Devices, networks, and services are insecure, yet they process more data

There should be no barriers to timely fixes in security -- including updates, patches, and workarounds -- particularly considering implications for users of various socio-economic status and citizenship. Security updates should be distinguishable from feature updates.

What we would like to see

Security researchers will be able, and encouraged, to test products and services to break security and privacy. Open and transparent security research identifies the defences necessary for cyber-physical security and safety, and challenges information asymmetry.

Cyber security will be considered a common good, which benefits everyone. Policies and initiatives must not advantage only some people over others. This means that a national government policy should not disadvantage people outside that country, or certain sectors of society.

What this will mean

Industry will have to commit to patches and updates for their systems, and create an environment where bugs are sought and reported, and fixed for users globally. 

Listening and always-on devices that are under the control of the service provider will be patched for as long as they are processing for that provider.

Essential reform actions

Cybersecurity policies must ensure that they protect all people across economic and geographic boundaries and promote end-to-end encryption.

Manufacturers and/or vendors must be responsible for the security and privacy design in the products they manufacture and sell, throughout a clearly identified period.

What we would like to see

Data minimisation will be implemented across all devices and platforms by design. Less data generation and processing means that less data can be misused or breached.

Industry will have to clearly articulate the length of time for which they will commit to security updates for a given service or product. This is essentially a statement of the expiration of the security viability of that connected service.

Listening and always-on devices that are under the control of the service provider will be patched for as long as they are processing for that provider.

Essential reform actions

Companies will have to notify individuals of the life-span of technologies and the period for which they will maintain security updates.

Consumer protection policy should reflect the security responsibilities of manufacturers and/or vendors.

 

Data should be protected from access by persons who are not the user. 

What we would like to see


End-to-end encryption will be the default in devices, networks and platforms for data in transit and at rest. If deviation from the default is to occur, other essential and equivalent safeguards in law are required.

Data minimisation will be implemented across all devices and platforms by design. Less data generation and processing means that less data can be misused or breached.

What this will mean

Cybersecurity policies must ensure that they protect all people across economic and geographic boundaries and promote end-to-end encryption.

Initiatives promoting the ‘Fourth Industrial Revolution’ and the ‘data revolution’ must place privacy at the centre of their policies where the minimisation of data is essential to a safe and secure future.