Cybersecurity and Technology Industry Reformation
These points are for discussion. We seek to marshal needed resources and the will to reform our technology industry and strategically address our unending and escalating cybersecurity catastrophe.
Our security, privacy and liberty are under attack both from within and without.
Kevin O’Neil, CISSP
CYVA Research Corporation
1) It is essential to understand that the unending and escalating cybersecurity catastrophe we are experiencing is entirely manmade.
2) There has been a war raging for years over who owns and controls personal information and we are the losers. By design, our personal information is weak, vulnerable, easy prey.
3) Core to our manmade cybersecurity catastrophe is the fact that primitive data types (data objects) were never designed to be secure, to be self-protecting, self-governing.
Common primitive data types include:
integers (62, 1000, -37)
booleans ('true' 'false')
characters ('x' '$' '2')
floating-point numbers (21.003, -500.89)
alphanumeric strings (‘today is Friday’).
Primitive data types (data objects) and file formats such as JSON and XML files, these basic, atomic building blocks of information systems cannot protect or govern themselves. This is by design.
4) Our industry is stuck in and perpetuates a primitive/dumb data paradigm. We are blinded and constrained by this idea of protecting an object that was never designed to protect itself, that was never designed to govern itself.
5) Perpetuating primitive/dumb data is essential to the status quo and a business model and strategy of maximum control and exploitation of personal information by crony big business (greed and power-driven) and corrupt big government (power-driven).
6) For approximately 85 years automobile safety belts were not standard equipment. Ralph Nader claimed American automobiles were generally unsafe to operate. Unsafe at Any Speed: The Designed-In Dangers of the American Automobile became an "immediate bestseller but also prompted a vicious backlash from General Motors (GM) who attempted to discredit Nader". Our data has no safety belts. This is by design.
7) Information technology manufactures, as were the automobile manufactures of the past, should be required to build information technology with mandatory human-centric security, privacy and liberty protection and enforcement capabilities. These human-centric capabilities augment humans with the power to directly protect and control their personal information, their human digital person wherever they exist.
8) Our data has no capability to self-protect, to self-govern and certainly no capability for you and me to directly control our information. Examples of human-centric control include: lock at will, unlock at will, audit at will, erase forever at will, author and change our governing security, privacy and liberty policy (rules) at will, derive value (e.g., monetize) and/or benefit (e.g., discounts) as we determine.
We should be able to maintain and operate secure mobile anonymous, pseudonymous, and fully identified identities that we control wherever they exist.
9) Security Rule #1: Trust No One. Especially do not trust any individual or organization that does not respect and protect our human right to protect and control our personal information wherever it exists.
Data can be used for us (good) and against us (evil).
And right now, we have essentially no ability to prevent or even know evil people are planning (making secret list of people to be executed) to or going to use our personal information against us. Our information is by design, weak, vulnerable, easy prey.
10) Data protect officers (DPO), chief information security officers (CISO), chief privacy officers (CPO), security and privacy managers are ethically responsible to assure humans whose personal information is under their organization's administration have the capability to directly protect and control their personal information wherever it exists within the organization (data controller) and its data processor(s).
A person's chosen custodian must be able to enforce the primary data subject's right to protect and control their human digital person, their personal information wherever it exits.
If these security and privacy officers and managers fail to perform and/or circumvent this responsibility they are to be tried and if found guilty punished.
If, however, they duly inform the CEO, Chairman or board citing explicitly the necessity of a human-centric security, privacy and liberty capability they can avoid prosecution.
Punishment should be equivalent to punishments due those who violate slavery, human trafficking and kidnapping laws.
Punishment should include having their professional certifications (CIPP, CISSP, CISM,…) publicly revoked.
11) Privacy, informational self-determination is not an absolute right. Namely it is not true that humans should control their personal information in all situations. There are limits to the human right of informational self-determination, the right of humans to protect and control their personal information.
There are circumstances where it is necessary to override an individual’s right of informational self-determination.
Example: criminal trials are public and conviction records are available to the public. Once due process has been properly exercised a convicted person’s record is made available to the public.
In 1983, in response to a controversial national census, the German Federal Constitutional Court issued a decision that established Germany’s current legal concept of privacy. The doctrine of “Informationelle Selbstbestimmung” (informational self-determination) states:
This Fundamental Right insofar authorizes each individual to determine on the circulation and the use of his own personal data. A limitation of this Right on ‘Informational Self-Determination’ will only be allowed in the case of prevalent public interest.
Accordingly, "the protection of the individual against unrestricted inquiry, storage, use, and circulation of his personal data” is a constitutionally derived and fundamental human right in German law.
It is important to note the seriousness of protecting this Fundamental Right in the context of German history. These German judges in 1983 were most likely not academics in regard to what it meant to live in a totalitarian state. They knew of and could easily conceive of the dire use of personal information to murder millions and exercise totalitarian power. Present day computers and networks could be used to amplify this horror.
It will be important to specify limits on the right of informational self-determination, providing a context wherein people and authorities can decide what the limits are and in what specific cases.
Fighting cybercrime, cyber terrorism, cyberbullying will require identifying perpetrators and making their identities known to individuals and communities in serving a prevalent, overriding public interest, justice, due process and lawful retaliation (lex talionis).
12) Encrypting primitive data is not enough as the explosion in Ransomware has demonstrated: encryption being used against us.
Encrypted message:
0DD8CC1D95853D9F6CF9149810EE100C267881337E66199682B8BB19A410D87ECA3AE298F64B62AD7C3457FF3C1E10A9
If you encrypt a data file, share that encrypted file and later provide the recipient the decryption key, do you have any control over the decrypted file?
No. You have zero control.
Plain Text: "Meet me at location jubilee at 1300 hours."
The recipient can do whatever they want (operations: read, update, send) with the decrypted data.
We need to go beyond encryption as its purpose is to hide/distort the meaning of, scramble data, not Control the Operations performed on the data.
13) CYVA Research has designed a new class of human-centric, self-protecting, self-governing mobile information objects, a Self-Determining Digital Persona™ that enforces security, privacy and liberty. The SDDP (HW/SW) is the basis for a Personal Information Agent (PIA) and other types of human-controlled identity and information asset management agents. The PIA augments humans, amplifying our capabilities for security, privacy and liberty.
These technologies are being built in accordance with our guiding architecture principles: Human Digital Dignity™, Human Digital Integrity™, Human Digital Liberty™.
14) We all should respect Human Digital Dignity. We have a human digital existence. Our data is our image, our likeness and is by nature valuable as all human life is valuable. God has given all human beings dignity, personhood, rights and responsibilities. It is natural and appropriate that this dignity be recognized in our human digital person, our existence as human digital beings.
15) Human Digital Integrity™: never separate a person’s data from their policies, their security, privacy and liberty rules and choices and the capability to enforce them.
Today we artificially separate policy from data. Our design, our architectural principle is to never separate a person’s rules, their security and privacy choices from their data; a person’s rules, their policy travels with their data.
To separate a person’s security, privacy and liberty rules from their data violates their human digital integrity. It is a harmful act to violate a human’s bodily integrity, namely severing a limb or stabbing a person’s body. Likewise it is dangerous and harmful as it denies a person’s ability to protect self, to exercise liberty in the physical, psychological, economic and political spheres of life.
16) Human Digital Liberty™ is the right of people to protect and control their personal information wherever it exists, to be secure in their human digital existence and free to derive value and/or benefit from the trustworthy use of their digital identity and information assets in accordance to their terms and conditions.
17) Human Digital Trafficking, the Data Slave Trade and the Anti-Liberty Police State are grounded in the dehumanizing greed and lust for power of both crony big business and corrupt big government. Our personal information is weak, vulnerable, easy prey. This is by design.
18) Our technology industry is in a state of pervasive willful negligence as it relates to cybersecurity, privacy and protection of human digital liberty. Corruption and greed driven self-interest undergird the intentional weak, vulnerable, easy prey state of our information and information systems.
19) We need a unified approach to privacy and human digital liberty. Our present U.S. laws and regulations are a mind-numbing confusion of ad hoc sectorial laws and regulations. A universal ethic should be recognized, and both clearly and unambiguously expressed in our constitution and our technological implementations, the hardware and software of our human digital person.
A person’s security, privacy and human digital liberty laws, their rules and explicit policy choices should be embedded with, assigned to their personal information and fully and freely operative, able to execute in an assured trusted execution environment, fully protecting the individuals rights and responsibilities (respecting others rights) at all times and places.
20) These are self-evident truths: human trafficking is evil, human digital trafficking is evil. Both are rooted in dehumanizing greed. “For the love of money is a root of all kinds of evil.” 1 Timothy 6:10
21) Evil protects and promotes evil.
Human Digital Trafficking and the Anti-Liberty Police State are evil: dehumanization, subjugation, slavery, exploitation and tyranny.
Individuals who protect and promote the Data Slave Trade and the Anti-Liberty Police State are evil.
22) Why is it that we as individuals are not allowed to directly and authoritatively protect and control our personal information? We are deliberately and systematically denied this right, this power necessary to security, privacy and liberty.
This imbalance of power must be corrected, reversed, inverted.
We are the people. We are the government. We should return to a government created by and for the people. We must, in our high principle-centric, human-centric controlled government recognize the necessity to respect and protect the sanctity, security, privacy and liberty of our human digital existence.
High-principle refers to: “We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the Pursuit of Happiness.”
23) Our enemies, cyber terrorist and criminals do not fear us.
This is demonstrated by the unending data breaches, stolen intellectual property, and escalating attacks on our infrastructure.
This is largely due to the fact our government has failed to aggressively prosecute our enemies.
Governing authorities have a solemn responsibility to protect the innocent and punish the wicked.
Too often our governing authorities are given to preserving their power – not serving the people, but themselves.
Yes, their primary interest is self-interest. They are addicted to power and privilege and seek to continually expand their powers and their outlandish and irresponsible spending budgets.
Just think if they, the terrorists were driven out of business, captured or killed or God help them mercifully and miraculously transformed at their core.
Example: Taysir Abu Saada was once a PLO sniper known as “The Butcher,” and a personal chauffer for the late Yasser Arafat. But then his life was transformed by a new-found faith in Jesus.
Saada was a committed enemy of Israel, now he is a friend of Jews and a peacemaker.
24) Government has inconsistently prosecuted our cyber enemies, given a pass to cyber terrorist and criminals making excuses for not aggressively prosecuting them wherever they exist.
25) Government should support private companies in aggressively protecting themselves contracting with professionals who can get the job done, less time, less money. International cyber bounties and bounty hunters should be encouraged.
26) A favorite excuse is we cannot prosecute these people without positive attribution. If we do not know who these cyber terrorist and criminals are, that is a monumental intelligence failure.
Again, I don’t see accountability, I don’t see positive results, but more and more breaches and successful attacks.
What I do see is more self-interested deep state actors doing what they do best: keeping their jobs while not doing their jobs. Arrogant as usual, covering their butts with lies and deceitful ploys to take attention off their failures and criminal conduct.
27) The designed in danger of data repurposing is a threat to all of us. Data by design is weak, vulnerable, easy prey and can be repurposed without the knowledge or consent of us all. Data collected for one purpose is easily repurposed, again the data is purposely unable to protect or govern itself.
28) Human Digital Integrity principle:
My governing data access and processing rules should be bound to, tied to, inseparable from my data. Never separate a person’s security, privacy and liberty rules from their data.
29) Liberty equation. Security + Privacy = Liberty.
30) Anti-Liberty equation. Security - Privacy = - Liberty [anti-liberty police state].
31) The right of privacy is the right of informational self-determination, the human right to control our personal information wherever it exists.
32) Monopolistic technology companies have too much power, as they have too much information about all of us and can secretly manipulate news and information to fit their ideological agenda. Recent documented anti-free speech behavior and purposeful censoring of ideas these firms do not like is a clear and present danger to our security, privacy and liberty.
33) Google’s Dragonfly technology is one example of an effort to maintain tyrannical power and persecute people who have the wrong beliefs and ideals according to ruling Chinese communist. The suppression of truth, the suppression of speech is on its face evil.
34) The out-of-control surveillance is another clear and present danger to our security, privacy and liberty.
35) Millions of people today, like the black African woman of the Transatlantic Slave Trade (15th – 19th centuries) are de-humanized, declared property, subjugated for life.
We now exist as ethereal dark digital matter captured and chained (controlled) in a vast network of machines.
36) Like the Transatlantic Slave Trade (16th to the 19th century) our human digital person is violently captured (always-on-surveillance), chained (subjugated/controlled), branded (declared property) and put to work for life (involuntary servitude) generating billions for search, advertising, social media firms - the data slave traders and human digital traffickers.
The data slave industry is vast and powerful and owns far too many politicians who maintain this rigged-for-enslavement, rigged-for-tyranny world we call cyberspace.
37) People should take control of their human digital person, their personal information wherever it exists and abolish the data slave trade and the anti-liberty police state.
38) Presently it is far too easy to secretly manipulate primitive data, our personal information to harm, intimidate and coerce individuals and potentially vast populations.
We are all potential targets of terror. And the more information you have about a person the greater capacity for evil.
Historical example: Special Prosecution Book-Poland (German: Sonderfahndungsbuch Polen, Polish: Specjalna księga Polaków ściganych listem gończym).
The Gestapo ("Secret State Police") with help from some members of the German minority living in pre-war Poland identified more than 61,000 members of Polish elites: activists, intelligentsia, scholars, actors, former officers, and prominent others, who were to be interned or shot on the spot upon their identification following the invasion on September 1, 1939.
People in the Special Prosecution Book were either killed outright by Einsatzgruppen and Volksdeutscher Selbstschutz or sent to concentration camps to die.
39) Personal information should be under the direct, authoritative control of the individual wherever it exists.
40) Cause and Effect
There are both direct and indirect cause (contributory cause) and effect relations between an information process involving personal information and an intentional effect such as physical, psychological, economic and political harm to humans.
Cyberbullying is an example of cause and effect where a torrent of abusive online messages, communications via social media are used to directly harm a target. Slander, false accusations and calls to harass spread and are amplified by social network platforms and can be significantly harmful.
Slander on its face is Satanic, evil, a tool of the wicked.
Thou shalt not bear false witness against thy neighbor. Exodus 20:16.
Slander of Naboth, by Jezebel
Jezebel was guilty of murderous slander, having hired two scoundrels to falsely accuse Naboth. She and her husband Ahab were severely punished.
[1Ki 21:10 NIV] 10 But seat two scoundrels opposite him and have them bring charges that he has cursed both God and the king. Then take him out and stone him to death."
[2Ki 9:32-33 NIV] 32 He looked up at the window and called out, "Who is on my side? Who?" Two or three eunuchs looked down at him. 33 "Throw her down!" Jehu said. So, they threw her down, and some of her blood spattered the wall and the horses as they trampled her underfoot.
It is critical to call out slander and punish those responsible.
[Deu 19:19 NIV] 19 then do to the false witness as that witness intended to do to the other party. You must purge the evil from among you.
41) A Human Digital Liberty (HDL) Framework should be developed.
a) The Human Digital Liberty Framework (HDLF) Initiative (HDLFI) is a set of resources comprised of a Human Digital Liberty Reference Model, a Human Digital Liberty Architecture Framework, a Human Digital Liberty Reference Architecture, and a methodology for conceptualizing, analyzing, designing, engineering, integrating, testing, deploying, administrating, governing, operating and continuously improving Human Digital Liberty Systems.
b) HDL Reference Model: The collection of entities, their definitions, semantics, relationships, capabilities, functions, services, interactions, and resources defined and modeled for the Human Digital Liberty domain.
c) HDL Architecture Framework: Defines how to organize the structure and views associated with documenting and describing the components of Human Digital Liberty solutions. Provides a framework or toolbox in which HDL architectures are analyzed, defined, developed, utilized, and maintained.
d) HDL Reference Architecture: These are predefined Human Digital Liberty architectural patterns and supporting guiding architecture principles and axioms such as Human Digital Dignity, Human Digital Integrity, Human Digital Liberty, and supporting artifacts. The reference architecture provides a starter kit for those learning about, evaluating, and building HDL Systems and customizing these starter kit artifacts for more specialized or specific uses.
e) HDL Methodology: is a set of methods, rules, processes, tools, practices, guiding principles and axioms employed by HDL practitioners in the conception, analysis, design, development, continuous improvement of an HDL System and Architecture.
42) Security, privacy and liberty concepts need to be advanced individually and as related constructs that have cause and effect relationships and have the potential to support or undermine overriding ethical, cultural, political, spiritual, and economic objectives.
a) Abolish the Anti-Liberty Police State, abolish Human Digital Trafficking, the Data Slave Trade, maximize Human Digital Liberty, maximize the ability of humans to derive value and/or benefit from the trustworthy use of their personal information as they determine, protect and enforce Human Digital Integrity: never separate a person’s data from their governing rules, are examples of system and mission objectives.
b) In the domain of security, the confidentiality, integrity, availability (CIA) triad should be expanded especially as it pertains to Control, the operational control of information, the data objects wherever they exist.
c) A human’s direct, authoritative control over the use and processing of their personal information is essential to security, privacy and liberty.
d) As mentioned above an HDL Reference Architecture should contain design patterns that are somewhat like a DNA molecule.
“Deoxyribonucleic acid is a molecule composed of two chains that coil around each other to form a double helix carrying the genetic instructions used in the growth, development, functioning and reproduction of all known living organisms and many viruses.” Wikipedia
I like the idea of using analogous DNA like sequences (codes) to describe the design and architecture of a Human Digital Person, a Personal Information Agent.
CYVA Research has patented its Self-Determining Digital Persona, “Personal Information Security and Exchange Tool” invention which is an example of a system designed to put people in direct authoritative control of their human digital person, their digital identity and personal information wherever they exist.
CYVA’s re-engineering of primitive data as a self-protecting, self-governing mobile identity agent (HW/SW) is one effort to address security, privacy and liberty concerns and objectives.
Some example patterns or sequences: CIA HCC SPI2A SGI2A HD2 HDI HDL PIPD
CIA: Confidentiality, Integrity, Availability
HC2: Human-Centric Control: Human-centric control wherein a human has the capability to control their personal information and information assets wherever they exist. Informational self-determination. Privacy.
SPI2A: Self-Protecting Identity & Information Agent: Identity and information being re-engineered to be a self-protecting identity and information agent (HW/SW).
SGI2A: Self-Governing Identity & Information Agent: Identity and information being re-engineered to be a self-governing identity and information agent (HW/SW).
HD2: Human Digital Dignity
HDI: Human Digital Integrity
HDL: Human Digital Liberty: Information being re-engineered to amplify a human’s capability for security, privacy, and liberty. The freedom to derive value and/or benefit according to the person’s rules and conditions, to continuously control my human digital person wherever I exist. The ability to author and change my security, privacy and liberty rules at will.
PIPD: Personal Information and Policy Dictionary: Governance, administration and cross-domain, cross-culture, cross-community inventories of data element and policy element definitions, meaning, uses, values, relationships, synonyms, naming convention, traceability.
A policy manager capability should be able to support policy templates, actions – operations permitted (e.g., display, read, update, exchange, play, store, transform), identity agent based, group based, attribute based actions, metered time, date range, agent location, information license for value, information license for benefit, warning, audit, agent lockdown, erase forever, in-case-of-emergency, digital signature, encryption and information masking policy types.
43) Human-centric control includes the following capabilities.
a) Lock at will.
b) Erase forever at will.
c) Audit at will.
A forensic log of the who, what, where, when, how and why of personal information access and processing should be securely maintained and under the direct control of the data subject.
The log should detail the operations performed on the data such as display, create, read, update, delete, transfer, extract, transform, load, mine, analyze, compare and store.
The reason for the data operation such as “contract performance” should be included for every data operation on a single or group of data objects.
Audit log details should include authentication type such as two-factor and what standard(s) were employed. Example standards include FIDO2, FIDO UAF, FIDO U2F, W3C WebAuthn, CTAP.
d) Derive value and/or benefit according to the person’s terms and conditions.
e) Author and change a person’s security, privacy and liberty rules at will.
A human’s governing security, privacy and liberty rules are a type of personal information that are essential to human-centric control.
These rules need to be unambiguous, executable and enforceable wherever the personal information and rules exists.
It is essential that rule and data processing be performed in a trustworthy environment, examples include: ARM TrustZone Trusted Execution Environment (TEE), Apple Secure Enclave, Intel Trusted Execution Technology (TXT), Intel Software Guard Extensions (SGX).
44) Those who argue you must give up your privacy for security are not to be trusted. This is propaganda, a lie promoted by tyrants with evil intentions.
Remember, Security Rule #1: Trust No One. Especially do not trust any individual or organization that does not respect and protect our human right to protect and control our personal information wherever it exists.
Again, privacy is not an absolute right. There are circumstances where an individual’s adjudicated record as a convicted criminal (e.g., sex offender, rapist, murderer) is made available to the public, for public safety, for public protection.
Our American tradition and ethic regarding government is clear. We are a nation under God. Our rights come from God, not men, not false Gods or idols or supreme leaders created and promoted by man.
45) Love must be sincere, hate what is evil and cling to what is good.
Slavery and tyranny are evil in all their forms.
Liberty to do what is right, to protect the innocent and punish the wicked is the kind of liberty I advocate vs. the narcissistic self-love that seeks to do whatever I want, when I want.
46) We all have a duty, a solemn responsibility to protect the integrity of the chain of command across all spheres of life.
If someone violates that integrity (e.g., lying to superiors, hiding evidence of a crime, misusing their authority for personal gain, denying justice to people) we all have a duty to confront and if necessary remove that person, with all due care, all due diligence, in order to restore the integrity of the chain of command.
47) Presently, our U.S. government has failed to recognize and enforce the 13th Amendment, the prohibition of slavery and involuntary servitude in cyberspace, which is our present cyber reality.
The Thirteenth Amendment (Amendment XIII) to the United States Constitution abolished slavery and involuntary servitude, except as punishment for a crime.
It is an emerging self-evident truth, that search, social media and many tech industry players such as Google and Facebook are human digital traffickers, data slave traders and arrogantly promote an anti-liberty police state.
We have a human digital existence, we are human digital persons. They have declared us all sub-human, denying our human digital dignity, denying us human digital liberty.
Like the Transatlantic Slave Trade (16th to the 19th century) our human digital person is violently captured (always-on-surveillance), chained (subjugated/controlled), branded (declared property) and put to work for life (involuntary servitude) generating billions for search, advertising, social media firms - the data slave traders and human digital traffickers.
The data slave industry is vast and powerful and owns far too many politicians who maintain this rigged-for-enslavement, rigged-for-tyranny world we call cyberspace.
48) The only rights you have are those you fight for. Our human digital person by design must be able to self-protect, self-govern, to fight for human digital liberty wherever we exist.
49) Written laws and regulations are worthless without enforcement and the determination to require compliance. It is essential our laws, our personal rules for security, privacy and liberty be self-enforcing, built into our human digital being our human digital person (HW/SW).
50) Another aspect of the Data Slave Trade and crony big business is our modern-day pharaohs, these self-aggrandizing CEO billionaires who oversee a sea of unfairly underpaid and undervalued workers.
According to the Economic Policy Institute:
“CEO compensation surged in 2017. The 2017 CEO-to-worker compensation ratio of 312-to-1 was far greater than the 20-to-1 ratio in 1965 and more than five times greater than the 58-to-1 ratio in 1989…
Exorbitant CEO pay therefore means that the fruits of economic growth are not going to ordinary workers.
CEOs are getting more because of their power to set pay, not because they are more productive or have special talents or more education.”
This too needs reform.
51) There is only one person in the universe that possesses intrinsic authority, that is Holy Creator God. God has delegated authority to mankind (governing authority) for purpose of maintaining justice for all, protecting the innocent and punishing the wicked.
An illegitimate authority, an authority that does not serve that purpose and intent is no authority, it is illegitimate, a fraud and danger to us all.
Such illegitimate or counterfeit authority should be confronted and with all due care and duty removed peaceably. If peaceful and legitimate removal is not possible then let the full force (war) of duty bound men and women who seek to restore the integrity of the chain of command prevail.
We do not make absolute allegiances to men (e.g., Hitler, Stalin, Mao), but Holy God and for the sacrificial love of all mankind, our brothers and sisters. John 15: 13 Greater love has no one than this: to lay down one’s life for one’s friends.
https://cyva.com
https://humandigitalliberty.com
Last update December 15, 2018