

Liberal heart of the EU

Ian Grant

Infosecurity Today, May/June 2005

Benelux lies between the UK and Germany on the one hand and the Latin countries on the other. Its infosec culture bears the marks of this torsion. Ian Grant stakes out the territory.

The Benelux countries of Belgium, Netherlands and Luxembourg lie on a fault line that runs through European history and culture. To the north and east lie the Anglo-Saxon nations while to the south, west and further east lie the Latin lands. It is also at the interface between the two main schools of Christian belief, Catholicism and Protestantism. Historically, the Benelux has always been a corridor for trade and a battlefield for stronger powers.

These qualities make it apt that the Benelux is at both the physical and intellectual heart of the European Project. Even so, national differences persist and colour people's attitudes to IT security issues.

Jihad meets liberal Europe

Two factors appear to dominate attitudes. One is the threat of loss of assets and/or terrorism motivated by religious or political goals. From this arise the issues of proofs of identity, identity theft and their associated technologies. The other is consumer apathy. By and large, one can say that traditionally the Protestant Anglo-Saxons stress liberal values and restrict state access to personal data more than do their Catholic Latin counterparts.

The Netherlands has long been a centre of liberal political thought and action. But that has changed since 9/11 and the murder of film maker Theo van Gogh, artist Vincent van Gogh's great-great-grandnephew, by Muslim extremists. The murder of Van Gogh, a libertarian, echoed the 2002 killing of the right-wing politician Pim Fortuyn by an animal rights activist.

The Dutch are ambivalent about this. Their Anglo-Saxon passion for order and correctness meant that in World War Two, when the Germans invaded Holland, the Gestapo had complete records of all the Jews living in the country. It was thus easy to round them up and ship them to murder camps. No-one wants to repeat that, but the state has a duty to protect its citizens.

The bankers of Luxembourg

Gerard Lopez, chairman of Securewave, a Luxembourg-based software house, says that of the three Benelux countries, Luxembourg, with its long tradition of banking secrecy, is the most aware of the needs for security with respect to personal information and reliable IT services. “This is why it attracted all the accounting and banking for iTunes (the music download service) and Skype (the voice over IP service developed by the inventors of KaZaa, the peer to peer file sharing service).” Lopez is also the founder of Mangrove Capital Partners, a venture capital firm with holdings in both Skype and Securewave.

“Luxembourg is like a well-run corporation in that it can be more nimble than other governments,” he says. As a result, the duchy's 200-odd banks (for 462,000 citizens plus a lot of people who prefer to keep their financial details private) face stringent audits of both accounts and IT systems. Legal penalties for abuse of personal and financial data are tough and targeted. “Most of the risk comes from outside Luxembourg,” says Lopez.

Lopez claims the duchy's bankers as well as the British Ministry of Defence have welcomed Securewave's products. In contrast to other anti-virus or anti-spyware suppliers, which rely on signatures to identify and stop malware, Securewave stops all unauthorized executable code from running, he says.

Because banking so dominates the environment, Lopez reckons Luxembourg IT security scales up as follows: retail banking is on a level with the UK and Germany; online banking is more advanced, with common use of tokens due to the large number of non-resident accounts; fund administration requires highly reliable systems for 24x7 transaction processing; finally, private banking, where security is such that some parts of a bank may transact without even knowing who is the account holder.

But this is not the only issue affecting the Benelux. Moves to introduce electronic health cards to replace the E111 forms for travellers are well advanced.

In addition the US is insisting that visitors to its shores carry passports with the holders' biometric details.

And there is talk of an electronic European identity card. Already half a million such cards are in circulation in Belgium, and from 2009 all Belgian citizens will have to carry one (although this does just replace the paper ID card).

Dutch discontent

Among the Dutch, these moves have driven data privacy way up the agenda. “'Need to know' has become very important,” says technical security consultant Arno Molenaar, who is dealing with the issue for his municipality near Amsterdam. “When you start to link identity with passport and health records electronically, well… There have been a number of questions in Parliament and we've been given assurances, but we can't say for sure (what those are worth)”, he says.

Electronic ID cards or tokens have benign uses too, says Bart Preneel. Preneel is a professor in the Computer Security and Industrial Cryptography (COSIC) research group in the electrical engineering department at the Catholic University of Leuven. Two COSIC graduates, Vincent Rijmen and Joan Daemen, developed the Rijndael algorithm that became the Advanced Encryption Standard (AES). Apart from managing several European encryption and privacy projects, Preneel also consults to Philips and the SWIFT interbank funds transfer network.

ID cards to empower citizens

A firm advocate of strong identity and privacy protection, Preneel says the e-card could provide citizens with quick and easy access to facilities and services. He is more sceptical about using tokens for accessing things like the internet or chat systems. “If people use chat then they usually use pseudonyms,” he says. “How can you positively identify them then?”

Preneel believes that most opposition to electronic ID cards comes from Anglo-Saxon countries. Indeed, this is where most of the problems of identity theft are most apparent. So far. But despite intensive research, the technology to provide widespread affordable strong protection is still five years off, he reckons.

Guy Kindermans, senior writer with Data News, a Belgian ICT publication, agrees. He points to the recent request from the European Commission to the US to postpone the ban on non-biometric passports for a year. The reason, he says, is that the biometric technology is so far unreliable.

Intermediate technology, such as certain types of smart card, has proved crackable, he says. “What's really needed is three level protection — something you know (such as a password), something you have (such as an electronic token) and something you are (such as a fingerprint or retina scan). Once you've got that you can use the card securely,” he says.

Securing biometrics

A key issue then is how to store and access biometric information. Does one store it on the card? In a backend corporate database? Encrypted? Then, who has access to the data? What for? And who can change it? Under what circumstances? Preneel's colleagues in COSIC are looking for plausible answers to these and other questions.

Professor Bart Preneel: eID cards can be benign, Anglo-Saxon protestations notwithstanding


Because tokens such as smart cards are expensive, it may be that only governments can insist on their adoption by enough people to bring costs down.

But Preneel and Kindermans both point to the vested interests of the major credit card companies. Visa and Mastercard both have more customers than many countries have citizens, they say. The issue is whether governments will let them displace their contractual responsibility for damages that arise from the fraudulent use of their cards.

The question is what other uses governments, banks and others want to load onto the identity document. Kindermans believes that electronic passports are a matter for national governments. It is tied up with the nature of their sense of national sovereignty, he says. But he and Molenaar agree with Preneel that the US has the power to force others to toe its line.

American reach

Indeed, Newsweek reported in April that the US refused to allow a KLM flight bound for Mexico into its airspace because two passengers were on the FBI's 70,000-strong list of suspects. Because the flight wasn't landing in the US, KLM was not obliged to tell the US who was on the flight; the US had got the passenger list from the Mexicans.

Although the two men were apparently innocently on their way to visit an ill father, Newsweek reported they fitted a suspicious profile. They were Saudis, brothers, pilots (one had trained at the same Arizona flight school as one of the 9/11 hijackers), and headed for Mexico, which has a porous border with the US. So far consumer irritation at such incidents has been muted.

Preneel reckons governments generally take a laissez-faire line to computer security unless forced. This is partly because there is little coordination between the relevant authorities, and cost.

Belgian awareness low?

Kindermans reckons security awareness at all levels in Belgium is low. “Belgium has not had a large public computer crime, and although there is lots of home banking, there have been no serious reported breaches,” he says. “Besides, there is no legal obligation to report breaches; people will only become aware of something if they find their personal data is misused.”

Kindermans thinks awareness is low partly because the universities are not teaching security awareness or secure programming at undergraduate level. This is ironic, given Belgium's acknowledged expertise in cryptography, and, indeed, Bart Preneel takes issue here. “Our university has three courses on information security, two for computer science students, and one for electrical engineering students. And there are similar courses in other Belgian universities”.

Still, Kindermans can push his point with respect to the general populace: “A lot of people think they are adequately covered with firewalls and anti-virus measures, but a new report (for the Belgian Computer Society) suggests this is not so,” he says.

Luc Golvers, the man responsible for it, says the report is presently a draft. “The survey was made on the basis of a multiple choice questionnaire that deals with ICT security in terms of the physical, logical and organisational measures implemented in Belgian companies, the incidents they faced during the last three years and the consequential damages.

“Some 550 companies replied, which gives us a sound statistical sample. We conducted a similar survey in 1998. The evolution between the two surveys is of great interest,” he says. The report is due in late May/early June.*

All those interviewed seem to agree that IT security will rise up both political and personal agendas. However, as Preneel notes, people will sell details of their shopping habits for �50, and others have reported UK office workers parting with their passwords for a chocolate bar. At the consumer level, present security is too much hassle, they say.

Kindermans suggests that perhaps the solution is to set up a central repository of cleaned and verified personal data. This data could be held in escrow, and made available with the owner's permission on a need to know basis, he says. This would save the consumer and service provider from mistakes and duplications.

No doubt this is true; but who could you trust to run it?

Ian Grant is a freelance writer and editor

* Survey performed by the Belgian Computer Security Club: www.clusib.be.

Infosecurity Belgium next takes place from 22-23 March 2006, Brussels Kart, Brussels, Belgium.

Infosecurity Netherlands takes place from 9-10 November 2005, Jaarbeurs Utrecht, Utrecht, The Netherlands

Guy Kindermans, Data News: general Belgian security awareness low