Privacy, Cybercrime Headline the Infosecurity Europe Conference
Attendees debate NSA surveillance, privacy reforms, cybercrime defenses, and sharpen their CISO skills.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt841521942861b80d/64f0dcd896efc9f40e2f8c91/01--London-Eye.jpg?width=700&auto=webp&quality=80&disable=upscale)
Information security professionals and technology vendors from Europe and beyond descended on London this week for the annual Infosecurity Europe conference.
The topics of privacy and surveillance dominated conference presentations and panels. That befits Europe's reputation for not only taking people's privacy seriously, but often treating privacy as a right unto itself, which need not necessarily be weighed against business interests or market demands.
Finding answers to many of those concerns, of course, remains difficult because of the continuing rapid evolution in consumer technology, as well as the default tracking arrangements, into which many consumers opt in simply by using free mobile apps. "If you download anything for free, then you're the product; nothing is free," said Troels Oerting, head of the European Cybercrime Centre (EC3) and assistant director for the operations department at Europol, the EU's law enforcement agency. But in the future, he predicted that Europe would pass legal "standards for protection."
In fact, EU officials and lawmakers are revising Europe's watershed 1995 Data Protection Act, which for many global privacy experts remains the gold standard in how people's privacy rights can be protected. But David Smith, deputy commissioner at the UK Information Commissioner's Office, said in an interview at the conference that, even though EU officials hoped to have a new law in place last year, Edward Snowden's NSA leaks stalled negotiations.
Furthermore, as with Congress in the United States, crafting new laws is rarely a fast process. "The existing European directive behind our current law took five years to negotiate," he said. By contrast, "we're getting on to three years now [in terms of negotiations into the new law], and it's much more complicated now" than in 1995. That's thanks in no small part to the rise of the Internet and mobile devices since the first law went into effect.
The specter of US government surveillance, as highlighted by Snowden's NSA leaks, dominated many conference discussions, especially when it comes to how the NSA's digital dragnet affects Europeans' rights. "As a society, what's the danger to us?" Graham Cluley, an independent security analyst, asked during a conference panel on cybercrime. "I think the danger to us might be the erosion of our privacy, mainly state-sponsored surveillance, which our government is doing or allowing to be done to us."
But Mikko Hypponen, chief research officer at F-Secure in Finland, said there's an upside to the technological evolution that's allowed the NSA to conduct massive amounts of surveillance, in that such programs remain vulnerable to whistleblowers and leakers. "The Internet and technology like this have enabled wholesale blanket surveillance on us. Governments can watch us because the information is so accessible and easy to store," Hypponen said. "However, it's the very same technology that allows us as citizens to get information about wrongdoing and make it public, so while the governments are watching over us, they know that we are watching over them."
Infosecurity Europe conference attendees faced one unusual challenge this week: A 48-hour London Underground (Tube) strike commenced the night before the conference began. Cue long lines and delays for anyone not walking, biking, or jogging to work, though a few buses and Tube lines continued to run with reduced service throughout Tuesday and Wednesday.
(Source: Mathew Schwartz)
Regardless of the Tube strike, the conference still managed to attract more than 4,500 people to Earls Court on its first day and more in the following days. Vendors comprised 340 companies from 24 different countries. There were also pavilions devoted to technology and services from the United States and France. The Moscow City Government -- tagline: "The Safe & Open City" -- also brought representatives from a number of Russian technology players, including the systems integrator and consultancy ELVIS-PLUS.
(Source: Infosecurity Europe 2014)
Cybercrime-related discussions loomed large during the conference. During the opening keynote presentation, Troels Oerting, the EC3 head and Europol assistant director (shown here), detailed how organized crime gangs -- largely composed of Russian speakers -- are increasingly operating online and targeting European businesses and consumers.
In response, European police agencies continue to develop their digital forensic capabilities and rethink how they should investigate and coordinate operations. "Are we successful? Not completely," Oerting said. "Am I concerned? For certain."
It will be essential for police officials to work directly with the organizations being targeted by financial crime syndicates, he said. "Recently we have had a number of operations with MasterCard and Visa with very good success."
In a separate session, Michael J. Driscoll, an FBI assistant legal attaché, who's attached to the US embassy in London, echoed the European law enforcement official's assessment and emphasized that, unlike more traditional types of law enforcement work, private-sector cooperation remains mandatory if criminals are to be pursued, arrested, and prosecuted. "I have never seen a threat that requires the involvement of the regular public, like the cyber issue," he said. "I can't get out there and start the investigation until you open the door for us." (Source: Infosecurity Europe 2014)
Beyond big-picture privacy and surveillance questions, many conference presentations focused on professional matters such as sharpening one's CISO skills and securing your business.
Interestingly, many information security experts at the conference -- just steps from an expo floor jammed with the latest information security products and service providers -- also emphasized that CISOs and security professionals should focus first on the goals of their business, rather than the technology they use to support those goals. "I think security innovation is a waste of time," said Michael Colao, head of security for the investment firm AXA UK and a participant in a "security as enabler" panel session. "My business thinks in money. I've done something really innovative in security that will save 20 grand a year? That's a rounding error, in my business."
Instead, he said, CISOs need to play to the long-term goals of the business. "The important thing to do is to pair, to some degree, with the strategy in your firm, which is often hard, because they're hidden, and they don't show up very often." But such strategies "often have the CEO's ear," and tying security decisions into the CEO's vision for the business in 2020 or 2030 -- industries the business plans to move into, parts of the business that executives plan to sell off -- is the mark of a well-run security program. (Source: Infosecurity Europe 2014)
For many conference attendees, information security isn't just a day job. Representatives from the International Information Systems Security Certification Consortium -- better known as ISC(2) -- were out in force at the conference, marking the nonprofit's 25th anniversary this year. The group recently introduced a new version of its cyber forensics certification, which debuted last year for the United States and South Korea. The new version, CCFP-EU, is customized for the European Union legal environment.
At the conference, ISC(2) member Richard Lane, who heads the information security section in the information and communication technology (ICT) division of the World Intellectual Property Organization in Geneva, highlighted the group's Safe and Secure Online program, in which ISC(2) members volunteer to educate kids about computer security.
"The program gets our certified members to go out into schools and educate children, parents, and teachers," Lane said. "We cover all sorts of things: cyber-bullying, sexting, social media risks. For the younger ones, we cover things like staying safe online -- educate them around the risks of what they're doing." He said the emphasis isn't about what to do or not do, but rather to work with kids to see what they're doing, and then try to help them minimize related risks, for example, by disabling geotagging if they're uploading pictures to Instagram from a GPS-enabled device.
The Safe and Secure Online program began in the United Kingdom in 2006 and has since expanded to Canada, Hong Kong, India, Ireland, Switzerland, and the United States. To date, the program's volunteers have trained more than 150,000 people. (Source: Mathew Schwartz)
Eric Cole, chief scientist at Secure Anchor Consulting and a SANS Institute instructor, took a pause from conducting network security courses in Washington to fly to London and be inducted in the Infosecurity Europe 2014 Hall of Fame, which honors his contribution to the security industry.
Past inductees include such information security notables as Bruce Schneier, Eugene Kaspersky, Graham Cluley, Dan Kaminsky, Mikko Hypponen, Phil Zimmermann, and Whitfield Diffie.
Cole, author of such books as the Network Security Bible (Wiley, 2009), started his career designing secure communications systems for the CIA. He briefly served as chief scientist for Lockheed Martin and later worked at the antivirus firm McAfee -- under the helm of "eccentric millionaire" John McAfee -- before it was sold to Intel. Cole is now in charge of the cyber defense curriculum for the SANS Institute. (Source: Mathew Schwartz)
No security conference would be complete without booths, banners, tchotchkes, and T-shirted evangelists sporting headset microphones. Back on the Infosecurity Europe expo floor, if there was a conference award for "does exactly what it says on the tin" -- a popular British colloquialism meaning that you get what you see -- one strong contender would be iStorage, for its diskAshur. The USB3 hard drive uses up to 256-bit AES to encrypt all data stored on the device. The device, which is FIPS 140-2 Level 3 certified, isn't managed via software installed on a PC. Instead, before any data can be accessed, the device must be unlocked using a PIN code of between 7 and 16 digits, after which a user has 30 seconds to plug the USB cable into a PC.
If the device is tampered with, or if a preset number of incorrect PIN codes are entered, the drive will erase itself. Likewise, users can set a "self-destruct" PIN code that immediately erases all information stored on the drive.
Customers include the UK government and Britain's Ministry of Defense. (Source: Mathew Schwartz)
Not all the security technology being flogged -- that's British slang for "sold" -- at the conference demanded high levels of investment. In an update on the old monitor privacy screens that used to allow people to block their co-workers from seeing what was on their state-of-the-art 14-inch CRT monitor, for example, 3M displayed its Easy-On Privacy Filters. Available for a variety of laptop, smartphone, and tablet screens, the filters can be used, removed, and reused to protect confidential data from unauthorized side view. Different versions of the filter are required depending on whether a device is used in landscape or portrait orientation.
(Source: Mathew Schwartz)