Digital ID Explained: Pros, Cons, and “Should I get the Trident ID card?”

PURPOSE

I continue to receive countless questions from various walks of Bajan society about the Trident ID card and the national digital ID program. This is stark evidence that the Government of Barbados HAS NOT done an adequate and effective job of alleviating the concerns of the public. As such, I wanted to clarify once and for all the pros and cons of digital ID systems, and answer the million dollar question I am repeatedly asked, “Should I get the Trident ID card?”

INTRODUCTION

Digital identity (ID) has become the topic of the moment in Barbados, given the government’s poor implementation, failure to address the fears and anxieties of the public, and generally ineffectual communication to the average person on the street as to why they need digital ID and what value it will bring to their lives. The government has set out to provide a single digital identity to all residents/citizens through the collection, storage, and use of their biographic data (e.g., name, address, date of birth, gender, national registration number, etc.) and possibly their biometrics (e.g., fingerprints, iris scans, facial scans, etc.) as the primary means of establishing and verifying their identity. They will achieve this through a legally mandated, centralised national digital ID system.

Governments, international organizations, and multilateral banks (e.g., International Monetary Fund, World Bank, etc.) argue that digital ID systems provide benefits such as more effective and efficient delivery of government services; poverty reduction and welfare programs; financial inclusion through better access to banking and other products/services; minimised corruption; and preservation of national security interests. Multilateral banks are providing significant funding to developing countries to implement digital ID. In some cases, they’re even making the implementation of digital ID systems a ‘condition’ of loan agreements.

Critics maintain that digital ID systems may actually not guarantee more effective access to social and economic benefits, enhance service delivery, or improve governance, while at the same time, they raise serious issues, including worries about how they are developed and managed; social exclusion and discrimination; privacy and data protection; cybersecurity; and major risks for human rights. With regard to human rights, they threaten the right to privacy, freedom of movement, freedom of expression, and other protected rights. Additionally, since they usually involve the creation and maintenance of centralised databases of sensitive personal data, they are also prone to breaches by hackers or abuse/misuse by government institutions. These issues may lead to digital IDs becoming widespread tools for identification, surveillance, persecution, discrimination, and control, especially where identities are linked to biometrics and made mandatory.

For a more detailed explanation of both sides of the debate, please see below the PROS and CONS related to digital ID systems.

PROS

Easier access to services: digital ID systems can enable more efficient digital transformation across the local economy and increase Barbados’ participation in the global digital economy, especially given that many transactions – local and international – require personal identification. With Barbadians presented with fewer obstacles to prove their identity, commercial activities (including e-commerce) and government services (including e-government) become more accessible and effective.

Faster and cheaper transactions: the use of digital ID can allow for reductions in costs and response times, resulting in speedier execution, less red tape, and the availability of more responsive and relevant services. The quickness and trust with which a person’s identification can be verified allows for cheaper and more efficient interactions for all involved.

Fraud reduction: digital ID systems can offer several benefits in terms of online security, thus reducing the occurrence of online scams, fraud, and personal data breaches. A number of countries that have implemented digital ID have experienced significant decreases in fraud, saving them tens and even hundreds of millions of dollars.

The graphic below outlines several ways in which digital ID can be used based on the roles played by organizations and individuals (Source: McKinsey).

The four (4) main areas of direct economic value for individuals have been identified as increased access to financial services, improved employment opportunities, greater agricultural productivity, and time savings. The five (5) highest sources of value for institutions – both the private and public sectors – are cost savings, fraud prevention, increased revenues from goods and services, improved employee productivity, and higher tax revenues.

CONS

Privacy and security: digital ID systems process billions of data points of our private information, regularly without our consent or knowledge. This information can include biographic details (NGN, date of birth, gender), biometrics (facial recognition, iris scans, fingerprints), banking and transactional data, and location-based info when digital ID is used for example in public transportation (the government has expressed plans to use the Trident ID for cashless payments on buses). The centralisation of so much data, excessive sharing of personal data without user consent, inability to control your personal data, exposure to cyber attacks and data breaches, and in worst case scenarios – mass surveillance by corporations and governments – are all issues which show the potential negative impact of digital ID.

Discrimination, biases and exclusion: the Barbados Digital Identity Act has a number of clauses which generate concerns about discrimination and exclusion. The Act states in several places that the digital ID will be required for persons to be added to the register of voters, to vote in elections, to access public and private services, and to obtain a driver’s license. There are no provisions in the Act for mandatory accessibility features in the digital ID and related services. As such, persons with disabilities may be excluded (e.g., the Trident ID website currently DOES NOT have several accessibility features for the disabled). Digital ID technologies are also at the end of the day developed by humans, and through poorly designed algorithms and data analytics, can reinforce their biases. Discrimination against key communities such as immigrants, LGBTQ+, homeless, and the disabled, among others have been highlighted in many digital ID related studies globally.

Technical errors: unintended consequences can occur that lead to restricted access to critical services (e.g., failures in authentication at points of service with no redundancy; websites that aren’t user friendly or stable; duplicate or inaccurate records; inability to add essential information; or the lack of reliable technical support, etc.). The government must fully consider availability risks and identify user-centric and privacy-enabling solutions to mitigate them. In African and Asian countries, numerous instances of technical errors were uncovered which presented citizens with major challenges.

Deployment challenges: five key problems exist, which are the lack of funding to maintain secure cyber systems and to hire or retain critical human resources to administer them; unequal access to mobile Internet and smartphones – the technology with the most potential to drive the uptake of digital ID; dependency on a specific technology or vendor; low trust in government; and the difficulty of rolling out in rural areas.

SHOULD YOU GET THE TRIDENT ID CARD?

As I have stated before, my concern is not particularly with the Trident ID card. The card is only one small piece of the overall digital ID ecosystem. My biggest concerns are as follows:

Poor legislation underpinning the digital ID system: Digital ID must be supported by a legal and regulatory framework that supports trust in the system, prevents abuse such as warrantless and disproportionate surveillance, guarantees data privacy and security, prevents discrimination, and maintains provider (government and corporations) accountability. This includes laws for digital ID management along with laws and regulations for e-government, privacy and data protection, computer misuse, data sovereignty/localisation, electronic transactions, limited-purpose ID systems, accreditation of participants, and freedom of information, among others. Unfortunately, a number of these laws are not available in Barbados at this time, and where they are, the language is problematic, enforcement is deeply lacking, or the legislation is outdated.

Government’s atrocious record in terms of protecting IT systems and the personal data privacy of individuals: The Government of Barbados DOES NOT have the resources (people, processes, or technologies) to secure complex IT systems and provide consistent privacy-enabling solutions. If they did, there would not be so many successful cyber-attacks and data breaches of government online systems in recent years (e.g., Queen Elizabeth Hospital, Ministry of Information and Smart Technology, Immigration Department, Barbados Police Service, and many others). Until government invests significantly in building their capacity in these areas, their IT systems and the personal data of Barbadians will be AT RISK.

The communication (or lack of) by government addressing the public angst around their digital ID program: Government has not effectively articulated the benefits of digital ID, its value to the average person on the street (in real and meaningful terms), its potential disadvantages and risks, what they are doing to manage these risks, and what Barbadians can do to protect themselves. Instead they have chosen to evade questions, avoid public discussion with experts involved, and turn their resources towards attacking private citizens who are expressing concerns.

In my 2018 European Union (EU) cybersecurity assessment report to the government, I clearly stated:

Trust in the Internet and in the use of online services is critical to developing a thriving local Internet economy and to participating widely in the global digital economy. Low trust in the Internet, e-government services, and e-commerce services hampers the government, businesses and consumers from fully taking advantage of all the economic benefits the Internet has to offer. Given the high fixed broadband and mobile data penetration rates in Barbados, this is especially concerning.

European Union Consultancy to Develop a Government Cybersecurity Assessment and Strategic Roadmap – Cybersecurity Assessment Report (Authored by Niel Harper)

From 2018 to this present day, they have failed to address the low levels of trust or their lack of expertise in delivering secure and privacy respecting IT solutions, all of which are undoubtedly preventing them from delivering their digital transformation and modernisation agenda.

Ultimately, Barbadians need to decide for themselves if the value of obtaining the Trident ID outweighs the associated risks. I cannot make this decision for anyone. All I can do is educate and build awareness, and try to put some pressure on the government to be more accountable and take greater responsibility for protecting citizens from the negative effects of digital ID, mass personal data processing, cyber attacks and data breaches, human rights violations, online fraud, and other harms resulting from widespread government use of information and communication technologies (ICTs).

ADDITIONAL RESOURCES

FACT CHECK: The Electoral and Boundaries Commission’s Response

Why the Barbados Election List Data Leak is Problematic – And How It Could Have Been Prevented

Comments on the National Identity Management System Act

Too Many Unanswered Questions: The Barbados National Digital Identification

Creating a good ID system presents risks and challenges, but there are common success factors

What is a digital identity ecosystem?

Understanding the risks of Digital IDs

12 steps to building a top-notch vulnerability management program

Along with my peer CISOs, I recently added my $0.02 to a CSO Online article on how to get the best results out of an enterprise vulnerability management program.

I particularly wanted to zoom in on key performance indicators (KPIs), given this is an area where many security professionals don’t focus enough of their attention.

“He says organizations could use any of the commonly used key performance indicators—such as percentage of critical vulnerabilities remediated on time and percentage of critical vulnerabilities not remediated on time—to measure current state and track improvement over time.

Other KPIs to use could include percentage of assets inventoried, time to detect, mean time to repair, number of incidents due to vulnerabilities, vulnerability re-open rate and number of exceptions granted.”

What are some of your key focus areas?

Don’t get your wires crossed – The evolution of cyber risk and why more companies are considering captives

A captive is a licensed insurance company fully owned and controlled by the insured parties – a type of “self-insurance.”

Captives are essentially an alternative for organizations to retain and finance cyber risk via actuarial-determined premiums to be paid from the parent company to the captive. They’re becoming more popular due to an increasingly tough cyber insurance market.

Many thanks to Captive Insurance Times and to the amazing Rebecca Delaney for featuring me alongside other industry professionals on discussing this important topic.

The feature can be found on pages 18-22, and is now available to read in the latest online issue at this link: https://bit.ly/3KMnX8j

Ransomware has “changed the game” of cyber insurance

I recently made a presentation on ransomware and cyber insurance at the Barbados Risk and Insurance Management (BRIM) conference.

Many thanks to the Captive Insurance Times’ reporter Rebecca Delaney for so excellently capturing my session. In the intro section, she wrote:

“Cyber insurance is not an exhaustive replacement for robust security capabilities, warns Niel Harper […] He explained that ransomware is so disruptive because of the extensive network of paid services it has spawned, such as access brokers, malware packing, phishing kits, hosting and infrastructure, anonymity and encryption, and hardware for sale… In addition, distribution networks include social network spam, instant messaging spam, exploit kit development, spam email distribution, and traffic distribution systems.”

The full article can be found at: https://bit.ly/3MMs71t

The UK seeks to enforce tougher standards on MSPs

The UK government is proposing new regulations to strengthen cyber resilience in the private sector. Their intention is to expand cybersecurity rules for critical infrastructure (CI) operators to include managed service providers (MSPs), more stringent breach notification requirements, and legislation to establish the UK Cyber Security Council as the standards development organization for the cybersecurity profession. This is a welcome development, but more details about implementation and enforcement are needed.

MSPs are deeply integrated into the supply chains of several businesses, especially those organisations categorised as CI providers. They not only have privileged access to their customers’ infrastructure and applications, but also to the personal data of millions of citizens. A single breach of an MSP can potentially allow threat actors to compromise hundreds, even thousands of organisations. Additionally, the accompanying fallout from personal data leakage would have a serious impact in terms of impersonation, fraud, and other identity-based crimes. Poor risk management practices and weak security controls in MSPs can have dire consequences to national security and the economic prosperity of the UK.

Better cyber incident reporting, especially where mandated by law, has several positive effects. For one, it ensures that regulations keep pace with the evolving threat landscape to better protect consumers by allowing them to respond quicker to leaks of their information. It also provides certain guarantees that law enforcement agencies (LEAs) receive timely information to better model threats, mitigate the risks, prevent or lessen harm from breaches, and take action to reduce the likelihood of future attacks.

At a macro level, the new regulations are focused on strengthening the country’s cyber-resilience in response to growing supply chain and critical infrastructure attacks – this is essentially a public safety matter. It can provide security to UK citizens against the negative impacts of attacks on critical infrastructure providers such as financial services, telecoms, energy, food & agriculture, defence, manufacturing, and others. It also protects businesses in these key industries where the incapacitation or destruction of their assets, networks and systems would have a paralysing effect on the UK’s national security, economic security, national public health or safety, or any combination thereof.

Cybersecurity is a risk management discipline, and improvements in the overall assessment of risks and development of effective risk responses lead to a better security posture. For example, ransomware attacks are very much preventable, yet many businesses don’t invest the time or resources to understand their risks/exposures and implement relevant controls such as data recovery processes, isolated backups, encryption at rest, and routine backup testing. I believe these new regulations can most definitely enhance risk management capabilities in MSPs and other CI operators to counteract a broad range of cyber attacks, including ransomware.

It is imperative that companies develop stronger capabilities around risk management. For one, they need to view cyber risks as business risks and recognise that the impacts range from financial (loss of revenue or drop in share price) to operational (business disruption) to reputation (loss of customer and shareholder confidence) and ultimately regulatory (fines or other penalties). Consequently, they will need to embed a risk culture and build risk management capacity across their enterprises, or face punitive regulatory measures.

A shocking percentage of businesses routinely ignore growing cyber threats, thinking that “it won’t happen to them.” And this isn’t just small to medium enterprises (SMEs), but also large businesses across critical sectors. Several of these organisations don’t have a dedicated cybersecurity leader or functional information security department, refuse to invest in much needed controls and capabilities, and regularly hide breaches from staff, customers, and investors. Without specifically calling out any companies, there are more than enough examples of massive breaches at major businesses to validate my points. The price of failing to act is way too high, and the government would be negligent to not introduce these new regulations.

Why the humanitarian sector needs to make cybersecurity a priority

“In the not-too-distant past, international organizations (IOs) and non-governmental organizations (NGOs) working on humanitarian initiatives largely depended on landlines and fax machines to communicate and convey data back to their regional hubs or headquarters.

Now, like most businesses, NGOs and IOs have invested significant funds in information and communication technologies to enhance their crisis management capabilities. For example, better and faster decision-making is achieved through capturing and analysing demographic data to identify vulnerable groups, online surveys have proven critical for water, sanitation, and hygiene teams in the delivery of population health services, and biometric-enabled digital vouchers have been instrumental in reducing errors and fraud in the payment of traders.

These changes make humanitarian aid faster and more efficient. Picking up these digital tools helps save lives. However, digital transformation has also made IOs and NGOs enticing targets for cyber attacks by criminals, terrorists, and authoritarian regimes. The reasons for this range from the purely financial – people in crisis make easy targets for scams and theft – to the political – digital is becoming another avenue to attack a regime’s perceived enemies.”

I recently joined with the World Economic Forum’s Centre for Cybersecurity to author this piece for the Davos Agenda.

This article examines the cybersecurity threats being faced by international organizations (IOs) and non-governmental organizations (NGOs), outlines some key steps they should take to counteract these threats, and touches on what the private sector can do to support IOs and NGOs in responding to these risks & challenges.

You can read the full article on the World Economic Forum website.

Cloud Security Trends: What Is Cybersecurity Mesh?

“Have you heard of cybersecurity mesh?

Some are calling it one of the more notable trends for cloud security and today’s other cyber concerns. So, what is it, and how does it work? The technology stack is breaking down as more people use architectures based on micro-services.

They’re also using blockchain and other trust models to embrace an information-centric security model that works with distributed services (key to cloud security).”

I recently shared my perspectives on cybersecurity mesh with IBM Security Intelligence.

Check it out and let me know what you think!

Pandemic Democracy: COVID-19 And Election Management

Elections are large, social gatherings that involve masses of individuals and galvanise entire societies. No other national operation presents a similar degree of operational magnitude, legal and procedural complexity, and broad-based participation.

The COVID-19 pandemic has quickly disrupted elections, creating new pressures and challenges on how they are managed. The key public health threat associated with elections stems from the need for voters to cast their ballots in person, at polling stations, most often on a single day. Caribbean nations are particularly impacted as they don’t generally support absentee voting, provisional balloting, early voting, or e-voting (in-person or online).

On January 9th, I participated in a Town Hall discussion hosted by the University of the West Indies – Cave Hill Campus.

The panel was predominantly made up of very experienced and highly capable election management professionals, with myself being the sole expert focusing on leveraging technology to guarantee the representativity and legitimacy of the democratic process. My contributions were specifically around the following areas:

  • Guaranteeing access to the voter registration list in a secure and privacy enabling manner
  • Ensuring speed and transparency in counting votes by moving to secure, electronic systems
  • Emergency planning in response to situations like national disasters and pandemics
  • Accommodation for hospitalised voters
  • Staffing electoral commissions with key IT and information security resources
  • The need for government investment in the digitalisation of elections

It was a very stimulating discussion, and I want to express my gratitude to the University of the West Indies for inviting me. Additionally, I want to thank the panelists and the moderators (Professor Cynthia Barrow-Giles and Dr. Dalano DaSouza) for sharing their ideas and insights.

Why the Barbados Election List Data Leak is Problematic – And How it Could Have Been Prevented

On 27 December 2021, the Prime Minister of Barbados Mia Amor Mottley scheduled a snap election for 19 January 2022.

On 29 December 2021, a full data dump of all eligible voters in the country was published by the Government of Barbados on the open Internet. This occurred largely because the Representation of the People Act 13(1) states “The [Electoral] Commission shall cause to be prepared and shall publish not later than the 31st day of January in every year a register of electors for each constituency and a register of foreign service electors entitled to vote at any election.” 

In the past, this list was made available in somewhat controlled environments to be queried by election officials, candidates, voters, etc. to ensure that elections accurately reflected the will of the people (in almost all cases it was printed and held at libraries, constituency offices, polling stations, etc. to be reviewed by interested parties). To limit congregation of individuals in the previously mentioned locations during COVID-19 times, it was decided to publish the full voters list on the Internet to ensure access for all.

The 5250-page list contains approximately 250,000 individual records with the below personally identifiable information (PII). *

  • Last Name
  • First Name
  • National Registration Number (similar to a Social Security Number in the United States)
  • Gender
  • Date of Birth
  • Residential Status
  • Constituency (Voting District)
  • Home Address

* The total population of Barbados currently hovers around 290,000 persons.

Instead of this data being restricted to a few thousand persons in Barbados, it was now accessible by all 4.6 billion Internet users, exposing 250,000 Barbadians to increased risks of data misuse and abuse, fraud, identity theft, and other financial and reputation risks. The information was quickly downloaded and posted on Reddit and a number of hacker/fraudster sites on the Dark Web, making it perpetually available to malicious actors. There is also a high physical risk to individuals with regards to stalking, home invasions, robberies, rape, etc.

PII, also referred to as personal data, covers a wide variety of information that can identify a living individual. If a piece of information is unique to that person, it can lead back to them in several ways, and it is private and needs to be protected with the greatest care.

Why Does Personal Data Need to be Kept Safe?

The reason this type of information requires protection is that it can be used to commit fraud or to steal an individual’s identity.

Depending on what a thief is trying to accomplish, he will need different types of information. To open specific accounts all that is needed is an email address, while in other cases an individual’s name, address, date of birth, a national registration number, and other information may be required.

It’s also critical to note that accounts of all types can be opened over the phone or via the internet without having to physically visit a location for your identity to be verified. This provides opportunities for criminals with appropriate stolen information to open bank accounts, enter into contractual agreements, or make claims using someone else’s information or identity.

If a criminal is fraudulently using your information, you might not even know it. They may not use the credit card you already own to make purchases (in which case you might catch them by looking at your purchase history). Most often, criminals open up new, separate accounts using the victim’s information, leaving the victim unaware of the damage that is being done until years after the fact. In that time criminals can rack up a lot of debt using your identity.

How Can Identity Thieves Use Your Personal Data?

There are several ways which identity thieves can use your personal data, including but not limited to the following:

  • Open a new credit card account.
  • Create fake social media accounts with your identity (e.g., Facebook, Twitter, Instagram, etc.).
  • Take out a commercial bank loan.
  • Obtain and use your debit card to withdraw funds.
  • Change your billing address so your bills will no longer be delivered.
  • Obtain expensive medical care or procedures.
  • Open new utilities accounts in your name (e.g. electricity, water, natural gas, etc.).
  • Obtain a mobile phone service.
  • Open a bank account, obtain a cheque book, and write bad cheques.
  • Obtain a new driver’s license or national ID.
  • Use your information when arrested or in a court action.
  • Engage in bullying, stalking, harassment or otherwise cause fear.
  • Inflict severe reputation damage.
  • Combine it with additional data gathered from the Internet (e.g., Google search, Facebook, Instagram, LinkedIn, etc.) to create even more detailed profiles of individuals.

How Long Does It Take Fraudsters to Use Stolen Personal Data?

In 2017, the Federal Trade Commission (FTC) in the United States demonstrated how criminals can use your personal information within minutes. The FTC developed fake personal data and posted it on a website that hackers use to make stolen information available. It took a mere nine (9) minutes for the fraudsters to access the information, and over 1,200 attempts were made to access email, credit card and payment accounts. The research confirms how valuable personal information is to identity thieves, and if they can gain access to it, they will most definitely use it.

What Should the Government Have Done Instead?

While it’s not an exhaustive list, below are some of the key steps the government should have taken.

From a technology perspective, a searchable database should have been published on the Government Information Service (GIS) portal, where individuals could use personal data which they already knew to confirm that they were on the voters list. The full database could have been provided to election officials and campaign managers using a digital rights management (DRM) solution to control access and distribution of the document. 

The Data Protection Act was approved by Parliament in July 2019 and came into force in March 2021. This statute introduces a strong privacy and data protection regime in Barbados, and its wide-reaching impact on overall data governance across sectors and industries should have triggered key updates to existing legislation, processes and operational guidelines (including the Representation of the People Act and any other legislation involving personal data processing). And this doesn’t even address the urgent need for broader legislative reforms in the country. There are way too many outdated pieces of legislation which are incompatible with progressive changes in technology, changing community awareness, changing community values, and changing expectations of the legal system.

Appropriate funding should be allocated to the Office of the Data Protection Commissioner to better equip them in investigating and monitoring data breaches and providing other types of regulation involving the public sector. Additionally, these financial resources can be used to deliver privacy awareness training to educate government personnel on how to protect individual privacy in their daily work. Simultaneously, a public campaign should be started to achieve broad public awareness on all issues related to the Data Protection Act and the new legal framework created. The Office of the Data Protection Commissioner is severely under-resourced at present, making it virtually impossible to implement and enforce the Data Protection Act, which focuses largely on preventing exactly these types of data leakages. For example, adhering to the principle of data minimisation would have significantly reduced the risk and impact of publishing the entire voters list. By this I mean the narrowing of data collection and processing to strictly what is needed. In this case, there is absolutely no reason to publicly release the National Registration Number (NRN) and Date of Birth of all eligible voters.
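The searchable lookup and the data minimisation step described in this section, as an added Python example (not code from the government, the EBC, or this blog). The records, key, field names, and rate-limit values are constructed assumptions; a voter confirms registration with details they already know, and the service never returns or stores the raw NRN or date of birth.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample records: not real people, not real identifiers.
REGISTER = [
    {"last": "Alleyne", "first": "Dana", "nrn": "TEST-0001", "dob": "1980-02-14",
     "constituency": "Constituency A", "address": "1 Example Road"},
    {"last": "Brathwaite", "first": "Kofi", "nrn": "TEST-0002", "dob": "1975-11-30",
     "constituency": "Constituency B", "address": "2 Example Road"},
]

# Hypothetical key for the demo; a real deployment would load it from a
# secrets manager and never ship it alongside the index.
SERVER_KEY = b"demo-key-not-for-production"


def _norm(value):
    """Uppercase and keep only letters/digits so '1980-02-14' == '19800214'."""
    return "".join(ch for ch in value.upper() if ch.isalnum())


def lookup_token(key, nrn, dob, last):
    """Keyed hash of the details a voter already knows about themselves.

    NRN and date of birth are low-entropy, so a plain hash could be brute
    forced; HMAC with a server-held key prevents offline guessing if the
    index alone leaks.
    """
    msg = "|".join(_norm(v) for v in (nrn, dob, last)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_index(register, key):
    """Index maps token -> constituency only; no raw PII is stored."""
    return {lookup_token(key, r["nrn"], r["dob"], r["last"]): r["constituency"]
            for r in register}


def minimised_extract(register, drop=("nrn", "dob")):
    """Data minimisation: strip the fields the article says need not be published."""
    return [{k: v for k, v in r.items() if k not in drop} for r in register]


class RateLimiter:
    """Sliding-window limit per client to slow enumeration of the register."""

    def __init__(self, max_attempts, window_seconds):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, client_id, now=None):
        now = time.monotonic() if now is None else now
        hits = self._hits[client_id]
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_attempts:
            return False
        hits.append(now)
        return True


class VoterLookup:
    """Answers 'am I on the list?' without exposing the list itself."""

    def __init__(self, register, key, limiter):
        self._key = key
        self._index = build_index(register, key)
        self._limiter = limiter

    def check(self, client_id, nrn, dob, last, now=None):
        if not self._limiter.allow(client_id, now):
            return {"status": "rate_limited"}
        constituency = self._index.get(lookup_token(self._key, nrn, dob, last))
        if constituency is None:
            # Same answer for a wrong NRN, wrong DOB or wrong name, so the
            # response does not reveal which field was the mismatch.
            return {"status": "not_found"}
        return {"status": "registered", "constituency": constituency}


if __name__ == "__main__":
    svc = VoterLookup(REGISTER, SERVER_KEY, RateLimiter(3, 60))
    print(svc.check("client-1", "TEST-0001", "1980-02-14", "Alleyne"))
    print(svc.check("client-1", "TEST-0001", "1999-01-01", "Alleyne"))
    print(minimised_extract(REGISTER)[0])
```

The full register stays with election officials; only the keyed index sits behind the public portal, and the printed or shared extract omits the NRN and date of birth.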

Why the Electoral and Boundaries Commission (EBC) is Dead Wrong

The Electoral and Boundaries Commission (EBC) has strongly (and wrongly might I add) defended its decision to publish the voters list online. Their position is that “We are obligated to publish the list now electronically so that more people can have access to it.” Chairman of the EBC Queen’s Counsel Leslie Haynes also maintains that “ID numbers are not private” and made reference to them “being published before the introduction of the digital age in public libraries, rum shops, the electoral office and other spaces.” Because a law states that you must publish information electronically doesn’t mean you should make it accessible to 4.6 billion Internet users (including hackers, fraudsters and other cyber criminals). There are numerous laws in Barbados that are outdated, poorly drafted, contradictory to other laws, and incompatible with existing technology – Should we follow them all to the letter or do we comprehensively update them to be more fit for purpose? Moreover, there are numerous technology solutions available for publishing said data online in a controlled manner to reduce the overall risk and exposure. And if they are not at fault, why did government officials remove the voters list from the public websites?

Finally, national registration number (NRN), date of birth (DOB) and home address are all private information, and there are established technical standards, privacy principles, and national laws or treaties around the globe that assert as much. From a data minimisation perspective, the requirements of the law could have been satisfied without including NRN and DOB.

Where online can you find the social security numbers (SSNs) for all eligible voting Americans? What about the passport numbers or driver’s license numbers for all voting Canadians? What about the national ID numbers for all voters in France, Denmark, Switzerland, Germany, etc.? The answer is NOWHERE!

[UPDATE] Sunday, 2 January 2022 – I have amended the original blog post in response to the EBC’s staunch defence of their decision to publish the voters list on the open Internet.

Five Cybersecurity Takeaways from the ARIN 48 Keynote and Panel

“During the Q&A, Harper also pointed out that the European Union Agency for Cybersecurity (ENISA) has adopted a cybersecurity certification framework where certain Internet of Things (IoT) devices must be validated from a privacy and security perspective, and said the US is working on a similar initiative.”

Insecure IoT devices continue to be major contributors to Internet (in)security, particularly with regards to increasing attack vectors for enterprises, distributed denial of service (DDoS), critical infrastructure (CI) resilience, and personal data protection, among other risk areas.

ENISA is doing some great work with their Guidelines for Securing the IoT Supply Chain, Cybersecurity Certification Framework, Risk Assessment Tool for IoT, and the Good Practice for Connected Cars.

Still, there’s a lot more to be done through increased stakeholder collaboration. I definitely have time for these types of initiatives!