Free and Safe in Cyberspace – EU Edition 2016 was held in Brussels on September 22nd-23rd 2016 to catalyse a constructive dialogue and a wide informed consensus on new international standards and certification governance bodies for ultra-high assurance end-2-end IT systems – for communications, constitutional lawful access and autonomous systems – to deliver access to unprecedented and constitutionally meaningful e-privacy and e-security to all, while increasing public safety and cyber-investigation capabilities. Conceived by the Open Media Cluster (now called Trustless Computing Association), led by Rufo Guerreschi, and co-organized by the EU EIT Digital Privacy, Security and Trust Action Line, led by Jovan Golic.
Leading EU cryptographer and IT security and privacy expert. Director of the KU Leuven COSIC group, organizer of the leading EU crypto conference Eurocrypt. Former President (2008-2014) of the International Association for Cryptologic Research. Consultant to NIST on governance reform. Project manager of the Network of Excellence ECRYPT II, ECRYPT-NET (2015-2019) and ECRYPT CSA (2015-2017).
JAN PHILIPP ALBRECHT
Recent evidence suggests that nearly all IT devices and services are remotely, undetectably and scalably hackable by several actors, through state-sanctioned or state-mandated back-doors.
As a consequence, EU and US IT companies are struggling to seek ways to offer the levels of trustworthiness that both customers and constitutions require, by differentiating themselves sustainably on the basis of provable and meaningfully higher levels of trustworthiness.
We are told daily by nearly all privacy experts and government officials that we must choose between meaningful personal privacy and enabling lawfully authorized cyber-investigations. But both are essential to democracy and freedom. What if it were not a choice of “either or”, a zero-sum game, but instead primarily a “both or neither” challenge, yet to be proven unfeasible?
Are key assets and capabilities of nations’ law enforcement, defense and intelligence themselves highly vulnerable to attackers – foreign, domestic and internal – due to the lack of sufficiently comprehensive, translucent and accountable socio-technical standards, such as in IT facility access, device fabrication or assembly? How vulnerable are AI-driven autonomous IT systems, movable and not, to attacks via their critical socio-technical low-level subsystems?
Can the paradigm “Trust but verify” still be sufficient when the bribery, threatening or identity theft of a single person (rarely 2), in a key role in the life-cycle of a single critical component or process, can enable concurrent compromise of every instance of a given critical IT system, including communication, state surveillance, or autonomous movable devices? Should the paradigm rather be “Trust or verify”, by deepening and extending oversight all the way to CPU design and fabrication? But how can that be made economical for widespread adoption and compatible with feature and performance needs?
For more details on the context, see and contribute to our Challenges Backgrounder.