Conference on data security and supply security in Danish Parliament

posted Jun 3, 2015, 12:43 PM by Niels Jensen   [ updated Jun 5, 2015, 10:55 AM ]
Yesterday Safepark attended a one-day conference on data security and supply security in the second chamber of the Danish Parliament. The conference was arranged by CheckPoint, and was a nice change from the usual one-day IT conferences around Copenhagen. Our host in the Parliament building was co-chairman of the Danish Parliament Mr. Bertil Haarder. Mr. Haarder welcomed us to Christiansborg Palace, and pointed to the new modern paintings in this rather old building as well as the upcoming celebration of the 100th anniversary of the time women got to vote in elections in Denmark before turning to the topic of the day. Mr. Haarder mentioned, among other things, that he believes paramedics should have access to patient information at the site of an accident in order to expedite the treatment. That suggestion created quite a stir in the Health Committee of the Parliament a few years ago.

The focus of the talks during the morning was data security and safety on the internet. Mr. Kim Aarenstrup from the National Cybercrime Center was to have given the morning keynote, but his talk was cancelled due to the ongoing election. Instead we listened to Rasmus Theede from one of the larger Danish IT companies, KMD. His message has not changed much from the one he delivered at another conference we attended earlier this year. Worth mentioning is that KMD are developing teaching material for children about data security. This is to be released later this summer.

The second speaker was Len Andersen from the Danish Data Protection Agency (Datatilsynet), and what a pleasant change. She focused on her views of a proposed EU regulation for the protection of personal data, and highlighted some of the problems with the current proposal in the light of the large differences among European countries in areas such as CCTV surveillance, where Denmark is rather restrictive compared with, e.g., the United Kingdom and Luxembourg.

The third talk of the morning was the real keynote of the day: "Staying One Step Ahead" by Amnon Bar-Lev, the President of CheckPoint. The message of this talk was that we need to move from a reactive approach to a pro-active approach, such as document encryption at the time of creation as well as CPU-level threat protection. Wait! CheckPoint is not a chip maker, so how can they talk about CPU-level protection? We never found out. This keynote was followed by a rather dull talk by Jacob Sharf, the former chief of PET. By the way, the spelling error in his English slides to his Danish talk was "less unlikely" --> "less likely" about a current security threat.

The focus of the afternoon was that supply security and data security go hand in hand. The afternoon started with a short case by Director Carl-Emil Larsen of DANVA - Danish Association of Water Works on how attacks from cyberspace threaten the security of the water supply. DANVA, after a wake-up experience based on a message from Anonymous in November 2012, has now, based on a Swedish equivalent, created a handbook for IT security in the supply services. It can be freely downloaded from DANVA's homepage. The final talk of the day was by Kristian Sandberg from CheckPoint, who demonstrated and talked about attacks on process industry facilities, e.g. the complete destruction of a steel furnace in Germany recently, and the 2500 unprotected SCADA installations in Norway, and that VPN plus a terminal server is not the solution to the security problem.

The day finished with a panel discussion with four politicians: one from Socialdemokraterne, one from Venstre, one from Socialistisk Folkeparti and one from Alternativet. The latter representative wanted to solve all problems by using open source software everywhere, i.e. a different approach to one size fits all. Unfortunately these politicians don't see the everyday problems which their laws create for companies and citizens. They have limited personal life experience - unfortunately. So I considered it a lost cause to attempt to explain to them the benefit of estimating and/or calculating the cumulative X-ray dose any person in the country has received. We already record whenever they get an X-ray performed (except for at the dentist). So it should be rather simple to extend the data with the number of pictures and the estimated dose per picture in mSi. Then, as the accumulated dose increases, the patient and doctor could weigh the benefit of another X-ray much better. I did however ask for a consolidation of our three main public systems: the correspondence system e-boks, the tax system, and the health system. The tax system is clearly the most professional and user-friendly of the three.

The takeaway from the day: We need to be pro-active with data security! The process industry and the utilities are finally waking up here, more than 5 years after Stuxnet.