Interview with Lëtzebuerger Gemengen, translation by itrust consulting.
On 28 May 2018, the General Data Protection Regulation (GDPR) came into force in the EU. Three and a half years later, many organisations are slow to comply, considering it too complex. For Carlo Harpes, the situation is worrying. The Managing Director of itrust consulting recommends a PIMS, a Privacy Information Management System, to help companies comply with the GDPR requirements.
Explanations.
What is a PIMS?
A ‘privacy information management system’, abbreviated ‘PIMS’ even in French, is an ‘information security management system that manages the protection of privacy as potentially affected by the processing of personal data’. Personally, this is what I would have called a ‘management system to protect personally identifiable information’ and I would present it as a way to comply with the GDPR. To implement this, there are 1,001 solutions, usually valid for small organisations where data protection is not the primary concern. But for the past 26 months there has been one PIMS which has been described so precisely that organisations can be certified on this basis: the one documented in ISO/IEC 27701.
Who needs it?
3.5 years was not enough time for most organisations to comply with the GDPR. How many have not appointed a DPO (although this is a legal requirement for any public entity)? How many do not have a register of processing that complies with the requirements? How many cannot prove to the CNPD their compliance with the principles of the GDPR, including the one requiring ‘appropriate technical and organisational measures’? Faced with the difficulty of knowing what is appropriate and how to demonstrate it, leaders (policy makers, mayors, heads of administration, CEOs and managing directors) often give up and hide behind the non-compliance of their neighbours. From my observations, this situation is worrying, and only the CNPD, which has the obligation to sanction, should be aware of this state. All the organisations involved here would have benefited from this PIMS.
Who defined this PIMS?
The Luxembourgish authority ILNAS, which I represented at ISO in multiple expert meetings dedicated to this standard since 2014, was arguing with its European partners for a fast and fully GDPR compatible standard. To support compliance with these requirements, we have made numerous suggestions for improvements to the overly complicated numbering and certain overly cumbersome wording. In France, the CNIL has welcomed its participation and encourages the adoption of this standard while leaving organisations the possibility to opt for other systems to create evidence of accountability.
Who supports PIMS in Luxembourg?
In Luxembourg, unfortunately, the CNPD has not communicated on this standard, which I perceive as a strategic mistake, probably due to the absence of CNPD representatives at ISO or a lack of knowledge of management systems at all. This misjudgement also led it to create a national certification framework in 2018, which aimed at a Luxembourg certification that was very expensive to obtain and, I dare say, economically unjustifiable in the absence of international recognition. Given the multiple inaccuracies in the criteria for this certification and the establishment of dedicated certification processes (instead of using the recognised ISO 17065 process that has been practised for decades), the initiative remained an unused flop, and the collateral damage remains the lack of support for other more mature and affordable standards and approaches.
So is the CNPD partly responsible for poor compliance?
Absolutely not. Every citizen is accountable to the law, and in no case can the police be held responsible for a crime they have not detected. Criticising the CNPD is a way for some people to look away from their own responsibilities. Of course, the CNPD also has an information and awareness-raising mission. They could have done more, but they have done this at other levels.
Where and how to get PIMS certification?
From any foreign certifier or from the only accredited certifier in Luxembourg, Certi-Trust, which issues certification under internationally recognised accreditation. Due to lack of demand, ISO/IEC 27701 certification is not yet available. In the meantime, a certification against ISO/IEC 27001 with an indication on the certificate of the full implementation of the ISO/IEC 27701 measures is possible. itrust consulting obtained it on 9 June 2020.
What are the advantages of this certification?
In the preparation of this certification, itrust consulting has made extensive use of this standard to draw up a data protection policy which lists all the measures proposed in this standard, the implementation choices and internal guidelines, e.g. references to other security measures, internal documentation or an indication of the responsibilities and processes to be followed by the employees. Thus, this policy, together with a risk analysis report and the register of processing activities, is the cornerstone for demonstrating that data are adequately protected, independently of a certification.
During an external audit by the certifier, the conformity to this policy and the correct application of the measures were verified. Without being able to guarantee 100% that there will be no incidents, this inspires the confidence of our clients, and ultimately of most Luxembourg citizens whose data might be processed by us.
‘3.5 years after the entry into force of the GDPR and 26 months after the definition of a PIMS’
What is the cost of certification and its limits?
The cost of certification (including audit) is on average 4 000 euros per year for an organisation with less than 25 employees but increases logarithmically with this number. An organisation that does not have adequate systems in place could have to spend up to 50 000 euros on consultancy, preparation and implementation of processes and measures. Of course, the cost is theoretically zero for companies that are already managing security and data protection in the right way. The costs of business process-specific security measures can also be substantial. However, these measures are not imposed by certification if this is aligned with the risk appetite and if the residual risk is accepted. In other words, certification does not ensure that there are no risks, nor that there is compliance with the GDPR, but only that all risks and compliance issues have been fully detected, understood and accepted by top management and that the interests of data subjects have been respected.
What is the philosophy behind the PIMS of ISO/IEC 27701?
This PIMS is based on the information security management system, i.e. on specific requirements related to understanding the context, leadership, planning, support (e.g. staff training), day-to-day operation of processes, and performance evaluation. In other words, it starts from the idea – often overlooked from a legal perspective – that it is pointless to spend time reviewing the specific rights of a data subject if the processing fails to protect the confidentiality, integrity, and availability of the information (CIA). However, protecting CIA is not sufficient in terms of privacy protection: risks shall be considered from the perspective of the data subjects and the rights of the data subjects under any applicable legislation. These requirements are comprehensively reflected in 48 controls that are set out in the standard with requirements and implementation guidance. It is also guided by pragmatism and the fact that a law is not complied with because of penalties, but by upgrading the management of any organisation that must comply with it.
Dr Carlo Harpes explains the potential of the EU Certification initiative, the role of regulators and public procurement in requiring certification, the pitfalls in certification such as with the LU CARPA initiative, the need for collaboration among all actors, the need to learn and improve the ICT development lifecycle and testing, the danger of dependency after mergers of today's certification authorities, and the importance of caring about 'high' certification, which should stay feasible for innovative companies, not only for market leaders.
An SES-driven consortium that seeks to develop a satellite-terrestrial quantum communication infrastructure and the roadmap for wider European integration, setting the path for next-generation cybersecurity.
To design the LuxQCI, Luxembourg has put in place a consortium comprising InCert, itrust consulting, LuxConnect, LuxTrust and the University of Luxembourg (SnT), that is led by SES’s fully owned affiliate SES Techcom.
Interview by Adeline Jacob from SmartCities, translation by itrust consulting.
There are viruses that attack bodies while there are others that attack computer systems. Neither type will have spared us in 2020, challenging both health and cybersecurity experts. Carlo Harpes, founder and managing director, and Guillaume Schaff and Matthieu Aubigny, Security Consultants at itrust consulting, analyse these current events and present the solutions proposed by the company to best navigate in this cyber-insecurity climate.
Has Covid-19 resulted in a more favourable setting for the resurgence of cyber-attacks?
Carlo Harpes: We were astonished when, at the beginning of the pandemic, the Luxembourg authorities announced that there had been no measured increase in cyber-attacks. This message went against our perception and our predictions. Finally, in August, Avast stated that the threat had increased by 27% for Luxembourg citizens. Most recently, we also learned that certain pieces of American security software had been breached. Almost at the same time, the world witnessed the longest shutdown of authenticated services from Google, WhatsApp, etc., in the world. We can indeed say that insecurity is increasing.
Guillaume Schaff: Studies have shown that phishing attacks increased significantly during the first lockdown (1). Hackers play a lot on human emotions to achieve their goals. The climate of fear in which we lived in March was therefore beneficial to them.
Matthieu Aubigny: In addition, there has been a stress phenomenon at the telecommunications infrastructure level, and small vulnerabilities have probably become more significant as a result. These failures, however, have had the virtue of increasing the level of resilience of a certain number of tools.
In the United States, one attack, in particular, made a lot of noise...
Carlo Harpes: The Treasury Department and the National Telecommunications Administration were victims of a cyber-attack orchestrated by expert hackers inventoried as APT29 who, according to the FBI, are linked to the Russian government. The attack in question on the Orion management software (network control/surveillance tool) of the American company SolarWinds was indirectly aimed at its clients: in addition to American federal agencies, the malware infiltrated leading companies in the IT world such as Cisco, Intel, Nvidia, Belkin or Microsoft without us knowing its real impact. To this day, it remains an unknown and a risk, because anyone capable of using SolarWinds to penetrate Microsoft could also have used Microsoft to infiltrate its customers. These are speculations, but the underlying method, called a supply chain attack, is dangerous because it is difficult to detect. To such an extent that companies like Microsoft are calling for coordinated, international, legal and technical initiatives to deal with this problem (2). It is therefore legitimate to ask whether it is always advisable to use tools that are used on a large scale and therefore attractive to cyber-attackers. In general, we note that managers tend to invest in market-leading software more easily than to consult an expert who will know how to correctly use a less widespread product and set up real monitoring procedures via this product. This is a mistake. It is better to use lighter and simpler tools, ideally Open Source, and to use the services of a specialist to deal with anomalies.
Matthieu Aubigny: To use an image, let’s say that people tend to invest in the best tanks, but have neither a crew to observe the opponent’s movements nor a driver to defend themselves. What is needed is someone behind the screen who can spot failures and counter-attacks. Even in this age of Big Data and artificial intelligence, there is no substitute for a trained expert. You have to be aware that security products are necessarily in the sights of the attackers, since they have to be fooled before they can go any further. On the other hand, given the mass of data to be processed, the experienced expert will also have to use artificial intelligence and automatic learning to discover what is often a needle in a haystack.
What services do you offer when it comes to data protection issues?
Guillaume Schaff: Since May 25th 2018, we have been assisting our clients in complying with the GDPR by establishing registers of processing activities and preparing Data Protection Impact Assessments (DPIAs). In a basic approach, we also propose the establishment of security policies as well as data privacy notices pertaining to the processing of personal information. We also offer an external Data Protection Officer (DPO) service - mainly used by public entities - as well as incident management measures, for example in case of personal data breaches. In addition, we offer a wide range of documents to support our clients in their compliance and help them adopt good practices.
Carlo Harpes: We have also improved our security management system after introducing around 50 measures in line with the ISO 27701 standard, which provides recommendations on privacy management (PIMS). itrust is the first company to be certified for this under the OLAS accreditation.
‘It is better to use lighter and simpler tools (...) and use the services of a specialist’
What tools are you currently developing?
Carlo Harpes: First of all, we have refined our documentation to generate pandemic plans and deploy 'templates' that take into account 'Privacy by Design' and 'Security by Design'. Secondly, we are carrying out a research project to develop a lightweight tool in terms of deployment and cost to provide intrusion detection capabilities and a Luxembourg-based support service for both industrial and private clients with no security knowledge. And, finally, as part of the Quartz project, with partners such as SES, we are developing new algorithms and sophisticated tools to secure a satellite-based quantum key distribution service. In this way, we will help to ensure the confidentiality of communications in a future where attackers will have quantum computers at their disposal. In parallel, we want to carry out research to develop security tools based on post-quantum cryptographic algorithms (i.e. secure against attacks by quantum computers), simulators and components for these computers, along with associated test tools.
Has the pandemic caused delays in the implementation of certain security or data protection measures?
Carlo Harpes: At our customers’ premises, many projects aimed at reducing IT risks have been logically postponed due to the unavailability of people or stagnating revenues. These companies have therefore agreed to act with greater than expected, but still acceptable risks. On the other hand, none of our customers have suspended their security certification or discontinued measures already in place. The majority of our customers used the opportunity to refine their crisis and pandemic plans.
Guillaume Schaff: Although our customers focused on their business activities at the beginning of the crisis, we are now seeing an increase in demand for Business Continuity Management, i.e. maintaining business activity in the event of a crisis, and for secure teleworking. We had detected shortcomings on both these levels in March, but I think that top management has really become aware of the need but also of the risks of accelerating the digitalization of their activity.
What do you expect to see in 2021?
Carlo Harpes: The past year has been very demanding. Our teams are exhausted by a workload that is likely to increase again this year. However, we are hopeful that this lack of human resources will strengthen solidarity and cooperation between the public and private sectors. It is by joining forces, with longer-term partnerships, that we will have the greatest impact.
(1) Dominique Filippone, « Avec le coronavirus, le phishing augmente de 667% en mars » (With the coronavirus, phishing increases by 667% in March), https://www.lemondeinformatique.fr/actualites/lire-avec-le-coronavirusle-phishing-augmente-de-667-en-mars-78582.html
(2) https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/
The 'Russian attack on the US' through a loosely protected update of the security software 'Orion' was well explained as a 'universal espionage attack on the world' by Bruce Schneier.
Our hint: 'Basically don’t trust market leader software providers; they are a spying attack vector! Rather use niche products and open source software'.
'Fostering synergies between our consulting and research activities'
Interview by Martina Cappuccio from Lëtzebuerger Gemengen (LG) with Carlo Harpes (Managing Director), Arash Atashpendar (HoD RDI) and Matthieu Aubigny (Senior IT Security Consultant) from itrust consulting s.à r.l. about the new Research and Development strategy.
itrust consulting took advantage of the period of confinement to rethink its Research and Innovation department and review its priorities. With a new manager at its head, the department intends to build a research strategy of its own, independent of the financing of isolated projects. Carlo Harpes, founder and Managing Director of itrust consulting, Matthieu Aubigny, Security Consultant, and Arash Atashpendar, Head of Research, Development and Innovation (RDI), tell us about the company's flagship research projects.
What changes are taking place within itrust consulting?
Carlo Harpes: Our company has always put its resources at the service of projects for which it found funding without having its own research strategy. Today, we would like to make a paradigm shift and organise our activities according to the priorities we identify by observing the flaws that exist in our modern infrastructures. We have therefore recruited a new head for the department of Research, Development and Innovation, Arash Atashpendar, in order to build a research strategy of our own. We will try to release funds, mainly from the FNR, to finance our team as a whole and no longer just certain isolated projects. The aim is also to supervise more doctoral students on an ongoing basis, as a university institute would do.
At the same time, we strive to promote synergies between our consulting and research activities. Our strength lies in the close cooperation between these two departments. Researchers know that their work will be used in the field by their collaborators in consulting, just as they know that the turnover generated by our consulting activities allows us to invest in research in order to update our tools and skills.
Matthieu Aubigny, you have handed over to Arash Atashpendar at the head of the RDI department. What are the reasons for this change?
Matthieu Aubigny: This change came at a significant moment when the projects I was leading were coming to an end and others were evolving more in Arash's area of specialisation, that of quantum cryptography and algorithmics. As for me, I had more and more work to do at the consultancy level, so this transition came about naturally. Of course, we remain in collaboration and I have taken over the role of defending the expectations of customers in the definition of our research activities!
Arash Atashpendar: As head of this department, currently I supervise a research team of four people, including students writing their master's thesis and planned to be hired for our projects. At the same time, I evaluate the work carried out and determine whether it can lead to scientific articles that would support our funding requests.
My area of specialisation is cryptography and quantum computing. When I joined itrust consulting, the teams were already working on the QUARTZ project. The premise of this project is based on a simple observation: the infrastructure that currently secures our communications and data flow will be threatened in the years to come by quantum attackers. Indeed, if malicious actors succeed in developing a stable and scalable quantum computer, which would for example be capable of effectively executing Shor's factorisation algorithm, a number of cryptographic algorithms used today to secure our modern infrastructure, particularly in banking, would be seriously threatened. The world of quantum computers needs, among other things, key exchange and a new family of algorithms in the field of post-quantum cryptography. In accordance with the national strategy of the Ministry of the Economy, supported by European initiatives, we have chosen this subject as the long-term vision of our own strategy: we want to anticipate certain threats that do not yet exist.
One idea is to use key establishment mechanisms that are not vulnerable to attacks by adversaries equipped with a quantum computer, such as quantum key distribution. In the framework of the QUARTZ project, itrust consulting plays an important role and designs and secures an application for quantum key distribution, carried out by satellites.
Are you working on other research projects?
Arash Atashpendar: We are working on a second pillar in the short term, whose main project is CRITISEC. The aim of this initiative is to create a tool capable of detecting intrusions into industrial computer networks and smart houses. The long-term objective would be to create a network with devices costing less than 100€ to detect attacks, alert the user in the event of an anomaly and, if necessary, inform a centralised expert system. The latter then analyses these anomalies by using significant computing power and human expertise in order to alert the other devices as well; a significant amount of research work is required to solve the performance problem, but this will only be possible if a certain budget is allocated to it, independently of the daily business objectives. We want to build up our own strategies and develop research in these areas, because users today already expect to be warned as soon as dangerous and malicious network activity is detected.
Carlo Harpes: Once our monitoring tool has been finalised and tailored for the control of domestic networks, we will have to find a critical mass of activity to create a competence centre that would be equipped with the research tools and more sophisticated algorithms to update and develop our detection devices.
Matthieu Aubigny: Often these attacks use distributed computing resources that infect one computer after another before moving on to a major attack. The idea is to be able to spot small intrusions and react right from the start. This requires having probes throughout the system and being able to consider and assess the threat in advance. This is one of our core activities: risk analysis in relation to vulnerabilities.
There is also a need for more collaboration at the European level to create solutions that do not depend on external systems that we do not have the source code for and that we do not always fully understand.
What are the strengths of your research team?
Carlo Harpes: At itrust consulting, we are willing to take risks - perhaps quantum cryptography will not sell tomorrow - by mixing these risks with the short-term goals of creating products with guaranteed usability such as cyber-attack detection.
We also show true team spirit! Each person is complementary and strives to assist the others. Finally, when hiring, we focus on the potential of candidates rather than their experience and we plan to train them internally and give them responsibilities. We offer them a training platform and challenges in the development of new products in collaboration with the team while allowing them to have design autonomy.
itrust consulting referenced for an evaluation of progress in quantum cryptography in an IBM Qiskit report on simulation frameworks for quantum key distribution (QKD), August 19, 2020.
itrust consulting renewed the certification of its Information Security Management System (ISMS) and extended it with the compliance of its Privacy Information Management System (PIMS), valid for three years as of July 9, 2020.
itrust consulting is the first LU company certified ISO/IEC 27001, under OLAS accreditation, for a scope including all ISO/IEC 27701 controls to protect privacy.
The new certification scope statement is the following:
‘Both the Information Security Management system (ISMS) and the Privacy Information Management System (PIMS) of itrust consulting cover all business services provided by itrust consulting to its customers as well as all assets owned or managed, including all customer related information, personal identifiable information, and services such as information security and computer security consulting, auditing, R&D, training, ICT, CERT, and pseudonymization; in accordance with the Statement of Applicability, version 3.4 of 5th of June, 2020 including all controls of ISO/IEC 27001 and 27701.’