, but it is fraught with difficulties from an ethics and data protection law perspective, especially since insecure IT systems can never guarantee that the profiles are reliable, confidential, and trustworthy. A data leak, however, destroys the confidence of users (or even of business users in the SME segment) in the new technologies. This is a fatal signal in times of digital change, but also a crucial insight: without IT security and trustworthiness, sustainable digitalization does not work! In building up such reliability and security, it is worth heeding the advice of experts such as Kathrin Ohlmer of DOTZON; in our interview, she talks about how domain owners can monitor and prevent abuse of their domain name.

Advancing digitalization is accompanied by many societal changes. Important in this change are common values on which we can rely. In the area of data protection, we in Europe have introduced the EU General Data Protection Regulation (GDPR) for all EU countries and for providers from other countries who offer their services in the EU. As such, the GDPR is also helping to harmonize concepts of privacy in states outside of the EU, as pointed out by Oliver Süme, Chair of the eco Association, in his interview on "EU-US Privacy Shield from the European Perspective". In particular, as Süme alludes to, the GDPR has already influenced the understanding of data protection in the US. This is a point also taken up in an interview with David Snead of the US-based i2Coalition, which explores the US perspective on the Privacy Shield. Here, Snead anticipates significant interest in discussing the impact of the GDPR on the US in a forthcoming transatlantic dialogue in Washington.

Essentially, the majority of US Americans regard the EU General Data Protection Regulation as a work based on more than 20 years of experience in implementing ethical values which determine how we handle the personal data of Internet users. Important aspects are:

- Right of access

- Right to erasure

- Right to rectification

- Right to restriction

- Right to portability 

- Right to object

But even this regulation does not discharge us from our responsibility, as entrepreneurs or state actors, to act ethically and, beyond this broad framework, to keep unethical behavior in focus when making our industry or political decisions.

Fortunately, there are numerous industry innovations which can support ethical conduct and boost trust in digital technologies, with blockchain currently playing a central role in this respect. Patrick Ben Koetter from the eco Competence Group Email, for example, explores how blockchain solutions can make email marketing more transparent and secure, while Christa Taylor of Minds + Machines looks at how naming conventions could, in turn, help to humanize blockchain. Yannik Heinze from Chainsulting elaborates on this topic in his article, "When Does a Company Blockchain Project Make Sense?". Nonetheless, as with all major innovations, blockchain is still presenting issues which will take some time to resolve: on this topic, Stephan Zimprich, Leader of the eco Competence Group Blockchain, provides an in-depth insight into the area of data protection and blockchain.

But even blockchain has two sides, as Ralf Benzmueller from G DATA Security Labs points out in his discussion of the potential of crypto mining as a revenue raiser for website owners and app developers. While this is a legitimate business case when it is undertaken with the consent of the device owner, the line between ethical use and abusive cryptojacking needs to be strictly observed.

A further aspect to be considered is the topic of encryption: 

For society to accept and use IT technologies and services, they must be secure and trustworthy. Encryption, for example, is an effective and essential IT security mechanism. It reduces potential attack surfaces and provides appropriate protection for digital assets. This applies to the privacy of all citizens as well as to the protection of corporate assets. We need comprehensive encryption for the transmission and storage of digital information. To do this, we need secure and trustworthy encryption products that are easy to integrate and use. 

This is particularly important in the field of communication. For the encryption of stored digital values, the appropriate IT security infrastructures must be provided that meet companies' requirements in terms of availability. Encryption systems should also be increasingly used to protect intellectual property in the future. 

This lies in the realm of the industry’s obligations. But the state is also accountable: State-mandated vulnerabilities and backdoors reduce security for all citizens and companies, and at the same time destroy confidence in increasingly important IT technologies and IT services. 

For a sustainable digitalization process, it is more important to protect digital values in the information and knowledge society than to enable potential access by secret services and law enforcement agencies through a general weakening of IT solutions. 

IT products that have already been released on the market “insecurely”, or IT security features that are only offered as an option or can be switched on or off at the user's request, undermine the meaning and purpose of IT security. This must be avoided, because organized crime has just as much access to such a vulnerability as the state, and it goes without saying that demanding ethical conduct from criminals is nonsensical! But this also means that all parties involved – the industry, the state, and society – must really pull together in order to achieve the highest possible level of security in the digitally connected world in the future.

New technologies such as artificial intelligence can help to achieve a higher level of IT security, but the use of artificial intelligence by criminal organizations can turn this completely on its head. 

Issues of individual freedom and public security play a very important role for every citizen. A society whose economic and political ethos is based on the personal responsibility of the individual must reciprocally protect what makes the individual a social being and an economic factor: on the one hand his or her personal integrity and individual freedom, and on the other his or her material possessions. If we as a society are no longer in a position to fulfil these requirements, then we lose a part of democracy and give up our freedom. 

It is important for us citizens that economic and political systems are not neutral. That is why it will be extremely important for us to remember that we as citizens are responsible for goals and their implementation in a society. While we have created a political system to manage that for us within a previously determined framework, unfortunately this system has distanced itself too much from the necessary freedom of citizens. The most important question in the long term will be how international society and its citizens can establish an economic and political system that will in future strike a very good balance between individual freedom and the security of all citizens. The Internet is an international infrastructure that makes new framework conditions necessary for governments, for global IT companies, and also for users.

Norbert Pohlmann is a Member of the Board and Director of IT Security at eco – Association of the Internet Industry. He holds two positions at Westphalian University of Applied Sciences, Gelsenkirchen: Professor of Distributed Systems and Information Security in the field of IT, and Managing Director of the Institute for Internet Security. For five years, he was a member of the "Permanent Stakeholders' Group" of ENISA (European Network and Information Security Agency), the European Community's security agency (www.enisa.europa.eu).