Cyber Security Industry Alliance Newsletter •  Volume 3, Number 11  • October 2007

E.U. and Global Cyber Security Briefs

West Is Taking Fight Against Terrorism Online
Personal Data Protection Under Threat in EU Treaty Draft
Europe's Concern Over UK Data Protection 'Defects' Revealed
European Data Protection Supervisor Concerned for Data Protection Standards
Global Cybersecurity Roadmap Unfolds
Privacy Threats Are No Longer 'Terra Incognita'
The Lesson of Estonia


West Is Taking Fight Against Terrorism Online
International Herald Tribune (09/30/07) Carvajal, Doreen

Western nations are moving forward to establish online security perimeters with proposals to impede Web sites and to issue emails containing spyware that would keep an eye on jihadists, even though critics caution that such measures could give rise to censorship and privacy infringement. A series of anti-terrorism proposals will be unveiled by EU justice commissioner Franco Frattini in November, and included in the proposals will be a package for the development of technology to block Web sites that post bomb-making recipes and other terrorist how-tos, and for the criminalization of online terrorist enlistment. "The Internet, as we all know, is abused for terrorist propaganda and also for disseminating information on how to make bombs," notes Frattini spokesman Friso Roscam-Abbing. "What we want to achieve is to make that phenomenon punishable." Sweden, Germany, Australia, and other countries are individually seeking additional powers and technologies to ostensibly thwart terrorism online. Frattini and other public officials pledge that governments are balancing free speech and security to guarantee that Web sites are not used to share data in a way that constitutes a threat to public safety. Critics are worried about these plans since the EU nations are already moving to adopt a "data retention directive" mandating that ISPs will need to hold on to information about communications from six to 24 months to help in the identification of terrorism networks. "One way of viewing these trends is that the terrorists have won," says University of Cambridge computer security researcher Richard Clayton. "They're making us change our society to counteract, not what terrorists are doing, but what they're threatening to do."


Personal Data Protection Under Threat in EU Treaty Draft
EU Observer (09/27/07) Mahony, Honor

Questions about the future retention and access of citizens' personal data have been raised by negotiations over the new EU treaty, whose current draft dictates that such data could be distributed to third countries without the oversight of the European Parliament and the European Court of Justice. The current language says independent authorities will oversee compliance with data protection rules, and on Sept. 26 German Member of European Parliament Elmar Brok advised member states to re-examine the wording immediately or risk a potentially "huge debate" when the treaty is in the process of being ratified. "We mustn't give the impression that Europe is being used [with] questions of protection of data disappearing into bureaucratic processes rather than being something we uphold in a democratic European Union," he stated. The EU has faced controversy concerning the tension between data protection and counter-terrorism efforts, especially regarding the United States, which requires a wide assortment of personal data from travelers because of the 2001 terrorist attacks. The method and duration of retention, along with who has access to the information, have been a major point of conflict, with EU civil liberties groups complaining vocally about the data-sharing scheme. The current wording of the treaty's data protection article is the result of British worries that the EU court should not have jurisdiction in this area. Technical experts from EU member states are still trying to settle on language that is universally appropriate. "The fear of the majority of the member states is that the British could opt in at the start of negotiation on a piece of law, could seek during the course of the negotiation to change its direction or to reduce its force ... and then at the end of the negotiation opt out," said U.K. MEP Andrew Duff.


Europe's Concern Over UK Data Protection 'Defects' Revealed
Guardian Unlimited (UK) (10/01/07) Dyer, Clare

The European Commission has raised concerns about the way Britain's Data Protection Act and other legislation have implemented 11 articles of the 34-article European data protection directive. Although the investigation into these concerns has been underway for more than three years, the European Commission has not revealed the details of those concerns until now. As part of a freedom of information request, the EC revealed that it is concerned that Britain is not giving its information commissioner, Richard Thomas, enough power to make sure individuals' privacy is protected when their personal data is processed and used. The EC also said it is concerned about the conditions for processing sensitive personal data, the transmission of data outside the European Union, and the amount of recourse individuals have if their rights are breached. The EC has said that it could take Britain to the European court of justice in Luxembourg if negotiations over the alleged shortcomings fail. For its part, Britain maintains that it has implemented the European data protection directive correctly.


European Data Protection Supervisor Concerned for Data Protection Standards
PublicTechnology.net (09/21/07)

European Data Protection Supervisor Peter Hustinx said on Sept. 20 that he welcomed the Portuguese Presidency's continued efforts to reach an agreement on the Data Protection Framework Decision in police and judicial cooperation in criminal matters, though he was concerned about the agreement by the Council of the European Union to limit the scope of the DPFD so that it only applies to the cross-border exchange of personal information. Hustinx said reducing the level of protection for personal data provided in police and judicial cooperation in criminal matters was a mistake because doing so will make it more difficult for police services to meet their international obligations. Since the DPFD was first proposed in 2005, Hustinx has issued three opinions calling for higher standards of protection of personal data in the area of police and judicial cooperation in criminal matters. He has specifically called for the principles in the DPFD to closely resemble those in Directive 95/46/EC. In addition, Hustinx has emphasized the need to distinguish between different categories of data subjects, such as suspects, criminals, witnesses, and victims.


Global Cybersecurity Roadmap Unfolds
MediaCaster (10/09/07)

The International Telecommunication Union announced the development of a foundation for a global response to the constantly evolving nature of cyber threats and increasing sophistication of cyber crimes. "The legal, technical, and institutional challenges posed by cyber threats and cybercrime are global and far-reaching, and can only be addressed through a coherent strategy taking into account the role of different stakeholders and existing initiatives, within a framework of international cooperation," says Dr. Hamadoun Toure, Secretary-General of the International Telecommunication Union. The first meeting of the High-Level Experts Group for the Global Cybersecurity Agenda took place in Geneva on Oct. 5, where about 60 high-level experts from governments, industry, academia, research institutes, and regional and international organizations from around the world gathered to collaborate on taking real action toward eliminating the threats related to the information society. President of the Republic of Costa Rica, Nobel Peace Prize Laureate, and Patron of the Global Cybersecurity Agenda Dr. Oscar Arias Sanchez emphasized the magnitude and importance of the task. "New and emerging threats to cybersecurity cannot be solved by any one nation alone," Sanchez said. "There is an urgent need for an international framework, giving us international principles and allowing rapid coordination between countries at the regional and global levels. I invite you to join me in supporting ITU's urgent effort, because peace and safety in the virtual world will become an ever more essential part of peace and safety in our everyday lives."


Privacy Threats Are No Longer 'Terra Incognita'
The Star Online (10/01/07) Geist, Michael

Hundreds of privacy commissioners, government regulators, business leaders, and privacy advocates from around the world met for three days in Montreal in late September to gain a better understanding of how new technologies such as ubiquitous computing, radio frequency identification devices, and nanotechnology will impact privacy protection. The theme of the International Data Protection and Privacy Commissioners conference was "Terra Incognita," a reference to not knowing what lies ahead as technology rapidly changes. At the conference U.S. Secretary of Homeland Security Michael Chertoff argued that governments will need to collect more data if they are to protect citizens in the years to come. For example, Chertoff said fingerprints can be used to increase surveillance, and he noted that a single fingerprint taken from a vehicle used in a bombing in Iraq was matched to one taken years ago at a U.S. border crossing. Although the idea of a broad surveillance society made many privacy advocates cringe, Chertoff suggested that there will be little they can do about it. The conference focused on current privacy protection strategies such as privacy audits, privacy impact assessments, trust seals, and global cooperation. Although such measures have become more effective, there was a general feeling among the participants that more needs to be done, writes Michael Geist.


The Lesson of Estonia
Information Security (09/07) Vol. 10, No. 8, P. 12; Denning, Dorothy E.

It seems unlikely that the cyberattack against Estonia in the spring of 2007 was an act of government-sponsored cyberterrorism, but the assault still deserves consideration, as it drove online activism to an unprecedented and troubling level, writes Dorothy E. Denning of the Naval Postgraduate School. Internet-based protests have existed for over a decade, and automated software has been developed for bombarding targeted Web sites with page requests. More recently, the botnet, which hijacks computers into a network that can send spam or launch DDoS attacks, has emerged as a powerful cyberattack tool. Allegedly, Estonian attackers used botnets in their DDoS assaults. That the hijacked computers came from around the world makes it less probable that the Russian government was behind the cyberattack, as some have speculated. Denning says the salient aspect of the cyberattack on Estonia is that the siege was able to persist for weeks and inflict costly and disruptive damage without the resources of a government sponsor. This implies that a few unaffiliated individuals can wreak substantial damage on a national scale. Al-Qaida and other terrorists already employ cyberattacks to cause financial damage and interrupt Web sites. Although current cyberterror lingo has been inflated to hype proportions, the United States and other nations must acknowledge the actual risk and grow more serious about defending against new cyberattack tools, Denning says.
