Thursday, 26 February 2009

Intelligent Energy Systems

In February 2009 it was announced that IBM would join the so-called EDISON consortium.
The EDISON consortium (Electric Vehicles in a Distributed and Integrated Market using Sustainable Energy and Open Networks) consists of IBM Denmark, IBM Zurich Research Lab, Denmark's largest (nationwide) energy company DONG Energy, the regional energy company Oestkraft, the Technical University of Denmark, Siemens, Eurisco and the Danish Energy Association. Because of the environmental benefits of electric vehicle technology, the research will be partly funded by the Danish government.
At the Technical University of Denmark, north of Copenhagen, a large-scale computing system will be established based on WebSphere, SOA technology and IBM blade servers. The idea is to use it to build advanced simulation and calculation models that determine the optimum time to charge electric car batteries, given the surplus from wind turbine generators. Denmark is one of the foremost countries in the world when it comes to deployment, production and development of wind turbines (see the Vestas homepage).

This is perfectly in line with the Danish government's drive towards a consensus at the upcoming climate summit in Copenhagen later this year, and it also matches IBM's declared strategy of supporting green technologies worldwide. The green agenda at IBM was in fact one of the most solid outcomes of a worldwide so-called Jam that IBM conducted with its 350,000 employees and more than 400 private and public business partners and customers in October 2008. The results are now being launched as recommendations, programs and new investment areas under the Smarter Planet initiative, including the green agenda. Read about the IBM Smarter Planet drive.

Sam Palmisano already met with Obama and his staff (click the link to see the video) during the transition period to advise on how technology could help save energy, and how this could be matched with Obama's vision of a turnaround scheme for the US economy that creates new jobs.

IBM is currently running more than 20 major innovative energy-related projects around the world; the first one announced was in the island state of Malta, home of the Knights of Malta.
Here IBM won a contract to supply the small country's energy system with more than 250,000 intelligent meters, with the intention of optimizing the use of electricity, balancing pricing against consumption and helping consumers time their heavy use of energy.

Many more projects are bound to come up, also aiming at the energy consumption of the IT business itself. With energy consumption projected to grow 10-30% per year, even the current IT share of around 2% of the world's energy consumption will soon be very visible.
The green datacenter is bound to be a focus item for any large organisation.

Sunday, 15 February 2009

Cyberwarfare – Is the IT-infrastructure protected?

Already during his election campaign Barack Obama stressed the need to improve the protection of the US against cyber warfare and to set up an organisation to raise the level of protection.

As cited by Wired in July 2008, he said:

“As President, I'll make cyber security the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me.”

Once the election was over, Obama and Biden declared on the transition website of the President-elect what the policy would be once they took office. The key areas of an increased effort would be (of course) to defeat terrorism worldwide, to prevent nuclear terrorism, to strengthen American bio-security and to protect information networks.

At the same level stand the importance of improving intelligence capacity while at the same time protecting civil liberties (a different recipe than George Bush's!), the objective of protecting American citizens from terrorist attacks and natural disasters, and the aims of protecting American infrastructure and modernizing the aging American infrastructure.

Particularly the policy to Protect Our Information Networks seems to be a new approach, as the new President is knowledgeable and capable of understanding what cyber warfare could really do to a modern society, where most of the infrastructure, from communication networks and media to trains and airplanes, power stations, sewers and drinking water, is controlled by IT systems that may be the target of cyber attacks.

As also stated on the Frontpage in January 2009, this policy was further defined by these focus areas:

Strengthen Federal Leadership on Cyber Security:
Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.

Initiate a Safe Computing R&D Effort and Harden our Nation’s Cyber Infrastructure:

Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.

Protect the IT Infrastructure That Keeps America’s Economy Safe:

Work with the private sector to establish tough new standards for cyber security and physical resilience.

Prevent Corporate Cyber-Espionage:

Work with industry to develop the systems necessary to protect our nation’s trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.

Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit:

Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.

Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age.

Where did Obama get these ideas from? Undoubtedly from having studied what took place in Estonia in 2007, where a protest by the Russian-speaking minority against moving a Soviet war memorial from the centre of Tallinn to the outskirts was followed by denial-of-service attacks that blocked a large part of the Estonian financial sector as well as most of the central and local government websites for weeks. This in turn led to NATO's profound interest in extending the alliance's defence lines to include cyber war, so that, according to Computerworld in May 2008, NATO was launching a centre to detect, prevent and protect member states against cyber attacks.

The official NATO statement can be found here.

But President Obama's very first task was to launch an in-depth analysis of the security threats against the US, due two months from now, according to The Register:

“This 60-day interagency review will develop a strategic framework to ensure that U.S. Government cybersecurity initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector.”

The importance of the coordination with the private sector is that the threat is not seen as directed only towards public net services, and the analysis will be a 360-degree review. It is also clearly stated that privacy laws and regulations and respect for personal integrity have to be maintained in parallel with an increased level of security against cyber attacks.

The German Bundeswehr is also building up capacity, with a national centre of 76 highly skilled specialists to monitor, predict and prevent cyber warfare. The article in Der Spiegel of February 7, 2009 states that the reason is an increased number of cyber attacks against German ministries and public websites.

Other very recent examples of cyber warfare were the cyber attacks on Israel following the attack on Gaza, and even in the former Soviet republic of Kyrgyzstan the government felt the anger of the hackers (presumably either from inside Russia or, worst case, perhaps endorsed by Russia), who tried to take down the feeble Kyrgyz network before the government would agree to the US wish to keep an airbase in the country. As stated by Computerworld UK:

“Since 18 January, the two biggest Internet service providers (ISPs) in Kyrgyzstan have been under a "massive, sustained distributed denial-of-service attack," said Don Jackson, the director of threat intelligence for SecureWorks.”

The attack followed almost the same pattern as the cyber attack against Georgia during its conflict with Russia in 2008. It seems the hackers are getting their act together, based on a lot of practice by now!

The Danish super-blogger Dorte Toft noted that when 8,000 Danish net bank users were locked out of their net bank because they had been infected by the so-called Downadup (Conficker) worm, this clearly illustrated the vulnerability of the Danish IT infrastructure. As the worm was reported to be of Russian origin, we may be looking at the same family of super hackers as in the other recent cases.

In a later blog post dated February 8, 2009, Dorte Toft notes that Denmark clearly lacks a central organisation to supervise and protect us against massive cyber attacks, and that the way the financial sector handled the case of the 8,000 infected PCs is a clear sign of a misguided, restrictive communication policy towards the general public.

In fact this is not the first time attention has been drawn to the need for a more coordinated defence against cyber attacks in Denmark. In May 2004 the Danish Board of Technology published a report on a project called ‘How vulnerable is the Danish IT infrastructure?’. This report concluded that the threat is real, that it is increasing and that it has to be met with a ‘total defence’ view led by a coordinating organisation. A number of other practical suggestions were proposed, but only a few of them seem to have been followed. So it seems that Dorte Toft is absolutely right in her conclusion, and it is about time the warnings from 2004 were heard and followed. It is not enough to rely on a NATO centre; we need a coordinating, practical body with a sufficient level of expertise and the legal power to coordinate sector organisations like Finansrådet (the Danish Bankers’ Association), but also the telecom sector, the energy sector, the transport sector and of course Danish industry, including the IT industry.

It is not a moment too early for the government and the heavy ministries (Ministry of Defence, Ministry of Justice), together with the Ministry of Technology, to start doing something. They have clear advice not only from Teknologirådet (the Danish Board of Technology) but also from the IT industry association ITEK and the Danish Industry Security Committee. And from Dorte Toft as well.

Tuesday, 3 February 2009

User Centric Identity Management

During 2009 the new Danish digital signature will be rolled out; even before it is available, critics have stated that it seems complicated to install and to use. Usage requires a one-time code to be entered, and there is no single recommended or secure external medium to ensure mobility.

However, the major advantage of the new digital signature is that it is a cross-sector solution supported by the public sector and by the financial sector. But, as I have stated earlier, its usability in my eyes is limited because it does not give citizens any new kind of identity card.

The requirements for an electronic identity are increasing, not least because of the explosion in the take-up of social networks by NGOs, companies, media, private citizens and now more and more by the public sector. These networks hold some part of the individual's profile and rightfully need to be protected, but maybe not with the full power of a qualified digital certificate.

In some countries the public sector has ambitions to set up a ‘one-stop shopping’ portal for access to all public services. In the US the primary purpose is to ensure and control who is allowed inside; in a number of European countries the aim is to increase the use of online services with a minimum of user inconvenience by setting up a centrally managed authorization and control system, i.e. single sign-on.

But why should everybody need to use a strong certificate for accessing everyday information or standard services, where only citizenship, maybe age, sometimes the postal code, is of importance?

It was interesting to note that the German law on digital identities offers a user-centric way of controlling how much PII (Personally Identifiable Information) each citizen wants to reveal.

So my suggestion is that a web 2.0 enabled world will require user-centric identity management, not a centralized, monolithic control mechanism. Yes, access to personalized health information requires really strong identification. But does participation in a chat room about local city planning? Hardly.

IBM’s Zurich laboratory has been one of the driving forces in a consortium of 20 scientific institutions and private companies called PRIME (Privacy and Identity Management for Europe):

“PRIME aimed to develop a working prototype of a privacy-enhancing Identity Management System. To foster market adoption, novel solutions for managing identities had been demonstrated in challenging real-world scenarios, e.g., from Internet Communication, Airline Passenger Processes, Location-Based Services and Collaborative e-Learning.”

As such the project was extremely successful, and in 2008 it received an award from the IAPP (International Association of Privacy Professionals) for its novel approach to user-centric identity management.

From the PRIME Homepage:

“The success of PRIME is evidenced by the number of offspring projects, including “PrimeLife”, PICOS and PrivacyOS—bringing privacy high up on the European research agenda. “PrimeLife”, also coordinated by IBM’s Zurich Research Lab, is the direct successor project of PRIME and aims at empowering users to manage and control their personal data and privacy throughout their entire lifetimes, whenever they participate in Web 2.0 technologies, such as social networks or virtual communities, which raise substantial new privacy challenges.”

IBM Zurich’s major contribution to the project is the solution called Idemix, somewhat misleadingly described as ‘anonymous authentication’. The main author of Idemix, Jan Camenisch of IBM Research in Zurich, describes in his presentation the idea of letting the user control how much PII to reveal: the user holds one secret (private) key but can derive multiple public keys, or pseudonyms, from it and present each one with a different level of PII. In fact, the term pseudonymity would have been more appropriate.
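To make the idea of one secret, many pseudonyms and revealing only what a transaction needs concrete, here is a small Python sketch written for this post. It is an added example and not Idemix or any IBM code: Idemix builds on Camenisch-Lysyanskaya signatures and zero-knowledge proofs, whereas this sketch stands in an HMAC under a demo issuer key (assumed to be shared with the verifier) for the issuer's signature, and salted SHA-256 commitments for the hiding of attributes. The attribute names, the issuer key and the user secret are constructed for the example.

```python
"""Selective disclosure from one user secret.

Added illustration written for this post; it is NOT Idemix and not IBM code.
Real Idemix uses Camenisch-Lysyanskaya signatures and zero-knowledge proofs.
Two stand-ins are used here and labelled as such:
  * the issuer's signature is an HMAC under ISSUER_KEY, which the verifier
    is assumed to share (a public-key signature would replace it);
  * attribute hiding uses salted SHA-256 commitments, so a verifier sees
    only the attributes the user chooses to open.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple

# Assumption: demo-only key shared by issuer and verifier.
ISSUER_KEY = b"demo-issuer-key-not-for-production"


def _commit(salt: str, name: str, value: object) -> str:
    """Salted commitment to one attribute; the salt makes it unguessable."""
    data = json.dumps([salt, name, value], sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()


def _issuer_tag(commitments: Dict[str, str]) -> str:
    """Issuer binds the whole commitment list; stands in for a signature."""
    payload = json.dumps(commitments, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue(attributes: Dict[str, object]) -> dict:
    """Issuer side: commit to every attribute separately and tag the list.
    Derived predicates such as over_18 are issued as attributes of their
    own, so the user can later show them without opening the birth year."""
    salts = {name: secrets.token_hex(16) for name in attributes}
    commitments = {name: _commit(salts[name], name, value)
                   for name, value in attributes.items()}
    return {"attributes": dict(attributes), "salts": salts,
            "commitments": commitments, "tag": _issuer_tag(commitments)}


def pseudonym(user_secret: bytes, relying_party: str) -> str:
    """One secret, a different stable identifier per relying party;
    the identifiers cannot be linked back to each other."""
    return hmac.new(user_secret, relying_party.encode(),
                    hashlib.sha256).hexdigest()[:32]


def present(credential: dict, user_secret: bytes, relying_party: str,
            reveal: Set[str]) -> dict:
    """User side: hand over the tagged commitment list but open only the
    chosen attributes (value plus salt)."""
    disclosed: Dict[str, Tuple[object, str]] = {
        name: (credential["attributes"][name], credential["salts"][name])
        for name in reveal}
    return {"pseudonym": pseudonym(user_secret, relying_party),
            "commitments": credential["commitments"],
            "tag": credential["tag"],
            "disclosed": disclosed}


def verify(presentation: dict) -> Optional[Dict[str, object]]:
    """Relying-party side: check the issuer tag, then check that each opened
    attribute matches its commitment. Returns the accepted attributes, or
    None if anything fails (so a caller cannot use partially verified data)."""
    if not hmac.compare_digest(_issuer_tag(presentation["commitments"]),
                               presentation["tag"]):
        return None
    accepted: Dict[str, object] = {}
    for name, (value, salt) in presentation["disclosed"].items():
        expected = presentation["commitments"].get(name)
        if expected is None or _commit(salt, name, value) != expected:
            return None
        accepted[name] = value
    return accepted


if __name__ == "__main__":
    # Constructed sample data: one credential, two relying parties.
    cred = issue({"citizenship": "DK", "birth_year": 1970, "over_18": True,
                  "postal_code": "2800", "cpr": "000000-0000"})
    secret = b"user-master-secret"
    forum = present(cred, secret, "city-planning-forum", {"citizenship"})
    shop = present(cred, secret, "web-shop", {"over_18", "postal_code"})
    print(verify(forum))                            # {'citizenship': 'DK'}
    print(verify(shop))                             # over_18 and postal_code only
    print(forum["pseudonym"] != shop["pseudonym"])  # True
```

Note what the toy does not give you: the commitment list is identical in every presentation, so two relying parties that compare notes can link the forum visit to the web-shop visit despite the different pseudonyms. Idemix avoids exactly that by proving possession of the credential in zero knowledge instead of handing it over, which is why the real scheme needs heavier cryptography.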

User-centric identity systems (sometimes referred to as Identity 2.0) are an attempt to put control back into the user's hands. In this way a user gains control over what information about them is disclosed to which sites and for what purpose. One of the other benefits of user-centric identity systems is that they can be loosely coupled relationships: the relying party does not necessarily need a pre-existing trust relationship with the identity provider (be it a managed identity provider or self-issued). This arrangement allows for a non-password-based account bootstrapping process, which is easier for both users and relying parties.

Currently there are three standards available that support this type of user-centric identity management (all also supported by IBM’s Tivoli Federated Identity Manager):

Microsoft Windows CardSpace

Identity Selector (Eclipse Higgins project), the one used by Idemix

OpenID

If you look carefully at these three solutions, it seems that the Eclipse-based solution holds the best potential for a multi-level, open, future-oriented standard. OpenID is a practical ID solution, but does not offer the granularity and the control over the level of identity revealed that characterise Idemix and the Eclipse solution.

A further reason for saying this is that the Eclipse solution can be combined with XACML (the OASIS eXtensible Access Control Markup Language), an XML-based standard for expressing access control and privacy policies outside the application, so that such policies can be enforced for existing applications with little change to the applications themselves.

This is typically a problem when you have large, complex database transaction systems, such as health service solutions. Patients’ data are protected (under HIPAA or similar compliance regulations) and must not be revealed unless consent has been obtained. This can be combined with a multi-level user-centric identity management model, so that a patient (identified at the highest level of assurance) can give consent stating that ‘any doctor’ is allowed access, or even make access granular, so that basic health information can be revealed to any person employed in the health sector.
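The health-record case above can be written down as a small policy decision point. The following Python is an added example written for this post, not XACML, PRIME or any product's code; it keeps the XACML structure (subject and resource attributes in a request, rules returning Permit, Deny or NotApplicable, a deny-overrides combining algorithm and default deny) in plain code so the consent logic can be read and tested. The role names, the three assurance levels and the consent fields are assumptions for the example.

```python
"""Attribute-based decisions for patient data, combining the requester's
identity assurance level with the patient's consent.

Added illustration written for this post; not XACML, PRIME or any product's
code. Rules return Permit, Deny or NotApplicable and are combined with
deny-overrides; anything no rule covers is denied. Role names, assurance
levels and consent fields are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

# Assumed assurance levels: 1 = password, 2 = one-time code, 3 = qualified certificate.
HEALTH_SECTOR_ROLES = {"doctor", "nurse", "pharmacist"}


@dataclass(frozen=True)
class Request:
    subject_id: str
    subject_role: str      # e.g. "doctor", "nurse", "billing_clerk"
    subject_loa: int       # assurance level the requester authenticated at
    resource_type: str     # "basic_health_info" or "full_record"
    patient_id: str


@dataclass(frozen=True)
class Consent:
    patient_id: str
    given_at_loa: int                  # level the patient used when consenting
    full_record_roles: frozenset       # roles allowed to read the full record
    basic_info_to_health_sector: bool  # may any health-sector employee see basics?


Rule = Callable[[Request, Optional[Consent]], str]


def consent_exists(req: Request, consent: Optional[Consent]) -> str:
    """No consent on file: nothing may be released."""
    return DENY if consent is None else NA


def consent_was_strong(req: Request, consent: Optional[Consent]) -> str:
    """Consent for health data only counts if the patient gave it at level 3."""
    return DENY if consent is not None and consent.given_at_loa < 3 else NA


def requester_strong_enough(req: Request, consent: Optional[Consent]) -> str:
    """Anyone reading health data must be authenticated at level 2 or higher."""
    return DENY if req.subject_loa < 2 else NA


def full_record(req: Request, consent: Optional[Consent]) -> str:
    """'Any doctor' style consent: permit the roles the patient listed."""
    if req.resource_type != "full_record" or consent is None:
        return NA
    return PERMIT if req.subject_role in consent.full_record_roles else DENY


def basic_info(req: Request, consent: Optional[Consent]) -> str:
    """Granular consent: basic information to any health-sector employee."""
    if req.resource_type != "basic_health_info" or consent is None:
        return NA
    if consent.basic_info_to_health_sector and req.subject_role in HEALTH_SECTOR_ROLES:
        return PERMIT
    return DENY


POLICY: List[Tuple[str, Rule]] = [
    ("consent-exists", consent_exists),
    ("consent-was-strong", consent_was_strong),
    ("requester-strong-enough", requester_strong_enough),
    ("full-record", full_record),
    ("basic-info", basic_info),
]


def decide(req: Request, consents: Dict[str, Consent],
           policy: List[Tuple[str, Rule]] = POLICY) -> Tuple[str, str]:
    """Policy decision point with deny-overrides: the first Deny wins, a
    Permit is remembered, and a request no rule covers is denied (default
    deny). Returns (decision, name of the deciding rule) for audit logs."""
    consent = consents.get(req.patient_id)
    permit_by = None
    for name, rule in policy:
        result = rule(req, consent)
        if result == DENY:
            return DENY, name
        if result == PERMIT and permit_by is None:
            permit_by = name
    return (PERMIT, permit_by) if permit_by else (DENY, "default-deny")


if __name__ == "__main__":
    # Constructed sample consent: a patient identified with a qualified
    # certificate allows any doctor the full record and the health sector the basics.
    consents = {"patient-1": Consent("patient-1", 3, frozenset({"doctor"}), True)}
    print(decide(Request("dr-a", "doctor", 3, "full_record", "patient-1"), consents))
    print(decide(Request("nurse-b", "nurse", 2, "full_record", "patient-1"), consents))
    print(decide(Request("clerk-c", "billing_clerk", 3, "basic_health_info", "patient-1"), consents))
```

Two choices carry the security weight here: consent given with a weak login is not honoured for health data (the consent-was-strong rule), and a request that no rule covers is denied rather than permitted, so adding a new resource type cannot silently open the record.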

This example illustrates that the whole idea of user-centric ID management is first and foremost to help citizens obtain control of their own data, and to make that control a practical and easy tool.

In Europe the Commission has begun preparing to renew and redesign the Data Protection Directive of 1995 (Directive 95/46/EC), which many now consider outdated. It is highly likely that a revision will further strengthen the need for user centricity, ownership and control over personal data.