Workshop - Cybersecurity and Data Protection - First Principles (March 2015)

[ Galexia Dots ]

Related Galexia services and solutions

Related Galexia projects

Related Galexia news

[Download presentation slides (PDF) »]

Slide 1: Presentation at Expert Meeting on Cyberlaws and Regulations for Enhancing e-Commerce (UNCTAD)

Chris Connolly
March 2015, Geneva

Slide 2: Overview

  • The tension between cybersecurity and data protection
  • The increased role of cloud computing services (and related challenges)
  • The role of Government
    • The ‘Do No Harm’ principle
    • Improving cybersecurity infrastructure
    • Mutual legal assistance
    • Ensuring global rights
  • The role of the private sector
    • Global companies - global responsibilities
    • The failure of Intermediaries

Slide 3: Major Tensions between cybersecurity and data protection

  • Persistent issues
    • Mass collection and retention of data (usually communications meta-data)
    • Identity and authentication of individuals v anonymity
    • Governance, oversight, transparency and legal redress
  • Newer issues
    • Cross-border surveillance
    • Forum shopping and outsourcing illegal surveillance practices
    • Attacks on privacy enhancing technology and infrastructure

Slide 4: The increased role of cloud computing services

Positive impact
Negative impact

The most innovative development in computing for years

Benefits not spread evenly, especially in developing countries

Significant cost savings, allowing re-allocation of resources

Potential for dominance by multinational vendors

Multiple fail-safes and backups that reduce the risk of data loss

Lack of standards / consistency in security certifications and audits (although now improving)

Privacy protection ‘layers’ rather than a single point of privacy protection

Massive data sets now a ‘honey pot’ for attacks

Data held offshore subject to law enforcement / security access

New opportunities for ‘big data’ analysis and collaboration

Potential for exploitation of data and concerns about the absence of data custodians

For more analysis refer to the UNCTAD Information Economy Report 2013, The Cloud Economy and Developing Countries, <>

Slide 5: The role of Government (1)

  • The ‘Do No Harm’ principle
    • First Principle for Governments should be to avoid harm to individual rights and security infrastructure when pursuing cybersecurity objectives.
    • Examples of harm include the deliberate undermining of encryption standards, requiring ‘back door’ access to IT infrastructure etc.
  • Improving cybersecurity infrastructure

Slide 6: The role of Government (2)

  • Mutual legal assistance
    • Complex labyrinth of multinational and bi-lateral agreements
    • Each agreement contains a different data protection test
    • The strongest test is that surveillance requests should be ‘necessary, proportionate and narrowly tailored’ (EU-US terrorist finance tracking program - TFTP 2010)
    • Many agreements only state ‘necessary and proportionate’
    • However, some agreements have no test
  • Ensuring global rights
    • Important for countries to extend human rights protections to all residents / consumers, not just “citizens’, to ensure global coverage and protection

Slide 7: The role of the private sector

  • Global companies - global responsibilities
    • Key participants in cybersecurity (through innovation, PPPs, reporting to CERTs, community education etc.)
    • Important to keep egos in check and collaborate for the common good
    • The Do No Harm principle should also apply to the private sector
  • The failure of Intermediaries
    • Banking / payments sector failing to restrict cybercrime
    • Trustmark and security certification schemes failing to protect consumers

Slide 8: Outstanding Issues?

  • There are still significant gaps in basic cybersecurity infrastructure
  • Complex and overlapping international agreements on cybersecurity legal assistance often lack strong data protection tests
  • Disappointing that intermediaries have not played their part in managing cybersecurity and data protection (a single intermediary might manage thousands of companies)
  • Important to recover trust in law enforcement, national security and the private sector through developing global protections and following the Do No Harm principle

[Download presentation slides (PDF) »]

[ Galexia Dots ]