EICAR 2013: Data protection <> data security?

The 22nd EICAR Conference was held last month at the Leibniz University of Hannover, home of the prestigious Institute for Legal Informatics. One of the aims of this year’s event was to discuss the related topics of data protection and data security alongside each other, rather than in isolation.

As has become tradition, the event started with some pre conference lectures which were given by students from the French ESIEA institute on MS x64 assembly and CARBEP. After that, gripping opening speeches were given by Peter Kruse (CSIS) on the Tinba banking trojan, and by Prof. Dr Nikolaus Forgo (Leibniz University) on data protection and privacy.

An unscheduled presentation was made by Righard Zwienenberg – a short tribute to Péter Ször, well known security researcher and friend of Righard (and myself), who died unexpectedly just days before the conference. Péter was a regular presenter at the EICAR conference in its early days.

This year, the conference was divided into two tracks: ‘scientific/technical’ and ‘scientific/legal’. A broad selection of highly respected German speakers, including Prof. Peter Gola and Prof. Dr Michael Schmidt, presented papers in the legal track on topics that included big data, cloud security, and even the NSA-PRISM-related problems. As the conference went on, ‘data privacy’ emerged as possibly the most well-used term during the event. Whereas in the past 20 years, the word ‘privacy’ was barely uttered in any speech at any security conference, it now seems to turn up in almost every presentation. Until we reach a worldwide recognition of and agreement about data privacy laws, we will continue to come across a lot more contradiction and problems relating to privacy. This is one of the big challenges for the coming years. It could be handled with better international laws and optimized programming, but a lot of work still needs to be done. Big data is a good example of this and it is already becoming both a solution and a problem in itself.

BYOD is an important trend in the IT industry and was another important topic of the conference. Whereas legal compliance of BYOD can be achieved by taking the right steps, it should always be considered whether or not the option to provide employees with company-owned devices (which may be used privately as well as in the workplace and which, in addition, may be chosen freely by the employees within certain boundaries) would not constitute a significantly easier model, combining the advantages of BYOD with the safety of full technical and better legal control of devices. A BYOD model must be thoroughly adapted to the company’s business model and processes within the IT infrastructure, in particular regarding hardware and software ownership and maintenance, data ownership, IS security policy, data security and liability.

This year’s ‘Best Student Award’ was given to the paper ‘Automatic Code Features Extraction Using Bio-inspired Algorithms’ by Ciprian Oprisa and Georges Cabau of Bitdefender, and Adrian Colesu from the Technical University of Cluj-Napoca.

This year’s event was a good one, but the EICAR board feels that more effort needs to be put into having even more interesting papers and even better presentations next year. That’s part of the reason why EICAR is set to move in a different direction: why not combine two good meetings, events or conferences? I have always been in favour of bringing people together and, being on the boards of both AMTSO and EICAR, I have always liked the idea of combining the two events. Next year, we plan to hold the annual EICAR conference at the same venue as the autumn AMTSO meeting (immediately following it). I am pleased to announce that, if all goes according to plan, the EICAR conference will be held in mid to late October 2014 in Canterbury, UK. We aim to have two separate tracks once again: one academic/scientific/legal-related track and a security/malware-related track, with several internationally well-known keynote speakers.

EICAR is also looking into other initiatives and we hope to hold a one-day expert meeting (possibly in February) in Bochum, Germany. Details of the subject, exact date and venue will be announced soon on the EICAR website (http://www.eicar.org/). I am already looking forward to the opportunities to meet new people and exchange ideas on new projects – maybe making the world a little bit safer.