Privacy by Design Data Exchange Between CSIRTs

  • Conference paper
Privacy Technologies and Policy (APF 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10518)

Abstract

Computer Security Incident Response Teams (‘CSIRTs’) may exchange personal data about incidents. A privacy by design solution can ensure compliance with data protection law and the protection of trade secrets. An information platform for CSIRTs is proposed, in which incidents are reported in encoded form. Without knowledge of other personal data, only the quantity, region and industry of the attacks can be read out. Additional data, primarily from a team's own security incidents, can be used to calculate a similarity to other incidents.


Acknowledgments

This work has received funding as part of the project Cyber Incident Situational Awareness (CISA) within the Austrian security research program KIRAS.

Corresponding author: Erich Schweighofer.
Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Schweighofer, E., Heussler, V., Kieseberg, P. (2017). Privacy by Design Data Exchange Between CSIRTs. In: Schweighofer, E., Leitold, H., Mitrakas, A., Rannenberg, K. (eds) Privacy Technologies and Policy. APF 2017. Lecture Notes in Computer Science, vol 10518. Springer, Cham. https://doi.org/10.1007/978-3-319-67280-9_6

  • DOI: https://doi.org/10.1007/978-3-319-67280-9_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-67279-3

  • Online ISBN: 978-3-319-67280-9

  • eBook Packages: Computer Science (R0)