Category Archives: Privacy Policy

The future of Cybersecurity Technology and Policy (IoT)

 

The future of Cybersecurity Technology and Policy

 

Abstract

This paper addresses the emerging cybersecurity technologies primarily related to (IoT) internet of things.  How these new technologies can show hope for change and innovation in the field.  Also, looking at government policy that has been lagging in its ability to step in and catch up with the dynamic change in technology and cybersecurity policy.  Understanding the technology and satisfying the initial need is completely two different things.  Also, we look at the overall impact that the government policy that is being used in cases against a hotel company and mobile device vendor is taking a toll on the innovation of IoT in this field.

Countering cyber-attacks at all levels

One of the fastest growing areas in technology is the introduction of the concept (IoT) Internet of things.  IoT is a very broad area.  It ultimately encompasses everything connected.  In fact, (Forbes & Morgan, 2004) says, “that by 2020 there will be over 26 billion connected devices… That’s a lot of connections (some even estimate this number to be much higher, over 100 billion)” As many attempts to try and define IoT there hasn’t been much of a great definition until the past year.  (Gartner Research, n.d.) defined it by saying, “The Internet of Things (IoT) is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”  Forbes went to greater lengths to simplify IoT as, “Simply put, this is the concept of basically connecting any device with an on and off switch to the Internet (and/or to each other).”  This includes but not limited to smartphones, smart electrical grids, toasters, and Fitbit’s and other wearables to show the range that we’re discussing.  Much like the definition which can be slightly vague, cybersecurity policy and mitigation is also heavily undefined in this area.  The upside to IoT is that it reduces human involvement along with improving accuracy and efficiency, resulting in economic benefit, (CHALLA et al., 2017, p. xx). According to the (IEEE) the institute of electrical and electronic engineers there are emerging technology that show positive signs of hope in this fast-growing new area, which are application authentication and key management practices, computed trust nodes, and lightweight security protocols for cloud-based Internet-of-Things (IoT) applications for battery-limited mobile devices.

 

Benefits to Cybersecurity

Each of these emerging technologies offer a different approach in establishing a level of trust in cybersecurity.  One emphasizes a solution built around secure authenticated key establishment scheme, another improves on a trust system or creation of trusted nodes within a network, and the last dives deeper into creating a lightweight protocol concentrating on cloud based cybersecurity.

Signature Based Authenticated Key Establishment Scheme

The basic premise for this new technology is that IoT as a concept has a high potential for invalid security and privacy.  Largely due to the inability to establish security at the design level for each connected object.  This is where most of the security challenges come into play.  Key contributing features that makes this a very promising emerging methodology or practice are:

  • An authentication model for IoT to follow. This model defines a term of mutual authentication.  Where a user authenticates through a gateway node and the IoT device authenticates through the gateway node as well.  Through this mutual authentication the users are then authenticated on the IoT device by proxy.
  • A secure signature based authentication and key agreement scheme. A legal user can access the information from a sensing device in the IoT applications if both mutually authenticate each other, (CHALLA et al., 2017, p. xx). After their mutual authentication, a secret session key is established between them for future communication.

Ultimate benefits of the wide use of this technical methodology have

concluded very efficient in communication and computational costs.  Which helps to solve the problem of identity on IoT devices.  The proposed scheme also protects itself from replay attacks by using random number generators as well as current timestamps.  The assumptions are that all users in the IoT environment are synchronized with their clocks.  There are eight phases to implementation:

  • System setup
  • Sensing device registration
  • User registration
  • Login
  • Authentication and key agreement
  • Password and biometric update
  • Smart card revocation
  • Dynamic sensing device addition

This new best practice can be applied to many different industries in regard to IoT much like the cybersecurity frameworks established by NIST for its categorizations of authentication in web based applications.  This could potentially be incorporated to help satisfy some of the “reasonable security measures” that FTC a government agency which has been known to uphold.  More on this later in the paper.  Establishing standard frameworks for cybersecurity in IoT may allow some businesses that are on the fence to moving to this technology to start implementing and eventually start innovating in the area.

 

Optimal Trust System Placement in SCADA Networks

Privacy and trust are also a large concern to the US smart grid system.  Mainly because the smart grid network itself highly depends on information and communication technology (ICT).  Supervisory control and data acquisitions (SCADA) are integral part of the modern day smart grid system.  Its primary function is control messages and measurements.  At the current moment, the system is in its fourth generation of architecture, which introduced two key new advanced technologies, (Hasan & Mouftah, 2016, p. xx).  The first would be cloud computing and the second IoT making the smart grid more susceptible to complete outage.  Slight modifications of these systems may cause a complete outage across the entire grid.  Smart grid operators use trust systems to monitor network traffic to and from different nodes.  These nodes are called trust nodes.  The nodes themselves include both a firewall and intrusion detection system.  Within making the decision of which nodes are the best to deploy these trust systems in a network there are two factors which need to be considered capital expenditures and operational expenditures, (Hasan & Mouftah, 2016, p. xx).  To deploy the trust system properly considering operational expenditures and capital expenditures.  Nodes can house only a fixed number of trust systems deployed to them due to budgetary constraints.  The SCADA networks need to be segmented to minimize the amount of cyber-attack traffic and for the trust nodes to be more effective.   There are some potential risks that these SCADA systems need to watch out for.  There are three main types of attacks that are at risk in the current SCADA network.

  • Targets power plants. Disrupts operation or generation.
  • Targets power distribution and control systems. Disrupts state information that may lead to instability.
  • Targets consumer premises. It could potentially cause an increment in the load that could damage the grid.

The focus of the new emerging technology is on the optimal placement of the trust nodes on the SCADA network.  The ultimate solution was producing an algorithm where minimum spanning trees (MST) would represent the smaller segments and then would determine the least expensive method of determining these segments and deploying the trust systems to these trust nodes.  Thereby segmenting the electrical grid enough to protect in from cyberattacks and in the most cost-efficient way possible.  The emerging technology directly effects not only the US smart grid and its efficiency, but also on a local level being able to apply this algorithm to other industries where cost is an issue possibly in the automotive and more factory related industries with clearly large systems that need to be segmented for better protection.  With this new technology and the high priority to moving towards smaller micro grids, this technology is essential and the energy industry globally should be able to benefit from this.

CP-ABE Scheme for Mobile Devices

The last emerging technology is the development of the CP-ABE Scheme for battery limited mobile devices.  In the IoT world many new applications have an emphasis on one device in general that’s the smartphone.  The ability to create secure applications is a must.  This emerging tech focuses on the encryption mechanisms of (CP-ABE) Ciphertext Policy Attribute Based Encryption.  The problem is that most CP-ABE schemes are based on bilinear maps and require long decryption keys, ciphertexts and incur significant computational costs, (Odelu, Das, Khurram Khan, Choo, & Jo, 2017, p. xx).  These limitations prevent the CP-ABE scheme from being deployed on mobile battery limited devices.  The new emerging technology is the ability to create RSA based CP-ABE that has a constant length of secret key.  The ultimate key decryption and encryption times are O (1) of time of complexity which is ground breaking as other solutions have failed to be this efficient up until this point.

CPE-ABE has been around for years but the efficiency that this new method has brought has now made this more applicable to modern IoT technologies primarily the smartphone but not limited to this.  The implementation of the RSA based CPE-ABE is broken down into four main algorithms:

  • Setup – This algorithm takes a security parameter and the universe of attributes as inputs and then outputs a master public key and its corresponding master secret key
  • Encrypt – This algorithm takes an access policy the master public key and plaintext as inputs. The encryption algorithm outputs a ciphertext
  • KeyGen – The inputs are an attribute set, the master public key and the master secret key. The key generation then outputs a user secret key corresponding to the attributes.
  • Decrypt – It takes a ciphertext generated with an access policy, the master public key and the secret key and outputs plaintext using the decryption algorithm, (Odelu, Das, Khurram Khan, Choo, & Jo, 2017, p. xx).

Real world usage for this kind of technology isn’t limited to mobile phones.  Since this is an attribute based encryption system this can be used almost anywhere where attribute based encryption is used.  Which includes token based authentication in JSON Web Token and the creation of JWE or an encrypted JSON Web Token which is used in OAuth system all over the internet in almost every authenticated application.  JSON Web Tokens are used currently right now as an attribute based system.  Instead of attributes the RFC calls them claims where claims are encrypted and sent with a token to the user trying to authenticate.  The claims are then evaluated and the user is given a long-lived token for subsequent requests until the token is expired.  This creates a stateless session for any web application user experience.  OAuth is a security framework that is widely used to authenticate a user across multiple services.  With the emergence of this new technology businesses will be able to use this new RSA based system much like the current systems that are using claims in JWT’s.  The entire online web community will take advantage of this new emerging technology in the coming years.

Federal Government Nurturing the Technologies

Cooperative efforts between the government community and the technology community is needed when discussing the new technology concepts such as IoT.    There is still a lot of work to be done.  A good place to start would be the Federal Trade and Commission’s (FTC).  In an Act, there is a requirement “reasonable security measures” which the agency uses to regulate unfairness.  (IEEE & Loza de Siles, n.d.) says, “Under the Act, this agency regulates conduct involving the Internet and otherwise as that conduct relates to consumers and competition.”    In this act, there are three main components that categorizes unfair or deceptive acts:

  • The act or practice results in substantial consumer injury
  • The consumer cannot reasonably avoid that injury
  • The harm caused by the act or practice is outweighed by countervailing benefits to consumers or to competition.

An actor’s unfair act or practice may not be the cause of consumer injury for the actor to be liable under the Act, (IEEE & Loza de Siles, n.d.).     The FTC prosecuted several Whyndam companies for unfair acts or practices as to the Cybersecurity risks to hotel guests’ personal information where hackers ended up exploiting those risks on three separate occasions, injuring 619,000 consumers.  (IEEE & Loza de Siles, n.d.) continues, “Under the FTC’s unfairness authority, IoT and other companies must use “reasonable security measures” to protect consumers’ data.”  This is very promising that consumers are being protected in this manner as this is long overdue.  However, the vagueness again much like the definition of IoT is still the issue.  There needs to be more policy writing that will foster more concrete laws that move with the dynamic changing landscape.  This does show the overall support of the government agency in the protection of this newly emerging field.

 

HTC is another example of how the FTC was willing to go after offenders in this grey area of this Act.  The FTC alleged that HTC failed to implement reasonable security measures where HTC, among other illegal conduct, introduced permission re-delegation vulnerabilities in its customized, pre-installed mobile applications on Android-based phones and thereby undermined the operating system’s more protective security model, (IEEE & Loza de Siles, n.d.).  This shows how even though the policy is archaic there is still a government entity looking to look out for consumers. Accordingly, the important take-away regarding the FTC’s Tried and True Guidance is that what constitutes “industry-tested and accepted methods” of data security is dynamic and a constantly moving target, (IEEE & Loza de Siles, n.d.).   But when does this “reasonable security measures” end.  One could clearly see how this may deter innovators from pursuing such areas of interest.  In the end, there needs to be more capable policy writers to keep up with the times. It looks as though there are severe re-writes that need to happen in the next five to ten years.  Only then will innovators and security experts truly see eye to eye.

Conclusion

One of the fastest growing areas in technology is the introduction of the concept (IoT) Internet of things.  However, a very exciting time.  There is a some very important new emerging technologies to take note of.  That will allow for more innovation in the IoT field.  As the field continues to grow there will allows be more potential risks.  The emerging security solutions and methodologies are grossly behind.  The policy is even more behind the technology to help combat some of the threats that IoT faces.  For this field to get the growth it needs cyber policy needs to be written to allow for innovators in the field to have comfort in developing in this space.  Until this is done there will not be enough significant innovation to elevate all the security threats due to the inability to in fuse a startup in this space without thinking an investment is going to go directly to liability issues in a few years or even worse in its first year.  The ability to see the government take initiative to protect is however very refreshing.

 

References

CHALLA, S., WAZID, M., KUMAR DAS, A., KUMAR, N., REDDY, A., YOON, E., & YOO, K. (2017). Secure signature-based authenticated key establishment scheme for future iot applications. IEEE Access5, 3028-3043. Retrieved from http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7867773

Forbes, & Morgan, J. (2004, May 13). A simple explanation of ‘the internet of things’. Retrieved from https://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/#697fb71f1d09

Gartner Research. (n.d.). Internet of things defined – tech definitions by gartner. Retrieved from http://www.gartner.com/it-glossary/internet-of-things/

Hasan, M. M., & Mouftah, H. T. (2016). Optimal trust system placement in smart grid scada networks. IEEE Access4, 2907-2919. doi:10.1109/access.2016.2564418

IEEE, & Loza de Siles, E. (n.d.). Cybersecurity Law and Emerging Technologies Part 1 – IEEE Future Directions. Retrieved from http://sites.ieee.org/futuredirections/tech-policy-ethics/may-2017/cybersecurity-law-and-emerging-technologies-part-1/

Odelu, V., Das, A. K., Khurram Khan, M., Choo, K. R., & Jo, M. (2017). Expressive cp-abe scheme for mobile devices in iot satisfying constant-size keys and ciphertexts. IEEE Access5, 3273-3283. doi:10.1109/access.2017.2669940

RFC 7516 – JSON Web Encryption (JWE). (n.d.). Retrieved from https://tools.ietf.org/html/rfc7516

RFC 7519 – JSON Web Token (JWT). (n.d.). Retrieved from https://tools.ietf.org/html/rfc7519

 

New Privacy Issues Related to Cyberspace

In the streaming media industry privacy issues are a very large problem.  As you watch your favorite movie or listen to your favorite playlist services collect an extraordinary amount of data.  This includes location data, personal identifiable information, behavioral data and others.  In this industry each of the companies that we’ll analyze is looking to get an edge on the other to make a completely customizable experience for their customers.  The question is how do the company’s privacy policies compare to one another?  We’ll take a look at Netflix, Walmart VUDU, and Xbox streaming services.

Netflix

Netflix is one of the largest streaming services in the world.  It’s a subscription based service much like the others that provides on demand movies either by streaming but also by mail.  According to Forbes Netflix is worth 25 billion dollars.

Mission Statement

Netflix’s mission is to provide streaming services to its customers.  (Farfan, n.d.)  says, “[Netflix] doesn’t have an “official” published mission statement, but at the Dublin Founders conference in October, 2011, co-founder and CEO Reed Hastings expressed a clear vision for the future of Netflix.”  Netflix is striving to become the best global entertainment company.  It is also seeking to license entertainment content all around the world (Farfan, n.d.).  The CEO continues by saying that Netflix is also creating markets for filmmakers around the world.

Privacy Policy

Netflix’s privacy policy is laid out with a very simplistic and easy to read method.  It discusses the three main points of who, what, and why.  The privacy explains who Netflix gives your personal identifiable information to.  It also discusses what types of information that it captures from its user base.  It also discusses why by stating the California Online Privacy Protection Act or COPPA and what this act mandates.  It also explains how it collects some of the data.  This includes the ability for a user to remove themselves from getting certain emails and disclosing other information.

Recommendation

When comparing the Netflix privacy agreement, it reads very brief.  The only section that are robust in detailed are the section concerning the COPPA and Email regulations that it needs to find.  I would suggest to clarify in more detail exactly what the company was using the information for.  Stating that the company was just using information to enhance the customers experience seems to be very vague.  Telling Netflix’s customers exactly what they’re doing with the information will allow the customer base to have more trust in the streaming service.  The second part of their mission statement says that it’s creating markets for filmmakers.  The privacy policy should state as to where the PII information is being used and for what.  This shows that the Netflix user base aren’t aware of the demographic data which is being built and or how long it’s being stored for.

 

Walmart Mission Statement

Walmart is a giant in the retail industry has a very simple mission statement.  Saving people money so they can live better.   (“Walmart corporate – we save people money so they can live better,” n.d.) states, “Our everyday low price model and next-generation approach to seamlessly integrating the online and in-store shopping experiences to meet the evolving needs of our customers, have delivered growth, leverage, and returns for our shareholders.”  Walmart has a streaming service called VUDU.  Much like Netflix it delivers streaming movies and entertainment content to its customers.

Walmart Privacy Policy

Walmart’s privacy policy is very thorough and easy to read.  It discusses the four main questions who, what, why and how.  It also lays the privacy policy out similar to Netflix as it looks like a Frequently Ask Questions section of their website.  Walmart does a great job in disclosing not only that in distributes your personal information to third parties but it also takes it a step further by describing who and why and they do.  (Walmart) states, “We share personal information about you with service providers that help with our business activities, including shipping vendors, billing and refund vendors, payment card processors, and companies that help us improve our products and services.”  Compared to the other two privacy policies especially Netflix this is worded in a very clever way that allows customers to feel comfortable without giving away their business process.  As a added bonus Walmart also goes into different emergency scenarios that they would disclose your PII data.  Which isn’t present on either the Microsoft privacy policy as well as the Netflix policy.

Walmart Recommendation

Walmart as a whole covers a lot of different products and services.  It’s privacy statement had little mention of streaming services and what it’s using your PII for in the conjunction with their VUDU offering.  A recommendation would be to isolate the streaming service and put a section on how it’s used.  Currently the way the privacy policy is laid out it states usage around it’s bread and butter services and product lines which is retail and ecommerce.  Walmart should look to create a larger more directed section towards this service.   (“Five potential privacy pitfalls for app developers mozilla hacks – the web developer blog,” n.d.)   says, “Despite your best intentions to respect user privacy, legal requirements and user expectations can vary widely – a challenge made especially acute now that apps are available to a global audience.”  Walmart has to watch out as their audience may change from there retail and ecommerce offerings to their streaming service.

Microsoft Mission Statement

Microsoft is a global company dominating in the streaming service space as well.  Much like Walmart, Microsoft has a variety of product and service offerings to its consumer other then it’s streaming movie service.  Microsoft’s mission is to enable people and businesses throughout the world to realize their full potential.

Microsoft Privacy Policy

Microsoft also has a very thorough privacy policy.  It allows a customer to clearly read what they are opting into and the types of information that it’s capturing.  Unlike Walmart, Microsoft seems to be disclosing a large amount of its business to the consumer.  The policy not only states that it’s using PII from information that’s offered willingly but it also goes into detail about how the company uses third party services to get other information on customers to build profiles.  It also uses verbiage to increase customer experience.  Highlights also discuss how Microsoft uses Kinetix camera’s to take pictures and upload to the Microsoft servers once connected.

Microsoft Recommendation

Microsoft should really consider how much data is needed for each service and or product offering.  It’s detail in its policy not only makes it difficult for the company to maintain but it also gives a sense of distrust from the customer.  The company also seems to have the same approach as Walmart which is the one size fits all approach.  Privacy policies should be more specific to the service and or product so that the user knows in which service their PII is being used and how.  Instead of being vague when discussing which service or product.

References

Farfan, B. (n.d.). Netflix mission statement – mission, values, global vision, founders facts, and trivia about netflix movie rental website. Retrieved from http://retailindustry.about.com/od/retailbestpractices/ig/Company-Mission-Statements/Netflix-Movies-Mission-Statement.htm

Microsoft accessibility mission, strategy, and progress. (n.d.). Retrieved from https://www.microsoft.com/enable/microsoft/mission.aspx

Privacy policy » what’s on netflix? (n.d.). Retrieved from http://whatsonnetflix.com/privacy-policy/

Privacy statement. (n.d.). Retrieved from https://privacy.microsoft.com/en-us/privacystatement

Walmart corporate – we save people money so they can live better. (n.d.). Retrieved from http://corporate.walmart.com/

Walmart Privacy Policy. (2015, March). Retrieved from http://corporate.walmart.com/privacy-security/walmart-privacy-policy