After editions in Brussels, New York and Brazil, the 5th Edition of Free and Safe in Cyberspace was held on May 4th 2018 in Berlin (at Betahaus). We met in the heart of EU digital freedoms activist scene, to ponder how we can radically improve freedom and safety in cyberspace, by challenging the status quo, and debunking deeply ingrained misconceptions.
As we have since our 1st edition – with amazing speakers – we focused sharply on detailing solutions to the most important challenges of this Digital Age: (A) Can we create a new IT and AI security certification body, and widely available compliant systems, that radically exceed the security and accountability of current military and civilian state-of-the-art systems? and (B) Can we do so while at once increasing public safety and preserving legitimate and constitutional lawful access capabilities?
Speakers included IT, blockchain and GDPR experts, and digital civil rights activists, as well as current and former top cybersecurity officials of Deutsche Telekom Labs, the Austrian CIO, the German Armed Forces, the German Ministry of the Interior, and the European Defence Agency.
Can we solve Challenge (A)? If so, how? What are the key paradigms? How do we maximize the accountability, proficiency and morality of the governance of the certification and oversight? Should such certification governance be international and primarily non-governmental? What scale of investments is needed? What is the role of uncompromising “zero trust” security-by-design paradigms? The role of transparent and extreme review and oversight of all critical lifecycle components and human processes? What is the role of citizen-witness and citizen-jury processes? Is it realistic to secure enough CPUs and chip fabrication oversight? The role of free/open-source software and testing by expert “ethical” hackers? The role of blockchains, quantum computing, artificial intelligence?
If we can solve (A), do we necessarily also need to solve (B) in order to avoid major public security issues and/or its outlawing? If YES, can we solve (B), and how? Can the same radically unprecedented technical and organizational safeguards needed for (A) also – within current laws – mitigate the inevitable added risks of voluntarily providing lawful access compliance, such that the result still radically exceeds the security of the best IT solutions available that do not provide such access?
While German and EU banks, enterprises, security agencies and military seem to understand the dire need for (B) – though hardly suggesting a solution – most EU civil rights organizations, think tanks, and many EU politicians think that solving (B) is either not needed and/or not possible. Are they right?
Can IT compliant with such certifications radically mitigate the risks and costs of cybercrime and GDPR? What are the economic opportunities for public and private organizations that are pioneering such new ecosystems? Can we imagine a parallel ultra-secure hardware and software computing universe, as a user-friendly supplement to every-day computing devices? Can mandating adoption of such new certifications for state bulk and targeted cyber-investigation programs radically increase their effectiveness, integrity and resilience from abuse? Can mandatory adoption for elected officials, presidential candidates (!) – and critical military and civilian IT – increase both citizens’ and state sovereignty and public safety?
Recent Intel, AMD and Ledger hacks reveal how critical vulnerabilities – mostly inserted or “let be” by states – run deep, down to CPU and chip fabrication, and their certifications. Meanwhile, Shadow Brokers and CIA Vault 7 revelations further show how these state-grade hacks are ever more widely available to criminals.
The need for a whole new level of security is increasing in enterprises, banks, governments and citizens for their communications and transactions, and more so with GDPR mandatory disclosure requirements. After the Cambridge Analytica scandal, a great need is emerging for ways to meaningfully enforce algorithmic transparency and security for Artificial Intelligence and social media. Adoption of blockchains is hampered by severe open security challenges due to the severe lack of adequate standards and certification for core software, smart contracts, ecosystem governance and client endpoints.
Although cybersecurity spending has grown 30 times in the last 10 years to $120 billion in 2017 – and is forecast at $1 trillion in 2021 – the cost of cybercrime will skyrocket to a forecast $6 trillion per year in 2021. Nevertheless, market demand remains almost entirely latent because current cybersecurity certifications are proving ever more inadequate in depth, comprehensiveness, and independence to deliver the security needed for critical scenarios and to enable users to even compare high-security solutions, except based on reputation.
However, the slow progress of new certification plans in the EU and the unresolved NSA efforts to undermine NIST standards add up to other evidence that this state of affairs is not “by accident” but “by design”. It is primarily due to the need of nations to prevent “at all costs” criminals from using IT devices that are resistant to a duly authorized lawful access order. Soon after algorithmically unbreakable encryption was made widely available in the 90s, nations felt the need to resort to breaking everything below it in the lower technical and lifecycle stacks.
The head of the ENISA agency, former president of the German BSI, recently highlighted the centrality of deeper certifications: “From a certification perspective, a regulation perspective, it would be a good idea to look into these kinds of hardware products, protocols, and think about how to do a certification scheme for these… If you start in hardware from the beginning, you build on top of it. Everything is secure from the beginning”.
The EU and EU member states invest in R&D and centers to promote strong encryption with one hand, while they increasingly invest and share to break those same technologies with the other. In fact, although overall state security agencies have not “gone dark” nor are “going dark”, the availability of the proposed new certifications and IT systems would by definition create a “could be going dark” problem.
Prospects for a wide availability of meaningfully-secure IT may, therefore, be inextricably linked to ensuring that a legitimate privacy-respecting lawful access to such systems is somehow granted.
Thomas J. Ackermann
Lead expert blockchain, quantum computing, cyberWarfare, exoWarfare. Entrepreneur in Residence at the Strategy & Rapid Innovation – KdoCIR – German Federal Armed Forces. Commanded to Cyber Innovation Hub (2017-2018) and Ministry of Defense (2018).
Executive Director at Trustless Computing Association. Project Lead at the User Verified Social Telematics project and the Trustless Computing Initiative. Long-time activist for the promotion of democracy within and through the use of IT.
Cybersecurity, IoT, blockchain expert. Lead Architect of Asvin, an open source solution for a secure update of IoT edge devices. Since 2017, the technical consultant for Blackpin Secure Communication. Member of the Expert Group on Security in the Internet of Things at ENISA. Member of the IOTA Evangelist Network (IEN) since 2018.
(Unable to participate due to last-minute personal issues)
Director at the BAAINBw of the German Armed Forces (the Federal Office for Equipment, Information Technology and In-Service Support). Formerly Head of Information Superiority of the European Defence Agency (2014-2016), and Assistant Director Research & Technology (2010-2013).
Anthony J. Ferrante
(Unable to participate due to urgent last-minute business conflicts)
Managing Director & Head of Cybersecurity at FTI Consulting. From 2015-2017 he was Director of Cyber-incident Response & Director of Cybersecurity Policy at the US National Security Council of President Barack Obama. Formerly Chief of Staff of the Cyber Division of the FBI (2014-2015).
CEO and Co-Founder of MADANA, a GDPR-compliant platform for data analysis that uses Blockchain technology to allow participants to get in on the data market with their own data while preserving their privacy by design. Before that, Christian participated in various Blockchain projects as business development lead at CryptoTec AG.
Carlo Von Lynx
Founder of Secushare.org, a free software distributed social network that runs on users’ devices with end-to-end encryption and anonymization. Formerly head of symlynX multicast, and tech lead at STERN magazine. Inventor of URL shortening and prototype content delivery networks. Contributor to IRC, XMPP. Main author of PSYC.
Founder & Managing Partner at Anchor Point. Formerly Senior Research Fellow at Brandenburg Institute for Society & Security. Technology writer, analyst & consultant. Formerly, tech reporter for the Wall Street Journal.
Technology Consultant, and Digital Civil Rights Researcher. Focusing on emerging technologies, bridging tech minority gaps, and data privacy and protection for underrepresented groups. Cyber Security Teacher at the ReDI School of Digital Integration and Event Co-Organizer with Google’s Women Techmakers Program.
Cybersecurity research fellow at Brandenburg Institute for Society & Security. Primarily focused on the EU-funded Horizon 2020 research project HERMENEUT. Previously digitalization and a domestic security research fellow to MP in the State Parliament of North Rhine-Westphalia in Düsseldorf.
Chief Technology Officer and Head of Research at Adaptant Labs, managing research for cutting-edge cloud security systems. Co-founder and ex-Director of the Australian chapter of the Internet Society. Formerly he deployed military-grade encrypted mobile VoIP systems, emergency broadcast radio networks in Syria and Africa, and secure Enterprise WiFi systems.
Computer Scientist. Lead scientist and founding partner of Berlin Innovation Ventures, a Berlin VC founded solely by R&D experts, investing in ventures in blockchain, zero knowledge and machine learning. (Slides)
CEO at techGDPR, an emerging consultancy for GDPR compliance, cybersecurity and risk management. VP marketing/sales Europe for DLT Labs, an established Toronto-based blockchain development house.
Cybersecurity author. Vice President of PR & Media Communications @ Global Institute for IT Management (GIIM). Executive Partner @ Brooks Consulting International. Onalytica’s 2018 Global Top 100 Digital Transformation Influencers. (Slides)
Co-founder & CEO at Statice which helps companies to leverage private customer data in a privacy-preserving manner by using synthetic data to foster a variety of collaborations with external data owners and data experts.
Legal and technical expert on privacy-by-design blockchain and GDPR. International speaker and author.
Free Software expert, activist, and lawyer. Freelance IP and free software license consultant. Formerly Network coordinator for a major NGO for the promotion of free software. Master in International and Comparative Law from Trento University.
May 3rd, 2018
18:00-21:00 Aperitif at TBD location for highlight speakers, media.
May 4th, 2018
08:30 – Coffee
09:00 – Introduction by Organizers: Rufo Guerreschi – (Slides)
09:15 – Keynote by Reinhard Posch “Prospects for pan-European initiatives to create ultra-high assurance IT and ecosystems for critical societal domains” – (Slides)
09:30 – Keynote by Michael Sieber “Can we afford “fake security”? A plea for a whole-of-society approach to Cyber Security” (abstract)
09:45 – Keynote by Thomas J. Ackerman TBD – (Slides)
- What are the key paradigms? What is the role of uncompromising “zero trust” security-by-design paradigms, via transparent and extreme review and oversight of all critical lifecycle components and processes? The role of free/open source software and ethical hackers? The role of certification and oversight governance? How about Blockchains, Quantum Computing, Artificial Intelligence? What about citizen-witness and citizen-jury processes? Can we realistically secure enough CPU design and chip fabrication oversight? What scale of investments is needed? Can we imagine a parallel hardware and software computing universe, as a user-friendly supplement to every-day computing devices?
Panelists: Calian, Sieber, Posch, Reisen, Ackerman, Hunter, Burns
- Can the same extreme technical and human process safeguards that are needed to deliver ultra-high assurance also enable voluntary compliance with lawful access requests – at least in some EU states – that overall reduce the risk of privacy rights abuse of end-users by anyone to levels that are radically or substantially lower than any of the other alternative secure IT systems which do not offer such voluntary processing?
Could or should such processes rely on a provider-managed voluntary data and/or key recovery scheme that is certified and overseen by a primarily non-governmental, radically citizen-accountable, independent and competent international body? Could the inevitable added risk be essentially shifted from technical systems to in-person organizational processes?
Panelists: Posch, Verbin, Sieber, Ackerman, Feltrin.
12:00 – Keynote by Roberto Gallo (video link)
- Intro to Trustless Computing Certification Body proposal by Rufo Guerreschi, Trustless Computing Association.
Since 2013, leading public and private partners, and a spin-off startup, have been building a new certification body, and an initial compliant open computing base, ecosystem, and service, CivicNet. (Slides PDF) (46-page Position Paper PDF)
13:00 – LUNCH BREAK
15:00 – (Berlin Innovation Ventures) “Blockchain and Zero Knowledge: Challenges and Adoption” – (Slides)
- Most enterprises are by now ready for basic GDPR compliance, in terms of diligent human processes and “best effort” technological setups. But the Regulation also mandates, at a hefty cost, the reporting of breaches, not only of customers’ data but also of the communications, negotiations, and transactions of executives, boards or partners. This adds substantially to the traditional costs associated with those breaches, in terms of reputation, lost competitive advantage, blackmail, and more. What are the new emerging technologies, certifications, approaches, and processes that can substantially or radically mitigate such costs and risks?
Panelists: Junger, Gummer, Weyer, Trujillo, Szanto, Erbguth
- Could a new transparent international certification, downward-compatible with a “Security made in Germany” label, and led by Germany, Austria and Italy, lead to extensive economic development? Can we envision the development in Munich, Berlin, Vienna of a lively open general-purpose computing platform and ecosystem around such new cybersecurity certifications? Can we merge the most secure open source providers of blockchains and uncompromising endpoint security (and other techs) to develop a sort of Arduino ecosystem and platform, but ultra-secure?
Moderator: Chase Gummer
Panelists: Blendl, Verbin, Ackerman, Steininger, TBD
17:40 – Q&A with the audience on Challenges A, B, and C
17:55 – Closing by organizers.
18:00-21:00 – Dinner/Aperitif for panelists, media, speakers.
*Definition of “Ultra-high Assurance”: In civilian and military IT security, “high assurance” is used to refer to systems of the highest trustworthiness in confidentiality, integrity and/or availability. Perfect trustworthiness will never exist, but we have learned that even current “high assurance” technologies, standards and certifications are radically inadequate for the needs of citizens, enterprises, democratic institutions, critical societal systems, and autonomous systems.