Thoughts on Intel’s “Global Digital Infrastructure Policy” document

Welcome! Please comment and leave me a note telling me what you like and what you'd like to see more of. Sign up to my RSS Feed!

 

On July 16, 2010, Intel released a thought and policy document titled "Global Digital Infrastructure Policy".   In this document, Intel shared with the readers what it has been doing regarding driving elements of security into the global infrastructure (as they termed, GDI); what they are doing with regards to working with certain governmental organizations; and what they hope other entities – commercial or governmental, would agree to do in order to facilitate the stated vision.

In this entry, I put forth my thoughts on their ideas.   Some I criticize, but most I applaud, and I am glad that a company the stature of Intel has the excellent understanding to design such views into its own plan.   I am no kool-aide drinker, however, and one must remember that Intel, just like other organizations, has and will always put forth ideas that help them first and foremost.   This is a lens that must be acknowledged before any policy documents are understood and appreciated.

 

The GDI

Intel proposes a definition of global digital infrastructure as "GDI".   I have not met that definition before, but I do value the comparison of the GDI to the central nervous system in the human body.   In fact, those of us who favor "Terminator" movies, would liken it to 'Skynet'…, albeit a positive, benevolent one.   

As the GDI concept is integral to this entire paper, it is important to note that Intel is focusing on a global element, and not on any particular political subdivision.   This is the strength of this paper, but also its weakness:  to include information assets that may be in countries as diverse as the United States or North Korea may assume connectivity and the ability to 'synchronize' across those resources.  An ability that, alas, is less than realistic in today's world.

 

The Global Conundrum

The paper makes a very important statement, which bears repeating here: "As reliance by individual and businesses on the GDI increases, there is a corresponding increase in the value users place upon the security of the network and…data traversing the network".

While I agree that such is a desirable state, I disagree that users, far and large, see the situation as such.   It is true that Privacy, in particular, has seen a spike in importance in the US over the last few years.   What might not be correct is that all users, or even most, understand, the degree to which their information is accessible, by not-previously-authorized eyes and ears, on the network.    The laws, rules and regulation framework which all users rely on is simply not suited, in general, to the level of sophisticated threats which security professionals see day in and day out.  I do not disagree with Intel's intent, just with the reality of what I see in the marketplace.

Similarly, the call for a development of a global GDI Policy is seen by me as a desired, yet probably unattainable, call.  For example, as I discussed in my article "Time for a Cyber NonProliferation Treaty?"  the US has had years to cooperate with Russia or the EU regarding electronic crime policies.  Even those policies, which have a more direct and measurable results, have failed to be embraced worldwide.

 

A Tricky Subject

The paper continues by calling for "an end to import, export and use restrictions on cryptography for COTS and public research".   While such a call may sound liberating, it is a hopeless desire.   Imagine what could happen if commercial entities, some of which invested billions in development of cyphers, are free to export those to countries which may be at one time or another in a state of war with the origin country.   Two 'issues' would come to mind:   firstly, the job of Intelligence agencies would become much more difficult (think Nokia-Siemens in Iran in the service of the Iranian government) and second, those cypher methodologies may enhance the development of even more robust cypher for military use worldwide.   Consider al-qaida using US made high-level encryption – would YOU want to be responsible for the free export of such tools to Afghanistan?

 

Standards

In my past, I was responsible for standard adoption at Symantec.    Doing so enabled me to see, in a limited fashion, 'around corners', and understand better what would come down the pike next.   The paper's call for a global adoption of a framework or standard on security is applaud-worthy.  I would suggest to start with the ISO's adoption of the British Standards of ISO 27001 and 27002 (and 3, 4,5…) and only then consider jumping into the Common Criteria.   Common Criteria, which I discussed in my paper on "The Strategy to Secure the Federal CyberSpace", is an important element in certifying systems and processes.   But the world must learn to walk before it can compete in marathons, and CC might be just that.

 

Partnerships

I applaud the paper's call for deepening government and private sector partnerships, especially on cybersecurity research.  Again, in my "The Strategy to Secure the Federal CyberSpace", I called for such an effort, which is also now been made a priority for Howard Schmidt, the National Cyber Security Coordinator for the US.  This is an essential element:  industry would bring innovation and the government could bring intelligence and forewarning.

 

Geo-Politics

Intel's statement that "..a siloed, country-specific regulatory approach may…disrupt (the GDI)" is correct.   However, reality dictates, as Intel notes later in the paper, that we are not one 'species' only, but we have cultural, religious and other differences that suggest, nay, require, such regulatory differences.   I could give examples here, but they should be self understood by the reader.  We are simply too different, perhaps even more than 20%…

A bit later in the document the statement is made that "governments around the globe should apply..principles such as technology neutrality..".  I once more agree with the intent, but think that there are reasons such is not the case today.  Some countries protect their own manufacturers, others, such as Russia, require to see source code of every vendor coming into the country.   I am afraid the distance to make Intel's vision a reality is quite substantial.

 

The Triangle of Trust

In the 6th page of the document Intel introduces a concept which is new to me.   The Triangle of Trust itself is not, but as it is represented here, the sides are Industry, NGOs and Government:

Triangle of Trust

I applaud Intel once more for making the sharing and working together a clear one.   Not one of these sides alone can further our security.   We must share knowledge and responsibility more freely to assure our success.

 

 

Summary

All in all, a good paper.   I would have liked to see more suggestions on practically approaching the global synchronization.

 

So, share with me and other readers your thoughts of Intel's "Global Digital Infrastructure Policy" paper!

DeliciousStumbleUponDiggTwitterFacebookRedditLinkedIn

Proposed Changes to HIPAA / HITECH, Part I

On July 8, 2010, the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) issued its long awaited (and for some, dreaded) proposed changes to HIPAA.   While several of the changes are merely ‘procedural’, I find that there are significant changes to certain sections – with some loopholes closed.
I listed below these changes that are not merely procedural, and included my thoughts as to their meaning.   As always, I am available to consult – and repeat: “I am not an attorney”.
 

The changes

Subcontractors

  1. The first major change is to Subpart A—General Provisions, Section 160.103—Definitions.  OCR proposes a change whose purpose is to close the loopholes around the definitions of a ‘business associate’.   This is significant, because until now the assumption in some circles was that subcontractors were exempt for many HIPAA provisions.   Of course, that lead to some organizations creating their own ‘subcontractors’ for purposes of sheltering from the regulations.

 

Medical Error Finders

  1. Another change suggested is the inclusion of Patient Safety Organizations.  These organizations, from their very essence, must handle PHI and thus already should have been included.   OCR is requesting specific inclusion of these organizations, or, in their words: “to more clearly align the HIPAA and Patient Safety Rules.”

 

Data Brokers

  1.  The next change relates to the request to specifically include Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission; as well as Vendors of Personal Health Records.  Again, OCR notes that HITECH (Section 13408) includes these types, but is asking for specific, explicit, inclusion
     

I see dead people

  1. The next change requests a declaration that a person’s health records are no longer covered under the Acts if fifty (50) years or more have passed since his death.   That is an interesting change, and I wonder what prompted it.
     

What is a State?

 

  1. This change notes that the US Virgin Islands and American Samoa were left out (by error?) from the original bill and asking for the correction to include these territories.

Privacy

  1. With regard to Subpart C—Compliance and Investigations, Section 160.310—Responsibilities of covered entities, the proposed changes would have large PRIVACY impact.   Currently the HIPAA law only allows the secretary of HHS to disclose PHI under very limited guidelines.   Under the proposed change, to which I am adamantly opposed, the Secretary will now be allowed to share Personal HEALTH data with many other agencies (imagine the IRS knowing which hospital you are in and why).

More to come in the next blog entry.

You can find the proposed changes to HIPAA and HITECH also here (PDF)

 

DeliciousStumbleUponDiggTwitterFacebookRedditLinkedIn