1
Two Critical Challenges in Information Privacy: An Opportunity for Industry Leadership
John Sabo, Manager, Security, Privacy and Trust Initiatives
Computer Associates
Smart Card Alliance Winter Meeting 2003
ISTPA Framework Copyright © 1999-2003 International Security, Trust & Privacy Alliance. All Rights Reserved
2
Basis for My Perspectives
• E-Government services
• Cross-Government privacy
• Computer System Security and Privacy Advisory Board (CSSPAB) findings
• ISTPA Framework and related projects
• IT-ISAC and other organizations addressing Critical Infrastructure Protection
3
ISTPA
• International Security Trust and Privacy Alliance
• ISTPA is a not-for-profit alliance of organizations addressing "issues related to security, privacy and trust from a consumer, technology and business perspective"
• Not a privacy advocacy organization
• ISTPA's focus is on the protection of personal information (PI).
4
ISTPA Members and Affiliates
• ACEtek Research
• AMD
• BITS
• Carnegie Mellon University
• Computer Associates
• CYVA Research Corp
• EWA IIT
• GemPlus
• Government of Alberta, Office of CIO
• GSR Strategic Consulting
• Intel
• International Systems Security Engineering Association (ISSEA)
• Johns Hopkins University
• Kendall Scott
• KLS Consulting, LLC
• Motorola
• NCR
• OneName Corporation
• QuickJustice
• TCV UK Ltd
• TRUSTe
• Vanguard Integrity Professionals
• W. Scott Blackmer
• Wave Systems Corporation
5
ISTPA's Organization
• Board and Executive Director
• Self-managed
• Four working groups:
  - Framework
  - Privacy Tools and Technology
  - Legal and Regulatory Requirements
  - Outreach
• 2-3 meetings annually plus WG meetings/teleconferences
6
ISTPA Privacy Perspective
• Use of information technology benefits consumers, citizens, business, government.
• With these benefits come risks which must be understood and mitigated; security and privacy are paramount.
• Based on sound privacy policies, technology can be used effectively to satisfy consumer and citizen concerns and engender trust.
7
Is Information Privacy Understood?
• Consumer privacy: identity theft?
• Web policies?
• Government: big brother (in US)?
• Government: privacy guardian (Europe)?
• Wireless privacy: location issues?
• Digitally managed surveillance?
• …What is information privacy?
8
Privacy Knowledge and Drivers
• OECD Privacy Principles
• Fair Information Practices
• Global Privacy Laws – EU, Canada…
• Regulations
• Business privacy rules
• Global Legislation
  - U.S. Privacy Act
  - Gramm Leach Bliley and HIPAA
  - Canada, EU and member States……
9
Privacy's Core Principles (OECD, 1980)
• Collection Limitation
• Data Quality
• Purpose Specification
• Use Limitation
• Security
• Openness
• Individual Participation
• Accountability
10
Fair Information Practices
• Notice and Awareness
• Choice and Consent
• Access
• Information Quality & Integrity
• Update and Correction
• Enforcement and Recourse
11
Sufficiency for Integrated Privacy Solutions?
• Relationships among components of principles and practices are not intuitive
• No consistency in terminology
• Critical architectural components are missing or only implicit, such as the consumer, "agency," interface
• Little work underway addressing privacy management systemically
• Relationship between privacy and security not generally understood
12
Privacy-Security-Trust Relationship
• Security: locks, guards, passwords, cryptography, digital signatures, … establishment and maintenance of policies and measures to protect a system.
• Privacy: proper handling and use of personal information (PI), consistent with the preferences of the subject.
• Confidence/trust: freedom from worry; predictability.
13
Privacy Management
[Figure: privacy management cycle. Labels: Personal Information; Agreements and Rules; Proper Handling; Policy; Use of Personal Information; Personal Information Life Cycle; Multiple data processors, systems, policies, and jurisdictions]
14
How ISTPA Has Addressed the Issues
• Published an open, policy-neutral Framework (v1.1) for designing, constructing, and evaluating privacy architectures, technologies and tools to meet business and consumer needs
• Mapping legal, policy, and business requirements into the Framework via use cases and modeling
• Proposing objective privacy research on usability, manageability and costs of implementing privacy technologies
• Working with ISSEA to propose introduction of an expanded Framework as an ISO Publicly Available Standard
15
Value of a Privacy Framework
• Networked trust systems require interoperability: privacy requirements must be supported across jurisdictional, business, and consumer boundaries.
• A framework of privacy services can serve as a solution-neutral methodology and tool for policymakers, business managers, developers, auditors and regulators, and consumers
• A complete analytical model is needed to foster development of data protection standards, products and services
• In emerging systems such as Critical Infrastructure Protection, a framework can help establish trust
16
ISTPA Privacy Services and Capabilities
(Copyright 2000-2002, International Security Trust and Privacy Alliance)
• Interaction
• Agent ©
• Validation
• Negotiation
• Enforcement
• Control
• Audit (Log)
• Certification
• Usage
• Access ©
17
Binding Agreement-Based Controls to Data Lifecycle
[Figure: a PI Contract binding together Personal Information, Intended Use, Credentials (Policies, Conditions, Permissions) and Identity Credentials/Signature]
18
Privacy Services & Capabilities
[Figure: ISTPA Framework diagram. Within the Legal, Regulatory, and Policy Context and on a Security Foundation, the Data Subject side (Agent, Control, Interaction, Negotiation - Opt, Usage, PI, Preferences & PIC Repository) exchanges a PI Container (PIC) with the Data Requestor side (Agent, Control, Interaction, Negotiation - Opt, PIC Repository). Assurance Services: Enforcement, Audit, Certification, Validation. Access.]
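The binding shown on the two slides above, as an added illustration written for this page rather than ISTPA's own code: a PI Container carries the personal information together with its PI Contract (intended use, permitted fields, conditions) under one signature, a Validation step rejects any altered container, and a Usage/Enforcement step releases only what the contract allows and records each decision for Audit. The container layout, the HMAC key, the field names and the sample data are all assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical signing key held by the data subject's Agent (constructed).
SUBJECT_KEY = b"subject-agent-key-constructed"

def canonical(obj):
    """Stable JSON encoding so the signature is reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def make_pic(pi, intended_use, permissions, conditions, key=SUBJECT_KEY):
    """Build a PI Container: the PI plus its PI Contract (intended use,
    permitted fields, conditions), bound together by one signature."""
    contract = {"intended_use": intended_use,
                "permissions": sorted(permissions),
                "conditions": conditions}
    body = {"pi": pi, "contract": contract}
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}

def validate(pic, key=SUBJECT_KEY):
    """Validation: reject a container whose PI or contract was altered."""
    expected = hmac.new(key, canonical(pic["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pic["signature"])

def usage(pic, purpose, fields, now_iso=None, key=SUBJECT_KEY):
    """Usage and Enforcement: release only the permitted fields, only for
    the agreed purpose, only while the conditions hold. Every decision
    is returned as an audit entry. Returns (released_fields, audit)."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    audit = {"purpose": purpose, "requested": sorted(fields), "time": now.isoformat()}
    if not validate(pic, key):
        audit["result"] = "denied: signature invalid"
        return {}, audit
    contract = pic["body"]["contract"]
    if purpose != contract["intended_use"]:
        audit["result"] = "denied: purpose mismatch"
        return {}, audit
    expires = contract["conditions"].get("expires")
    if expires and now > datetime.fromisoformat(expires):
        audit["result"] = "denied: agreement expired"
        return {}, audit
    denied = sorted(set(fields) - set(contract["permissions"]))
    if denied:
        audit["result"] = "denied: fields not permitted " + ",".join(denied)
        return {}, audit
    audit["result"] = "released"
    return {f: pic["body"]["pi"][f] for f in fields}, audit

# Constructed sample: a subject shares name and address for one order only.
SAMPLE_PIC = make_pic(
    pi={"name": "A. Subject", "address": "1 Example St", "ssn": "000-00-0000"},
    intended_use="order-fulfilment",
    permissions={"name", "address"},
    conditions={"expires": "2003-03-01T00:00:00+00:00", "no_onward_transfer": True},
)
```

A requestor asking for the same fields for a different purpose, for a field outside the permissions, or after the expiry date gets nothing back, and the audit entry says why.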
19
Integrated Privacy Management Controls
[Figure: a Security Policy spanning Data Subject Security Controls, Web Access, Internal Corporate User and Application Processing, and Data Collector Security Controls]
20
Security: Enabling Privacy Management
• Security is an enabler for enterprise, government, cross-sector and sector-government privacy management
• Policy-based requirements based on risk management principles
• Security components include:
  - Identity management
  - Access management
  - Threat management
  - Security Command Centers
21
Security and Privacy Services Linkages Must be Defined
[Figure: Security Integration. The ISTPA Framework diagram (Legal, Regulatory, and Policy Context; Security Foundation; Data Subject and Data Requestor sides with Agent, Control, Interaction, Negotiation, Usage, PI, Preferences & PIC Repository, PIC Repository and PI Container (PIC); Assurance Services: Enforcement, Audit, Certification, Validation) with Security Services shown alongside the Assurance Services.]
22
In this Context: New Challenges for Information Privacy
23
Two Emerging Challenges
• The Migration of Traditional Government Services to E-Government
• Private Sector Critical Infrastructure Protection (CIP) and Cyber Security
24
E-Government
25
IT Environment Risk Exposure
[Figure: exposure to computing environment threats increases from Legacy Government (closed systems, well-defined trust, limited integration) to e-Government (open networks, COTS products, external trust centers). E-Government initiatives plotted along the axis: General Information, Recreation One Stop, Federal Rulemaking, Consolidated Health Informatics, Enterprise HR Integration, Integrated Acquisition, E-Clearance.]
26
E-Government Category Risk Exposure
[Figure: "Trust Partner" exposure to threats, increasing from Controlled Trust Environments through Trusted Intermediaries to "Open" Trust Environments. Categories plotted: Intra-Agency, Government-to-Government, Government-to-Business, Government-to-Citizens.]
27
Legacy Government Privacy Rules
• Government Privacy – Privacy Act of 1974
  - Identify and publish Systems of Records
  - Inform individuals: purpose collected, rights, benefits, obligations
  - Provide reasonable safeguards regarding disclosures and protections against security and integrity threats
  - Maintain accounting of all disclosures of information except Freedom of Information Act and agency "need to know" staff
  - Assure records are accurate, relevant, timely, complete
  - Permit individuals access to and amendment of records
• Sector-specific rules (e.g. HIPAA, FTC etc.)
28
Computer System Security and Privacy Advisory Board Privacy Report – September 2002
• CSSPAB created under the Computer Security Act of 1987 to identify issues relative to computer systems security and privacy
• Reports issued to the Director of NIST and OMB (csrc.nist.gov/csspab)
• Report addressed two questions:
  - Government Privacy Policies – are government privacy policies adequate in light of technological, societal and other policy changes and influences?
  - Government Privacy Management – can improvements be made to Federal agencies' business processes and use of technology in support of law, regulations and privacy policies?
29
CSSPAB Recommendations
• Five major recommendations, including:
  - Examining databases having linkages among Federal, state, and local government and private sector systems
  - Addressing Fair Information Practices … in light of e-Government initiatives to support electronic transactions
  - Tasking an appropriate government body to evaluate the Privacy Act in light of modern-day industry practices, citizen expectations, technologies, and issues and to recommend needed changes.
30
What Can Industry Do?
• Provide collaborative leadership in bringing industry knowledge, technologies, and standards development to bear on information privacy issues.
• Contribute to research, studies, demonstration projects and other initiatives which advance the state of the art of privacy management systems and solutions.
• Tackle the hard privacy issues with the same energy we devote to creating mechanisms to collect and exchange data in the Web Services area.
31
Critical Infrastructure Protection, Cyber Security and Privacy
32
Critical Infrastructures
• Electricity
• Emergency Services
• Financial Services
• Government Services – Federal, State, Local
• Health Services
• Information Technology
• Oil & Gas
• Telecommunications
• Transportation
• Water
• ….others
Systems, organizations, personnel & facilities. 80% of the infrastructures are privately owned in the United States. All are interdependent. IT systems & networks are key components.
33
Infrastructure Interdependencies
[Figure: interdependent nodes including Transportation, Big Business, Government, Banks/Finance, Wall Street, Small Business, Mom & Pop Candies, People, Homes, Phone, Fax, Satellite, Energy/Power]
We depend on critical infrastructures for daily life, economic health, global competitiveness
34
The National Security Pyramid – Applicable to CIP?
In our traditional national security model, expertise concerning national security threats and U.S. defensive capabilities has long been centered in the Federal Government and its supporting contractors.
[Figure: pyramid of Federal Gov't, Private Experts, State/Local Gov't and Owner/Operator/Business against the data levels Most Data, More Data, Some Data, Minimal Data]
35
The Critical Infrastructure Pyramid: Knowledge and authority to act are inverted.
[Figure: pyramid listed from Most Data to Minimal Data: Owner/Operator/Business, Private Experts, State/Local Gov't, Federal Gov't]
36
The Private Sector as a first line of defense
[Figure: "The Challenge". Threat sources: Nations, Intelligence Services, Economic Competitors, Sub/Transnational Groups, Hackers & Vandals, Criminals, Insiders. Motives: Warfare, Espionage, Political Objectives, Terrorism, Economic Gain, Revenge. Context: Complex Systems, Unintended Consequences.]
• Automated attack tools make it very difficult to evaluate who the attacker is or the motivation.
• There is no national indications and warning capability.
• The ability to maintain and/or restore system integrity is in the hands (and heads) of the private sector.
37
Critical Infrastructure Protection and Cyber Security
• History of studies and reports
  - President's Commission on Critical Infrastructure Protection, 1996
  - "Trust in Cyberspace," National Research Council, 1999
  - National Security Telecommunications and Information Systems Security Committee Report (CNSS), 2001
  - "Cybersecurity Today and Tomorrow: Pay Now or Pay Later" – National Research Council Report (2002)
• Impact of September 11 attacks
• Draft National Strategy to Secure Cyberspace
• Department of Homeland Security
38
Cyber Security – Contrary Views
• "Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats" - December 2002
• Author: James A. Lewis, Center for Strategic and International Studies (www.csis.org)
  - "…network vulnerabilities are an increasingly serious business problem but …their threat to national security is overstated."
  - "Critical infrastructures…are more distributed, diverse, redundant and self-healing than a cursory assessment may suggest, rendering them less vulnerable to attack."
  - "In all cases, cyber attacks are less effective and less disruptive than physical attacks."
  - Terrorists or foreign militaries are likely to be disappointed as cyber attacks are less damaging than physical attacks.
  - Digital Pearl Harbors are unlikely.
39
Significant Risk – No Significant Risk?
• But…vulnerability of critical infrastructure to cyber attack could change if three things occur:
  - societies move to a ubiquitous computing environment where more daily activities have become automated and rely on remote computer networks
  - more industrial and infrastructure applications, especially those used for SCADA (Supervisory Control and Data Acquisition), move from relying on dedicated, proprietary networks to using the Internet and Internet protocols for their operations
  - countries do not balance the move to become more networked and more dependent on Internet protocols with efforts to improve network security, make law enforcement more effective, and ensure that critical infrastructures are robust and resilient
• Have we begun these things? How will we know when these will truly become critical?
40
January 24-25 Case: SQL Slammer Worm
• Bank of America and Canadian Imperial Bank of Commerce ATMs
• Internet service: South Korea, Finland, Japan
• 50% average increase in download times at major Web sites – some sites unavailable all day
• State, Commerce, Agriculture, and some DOD agencies
• Philadelphia Inquirer and Atlanta Journal-Constitution publication delays
• Others….
Source: Ted Bridis, Associated Press, January 26, 2003 and Anick Jesdanun, AP Internet
41
Cyber Security Issues Needing Attention
• How do we develop a warning, detection, and analysis capability for cyber attacks?
• How do we share protection-related information?
• Can we detect if we are under attack? Is there a national security threat?
• Has our decision space -- response space -- been reduced?
• How can we respond? Who responds?
• What is the role – and relationships – of the private sector and the government?
• How do we manage information privacy?
42
U.S. Public-Private Partnerships
• Critical Infrastructure Protection Board
• Department of Homeland Security
  - National Infrastructure Protection Center (NIPC) and InfraGard Program, CIAO, and FedCIRC
• National Security Agency Education Programs
• Electronic Crimes Task Forces (ECTFs)
• Carnegie-Mellon University CERT
• PCIS (Partnership for Critical Infrastructure Security)
• ISACs (Information Sharing and Analysis Centers)
• SANS Institute…Computer Security Institute
• Corporations, small business, consumers-citizens
  - e.g., Virus Information Center www.ca.com/virusinfo
[Figure: partnership diagram linking Companies, Citizens, NGOs, Consortia and Government]
43
Information Sharing and Analysis Centers - ISACs
• Sector-specific information sharing and collaborative networks
• Exchange of threat, vulnerability information while protecting business privacy
• Sector-focused analytic capability
• Self-interest and national interest
• While interdependent, reflect sector differences in regulatory tolerance, relationship to government, etc.
• Linkages to government
44
With Sector-Government ISACs: Additional Risk Exposure
[Figure: exposure to threats increases from Sector Organizations and Systems ('closed' systems, defined trust models, 'localized' controls) to External Systems: ISACs and Government (open networks, increased access, external trust systems). Sectors plotted: Emergency Services, Financial Services, Water, Health Services, Information Technology, Transportation, Electricity, Oil and Gas, Government Services.]
45
Critical Infrastructure Protection (CIP)Privacy Issues
• Collection and processing of data from sources subject to agreements and privacy rules
• Data provided to ISACs (Information Sharing and Analysis Centers) by business and government under categories of disclosure restrictions
• Data provided to ISACs across sectors and to government
• Multiple trust dimensions, including citizens and business and users of data in ISACs, Government, Command and Control Centers
• Integration of security and privacy controls in information sharing systems across jurisdictional boundaries
46
IT-ISAC
• The IT-ISAC
  - Non-profit corporation
  - Pro bono part-time board
  - Outsourced operations
• Founded by major IT companies
• Share information among member companies
  - Threat
  - Vulnerability
  - Countermeasures/Response
• Strengthen industry-wide cooperation and protection
• Use IT industry expertise to help other sectors
• www.it-isac.org
47
IT-ISAC Information Classification Categories – Business Privacy Rules
• Non-Confidential Member Information (unmarked)
• Member Confidential Information (MC)
  - Not disclosed to public
  - Available to members only
• Member Confidential Trending and Analysis Only (TA)
  - Raw data not available to members
• IT-ISAC Confidential Information (OC)
  - Available to members only
• Non-Member Confidential Information (NMCI)
  - Available to members only
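The five marking categories on the slide above, applied as a small disclosure filter over a batch of member submissions. This is an added example written for this page, not IT-ISAC's own software; the report fields, the "audience"/"form" parameters and the sample submissions are constructed.

```python
from collections import Counter

# Marking codes from the IT-ISAC slide; "unmarked" is non-confidential member information.
MARKINGS = {"unmarked", "MC", "TA", "OC", "NMCI"}

def may_release(marking, audience, form="raw"):
    """Disclosure decision for one item.
    audience: 'public' or 'member'; form: 'raw' or 'analysis'
    (trending and analysis derived from the submitted data)."""
    if marking not in MARKINGS:
        raise ValueError(f"unknown marking {marking!r}")
    if marking == "unmarked":
        return True
    if audience != "member":
        return False               # no confidential category goes to the public
    if marking == "TA":
        return form == "analysis"  # members see trending/analysis only, never raw
    return True                    # MC, OC, NMCI: available to members only

def member_view(reports):
    """What a member may see from a batch of submissions: raw items the
    rules allow, plus category counts over TA items so that trending is
    shared while the raw TA submissions (and their submitters) are not."""
    raw = [r for r in reports if may_release(r["marking"], "member", "raw")]
    trending = Counter(r["category"] for r in reports if r["marking"] == "TA")
    return {"raw": raw, "trending": dict(trending)}

def public_view(reports):
    """Only unmarked items leave the membership."""
    return [r for r in reports if may_release(r["marking"], "public")]

# Constructed sample submissions (not real ISAC data).
SAMPLE_REPORTS = [
    {"id": 1, "submitter": "Member A", "marking": "unmarked", "category": "worm"},
    {"id": 2, "submitter": "Member B", "marking": "MC", "category": "worm"},
    {"id": 3, "submitter": "Member C", "marking": "TA", "category": "worm"},
    {"id": 4, "submitter": "Member D", "marking": "TA", "category": "phishing"},
    {"id": 5, "submitter": "Vendor X", "marking": "NMCI", "category": "vulnerability"},
]
```

Mapping another sector's or a government classification scheme onto these rules, as the next slide calls for, means adding its markings to the table and a second decision function that agrees with this one on every shared category.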
48
Classification Rules Must Work Across Sectors
• ISACs and government as part of CIP infrastructure require policy and technical interoperability
• Confidentiality and disclosure rules differ and require policy mapping
• New rules need to be developed
• Bridging trusted systems for "need to know" information is a challenge
  - Including clearances for government classified data
• Should build from private sector to government
49
Industry Action is Possible
• CIP information sharing policies, technical architectures, systems, functions, features must incorporate privacy and security requirements
• Technical tools and products are available, for example:
  - Scalable X.500 directories
  - PKI and PKI-enabled protocols
  - Security hardware and software
  - Business rules software
  - ISTPA Framework, model policies and rules
• Security and privacy standards, models, reference implementations must be developed.
50
Managing Information Privacy: A Challenge We Can Address
What can we do together?
51
A Call to Action
• Actively participate in organizations building new CIP Cyber Security systems: IT-ISAC and other ISACs
• Collaborate in industry-neutral organizations, venues, and projects to address e-government privacy issues
• Create public interest and support through outreach and broad access to these collaborative efforts
52
A Call to Action
• Exploit synergies among industry organizations having shared interest in solving information privacy challenges for e-Government and Cyber Security:
  - Smart Card Alliance, ISTPA, ISSEA, IT-ISAC, other ISACs, OASIS …collaborating together
• Commit our personal time and creative energies as leaders in the IT industry