Categories
Articles

BEREC Net Neutrality Guidelines: good news for security

BEREC, the board of European Telecoms Regulators, has just published its updated guidance on enforcing the Network Neutrality Regulation. Jisc has been working with the Forum of Incident Response and Security Teams (FIRST) for nearly five years to ensure that this legislation and guidance didn’t discourage legitimate practices to secure the operation of networks: this […]

Categories
Articles

New Presidency: new ePrivacy progress?

It seems a long time since I wrote about the ePrivacy Regulation. This was supposed to come into force alongside the GDPR, back in May 2018, and provide specific guidance on its application to the communications sector. You may remember it as “Cookie law”, though it was never just that. Unfortunately its scope grew and, […]

Categories
Articles

Choose the right metaphor

I’ve been reading a fascinating paper by Julia Slupska – “War, Health and Ecosystem: Generative Metaphors in Cybersecurity Governance” – that looks at how the metaphors we choose for Internet (in)security limit the kinds of solutions we are likely to come up with. I was reminded of a talk I prepared maybe fifteen years ago […]

Categories
Articles

COVID-19 Cyber Threat Coalition and GDPR

[Notes: This isn’t legal advice, but I hope it will reassure anyone considering supporting the COVID-19 Cyber Threat Coalition that the data protection risks should be very low; This only covers the use of data for defending systems, networks, data and users; use for offense, including attribution and evidence, is covered by separate legislation, which […]

Categories
Articles

BEREC clarifies that permanent network security measures may be OK

Four years ago, Jisc responded to the Board of European Regulators of Electronic Communications (BEREC) consultation on network neutrality to point out that some security measures cannot just be temporary responses by the victims of attacks, but need to be permanently configured in all networks to prevent them being used for distributed denial of service […]

Categories
Articles

Reducing your vulnerability to insider threat

Monica Whitty’s keynote at the FIRST Conference (recording available on YouTube) used interviews at organisations that had been victims of insider attacks to try to understand these attackers – and possible defences – from a psychological perspective. It turns out that thinking about stereotypical “insider threats” probably doesn’t help. Notably, disgruntled employees were responsible for […]

Categories
Articles

The Big Bad Smart Fridge

Leonie Tanczer’s FIRST 2019 keynote (recording now available on YouTube) looked at more than a decade of European discussions of whether/how to regulate the Internet of Things (no, I didn’t realise, either) and how we might do better in future. This is particularly relevant to an incident response conference as – as Mirai and other […]

Categories
Articles

Rebuilding trust in the Internet’s building blocks

Merike Kaeo’s keynote “Waking Up the Guards” at the FIRST 2019 conference (recording now available on YouTube) highlighted how attacks on the internet core no longer target a single service (naming, routing, signing) but move between these to achieve their hostile result. Defenders, too, need to consider the consequences of their implementation choices as a […]

Categories
Closed Consultations

Portability right: a data protection challenge

[Update: Jisc has responded to the Working Party’s invitation to comment on these guidelines] The General Data Protection Regulation contains one new right for individuals – data portability (Article 20). Some commentators have suggested that this is just a digital form of the existing subject access right, but the Article 29 Working Party’s new guidance […]

Categories
Articles

Janet and the Internet of Things

Organisations connecting to Janet are required to implement three policies: the Eligibility Policy determines who may be given access to the network; the Security Policy sets out responsibilities for protecting the security of the network and its users; the Acceptable Use Policy identifies a small number of activities that are not permitted on the network. […]