Numer 1 (1) 2022
Spis treści
Strony
Pobierz
|
|||||
|
|||||
Streszczenie The world is constantly changing. New, effective security systems require a better understanding of cyberspace and advanced technologies. Traditional cyber defenses cannot keep pace with the high access in 5G networks and IoT delivery, nefarious manipulation of data, malicious disinformation and global corporations. The exposure of cybersecurity vulnerabilities proves the need for more up-to-date scholarly research that will cross borders in technology, policy and application. National Research Institute NASK, a leader in cyber innovations in Poland, is creating a ground-breaking new scientific platform for research publication and multidivisional exchange of ideas in computer science and security studies. To address this gap in knowledge, we are launching a new open-access peer-reviewed scholarly journal Applied Cybersecurity and Internet Governance! Applied Cybersecurity and Internet Governance responds to contemporary challenges faced by modern civilization. Our ambition is to ensure sustainable technological development, promote crucial technological advances and present new research in machine learning. We are confident that interdisciplinary and multi-sectoral approaches to management of the Internet will enhance harmonious global cooperation... INFORMACJE O AUTORZE
Uniwersytet Warszawski
Naukowa i Akademicka Sieć Komputerowa – Państwowy Instytut Badawczy (NASK-PIB) |
|||||
Erwin Adi,
Zubair Baig, Sherali Zeadally Artificial Intelligence for Cybersecurity: Offensive Tactics, Mitigation Techniques and Future Directions
DOI: 10.5604/01.3001.0016.0800
2 – 24
|
|||||
Słowa kluczowe adversarial AI |cyber infrastructures |data analysis |supply chain compromiseStreszczenie Cybersecurity has benefitted from Artificial Intelligence (AI) technologies for attack detection. However, recent advances in AI techniques, in tandem with their misuse, have outpaced parallel advancements in cyberattack classification methods that have been achieved through academic and industry-led efforts. We describe the shift in the evolution of AI techniques, and we show how recent AI approaches are effective in helping an adversary attain his/her objectives appertaining to cyberattacks. We also discuss how the current architecture of computer communications enables the development of AI-based adversarial threats against heterogeneous computing platforms and infrastructures. INFORMACJE O AUTORACH |
|||||
Aaron Brantly
Utopia Lost – Human Rights in a Digital World
DOI: 10.5604/01.3001.0016.1238
25 – 43
|
|||||
Słowa kluczowe human rights |artificial intelligence |cybersecurity |governance |privacyStreszczenie The long progress towards universal human rights is regressing. This regression is pronounced within digital spaces once thought to be potential bulwarks of a new era in human rights. But on the contrary, new technologies have given rise to threats that undermine the autonomy, empathy, and dignity of human beings. Early visions of human rights being strengthened by networked technologies have instead crashed into technological realities which not only fail to advance human rights discourses, but rather serve to actively undermine fundamental human rights in countries around the world. The future of human rights is increasingly threatened by advances that would make George Orwell blush. Omnipresent data collection and algorithmic advances once promising a utopian world of efficiency and connection are deeply interwoven with challenges to anonymity, privacy, and security. This paper examines the impact of technological advances on the regression of human rights in digital spaces. The paper examines the development of human rights through changes in concepts of autonomy, empathy, and dignity, it charts their regression as technologies are used to increasingly prey on these very same characteristics that undergird human rights discourses. INFORMACJE O AUTORZE
Hume Center for National Security and Technology, Virginia Tech, USA
|
|||||
Vagelis Papakonstantinou
The Cybersecurity Obligations of States Perceived as Platforms: Are Current European National Cybersecurity Strategies Enough?
DOI: 10.5604/01.3001.0016.1237
44 – 55
|
|||||
Słowa kluczowe data localisation |digital sovereignty |national cybersecurity strategies |states as platformsStreszczenie Cybersecurity is a relatively recent addition to the list of preoccupations for modern states. The forceful emergence of the internet and computer networks and their subsequent prevalence quickly brought this to the fore. By now, it is inconceivable that modern administrations, whether public or private, can exist entirely outside the digital realm. Nevertheless, with great opportunities also comes great risk. Attacks against computer systems quickly evolved from marginalised incidents to matters of state concern. The exponential increase in the importance of cybersecurity over the past few years has led to a multi-level response. New policies, followed by relevant laws and regulations, have been introduced at national and international levels. While modern states have therefore been compelled to devise concrete cybersecurity strategies in response to potential threats, the most notable aspect of these strategies is their resemblance to one another. Such uniform thinking could develop into a risk per se: challenges may appear unexpectedly, given the dynamic nature of the internet and the multitude of actors and sources of risk, which could put common knowledge, or what may be called conventional wisdom, to the test at a stage where the scope for response is limited. This paper builds upon the idea of national states being perceived as platforms within the contemporary digital and regulatory environment. Platforms are in this context information structures or systems, whereby the primary role of states acting as platforms is that of an information broker for its citizens or subjects. This role takes precedence even over the fundamental obligation of states to provide security; it calls upon them first to co-create (basic) personal data, and then to safely store and further transmit such data. Once the key concept of states as platforms has been elaborated in section 2, this paper then presents the concrete consequences of this approach within the cybersecurity field. In section 3, former off-line practices for safely storing personal information, undertaken by states within their role as platforms, are contrasted with the challenges posed by the digitisation of information. The focus is then turned in section 4 to the EU, and the NIS Directive’s obligation upon Member States to introduce and implement national cybersecurity strategies, which are therefore examined under the lens introduced in section 2. Finally, specific points for improvement and relevant recommendations for these cybersecurity strategies are presented in section 5. |
|||||
Ali Shoker
Digital Sovereignty Strategies for Every Nation
DOI: 10.5604/01.3001.0016.0943
56 – 72
|
|||||
Słowa kluczowe autonomy |digital sovereignty |digital strategy |Nash Equilibrium |sovereign technologyStreszczenie Digital Sovereignty must be on the agenda of every modern nation. Digital technology is becoming part of our life details, from the vital essentials, like food and water management, to transcendence in the Metaverse and Space. Protecting these digital assets will, therefore, be inevitable for a modern country to live, excel and lead. Digital Sovereignty is a strategic necessity to protect these digital assets from the monopoly of friendly rational states, and the threats of unfriendly Malicious states and behaviors. In this work, we revisit the definition and scope of digital sovereignty through extending it to cover the entire value chain of using, owning, and producing digital assets. We emphasize the importance of protecting the operational resources, both raw materials and human expertise, in addition to research and innovation necessary to achieve sustainable sovereignty. We also show that digital sovereignty by autonomy is often impossible, and by mutual cooperation is not always sustainable. To this end, we propose implementing digital sovereignty using Nash Equilibrium, often studied in Game Theory, to govern the relation with Rational states. Finally, we propose a digital sovereignty agenda for different country’s digital profiles, based on their status quo, priorities, and capabilities. We survey state-of-the-art digital technology that is useful to make the current digital assets sovereign. Additionally, we propose a roadmap that aims to develop a sovereign digital nation, as close as possible to autonomy. Finally, we draw attention to the need of more research to better understand and implement digital sovereignty from different perspectives: technological, economic, and geopolitical. INFORMACJE O AUTORZE
King Abdullah University of Science and Technology (KAUST), Arabia Saudyjska
|
|||||
Ilies Benhabbour,
Marc Dacier NoPASARAN: a Novel Platform for Analysing Semi-Active elements in Routes Across a Network
DOI: 10.5604/01.3001.0016.1461
73 – 97
|
|||||
Słowa kluczowe security |conformance |firewall |IPSEC |man-in-the-middle |network |proxy |TLSStreszczenie In this paper, we propose a novel, collaborative distributed platform to discover the presence, or analyse the configuration, of what we call semi-active elements. By doing so, we revisit the ideas initially proposed in [1, 2] with the Netalyzr tool and in [3] with Inmap-t. Our contributions lie in a simplified and more powerful design that enables the platform to be used for a variety of tasks, such as conformance verification, security testing, network configuration understanding, etc. The specifications, design and implementation choices of the platform are presented and discussed. Two use cases are revealed to illustrate how the platform can be used. We welcome any interest shown by others in deploying our tool in different environments, and encourage any subsequent collaboration in improving its expressiveness. INFORMACJE O AUTORACH Ilies Benhabbour King Abdullah University of Science and Technology (KAUST), Arabia Saudyjska Marc Dacier King Abdullah University of Science and Technology (KAUST), Arabia Saudyjska |
|||||
Johannes Thumfart
The (Il)legitimacy of Cybersecurity. An Application of Just Securitization Theory to Cybersecurity based on the Principle of Subsidiarity
DOI: 10.5604/01.3001.0016.1093
98 – 121
|
|||||
Słowa kluczowe digital sovereignty |cybersecurity dilemma |desecuritization |securitization |securitization theory |societal security dilemmaStreszczenie The application of securitization theory to cybersecurity is useful since it subjects the emotive rhetoric of threat construction to critical scrutiny. Floyd’s just securitization theory (JST) constitutes a mixture of securitization theory and just war theory. Unlike traditional securitization theory, it also addresses the normative question of when securitization is legitimate. In this contribution, I critically apply Floyd’s JST to cybersecurity and develop my own version of JST based on subsidiarity. Floyd’s JST follows a minimalistic and subsidiary approach by emphasizing that securitization is only legitimate if it has a reasonable chance of success in averting threats to the satisfaction of basic human needs. From this restrictive perspective, cyber-securitization is only legitimate if it serves to protect critical infrastructure. Whilst Floyd’s JST focuses exclusively on permissibility and needs instead of rights, I argue that there are cases in which states’ compliance with human rights obligations requires the guarantee of cybersecurity, most importantly regarding the human right to privacy. My version of JST is also based on the principle of subsidiarity, in the sense that securitization should always include stakeholders directly affected by a threat. To strengthen this kind of subsidiarity, focused on the private sector, I argue for the legitimacy of private active self-defence in cyberspace and emphasize the importance of a ‘whole-of-society approach’ involving digital literacy and everyday security practices. Moreover, I argue that far-reaching securitization on the nation-state-level should be avoided, particularly the hyper-securitization of the digital public sphere, following unclear notions of ‘digital sovereignty’. INFORMACJE O AUTORZE
Vrije Universiteit, Bruksela, Belgia
Hochschule für Wirtschaft und Recht Berlin, Niemcy |
|||||
Sandra Schmitz-Berndt,
Mark Cole Towards an Efficient and Coherent Regulatory Framework on Cybersecurity in the EU: The Proposals for a NIS 2.0 Directive and a Cyber Resilience Act
DOI: 10.5604/01.3001.0016.1323
122 – 138
|
|||||
Słowa kluczowe cybersecurity |Cyber Resilience Act |EU legislative framework |NIS 2.0 directiveStreszczenie Cybersecurity regulation in the EU has long been implemented in a piecemeal fashion resulting in a fragmented regulatory landscape. Recent developments triggered the EU to review its approach which has not resulted in the envisaged high level of cyber resilience across the Union. The paper addresses the EU’s limited mandate to regulate cybersecurity and outlines how the internal market rationale serves as a basis to harmonise cybersecurity legislation in the EU Member States. In that regard, the recent Proposal for a NIS 2.0 Directive (adopted by the European Parliament in November 2022) and the Proposal for a Cyber Resilience Act (published in September 2022) highlight how the EU seeks to align legislation and reduce complexity between different, often sectoral reg- ulatory approaches to cybersecurity, while at the same time extending regulation in a view to achieve a high level of cybersecurity across the EU. As regards the latter, the paper also outlines how the Cyber Resilience Act will complement the NIS 2.0 Directive in order to close existing regulatory gaps. INFORMACJE O AUTORACH Sandra Schmitz-Berndt Uniwersytet Luksemburski (Université du Luxembourg) |
|||||
Veronika Nowak,
Johanna Ullrich, Edgar Weippl Cybersecurity is more than a Technological Matter – Towards Considering Critical Infrastructures as Socio-Technical Systems
DOI: 10.5604/01.3001.0016.2055
139 – 144
|
|||||
Słowa kluczowe cybersecurity |critical infrastructure |European power grid |socio-technical systemsStreszczenie Cybersecurity is still considered a purely technological challenge; however, despite all technological progress, this challenge remains unsolved – as emphasized by many high-impact attacks against public administration and industry worldwide. We postulate that the mere focus on technology fogs the bigger picture, since people generate, operate, and interact with all technological systems, thus making them socio-technical systems. Hence, in this commentary we argue for a change of perspective towards a holistic, interdisciplinary view on our technological infrastructure. By example of the European power grid – inarguably a critical infrastructure not only for daily life but also for the continuity of our polity – we show that through interpretation as a socio-technical system, systematic and interdisciplinary studies would allow to reveal how its (cyber)security is not only a technological matter. An interdisciplinary approach combining STEM disciplines and Social Sciences would additionally advance the understanding of stakeholders and their goals and mindsets as well as the manifold dependencies between technology and human actors. While interdisciplinary endeavours appear to be generally supported by funding agencies, reviewers, universities, and researchers, they rarely occur in practice. We discuss why this is the case and present ideas on how to facilitate more interdisciplinary research. INFORMACJE O AUTORACH |
|||||
Šárka Waisová
The Tragedy of Smart Cities in Egypt. How the Smart City is Used towards Political and Social Ordering and Exclusion
DOI: 10.5604/01.3001.0016.0985
145 – 154
|
|||||
Słowa kluczowe Egypt |exclusion |political and social ordering |smart cities |technology as instrument of controlStreszczenie Smart cities (SCs) are a new and rising phenomenon emerging across the globe. The present article focuses on the possible impact of SCs on socio-political life and structure, and the organisation of the target society. Here, SCs are critically considered as the spaces where people live, work and vote. The aim of the present article is to discuss SCs, and the digital technologies used in SCs, as a possible instrument of social and political ordering and of social exclusion. Drawing on empirical evidence from Egypt, particularly Egypt’s new capital, the article sketches out how the smart city has been used by political and military authorities to socially and politically order and engineer society as well as ef- fectively exclude certain groups, mainly political opponents. Life in the new smart capital has a Janus face. On the one hand, inhabitants of the city have access to excellent services, modern infrastructure, first-class education and health care, and high-tech digital technol- ogies which other Egyptians do not benefit from. On the other hand, these inhabitants are under permanent control and are prisoners of the system. Living segregated, with less free- dom than any other Egyptian citizens, they are excluded from natural life in the country and cannot experience any organic development of society. |
|||||
Michael Koppmann,
Christian Kudera, Michael Pucher, Georg Merzdovnik Utilizing Object Capabilities to Improve Web Application Security
DOI: 10.5604/01.3001.0016.0823
155 – 172
|
|||||
Słowa kluczowe Object Capabilities |secure design patterns |web securityStreszczenie Nowadays, more and more applications are built with web technologies, such as HTML, CSS, and JavaScript, which are then executed in browsers. The web is utilized as an operating system independent application platform. With this change, authorization models change and no longer depend on operating system accounts and underlying access controls and file permissions. Instead, these accounts are now implemented in the applications themselves, including all of the protective measures and security controls that are required for this. Because of the inherent complexity, flaws in the authorization logic are among the most common security vulnerabilities in web applications. Most applications are built on the concept of the Access-Control List (ACL), a security model that decides who can access a given object. Object Capabilities, transferable rights to perform operations on specific objects, have been proposed as an alternative to ACLs, since they are not susceptible to certain attacks prevalent for ACLs. While their use has been investigated for various domains, such as smart contracts, they have not been widely applied for web applications. In this paper, we therefore present a general overview of the capability- based authorization model and adapt those approaches for use in web applications. Based on a prototype implementation, we show the ways in which Object Capabilities may enhance security, while also offering insights into existing pitfalls and problems in porting such models to the web domain. INFORMACJE O AUTORACH |
|||||
Veronika Netolicka
Commentary: The Czech Approach to Supply Chain Security in ICT
DOI: 10.5604/01.3001.0016.0867
173 – 178
|
|||||
Słowa kluczowe security |national regulation |supply chain |the Czech RepublicStreszczenie Supply chain security is one of the challenges many countries are currently addressing. As this topic is a national security prerogative, the systems for screening also vary. The Czech Republic is preparing a legislative framework to protect strategically important infrastructure from high-risk suppliers. This commentary focuses on the Czech Republic’s progress in this area, particularly in the European context. |
|||||
Ladislav Cabada
Russian Aggression against Ukraine as the Accelerator in the Systemic Struggle against Disinformation in Czechia
DOI: 10.5604/01.3001.0016.0916
179 – 194
|
|||||
Słowa kluczowe propaganda |Czechia |disinformation campaigns |hybrid threats |RussiaStreszczenie In the last decade Czechia’s foreign and security policies were destabilised by the activities of external actors, with Russia in the leading role, and also by internal actors who followed the Russian and pro-Kremlin propaganda and disinformation campaigns and/or actively participated in such subversive activities. After 2015, within the set of crises and their securitisation, a disinformation network was developed in Czechia using social media and so-called ‘alternative online media’ for the dissemination of disinformation, misinformation, fake news and chain mails to spread these campaigns. As leading persons in the executive belonged to the disinformers, the government was not able to develop working strategies against the disinformation campaigns as the new hybrid threat until 2021. At the end of 2021, the new Czech government of Prime Minister Petr Fiala launched a new strategy regarding hybrid threats which contained disinformation. The one-year plan to establish a systemic platform for the struggle against such threats was challenged by Russian aggression against Ukraine. In this article, we analyse the development of the security eco-system in Czechia against these hybrid threats, specifically the acceleration and intensification of this activity after 24 February 2022. INFORMACJE O AUTORZE
Uniwersytet Metropolitalny w Pradze (Metropolitní univerzita Praha), Czechy
|
|||||
Jan Kleiner,
Jakub Drmola, Miroslav Mares How Are Czech Individuals Willing to Protect Themselves: A Comparison of Cyber and Physical Realms
DOI: 10.5604/01.3001.0016.1322
195 – 208
|
|||||
Słowa kluczowe survey |cybersecurity |cyber-physical comparison |state-endpoint user relationshipStreszczenie Endpoint users are usually viewed as the highest-risk element in the field of cybersecurity. At the same time, they need to be protected not just from the individual-level prism but also, from the state’s perspective, to counter threats like botnets that harvest weakly secured endpoints and forge an army of so-called zombies that are often used to attack critical infrastructure or other systems vital to the state. Measures aimed at citizens like the Israeli hotline for cybersecurity incidents or Estonian educational efforts have already started to be implemented. However, little effort is made to understand the recipients of such measures. Our study uses the survey method to partly fill this gap and investigate how endpoint users (citizens) are willing to protect themselves against cyber threats. To make results more valid, a unique comparison was made between cyber threats and physical threats according to the impact which they had. The results show statistically significant differences between comparable cyber-physical pairs indicating that a large portion of the sample was not able to assess the threat environment appropriately and that state intervention with fitting countermeasures is required. The resultant matrix containing frequencies of answers denotes what portion of respondents are willing to invest a certain amount of time and money into countering given threats, this enables the possible identification of weak points where state investment is needed most. INFORMACJE O AUTORACH |
|||||
Daniel Mider
Privacy on the Internet: An Empirical Study of Poles’ Attitudes
DOI: 10.5604/01.3001.0016.1459
208 – 223
|
|||||
Słowa kluczowe online behavior |online freedom |privacy paradox |privacy perceptionsStreszczenie The value system of Poles in terms of the phenomenon of privacy on the Internet was analysed. The following aspects were taken into account: privacy on the Internet as a moral value, privacy on the Internet as a subject of legal regulations (current or future) and actual actions taken by users to protect privacy. The differentiation of Polish society in terms of the three above-mentioned areas was also examined. Results were obtained on the basis of a quantitative empirical study conducted on a representative sample (N=1001) of adult Poles. The method of computer assisted telephone interviews (CATI) was used. Descriptive statistics and selected inductive statistics were used in the analyses. Intra-group differentiation was investigated using a method called two-step cluster analysis. Poles have low technical competences in the field of Internet privacy protection. This value is appreciated; however, it rarely translates into active protection of one’s own identity and information. A strong polarization of Poles’ attitudes towards the requirement to disclose their identity on the Internet was identified, as well as ensuring access to any user information by law enforcement agencies. Poles are willing to accept legal regulations preventing their profiling. We note a moderately strong negative attitude towards state institutions as a factor limiting privacy on the Internet and a significantly lower (but still negative) attitude towards Internet service providers. Poles differ in terms of attitudes towards privacy on the Internet (IT competences, age, education, gender, socioeconomic status and size of the place of residence). |
|||||
Remigiusz Rosicki
The Substantive Criminal Aspects of the Offence of Simulated Child Pornography under Polish Law
DOI: 10.5604/01.3001.0016.0690
224 – 234
|
|||||
Słowa kluczowe pornography |child pornography |sexual offences |information restriction |cybercrimeStreszczenie The objective scope of the research problem concerns the content and sense of the elements characterising one of the types of child pornography, criminalised under Art. 202 §4b of Poland’s Criminal Code, i.e. simulated child pornography. This offence is understood as producing, disseminating, presenting, storing and possessing pornographic material presenting a generated or processed image of a minor participating in sexual activity. The main goal of the article is the substantive criminal analysis of the act criminalised under Art. 202 §4b of the Code. The scope of the analysis has been elaborated with the following question: To what degree is the legal solution concerned with criminalisation and penalisation of the activities of »production, dissemination, presentation, storage or possession of pornographic material presenting a generated or processed image of a minor participating in sexual activity« usable, and realises the ratio legis intended by the legislator? The issue has been analysed using what is primarily an institutional and legal approach, involving textual, functional and doctrinal interpretations that have been supplemented by the author’s own conclusions and opinions. INFORMACJE O AUTORZE |
|||||
Marika Kosiel-Pająk
UK Border Digitalisation – a Commentary on the Current State of Affairs
DOI: 10.5604/01.3001.0016.1052
235 – 240
|
|||||
Słowa kluczowe Brexit |border management |contactless border |digital border |digital status |eGates |electronic travel authorisation |European Union Settled Scheme |immigration procedures |United Kingdom of Great Britain and Northern IrelandStreszczenie The commentary focuses on the current process of converting the British immigration procedures into an entirely digital format, as part of a reform brought about by Brexit and in the framework of broader digital strategies in the United Kingdom of Great Britain and Northern Ireland. The British government’s ambitious aim is to digitalise the immigration procedures by 2025, further support eGates and eventually enforce a contactless mode of arrival. The policy plan, its execution to date and its reception are analysed briefly. Taking into account that the government is revealing only selected aspects of the complex system rather than all the mechanisms and safeguards, neither British digital sovereignty in this matter nor the scope of protection of personal and meta-data could be fully examined. INFORMACJE O AUTORZE |
|||||