My cybersecurity book - Philosophy of Cybersecurity
Philosophy of Cybersecurity by Lukasz Olejnik. Book about cybersecurity, risks, including cyberwar. Read More
The European Commission presented a proposal for a regulation introducing the digital currency euro. It is the so-called CBDC (central bank digital currency). Unfortunately, the content of this regulation is disturbing. Let's start with the fact that reconciling the very idea of "decentralization of payments" and Read More
This post about cybersecurity, cyberwarfare and international law is exploring the cross sections between technology, law, and policy. Previously I analysed some strategic documents of various States (e.g. 1, 2, 3, 4, 5, 6). So to speak: I know this landscape quite well. In 2023 the landscape is mature Read More
A Russian zero-day exploit purchase site is interested in tools for hacking of Electric Vehicle Charging Stations. This raises a number of questions. Why would anybody want to hack such targets? Also, why would Russian entities (in particular) be interested in such targets? The best answer to these is “good Read More
This is the year of cyberwarfare. Activities during the Russian war in Ukraine show it very clearly. But this post is about reports, cyber threat intelligence, and communication of this kind. Crucial at high-tension times, they should be crisp. We should expect a high level of quality and competence when composing Read More
As privacy engineering is getting more and more mature as a field, in some settings experts are creating a "privacy checklist" of things to have. It's useful in design, development, and deployment, but also in audits. Many useful things could be added to such a list. Of Read More
In 2019 I argued and explained that we are in the midst of a perfect storm that the privacy debate has caused. I predicted the impact on the web architecture, and the web platform. The thing that billions of people use every day, that is. These very basic building fabrics Read More
The European Union is regulating disinformation. Well, sort of. While the issue is indeed discussed in regulations such as the Digital Services Act, it seems that the “executive” arm is the Code on Disinformation, as of now strengthened. It builds on the previous 2018 version which I criticised here. The Read More
Some time ago I wrote about “how GDPR fines work” and are calculated, including what technical aspects may be considered during such a calculation; the article is here, and it is quite a case study. It’s still good and all, but this time, finally, EU data protection authorities agreed on Read More
Is the US building Stuxnet 2/3? Cyber tools that can act behind isolated (even air-gapped) networks to cause physical destruction, sometimes called “cyber weapons”, a generalised term, not exactly justified considering how such tools work (but in simplified cases, it is sometimes used). This was the functionality of Stuxnet Read More
A very dangerous cyber tool has been identified and analysed. It’s targeting industrial control systems - the hardware/software that is often running at industrial sites (like manufacturing, but also power grids, nuclear plants, and go figure). Based on these analyses, I make a big picture assessment. Created by Read More
Privacy and data protection assessment of the eID Regulation. This assessment is prepared in response to a request by the LIBE Secretariat in the name of the MEP Cristian Terhes (rapporteur of eID file; requested on 19.01.2022). The focus of this assessment is data protection and privacy. Although Read More
Can phishing precautions and training cause harm? It turns out this may be true in many cases. Phishing is the act of gaining a victim's confidence to convince them to engage in self-harming activities, for example leading to self-hacking their systems, parting with money, or data. Or of Read More
I already devoted some space to cyber insurance. Since then, the situation has evolved. Oh no, cyber insurance. Cyber insurers have a big problem: it is unclear how to “assess” the risk. Some events might be especially tricky. This means a lot of risk to the insurers. They are, for example, Read More
Europe is continuing its fight against mechanised political influence, propaganda, disinformation. Package restricting the use of targeted political ads is the new chapter. In this note, I critically analyse the proposals. This analysis will also help to understand what might lie ahead for non-political ads in the future. It’s Read More
France presented their military doctrine for information operations. They will be seriously active in this space. Let me recall that previously I looked at the:
* Highlights of the French cybersecurity strategy, developments in cyber - France - combattants cyber et l’arme cybernetique
* French application of international rules to cyberwarfare Read More
Should technology be based on some set of moral values? Actually, technology is always based on some set of values. There is no denying that, one way or another, technology is a vehicle for some kind of values. Whether these are capitalist, ordoliberal, digital Leninism, some form of digital sovereignty, Read More
Whether we want it or not, cyber operations by militaries are today’s reality. They are here to stay. But admittedly this fraction of statecraft is quite new. So it’s notable that the International Committee of the Red Cross just published its report (here) on military cyber operations. Previously Read More
Germany recently published ("Application of International Law in Cyberspace") their stance concerning the applicability of international law and rules to cybersecurity, cyberattacks, and cyberwarfare. The document is interesting and I briefly describe the important takeaways. Previously I had a look at a similar stance, for example, by the Read More
Artificial Intelligence and AI Governance are hot topics in this decade. The European Union has a pretty ambitious attempt to regulate AI (project here). In this post, I have a look at the proposal through the technical lens, including paying attention to cybersecurity and privacy. The goal of the regulation is Read More
After the success of the GDPR, Europe is doubling down on setting the standards in Artificial Intelligence. It should be clear to everyone, especially after a version of the “REGULATION ON A EUROPEAN APPROACH FOR ARTIFICIAL INTELLIGENCE” project leaked. While it contains interesting AI governance ideas, I will withhold further Read More
We often hear about cyberattacks, cyber operations, and malware infections that target computer systems or smartphones. Attacks against civilian infrastructure facilities such as hospitals, water sanitation systems, and the energy sector similarly get a lot of airtime. But there is another type of high stakes system that gets much less Read More
Russia just released an interesting strategic document concerning “information security” (in their nomenclature this includes cybersecurity and more) with a view to “determine the main threats to international information security”, it supposedly complements the doctrine of information security, and more. I'll go through a few points below. Unlike Read More
Is Privacy Sandbox’s Federated Learning of Cohorts leaking information about web browsing history? Let's find out. Federated Learning of Cohorts is computing a SimHash on a user's web browsing history (the lists of visited websites) to obtain the cohort ID. In principle, it is a Read More
Research work conducted in the previous two decades has borne fruit. At many organisations or companies, privacy has become elevated in importance. One of such potentially recent developments in the discussion around the changes to the web platform that could support the work of privacy-preserving digital advertising systems, the design of Read More