Monday, 11 September

Welcome from Host & Conference Chairs
Francis Beland, Executive Director, OASIS Open
Jassim Happa, Lecturer in Information Security, Royal Holloway, University of London
John Sabo, Chair, OASIS IDtrust

Keynote Address: Security & Privacy: Two sides of the same coin?
Paul Hopkins, Global Head of Cyber Strategy, Vodafone
Mikko Niva, Group Privacy Officer/Head of Legal – Privacy, Security, & Content Standards, Vodafone Group

Perspectives on our journey in protecting the security and privacy of customers in a complex world
and large scale. How do we combine security & privacy? What are the key threats and risks
and challenges dealing with them. What methods & tools do we employ to embed security & privacy. 
What are some of our and industry's future challenges of doing this at scale?  

[Track 1]
(Panel) Privacy Engineering: How to deliver assured data protection in complex systems & applications
John Sabo, Chair, OASIS IDTrust (moderator); Srinivas Poosarla, CPO, Infosys; Gershon Janssen, Director, Reideate; Chiljon Janssen, Founder, Privacy Compliance Solutions

The panel will address the challenges of privacy engineering - emphasizing the complexity of integrating privacy functuality into system and software engineering processes across interdependent, networked applications. The role of the privacy engineer will be explored, including the steps necessary to identify and recommend privacy control requirements in operational systems. The integration of PII and non-PII functionality in lifecycle software development will be examined, highlighting the need for joint assessment by privacy engineers and data privacy officers. The importance of standards-based and interoperable technical tools to support privacy engineering will be emphasized, with a use-case demonstrating the complexity of data protection and the potential of graph database tools.

[Track 2]
Digital standards - Who makes them and why should we care?
Eva Ignatuschtschenko, Head of Digital Standards & Internet Governance Department for Science, Innovation and Technology

Digital technical standards have become an increasingly important topic in global discussions. They are a core part of the functioning of the internet, telecommunication networks, and emerging technologies. How they are developed and deployed can strengthen or weaken cyber security. And governments have started to pay more attention. China, the EU and the US have all published their own strategies on standards for critical technologies and even the UN has recently started to look at the relationship between human rights and technical standard-setting processes for digital technologies. In the UK’s National Cyber Strategy 2022, the UK government set out its objectives for engagement in global standards bodies. The presentation will cover the UK government’s strategic approach to shaping global digital technical standards and their relevance for UK cyber security, including takeaways for how to engage effectively in the standards world and what challenges to look out for. 

[Track 1]
(Panel) Privacy Engineering Panel (continues)

[Track 2]
Cyber dimension of conflict and impacts of cybersecurity breaches on stability
Alma Oracevic, Lecturer in Cybersecurity, University of Bristol

During this presentation, the speaker will discuss the impact of cyberattacks on the conflict in Ukraine and its stability. Russia significantly increased its targeting of users in Ukraine and NATO countries in 2022, aiming to disrupt communication and create chaos. The cyberattacks included DDoS attacks, power grid hacking, and the destructive NotPetya malware. The conflict also involves censorship of cyberspace to shape public perception and undermine international support for Ukraine.

Takeaways:
1. An understanding of how cyberattacks are used during a conflict.
2. How impactful these attacks can be during the conflict - making military invasion more effortless and less demanding, furthermore creating a sense of urgency and desperation.
3. The need and importance of the protection of cyber-physical systems and the overall economic and financial consequence of cyber breaches. 

[Track 1]
GoodFlows: A framework for automating compliance of business processes and data processing workflows
Dr. Mariza Koukovini, Senior Research Engineer, ICT abovo P.C.

GoodFlows is a solution designed to help organizations ensure compliance with data protection requirements, particularly the GDPR. It consists of two pillars: a semantic policy-based access and usage control framework, and a process planning and re-engineering framework. The access and usage control framework allows for the specification of expressive rules and real-time decision-making on access authorizations. The process planning and re-engineering framework provides a methodology for automating compliance assessment and transformation of process models. GoodFlows aims to streamline compliance efforts, reduce human errors, and support scalability and maintainability. It can be extended to other types of compliance, including Trustworthy AI. The presentation will cover compliance challenges, the main pillars of GoodFlows, and real-world examples.

Takeaways:
1. Semantic modelling of organisational assets and entities, along with their associations.
2. Comprehensive access and usage control rules specification and reasoning thereof.
3. Compliance requirements and patterns in process-based systems.
4. Automation of compliance-driven process planning and re-engineering.

[Track 2]
(Panel) Developing a Clear NCS and an Implementation Plan – Efficacy and efficiency through collaborative efforts
Orhan Osmani, Head a.i, Cybersecurity Division, International Telecommunication Union (ITU)
Jerry Ketteringham, Specialist Consultant for the UK Home Office, National Cyber Risk Assessment (NCRA)

Join us for an engaging panel discussion as we explore the power of developing a clear Needs, Challenges, and Solutions (NCS) framework and an effective Implementation Plan. Discover how organizations can enhance efficacy and efficiency by harnessing the collective strength of collaborative efforts. Gain valuable insights into streamlining processes, optimizing resources, and fostering effective teamwork to drive successful implementation and achieve impactful outcomes.

Discussion topics include:
1. Understanding the NCS Framework
2. Developing an Effective Implementation Plan
3. The Role of Collaboration in Enhancing Efficacy and Efficiency
4. Overcoming Challenges and Maximizing Success
5. Case Studies and Practical Insights

In conclusion, our panel of experts has shed light on the significance of collaborative approaches in developing a clear NCS framework and implementation plan. By leveraging the collective expertise and engagement of stakeholders, organizations can enhance efficacy, optimize resources, and drive efficient implementation for successful outcomes. We hope that the discussions today will inspire attendees to adopt collaborative strategies in their own organizational journeys.

[Track 1]
Adopting privacy preserving techniques for cooperative threat hunting
Paolo Di Prodi, CTO, Priam Cyber AI ltd.
Toon Segers, Cofounder, Roseman Labs

Threat sharing is crucial for responding swiftly to evolving threats, but it requires a balance between speed and privacy. To address this, we have developed a groundbreaking threat sharing platform that enables security teams to share evidence early in the incident response cycle while ensuring strong privacy protections. Our platform allows operators to query various native cyber entities using open standards like STIX 2.1, ATT&CK, and CACAO, leveraging cryptographic techniques such as Secure Multi-Party Computation (MPC) and differential privacy. The National Cyber Security Centre (NCSC) in the Netherlands has already deployed our platform for sharing threat intelligence between public and private organizations and the government. In this presentation, we will showcase the platform's features, including open standards, privacy techniques, practical examples, and a glimpse into the SecureNed platform used by NCSC.

Takeaways:
Attendees will learn about three main success factors to sharing incident response data effectively and responsibly, to include --
1. The adoption of fundamental data models which are the STIX2.1, VerisDB, ATT&CK, AttackFlow standards and storing them in a database to allow cross referencing.
2. The application of privacy based techniques such as differential privacy and multi party computation to such structured data.
3. And finally, the use of a (real-time) peer-to-peer approach to reduce the lag of the dissemination phase.

[Track 2]
Developing a Clear NCS and an Implementation Plan Panel (continues)

[Track 1]
Lessons learned from running the UK-US PETs prize challenges
Dave Buckley, Senior Technology Adviser, Centre for Data Ethics and Innovation

In this presentation, we will share valuable insights and lessons learned from the design and execution of the UK-US Privacy-Enhancing Technologies (PETs) Prize Challenges. The challenges aimed to foster innovation in approaches to privacy-preserving machine learning, with participants tasked with training classification models on federated datasets for two use cases in financial crime detection and pandemic forecasting. The objective of this presentation is to provide a comprehensive overview of the challenges, highlight their significance, discuss the main outcomes, and describe the key tradeoffs involved in the challenge design.

Takeaways:
1. Understanding of the breadth of solutions developed for the UK-US PETs prize challenges.
2. Challenges faced when designing and running a competition in privacy enhancing technologies, and design tradeoffs involved.
3. Methods for evaluating the performance of privacy-preserving systems.

[Track 2]
The New ‘Normalized’ – Standardizing security data using the Heimdall Data Format
Mike Fraser, VP & Field CTO of DevSecOps, Sophos
Gregory Arts, Product Manager, Sophos

Security tools generate data in unique formats that require multiple dashboards and utilities to process. This security data can be results from static analysis, dynamic analysis, Common Vulnerability Enumeration (CVE) scanning, Common Weakness Enumeration (CWE) scanning, security event auditing, intrusion detection sensors, software bill of materials, and more. Several teams in the security community have begun to form security data for specialized domains, however software teams lack a standard format to exchange cybersecurity data within and between security domains to determine their security posture. Members of the OASIS cybersecurity community came together to develop an open, standard, and normalized format for exchanging security and risk information data between cybersecurity tools called OASIS Heimdall Data Format (OHDF). OHDF enables vendor-agnostic sharing, exchange, and standard presentation of risk information sources between different tools, applications, and systems without the need for customized integrations. OHDF does not wish to replace the core format of any single tool but rather ease information sharing between tools. It allows vendors, service providers, and government agencies a standardized specification to simplify risk analysis and streamline information exchange.

Takaways:

1. Learn about how OHDF can be used.
2. How it compares to other standards.
3. And real world examples of how OHDF is being used in tools and technology.

[Track 1]
The future of passwordless authentication
Christina Hulka, Executive Director & Chief Operating Officer, FIDO Alliance

In the presentation, the focus will be on the work of the FIDO Alliance, an organization dedicated to addressing the issue of password dependence and promoting secure and user-friendly authentication methods. It will delve into the current state of password usage and the associated vulnerabilities and challenges. The speaker will discuss the vision and objectives, highlighting efforts to develop open and interoperable authentication standards that offer stronger security and a better user experience. Additionally, the presentation will provide insights into the ongoing advancements and future direction to eliminate passwords and establish more secure authentication practices globally.

[Track 2]
Enabling the Security Lifecycle – The MITRE Security Automation Framework as a force multiplier
Aaron Lippold, Chief Engineer, The MITRE Corporation

Organizations face the challenge of maintaining security requirements while deploying applications quickly, given the faster deployment of vulnerable software and the rising security threats. The MITRE Security Automation Framework (MITRE SAF) addresses this issue by shifting security left, integrating security controls and processes throughout the development and operational lifecycle. By proactively identifying and resolving security issues, teams can avoid costly fixes and deployment delays. The MITRE SAF promotes standards for security compliance, provides actionable guidance documentation, and offers converter libraries to normalize security data using the OASIS Heimdall Data Format (OHDF). This streamlines security automation, allowing for efficient integration with tools and pipelines, enabling the validation, visualization, and reporting of security data. The presentation will explore how the MITRE SAF facilitates the implementation of evolving security requirements while ensuring rapid application deployment in line with DevOps principles.

Takeaways:
1. Examples and patterns for security automation and standardization.
2. Real world libraries and tools to operationalize security. 

[Track 1]
Protecting Lives, Safety and Security : BroadEU.net : Towards the EU Critical Communication system
David Lund, Board Member, Public Safety Communication Europe (PSCE) Forum and Founder, SafeNetics

Police and rescue services keep us safe and secure every day, often in the shadows unless we are individually in danger. They use 25year old mobile technology which was developed to be secure, reliable and is highly trusted. During this year's recent annual Black Hat USA conference, new vulnerabilities were announced. It’s time for our trusted public safety responders to receive a mobile comms upgrade.

BroadEU.net is preparing a new Mission Critical mobile broadband capability to realise Operational Mobility - the ability for responders to to carry our their crime fighting and life saving operations wherever they are, whenever they need to and in collaboration with whoever they need to, wherever they are.

Geopolitical boundaries will no longer be a barrier, and our responders will be enabled with better and more resilient communication technology than those who want to disrupt us.

[Track 2]
Transforming Vulnerability Management - How CSAF, VEX, SBOMs & SSVC work together
Justin Murphy, Vulnerability Analyst, U.S DHS, CISA

There is no such thing as a "vulnerability-free" product. As we get more insights into our supply chains, we can easily be overwhelmed by the number of potential vulnerabilities. All of our manual processes are failing. Instead of burning people out with tedious manual tasks, we need to change the way we handle vulnerability management. The presentation will show the interconnection and relationship of different standards, like the Common Security Advisory Framework (CSAF), the Vulnerability Exploitability eXchange (VEX), the Known Exploited Vulnerability (KEV) catalog, Stakeholder Specific Vulnerability Categorization (SSVC) and Software Bill of Materials (SBOM). It will cover what needs to change to keep up with the vulnerabilities and threats discovered today. Taking the November 2022 blog post Transforming the Vulnerability Management Landscape by Eric Goldstein, CISA's Executive Assistant Director for Cybersecurity, as a starting point, the presentation will shed light on how the US government believes the situation can be improved. It will also cover the actions necessary to support the ecosystem to transform its vulnerability management. That includes the support of tools, use of procurement regulation, education and much more.

Takeaways:
1. Things needs to change to keep up with the vulnerabilities and threats discovered today, and we need to change the way we as community think about and approach vulnerability management.

2. Automation, simplified means & clear understanding of risk, and prioritization of resources is the key.

3. CISA believes CSAF, SBOM, VEX, SSVC, and the KEV are critical steps to help in the transformation of the vulnerability management ecosystem. 

4. The US government believes the situation can be improved through the support of tools, use of procurement regulation, education and more.

Charting a Secure Course: Safeguarding maritime navigation through authenticating AIS
Sophie Hawkes, PhD Researcher, Royal Holloway, University of London

Maritime cyber security is crucial due to the significant role of maritime transportation in UK imports and exports. The Automated Identification System (AIS) is widely used for vessel tracking but lacks proper security measures, making it susceptible to spoofing and GPS spoofing events. Research has proposed cryptographic authentication methods to enhance AIS security, including schemes aligned with IEEE 1609 and the use of TESLA protocol. Additionally, a certificateless maritime identity-based cryptography (mIBC) solution has been suggested, offering varying levels of security and privacy. This talk will cover AIS functionality, real-world attack examples, a comparison of cryptographic authentication schemes, and future research directions.

Takeaways:
1. AIS is used by ships for navigation and tracking, but currently has no authentication mechanism.

2. Multiple current real-world attacks affecting AIS functionality.

3. Several different proposals to add authentication to AIS, which are all impacted by the specific challenges within the maritime cybersecurity context.

4. Additional research to be done in this emerging area of security and privacy.

Enhancing Consumer privacy via accountability and verifiable credential interoperability
Abbie Barbir, Board Member, Accountable Digital Identity Association and Secretary, OASIS LVCSP TC
Shahrokh Shahidzadeh, CTO, SecureAuth Corporation

Online digital identity verification is crucial for secure interactions, and W3C Verifiable credentials offer a promising solution. However, the current verifiable credential landscape is fragmented, hindering interoperability. To address this, a new OASIS working group aims to define a standardized lightweight identity credential schema based on the W3C Verifiable Credential standard. This schema will enable individuals to securely share their verified identity attestations across platforms and services, with a focus on KYC, KYB, and financial institutions' credentials. The talk will discuss the scope, purpose, and deliverables of this working group's efforts.

Takeaways:
1. New interoperability option for verifiable credentials and ways you can contribute to the work.
2. Enhanced passwordless user login experience.

Guest Speaker: Designing & Delivering Global Privacy and Security (livestream)
Ann Cavoukian, Creator of Privacy by Design Framework and
Executive Director, Global Privacy & Security by Design

Ann Cavoukian, internationally recognized leader in data protection and developer of the globally referenced
and adopted Privacy by Design Framework, brings to the conference her insights on the importance of integrating security and privacy in the context of data protection, what she views as the most important challenges facing practitioners today, and a path to managing data protection risks.

Igniting Dialogue and Discovery with Attendees 

This session invites participants to actively share their perspectives, raise questions, and delve deeper into the topics discussed during the conference. It bridges the gap between expert insights and audience input, fostering a collaborative environment where diverse viewpoints contribute to a more comprehensive understanding
of the subject matter. Through this interactive discourse, speakers and attendees collectively shape
the conversation, driving meaningful insights and promoting a robust exchange of ideas.

Exploring Cyber Risks of Drone Swarms in Urban Airspace &  Demonstrations
Darren Hurley-Smith, Senior Lecturer in Information Security, Royal Holloway, University of London

Integrating various autonomous systems - to form cooperative networks - is a stated objective of city
planners, a key challenge for funding bodies (such as the EPSRC), and a potential competitive edge for
enterprise. Unmanned aerial vehicle (UAV) swarms are an excellent example of an autonomous system that
must cooperate with networking, air traffic control, and other complex systems to operate securely, safely,
and effectively. Law enforcement, emergency response, surveyors, and even individual tradespersons have
adopted UAV technologies, but appropriate regulation and supporting infrastructure for fully autonomous
systems are in the early stages of discussion. The next logical step is automation in key areas: routine
surveying, road accident recovery & response, law enforcement, and events/crowd management are all areas
in which autonomous swarms of UAVs can provide a significant advantage in planning and time-constrained
high-risk decision making. These use cases raise trust, privacy, and traffic control concerns at the technical level, before one even considers the added complexity of cooperation and data sharing between UAV swarms.

This talk will provide an overview of the Cyber risks associated with UAV coordination and control in complex environments, focusing on trust requirements in air traffic planning and conflict resolution.

Omnidrome Research & Innovation Centre
Facility Tours

Reception in the North Quad Colonnade

Dinner in Picture Gallery
'Celebrating OASIS 30 Year Anniversary'