In this special, we sat down with Mr. Alex Tan, the Director of Sales for the ASEAN Region for Physical Access Control Systems from HID Global. We had a conversation about some of the emerging trends in the industry on the use of biometrics and security. One of the biggest issues we discussed was the use of biometrics and its implications on personal data privacy and security with the emergence of legislations such as the GDPR (General Data Protection Regulation) in the European Union and Malaysia’s own PDPA (Personal Data Protection Act). The issue brought us to talking about how personal technological devices can be a security risk with how they handle data collected by facial recognition and fingerprint reading technologies.
Mr. Alex Tan heads the strategic developmental and organisational growth of HID Global’s Physical Access Control business within the ASEAN Region. He has been in the security access control industry for about 19 years and has, prior to this, headed the sales and enterprise solutions at another leading access control manufacturer.
HID Global has over two decades of expertise in the security industry. The American company has its roots in radio frequency identification technologies and has over the years become a recognised brand when it comes to premise access and security as well as biometric technologies. You may recognise the company’s logos from the many devices and solutions it provides to buildings and businesses across the world. They may even be responsible for keeping you safe in your apartment building!
Take a listen to the podcast and let us know if you still have any unanswered questions when it comes to biometrics and personal data protection in the comments down below.
Sidestepping the first issue which sees Google and Apple aiming to implement their feature directly on a device’s operating system while the NHSX version requires a downloadable dedicated application, this article will focus on the issue of privacy arising from the second issue.
In essence, Apple and Google have insisted that if there is to be any collaboration between the NHSX and them for the purposes of contact tracing the storage of all data will have to be decentralised. The NHSX, on the other hand, is pushing for centralised storage of data.
What’s the difference?
Before deciding on one system or another, it’s best to understand the basics of the distinction between these systems.
A centralised system has a single storage point and controller of the data collected. The central controller of the data may grant access to other users but remains ultimately responsible for the system as a whole. A centralized system is relatively easy to set up and can be developed quickly. Such a system is very useful where continuous modifications to the parameters of the system are expected or where the use of the data needs to be adapted for different purposes.
In contrast, a decentralised system has multiple controllers of data all of whom collect and store copies of the data on their respective systems. This system allows for quicker access to data and less risk of downtime as a fault with one controller will not necessarily affect the others.
A third form, known as a distributed system, has no single central owner at all and instead gives collective ownership and control to each user on the network. It is unlikely to be used by either party.
Each system has its advantages and disadvantages and to make a decision between a centralised and a decentralised system the NHS and the tech giants will need to take into consideration a range of issues including:-
The overall effectiveness of the technology;
The adaptability of the system to the shifting demands of research;
The cost of deployment and maintenance;
Whether or not the system is a security risk for the user;
Whether there are compliance concerns.
Why is a decentralised system so important?
Google and Apple have been clear that the reason for a proposed decentralised system is to avoid the risk of mass government surveillance presently or in the future. This is a genuine concern as the data being collected will be directly related to a user’s location and medical history. Although not absent from criticism, this position is the preferred option and has been supported by academics and numerous civil rights groups including the Electronic Frontier Foundation and the American Civil Liberties Union.
Still, the European position is split with the seven governments supporting the project known as the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) which proposes a centralised repository of data and a growing following for the Decentralised Privacy-Preserving Proximity Tracing (DP-3T) advocating a decentralised system.
The NHS itself may not be intent on surveillance; however, being publicly funded draws immediate speculation about its government links. In addition, both the NHS and the UK government have had a poor record of handling large-scale IT projects, such as the failed £11bn National Programme for IT, scrapped in 2011, and the plans for a paperless NHS by 2018, which could not even take off.
What about the NHS position?
Unfortunately, the focus on privacy risks, coupled with the NHS’s bad track record in the field of technology projects, has detracted from the core issue at hand – What does the NHS need right now to curb the spread of the Covid-19 virus?
Ross Anderson, an advisor to the NHS on its contact tracing application highlighted the problem with a decentralised system:-
“…on the systems front, decentralised systems are all very nice in theory but are a complete pain in practice as they’re too hard to update. We’re still using Internet infrastructure from 30 years ago (BGP, DNS, SMTP…) because it’s just too hard to change… Relying on cryptography tends to make things even more complex, fragile and hard to change. In the pandemic, the public health folks may have to tweak all sorts of parameters weekly or even daily. You can’t do that with apps on 169 different types of phone and with peer-to-peer communications.”
The Covid-19 virus took approximately 2 months to infect 100,000 UK residents and the spread has shown few signs of a slowing infection rate. Time is critical in this situation and correspondingly, flexibility in adapting to the constantly changing nature of the infection is a necessity. Decentralised systems do not allow for rapid evolution.
In addition, we should consider that unlike centralised systems, decentralised systems are often unencrypted. While trying to prevent a government from carrying out surveillance, the Google and Apple system may inadvertently open itself up to more security problems than expected. In fact, they have themselves admitted this risk stating that nothing is “unhackable”.
As a second consideration, the API that Google and Apple will release will likely have strict limitations on the type of data that may be collected. For example, the NHS would not be able to gather a list of every person a user has been in contact with based on user proximity. Instead, it will utilise a more manual version of contact tracing involving sending every phone in the system a list of other phones that have been reported as contagious, and asking the user whether they have “seen this user”. Such a system relies heavily on user verification which is often incorrect or simply disregarded.
Key location data which may be used for developing population flow maps and anticipating the further spread of the virus will likely not be made available under Google and Apple’s current proposal. It is also important to note that data from contact tracing could be used beyond the scope of curbing the spread of the virus i.e. for decisions on directing the flow of emergency aid, development of temporary healthcare facilities, deployment of healthcare equipment and personnel.
What has been going on elsewhere?
In contrast to the UK’s situation, Asian countries, having less stringent data protection regulations, have taken remarkably different approaches from Europe in general.
Hong Kong, for example, introduced the mandatory use of an electronic wristband connected to a smartphone application to enforce quarantine for arrivals from overseas. Users refusing to adopt this requirement are refused entry into the country.
South Korea won praise for both tracking and publishing data relating to affected persons’ travel routes and affected areas, the data being collected through the government’s application as well as numerous independent applications. Residents also receive numerous location-based emergency messages and are not allowed to opt out of this function.
China’s measures, which have come under considerable question, see a private entity collaboration through the Alipay Health Code. Citizens are given a ‘traffic light’ status that determines the restrictions that will be imposed on them. Although the exact basis for determining a person’s status is not known the status has widespread application including restriction of access to certain public facilities and payment systems.
Privacy concerns of these measures aside, all these countries have seen a considerable reduction in the spread of the Covid-19 virus. While it would be premature to suggest that this is solely attributable to the contact tracing measures implemented there is no doubt that the quick and extensive deployment of the technology has contributed to the battle against the virus’ spread which begs the question:
Is privacy getting in the way?
In 1890, Brandeis and Wallace, pioneers of modern-day privacy, wrote:-
“…To determine in advance of experience the exact line at which the dignity and convenience of the individual must yield to the demands of the public welfare or of private justice would be a difficult task…”
The UK and indeed Europe are at this juncture and need to decide on the cost of the compromise as the death toll and infection rate continue to increase. History reminds us that the greatest privacy and surveillance violations occurred when the world was focused on a raging war and in fact it is times like this that we must be most vigilant about rights.
*This article is contributed by Myles Hosford, Head of Security Architecture, ASEAN, AWS*
Cybersecurity professionals see some threat actors or outside parties as the enemy. However, challenging this mindset is important; you can better protect your organization against outside parties if you understand how they think and operate. With this in mind, businesses around the globe have turned to hackers to test security infrastructure and develop stronger, more robust security practices.
Before integrating penetration testing into your security policy, it is important to understand the different types of hackers that exist. Each group has differing motivations, and you must be clear on which of their skills can be used to your organization’s advantage.
Black hat
Black hat hackers are cybercriminals motivated by personal or financial gain. They range from teenage amateurs to experienced individuals or teams with a specific remit. However, over recent years, several high-profile black hat hackers have refocused on using their cyber skills to protect organizations. An example is Kevin Mitnick, aka Condor, who was just sixteen years old when he gained access to a Department of Defense computer. Following this and numerous other hacks, Mitnick spent five and a half years in prison. Upon his release, he set up his own company, Mitnick Security Consulting, which now runs penetration tests for clients.
The issue of whether to work with a previous black hat hacker is a contentious one. Some, including David Warburton, senior threat evangelist at F5 Networks, believe that hiring ex-hackers is critical in staying ahead of the threat landscape. However, others are concerned about allowing this group access to corporate systems and customer data. The latter group should, however, consider other approaches to working with hackers.
White hat
Often referred to as ethical hackers, white hat hackers are employed by organizations to look for vulnerabilities in security defences. Despite using the same tactics as black hat hackers, this group has permission from the organization, making what they do entirely legal. While they use their knowledge to find ways to break the defences, they then work alongside security teams to fix issues before others discover them.
Many of the biggest organizations in the world, including General Motors and Starbucks, are turning to white hat hackers to help identify fault lines and proactively enhance security posture. White hat hacking can offer an interesting and lucrative career path for people with technical skills. Drawing attention to the important role white hat hackers play can encourage more talented individuals to take a positive path instead of becoming black hat hackers.
Nurturing talent
There are many programmes in place to find, encourage and support the next generation of white hat hackers. An example, supported by AWS, is r00tz Asylum, a conference dedicated to teaching young people how to become white hats. Attendees learn how hackers operate and how cybersecurity experts defend against hackers. The aim is to encourage people with technical expertise to use it for good in their career. Equipped with knowledge and skills, aspiring cybersecurity professionals can bake security into infrastructure from the ground up. AWS’s support for r00tz is our chance to give back to the next generation, providing young people who are interested in security with a safe learning environment and access to mentors.
Building on solid foundations
For those responsible for maintaining customer trust and protecting data, an end-to-end approach to security is critical. As we have seen, working with ethical hackers is a powerful way to view security posture from a cyber-criminal’s perspective to identify and tackle vulnerabilities. However, it’s also important to remember that security needs to be baked in throughout an organization’s infrastructure. This is where partnering with a cloud platform can be beneficial; the best of these are developed to satisfy the needs of the most risk-sensitive organizations. Cloud platforms also offer automated security services, which can proactively manage security assessments, threat detection, and policy management. In so doing, these platforms take on a lot of the heavy lifting for security professionals, including ethical hackers.
CISO stands for Chief Information Security Officer. From that description alone, we believe you would know what this report is about. If you still do not: Cisco did a study of the cyber security field for 2019 by interviewing about 2,000 Chief Information Security Officers (CISOs) or security professionals all over Asia Pacific. You would be glad to know also that about 10% of the participants in the study are Malaysian. While that does not change the nature of the study, the sample size should mean that there is some accuracy in the general scheme of things.
The Big Numbers
The big numbers for Malaysia are 44% of threat alerts are investigated, 46% of the recognised threats are neutralised, and 27% have faced downtime of longer than 24 hours due to a cyber security breach or threat. There are some good things about these numbers, and some bad things too. So it is not all roses and rainbows for Malaysia’s cyber security industry in 2019.
The first of the numbers are the investigated threats. This does not mean alerts. Receiving cyber threat alerts and investigating them are two different things. You can have threat alerts of more than 10,000 and still not investigate any of them for a number of reasons. Still, investigated threats are escalated from reported threats.
According to the Malaysian numbers, 44% of threats reported in Malaysia were investigated in 2019. That is 4% more than in 2018, so Malaysian CISOs were busier by 4% in 2019 than in 2018. That could be due to the raised number of serious threats. It could also mean that awareness of cyber threats has increased in Malaysia. So while it does sound like Malaysia is being attacked more, it also means that Malaysians are now better prepared for cyber threats or breaches.
Out of all the verified threats, nearly half of them were remediated at 46%. That number is higher than plenty of Malaysia’s neighbours and the average in Asia Pacific at 43%. The other half? Maybe those cases could be a little tougher. Still, that also means that Malaysians are capable of handling cyber security issues. This number is also an increase from 2018.
The next big number is the 27% of companies that declared a downtime of more than 24 hours when they were attacked. This is a large increase from 2018’s 9%. While this may not seem like a good thing, there is a bigger story than that. For one, this also means that Malaysia was plenty more digital in 2019 than in 2018. This increase could also be because of the increased threat detection in 2019. The result was also a higher resolution to each identified threat.
More Vendors, More Problems?
It seems only yesterday that having multiple layers of security is a good thing. Like plenty of things, throwing money at something should solve a problem. Those were the days.
There used to be a time when organisations like banks would recommend having about 10 security vendors to layer security in all parts of their organisation. In some sense, it works; but it is very expensive, and very inconvenient for users. That is not yet considering the fact that having multiple vendors and that many layers of security increases complexity in controlling and managing the solutions.
The new way to think about cyber security then is to keep the number of vendors down to as little as required. This reduces not just complexity of workflow and simplifies management, but also increases the efficiency of managing cyber threats.
From the Malaysian numbers though, this seems to be a slightly new concept, with more than 35% of the responding organisations having more than 10 vendors. While this is slightly lower than 2018’s 39%, there is still a need to reduce that number even lower. Malaysians realise that too, with 90% of respondents finding it hard to manage that many vendors at the same time. Some experts suggest that having five to six vendors at a time is enough for a holistic cybersecurity system to be in place for any organisation.
The Problem With Cybersecurity Malaysia
There are still looming problems for a country that is going through a major digital transformation though. While the progress toward a digital Malaysia and Industry 4.0 has been a steady one in the region, there are still fundamental problems that might hinder progress or create holes in the cyber armours that the CISOs have put up or tried to put up. One of these enemies to cyber security is budget.
There are times where companies might have a large constraint over budget. For most SMEs and startups, it is quite understandable. They would probably need to pool their money in things that they might find more useful to them in the shorter run. That is not saying that it is not a problem for them or the general cyber security state in Malaysia. It is still a problem, but an inevitable one.
There are cases of large organisations that have restricted their cyber security budgets because they do not yet see the value in cybersecurity. This becomes a major issue for CISOs. Despite the consensus that more money may not mean more protection, cyber security still needs a pool of money to work with. If not enough money is being poured into the department, not much can be done. With less protection, larger organisations are more vulnerable and thus might lose even more money.
The biggest problem with cyber security, not just in Malaysia but most of the world, is always personnel; both the lack of skilled workers and awareness of the main issue. Thing is though, CISOs all over Malaysia are also making efforts to reduce this number down with plenty of awareness and skill training of personnel all over the company. The number of skilled personnel in terms of cyber security in Malaysia is also growing continuously, which also means that it is a problem that can be solved in time.
So What do We do in 2020?
2020 is meant to be the year of progress, of near complete digital revolution. It is the year of 5G and WiFi 6, the year where data is meant to be all covering and seamless. That potentially means more cyber security risks with bigger data bandwidth and less latency. It gives software less time to react. Which means that a DDoS attack could be a big thing in 2020.
Still, awareness is key to combating cyber attacks. With the availability of data in today’s world, having a VPN no longer cuts it. The only benefit of VPN these days is to ensure that whatever that you have accessed is not tracked by your data or service provider. You are still at risk of a cyber attack even via VPN.
The fact that you have multiple devices that are connected to the internet and each other is already a threat on their own. At every point and turn, you really have to be aware of what you are accessing on the internet and what you are vulnerable to. That allows you to be more alert on things like phishing attacks, malicious links, email scams and what not. That should be enough as the first layer of defense against common cyber attacks, maybe even big ones like ransomware and what not.
If you are planning on getting Anti-Virus software protection on your PC, consider spending a little more than what you would pay for a generic Anti-Virus program. You might want to look into finding an Anti-Virus program that covers the whole lot from spyware, adware, to even malware. That way, you are ensured of holistic protection, at least on your own end.