5G Operators, Suppliers and their Clients: Liability Management based on the Contract
Contracts are a valuable tool, provided they comply with public policy provisions. Within a context of complex relationships or in the presence of numerous actors, contracts become even more valuable as a tool for managing roles and responsibilities. Once the contractual scheme of roles is laid out, a matrix of assigned responsibility can be drafted between the stakeholders. This matrix will describe the various commitments of each party in the construction and operational phases of the project. A Service Level Agreement can also be entered into by the parties, if they choose to, which will impact their liability.
Sylvie Jonas is a lawyer at the Paris Bar. She specializes in Information Technology, Telecommunications and Cybercrime.
Sylvie began her career as a lawyer with Norton Rose Law Firm, then continued with Salans Law Firm before assisting in the creation of the Information Technology Department at EY Law (law firm). In 2003, Sylvie founded LEXVIA law firm, dedicated to Information Technology. She mainly advised companies, as well as regulated professions, in defining their policy of dematerialization of processes and exchanges. She also accompanied them in the development and negotiation of their contracts and in their digital transformations. She co-founded the law firm AGIL’IT in 2017, where she strengthens its telecommunications activity and advised MVNO’s (Mobile Virtual Network Operators) on regulatory and contractual aspects. She also developed the cybercrime activity in order to quickly and effectively assist her clients, victims of offences (such as, intrusion into information systems, identity theft and fraud, extortion, breach of trust, invasion of privacy, defamation, disclosure of trade secrets, data “theft”, breach of e-reputation and false websites).
Author of :
- « La Cybercriminalité en 11 fiches et plans d’actions » (Cybercrime in 11 factsheets and action plans) LGDJ Editions Lextenso
- « Digitalisation et contrôle des systèmes industriels cyber-physiques » (Digitalization and Controlling of Industrial Cyber Physic Systems), coordinated by O. Cardin, W. Derigent, D. Trentesaux – Chapter on Ethics and Liability. © ISTE Editions 2021
Lecturer, Courses on:
- « Specialized contractual practice – IT Contracts » Master 2 Applied Intellectual Property from the University of Paris XI (Sceaux), and
- « GDPR and digitalisation » DJCE (Corporate jurist diploma) from the University of Montpellier
- Dalloz formation (vocational training) – « Cybercrime: anticipate and react effectively » and « Cybercrime and data breaches »
A4Cloud: Accountability in the Cloud
This talk will review the main objectives and findings of the A4cloud project on accountability in the cloud. Accountability consists in defining governance to comply in a responsible manner with internal and external criteria, ensuring implementation of appropriate actions, explaining and justifying those actions and remedying any failure to act properly. We will describe the approach of A4Cloud, considering the three perspectives considered during the project: Technical, legal and governance. In order to tackle the different perspectives A4Cloud designed and developed a ser of tools that could be classified into Preventive, Detective and Corrective Tools.
Carmen Fernández-Gago is an Associate Professor at the University of Malaga (Spain). She got her PhD in Computer Science at the University of Liverpool (United Kingdom) in 2004, where she also worked as Postdoctoral Research Assistant. In 2006 she joined the University of Malaga as a member of the NICS (Network Information and Computer Security) lab. Her research activities are focused on the formal specification of security protocols, paying special attention to the area of trust and reputation management. She has published numerous research papers in this area. Also, she is a member of numerous Program Committees and has participated and participates nowadays in European and national research projects in the area of cybersecurity.
A Trust Based Recommendation System Using Self Organized Map for Service Selection
To improve efficiency of the existing applications and explore new opportunity for IoT and mobile time-sensitive applications, new paradigms related to the field of distributed and cloud computing have been developed, such as mobile cloud computing, fog computing and mobile edge computing. Fog and edge computing paradigms bring cloud services closer to end users directly at the edge of the network such as access points, base stations, cloudlets or even end users’ devices. With the distribution of IT services and the proliferation of service providers, it becomes important to select the services according to trust indicators. Considering that a user does not know the trust indicator of all services and that these indicators vary from one user context to another, a personalized trust indicators prediction is required for service selection. The selection that we used in this work relies on the similarity of the services as well as the similarity of the users. Hence, we propose a new trust-prediction model that uses the Self Organisation Map (SOM) to compute the similarity for users and services. The choice of SOM is motivated by the fact that it is an unsupervised machine learning technique that maps input data from a high-dimensional space onto an ordered two-dimensional one, while preserving the topological relations in the data space. SOM is combined with the collaborative-filtering technique that uses feedbacks to predict rates.
The aim of this presentation is to detail the approach that has been developed to design a trust recommendation system in IoT and mobile outsourced service ecosystem.
Note: This work has been conducted during the PhD thesis of Mr Youcef Ould Yahia with the collaboration of Mr Meziane Yacoub (associate-Professor at Cnam, France) and Mrs Hanifa Boucheneb (Professor at Ecole Polytechnique de Montréal, Canada).
Samia Bouzefrane is Professor at the Conservatoire National des Arts et Métiers (Cnam) of Paris. She received her PhD in Computer Science from the University of Poitiers (France) in 1998. After four years at the University of Le Havre (France), she joined in 2002 the CEDRIC Lab of Cnam. She is the co-author of several books (Operating Systems, Smart Cards, and Identity Management Systems). She is a lead expert in the French ministry. Her current research interests cover Security, Industrial Internet of Things, and Trusted Computing using AI. Webpage: https://samia.roc.cnam.fr
Trusted, Trustworthy and Accountable Digital Ecosystems
With any emerging technology, or combination of existing technologies, one tends to focus on the technology itself. However, the technology should not be the focal point as it in itself is not the solution. This also goes for connected, inter-connected or even hyper-connected digital ecosystems, cyber-physical or otherwise (‘Digital Ecosystems’), the promising functionalities, capabilities and benefits these can or otherwise promise to bring, enable, facilitate and augment.
The contribution by Arthur van der Wees, of Arthur’s Legal, Strategies & Systems, will present notions and guidance to make Digital Ecosystems work; not just function but also to have it prepared by design with embedded non-functional for when things may go wrong and other risks it may encounter or cause. All this for Digital Ecosystems to help making ‘it’ work, being addressing societal challenges, grasping related opportunities, achieving related objectives, and addressing.
This tiered approach provides value propositions that effectively address societal challenges, for which relevant Digital Ecosystem functionalities in symbiosis with risk-based non-functionalities can be designed, deployed and continuously improved. In this Digital Age this approach is aimed to result into valuable and feasible, human-centric, secure, safe, sustainable and otherwise trusted and trustworthy and otherwise accountable Digital Ecosystems. With that, the symbiotic, dynamic equation of both functional and non-functional is one of the main success factors for future-proof Digital Ecosystems and related value creation.
Arthur van der Wees is founder and managing director of Arthur’s Legal, Strategies & Systems, an international strategic law firm with a global reach. Arthur is attorney at law, standardization and policy expert, entrepreneur, strategist and frequent speaker worldwide and has in-depth experience and is well-connected in the world of digital, data, human-centric emerging technologies, autonomous (eco)systems, spectrum, accountability, dynamic assurance & digital sovereignty. He is founding member of the Alliance for IoT Innovation (AIOTI), where he is co-leading the Security in IoT Taskforce and Privacy in IoT Taskforce. He is (co-)author of various publications about innovation, digital transformation, data, IoT, AI, computing, spectrum, security and privacy and trust, and he has contributed to several EU and other regulations, standards and policy instruments for the Digital Age. Furthermore, he is advisory board member respectively partner in more than 15 European projects, including consortium partner of CONCORDIA (Strategies, Ethics, Policy & Rule of Law), and board member of several institutes including the Institute for Accountability the Digital Age.
Responsibilities and Certification in Cybersecurity Space
Cybersecurity has become a core aspect in many industrial decisions. It is no longer reserved for very specific security products such as smart cards and HSM. Infrastructures and OIV/OSE in vertical domains are now also concerned due to the increased connectivity, the explosion of the number of smart objects, and the growing appetite of cybercriminals.
This talk will introduce the “technical” tools we have to address cybersecurity issues (risk analysis, pen test, regulation, certification), the reason why the responsibility distribution is crucial to improve cybersecurity of products and systems. Examples will be given to illustrate the way responsibilities between stakeholders could be organized.
After a PhD in Formal methods from the University of Grenoble, managing R&D and security consulting teams at Bull (now ATOS), at Trusted Labs and Gemalto (now Thales), mainly on smart cards, Claire Loiseaux founded Internet of Trust in 2014 to address cybersecurity and certification topics for devices and for infrastructures.
In 20 years, Claire built a solid track record of successful certification projects and is the author of numerous protection profiles and security requirements. She has been working on system certification and 5G security related topics for 5 years with operators and 5G equipment suppliers. She is now investigating various discipline that can play a role in systems Cybersecurity including the distribution of the responsibilities.
5G Device Security Certification
The presentation is about how to generate trust in 5G infrastructures taking into account certain risks related to the supply chain and how certification supports liability & accountability of operators and manufacturers.
Challenge: Tackling the 5G security issue
The 5G technology will put forward soaring benefits, such as superior performance and speed, lower latency, and enhanced efficiency. But it will also entail risks with it. With an expected huge number of devices and imminent use of virtualization and the cloud, the 5G standard will give rise to more 5G security threats and a larger, multifaceted attack surface. To comprehend a healthy and strong communications future, the industry needs to preserve a laser focus on 5G security.
The Importance of 5G Security
From a modernization viewpoint, 5G is a flare of light, but from a cybersecurity viewpoint, 5G is a breeding ground for a new period of exaggerated cyberwar. Cybersecurity researchers will be greatly concerned over attacks on Denial-of-service or DDoS. Devices like light bulbs, thermometers, and even refrigerators will be able to come online because of 5G. Users will be able to check on these appliances remotely by accessing a simple app, but these devices can also be seized by malicious characters. Big name sites may be down for days due to this increased power and connectivity, city utility capabilities even may get affected. Government agencies and private entities are also susceptible to this threat and hence have plans in place in the event a DDoS attack occurs.
While end users can only wait and see what exactly happened with the rollout, industries across the board will wish for harnessing the benefits of 5G. However, organizations and consumers in a similar way need to be alert in terms of how 5G could be used to facilitate, or hinder, us in the future. Rest it is guaranteed that even if a malicious player makes use of this technology, the security approach will continue to maintain pace with the ever-changing threat scenario.
Organizations making use of the 5G operator’s network will need to trust that their sensitive applications and data are well protected. Similarly, the network operator needs the confidence to trust that the rest of the resources of its network and its commitments to other customers are fully protected against wrong use by any single enterprise user. So, to prevent wide-scale service disruption to corporate connectivity, malicious use of IoT devices and millions or likely billions in losses, it becomes inevitable to tackle the 5G security issue.
Beside appropriate regulations to protect consumers and generate a level playing field for manufacturer and operator, management and assessments of implemented system security is of high importance to prevent threats and detect anomalies.
Assessment of the 5G Blocks generate trust into the 5G networks
The intention is to regularly or even continuously assess selected components, devices and services from the angle of availability and integrity of data of critical services. Assessments should be able to verify proper implementation of defined security functionalities, detect functionalities to shut off the network or parts of it, detect backdoors and continuously analyze anomalies in the behavior related to implemented security.
A Trusted Reference Infrastructure (TRI) is a test environment as a mirror of the live environment with functional blocks of the 5G infrastructure as Point of Reference is necessary. This gives the opportunity to
- detect variances and anomalies against behaviors of the live system and associated reference patterns
- assess patches of firmware and applications
- assess the Supply Chain (development, EMS, deployment, operations, end-of-life)
- give a reference analysis of each device of the architecture as reference
- sign assessed SW blocks by trusted independent third parties
- analyze possible “Switch shut down” functionalities due to high risk of shut down mobility, traffic, communication, production, etc.
Certification of involved HW and SW
To achieve legal certainty for the following partner in the supply chain, to be able to stress associated insurances in case of incidents and to avoid cheating parties within the supply chain Certification of involved HW and SW is well known and accepted tool.
Purpose of third-party assessments is to find vulnerabilities, flaws and backdoors in initial products. A full white-box (WB) approach includes specification, design and source code. An appropriate assurance level can to be selected based on the associated risk.
Any assessed SW will to be digitally signed. Any HW will to be verified in a first certification before deployment to the live environment including randomly checks of the delivery chain. It is also of highest importance to get cheating under control to not remain exposed via backdoors. To avoid cheating a combination of conformity assessment and market surveillance can be introduced like it is done in other domains according to EU Regulation 765 and Decision 768.
Supporting test methodologies will be the ‘EU Toolbox for 5G security’, several ‘national lightweight certification schemes’ as well as NESAS also in the context of national lightweight schemes.
NESAS, e.g., includes the Accreditation of vendors’ product development processes and of the vendors’ product lifecycle processes as well as the network equipment product evaluation according to 3GPP standardized tests but it does not include the Certification by an officially recognized authority, the Proof of absence of certain functionality (e.g., backdoors), nor the security of interfaces between network equipment or the need for end-to-end security.
Conclusion: The complexity of HW and SW is very high and includes millions of lines of code and requires a large number of experts. It is a challenge to compare specimen of HW and FW against delivered HW and FW and the use of the verified and digitally signed SW.
That means the goal of a trusted 5G network can only be achieved jointly based on a common approach which starts with the extension of the certification schemes including specific tests to search for hidden functionality and evaluation of the product and development life cycle with onsite visits plus adding Market surveillance (cf. also Reg. 765 and decision 768) including infield network analysis in cooperation with the MNOs, to reduce the 5G risk while generating trust in this highly beneficial technology and systems. Examples will be given to illustrate the way responsibilities between stakeholders could be organized.
Jacques Kruse Brandao is Global Head of Advocacy at SGS Cybersecurity Services. Jacques is in the identification industry for more than 18y. Today Jacques advocates our partners on how to generate trust into products and services in the hyper-connected world explaining the related needs for Security and Privacy and available solutions to be able to test, validate and certify products, services and systems. Before Jacques was Global Head of Political Affairs and Public Co-creation at NXP Semiconductors, the leading supplier of secure components for Governments, Banking, Automotive and the IoT. Jacques is continuously contributing in several cybersecurity initiatives and associations like European Cyber Security Organization (ECSO), Charter of Trust, TIC-Council, Alliance of IoT Innovation (AIOTI), EUROSMART, a.o. and also contributes as a speaker at policy related conferences. His patience is to generate trust for a smarter connected world.
What Happens Next? Beyond Security via Liability in Future Networks
Multi-party and multi-layer nature of 5G networks implies the inherent distribution of management and orchestration decisions across multiple entities. Therefore, responsibility for management decisions concerning end-to-end services become blurred if no efficient liability and accountability mechanism is used. In this talk, we present the design, building blocks and challenges of a Liability-Aware Security Management (LASM) system for 5G. We describe relevant challenges of trustworthy and secure 5G and highlight our motivation and the drive for liability in the INSPIRE-5G+ project. The INSPIRE-5G+ approach is also presented as a specific technical example. We show existing security concepts such as manifests, root cause analysis, and trust and reputation models can be composed and enhanced to take risk and responsibilities into account for security and liability management. To this end, we introduce key concepts and terminology, and open issues and research challenges for liability in future networks.
Chrystel Gaber received her PhD from University of Caen in 2013 in Computing Systems. After an experience as project coordinator and R&D engineer in Fime, she joined Orange as a researcher & project coordinator. She contributes to several projects related to cyber-physical security, security management and certification. She participated in the FP7 project MASSIF and ensured the coordination lead of the CELTIC-PLUS project ODSI. She currently participates to the H2020 Project Inspire5G+ where she leads the task 4.4 related to Liability Management in complex infrastructures such as 5G networks or Software-Defined IoT.
Managing Dependencies in the 5G Environment through MUD Files
The advent of the 5G technology and its close relationship with IoT promises to realize the vision of a hyper connected society, in which humans and devices compose complex interconnected systems leading to a strong cybersecurity interdependence. In this scenario, the final network becomes much more complex and heterogeneous and therefore it can be much more feasible for a vulnerability to affect many more systems and to be propagated very quickly. The borderless nature of the infrastructures and threats involved also means that any vulnerability or security incident in one country can have disastrous consequences in the whole European Union.
While Europe is leading large initiatives to guarantee the security of these systems, such as the Cybersecurity Act or the 5G toolbox, it is still not yet clear how to deal with vulnerability dependencies in an environment as complex as 5G.
We propose a novel approach to manage security dependencies within the 5G context, combining the usage of the recently standardized Manufacturer Usage Description (MUD) with the cybersecurity certificate of a system, in a way the dependencies can be traced when a new threat is discovered. On the one hand, the certificate indicates certified subcomponents that the system has, and in the other hand, the MUD file indicates the connections with other services not certified or not considered in the certificate. With this information, the proposal is to construct a dependencies tree to have a global vision of the affected systems. Moreover, we also propose a mechanism to share mitigations with the affected systems using the NIST threat MUD file.
In this way, the proposal guarantees an effective action when a security breach is detected. We not only identify the systems that may be affected, but we also design a mechanism based on a standard (MUD) to communicate the existence of said threat and the mitigations that should be applied to avoid more damage.
Dr. Sara N. Matheu is a postdoctoral researcher at the University of Murcia, Spain. She received the B.S. degree in mathematics and the B.S. and M.S. degrees in computer science from the University of Murcia, Spain, in 2015 and 2016, respectively. She obtained the international Ph.D. in 2020, conducted by Dr. Antonio Skarmeta, and Dr. José Luis Hernández Ramos. She has participated in several projects such as ARMOUR, CyberSec4Europe, INSPIRE-5G or BIECO, in which she is currently leading the WP related with cybersecurity certification and evaluation. She has also participated in several initiatives from ECSO, ETSI or DG-CNECT, among others, and she has published more than 10 research articles in international journals and conferences. Her main research interests are related to the security certification and evaluation and in the security lifecycle management. Contact her at saranieves.matheu(Replace this parenthesis with the @ sign)um.es.
Root Cause Analysis for 5G based on Similarity Learning
The Root Cause Analysis (RCA) is a systematic process for identifying the “root causes” of problems or events and an approach for responding to them. It is an essential component required by network operators for establishing liability and trust. RCA is based on the idea that the effective management requires more than merely detecting and solving problems, but also finding ways to prevent and avoid them. In the context of the INSPIRE-5Gplus project, the RCA enabler that will be presented relies on machine learning algorithms to determine the most probable cause(s) of anomalies detected, or situations that could lead to anomalies, based on knowledge of similar anomalies observed in the past.
Edgardo Montes de Oca graduated as engineer in 1985 from Paris XI University, Orsay both in electronics and computer science. He has worked as research engineer in the Alcatel Corporate Research Center in Marcoussis, France and in Ericsson’s Research Center in Massy, France. In 2004, he founded Montimage, and is currently its CEO. His main interest are in building critical systems that require the use of state-of-the-art fault-tolerance, testing and security techniques; the development of software solutions with strong performance and security requirements; and, designing and building tools for monitoring the security and performance of fixed and mobile networks. He has published more than 30 papers, and book chapters related to 5G. He is leader of the dissemination and exploitation activity of the H2020 INSPIRE-5Gplus project; member of the piloting committee of the System@tic Digital Infrastructure and IoT hub; and board member of the 5GPPP SME and TVM working groups.