Fabrizio Baiardi

Fabrizio Baiardi is a Full Professor at Università di Pisa, where he has chaired one of the first degree programmes on the security of ICT infrastructures. His main research interests are formal approaches to risk assessment and the resilience of critical ICT infrastructures. Fabrizio Baiardi has been involved in the risk assessment and management of several systems, including industrial control systems with SCADA components. He has authored several papers on ICT security and currently teaches university courses on security-related topics.

In a Data-Driven World, Privacy is King and Security is Queen

According to this curve, in 2017 more than 40% of US heterosexual couples met online. This confirms Marc Andreessen's prediction that ‘software is eating the world’: everything we do is done by interacting with some piece of code running on some piece of hardware. In most cases, we do not own the software, we do not own the hardware, and we do not know how the software and the hardware work, which information they collect and store, where that storage is located, or how long the information will be retained. This points out two critical problems.

The first is that technical problems are becoming more and more important. We cannot speak about our privacy and our personal information without considering technical properties that can no longer be dismissed as details of interest only to a few techies.

The second point concerns regulation. Building systems that properly protect and manage all the information they collect is expensive. This is why security is always a feature of the next release rather than of the current one. Hence, we cannot hope that the market per se will force the development and adoption of secure and robust systems. Regulation by the state or by supranational entities such as the EU is fundamental to correct this market failure. This is the reason for the NIS Directive, the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU. The directive aims to promote a culture of security across sectors that are vital for our economy and society and that rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Companies in these sectors that are identified by the Member States as operators of essential services have to take appropriate security measures and to notify serious incidents to the relevant national authority. The Directive also requires that key digital service providers (search engines, cloud computing services and online marketplaces) comply with the security and notification requirements.

However, a much larger number of infrastructures is involved in our security and our privacy. As an example, the infrastructure that supports an online dating service stores important information about a large number of people, and this is the reason for the GDPR regulation on the protection of personal data. Is this enough? A first doubt arises because of the recent attack against Garmin. The attacked servers store information about when someone is training, where the training occurs and, as an example, which other people train with that person. The attackers had access to this information, which was not protected according to GDPR. Further doubts arise when we consider that the information sources for a huge number of people are social networks such as Twitter, Facebook and so on. Attacks that manipulate the information on these networks may have a dramatic impact on a society. Hence, some directive should also be adopted for these networks, their software stack and their hardware infrastructure. Hoping for self-regulation may be useless. Consider, as an example, how Alexandria Ocasio-Cortez pressed Facebook’s Mark Zuckerberg for answers during a House Financial Services Committee hearing about when the social media giant will fact-check posts shared on its platform.

A last note concerning regulation: how long are we willing to delegate regulation to people who have no idea of the underlying software and hardware infrastructures? The hope that this will enable them to produce regulation that works for any software/hardware solution has never been fulfilled, and there is no reason to believe it will be now that software is eating the world. As someone said some time ago, “Insanity is doing the same thing over and over again and expecting different results”.
