
09: Cyber Security: A Fundamental Right

Breakout / Working Group
English language

The quality of today's IT systems is determined by their resilience to existing and future technological and organisational security gaps. IT security always deals with future attacks on today's IT systems. Apart from prevention, it is of decisive importance to detect novel kinds of attacks. On top of that, to guarantee civil security, privacy and transparency we also have to address legal requirements and the design of future IT systems ("right to be forgotten", "data retention", etc.).


Head of CERT-EU, Computer Emergency Response Team of the EU Institutions, Bodies and Agencies, Brussels
Abstract
Since the Snowden revelations in 2013 a lot of attention has been given to the legitimacy of blanket mass surveillance, impacting citizens in the broad sense. For most people it came as a shock that governments, including their own and those of allied countries, would indiscriminately gather and keep information about their private life.
In addition, people have woken up to the insight that the attractive and free internet services they had been using in recent years had exposed them to government and private surveillance.
As a reaction, mainstream service providers have launched strong end-to-end encryption for their private customers converting the unease the revelations have created into a competitive advantage and a new positioning for their brand.
The discussion has recently reemerged in the wake of the terrorist attacks in Europe and the US. Diverging opinions on the necessity/drawbacks of government backdoors in systems have been publicized and discussed at length in public fora and in the IT security community.
How have these revelations and the subsequent technology developments influenced the environment in which governments work? What are the stakes and threats, how are these influenced by the vulnerabilities of the current technology? What can be done to mitigate the risks at the short term and longer term? These are some of the issues that will be discussed in this presentation, using concrete examples from the current landscape.
The risks of third parties accessing information managed by governments will be illustrated and future developments highlighted. Built-in exposure to these risks by the current IT and network technology will be explained and the current lack of mitigating measures exposed.
Suggestions for technological advances to increase future resilience will be presented, to nurture the discussion. Inherent to these suggestions is again the debate on possible backdoors in future systems and dependency on vendors.
Professor, Digital Content and Media Sciences Research Division, National Institute of Informatics; School of Multidisciplinary Sciences, Graduate University For Advanced Studies, Tokyo
Abstract
Due to developments in the Internet of Things, computers, sensors and their networks are located in all places, and useful services can now be received at all times and in all spaces of our lives. On the other hand, however, there is now an actual problem at the border between the cyber and physical worlds: personal and confidential information is easily shot and shared in a second as a result of the popularization of portable terminals with built-in cameras and other sensors. So far, conventional IT security and privacy have focused on the cyber world. Establishing security and privacy countermeasures is now an essential requirement at the border between the cyber and physical worlds.
In this talk, our security challenges for overcoming analog-hole problems, i.e. techniques to prevent unauthorized copying of screens and displays utilizing the differences in spectral sensitivity characteristics between human beings and imaging devices, will be described, as will our recent privacy challenges for preventing privacy invasion through face detection from camera images through the use of a device (Privacy Visor) worn on the face that appends noise to photographed images, which makes faces in images undetectable without affecting human visibility. For each challenge, testing of a prototype is shown through fruitful demonstrations.
Professor of Global ICT Law, Institute for Law, Technology, and Society, Tilburg University, Tilburg
Abstract
"The Internet of Things (IoT) will change society in ways that we cannot imagine yet," says security expert Bruce Schneier in Forbes business magazine. He argues that the IoT will become the greatest robot in the world. This robot will collect all sorts of information, and will act in an autonomous way in due time. Thanks to IoT a sort of internet-robot materializes, with senses, the ability to think and to act. "We are building a global robot that is not equal to anything else and we don't even know it. IoT will change everything, but we shouldn't let ourselves be astonished too much by these rapid changes." This view is consistent with that of Daniel Burrus, as he stated in Wired magazine: "The Internet of Things is much bigger than everyone thinks, because the focus is too much on machine-to-machine communication. This is only part of the story," says Burrus, "because it revolves around IoT sensor-to-machine communication and vice versa. Sensors collect data, but you can't use them if there is no infrastructure available to analyse these data in real time. IoT brings sensors and equipment together and helps develop new smart products and services."
Disruptive change
With the IoT, the online connectivity of applications, systems, surfaces and environments has increased. This is a major and fundamental change in our society. It is one of the most disruptive technologies in our time that offers many opportunities, similarly to the rise of the Internet. Our society will permanently change with the IoT. Success in the domain of IoT and taking advantage of the opportunities to improve prosperity, living comfort, health-care, operational efficiency and innovation has its price. The IoT is not only the connecting of smart devices and the analysis of data through the cloud, the IoT also calls for a need for security, privacy and trust.
The three main pillars
Security, privacy and trust are the three main pillars upon which IoT should be built. If we look at security, we see that many IoT devices and sensors entail new cyber security risks. The fact that devices are becoming increasingly interconnected creates new dependencies and thus reveals new vulnerabilities. Manufacturers are in a competitive "rat race" to launch new products to the market, causing many not to pay sufficient attention to the security of their hardware and software.
Concerning the second pillar, privacy, we see that more and more data are being collected and analysed. It is important to ask if consumers know what their personal data are being used for. Do consumers have control over their personal data? Is it possible for them to intervene? Or is this control out of their hands?
The third pillar of IoT, and possibly the most important one, is trust. Users of IoT devices and services should be confident that the software and the hardware components are secure enough to be used for the purpose that is intended. If this trust is not consistent, and consumers feel that their data are being misused or that they might be impacted negatively, consumers will turn away from IoT technologies. This effect would be detrimental to the economic growth of this market and to the possibilities for innovation.
These questions and potential negative consequences provide ample reasons for the need to discuss the future of the Internet of Things and figure out how the different sectors in society can benefit from this new technological phenomenon while at the same time ensuring high levels of cyber security.
Harmonizing duties of care in the EU
Establishing confidence in the IoT is possible with good regulation and a sense of responsibility for cyber security. Individuals, and society as a whole, will become increasingly dependent on IoT devices and services in the coming years. Disruption and misuse of hardware and data can negatively impact its users. The responsibilities of governments, industry and end-users should be clear in order to take adequate cyber security measures and show how they are accountable when incidents occur.
Yet, the question of who is responsible for ensuring cybersecurity is not easy to answer, in part due to the diversity among legal frameworks of EU Member States related to cybersecurity. The Digital Single Market strategy launched by the European Commission in May 2015 offers a clear momentum to address, in a uniform and harmonized way, this legal fragmentation and resulting uncertainty. The White Paper that will be provided before the Conference offers a framework for discussion among participants on the need to harmonize duties of care and diligence for cybersecurity of ICT goods and services offered to consumers.
The White Paper starts from the assumption that any individual who has suffered a loss because of a lack of cybersecurity should have effective legal remedies against the actor responsible for providing such security. In seeking to remedy these losses a consumer now encounters serious legal obstacles. It might first of all be difficult for a consumer to establish that the ICT provider owed a duty of care to him/her, what that duty implies given the circumstances, and whether the duty was in fact breached. While the fields of law applying to this context (sales, contract, unfair commercial practices, and tort law) offer various frameworks and concepts to provide answers to these pressing questions, they have so far only rarely been applied by courts in relation to cybersecurity issues. Consequently, there is little legal certainty as regards the question what actors in the ICT supply chain are required to do in terms of cybersecurity and, in turn, to what extent consumers can hold them to account for the lack of it. The question of who is responsible for the security of ICT goods and services is increasingly difficult to answer in the important development of the Internet of Things (IoT) as this development depends on the interconnection of multiple business actors in the provision of goods and services to consumers. Moreover, ICT providers typically use extensive exemption clauses to limit or exclude their liability in contracts concluded with consumers. Enforcement by public enforcement authorities is typically not concerned with providing remedies to consumers who suffered damages because of a security breach.
Consequently, there are few regulatory incentives for business actors in the ICT supply chain to ensure the security of the ICT goods and services they provide to consumers. The White Paper contends that a uniform legal benchmark requiring the use of appropriate technical and organizational measures (i.e. security by design) by ICT providers when placing on the market goods or services will provide important new incentives for the ICT sector to ensure cybersecurity across the entire ICT supply chain and increase legal certainty for both business and consumers around duties of care and diligence in cybersecurity.
The White Paper identifies a set of circumstances that must be considered significant when determining the relevant duty of care, after which it offers a number of recommendations, which will be the topic of debate.
Professor and Head, Institute of Computer Science and Social Studies, University of Freiburg
Abstract
Larry Lessig pointed out in 1999, in his book "Code and Other Laws of Cyberspace", the difficult and maybe outdated relationship between democratic institutions and the code we all use. Multilateral security, an advancement from regulated security, e.g. privacy protection, did not know the terms civil or public security. Security was something happening between partners. Privacy algorithms depended upon four unrealistic assumptions, which have prevented their success on a large scale until today. Firstly, privacy is a matter of authorization; secondly, personal identifiers determine the possibility to violate privacy; thirdly, choice and consent are needed to allow good privacy decisions; and last but not least, data hiding is the best means to prevent misuse of personal data.
Societal challenges, however, in a co-evolution with technical progress, now have the objective to solve traffic congestion, energy scarcity, and climate change and to automate manufacturing, but also to optimize leisure time and to optimize life with wearables to gain better health or a nicer appearance. Smart infrastructures incorporate intelligence into everyday objects. This generates the desire for norms to guide systems but also societal interaction. Algorithms are a means to execute norms. They are needed to gain acceptance. The technical assumption of the talk is that the "Internet of Things" reverses the present communication paradigm, where users adapt to machines, to a scheme where machines adapt to humans and anticipate human behavior, which may result in a loss of control or, in other words, makes it a matter of new norms establishing civil security.
E.g. a chat-bot of Microsoft named TAY developed within hours into a racially biased member of Twitter; simple demand-supply economics made UBER raise tariffs to take advantage of a crisis in Sydney. Analysis of the impact of "code" showed discrimination against women when applications for higher paid jobs at Carnegie Mellon University were selected. The Guardian claims that automatic classification for preselection of potential terrorists discriminates against Pakistanis. Similarly, the New York Times claims that Facebook prefers within its own "universe" fundamentally different sources of news than the rest of all media do. The objective is to use the popularity of Facebook to support the business objective of becoming the most influential media company.
The changing interfaces to the digital age seem to go along with a rising normativity of "code" and thus moving of security to a personal level - the civil security.
Professor and Head, Institute for Applied Information Processing and Communications, Graz University of Technology; Chief Information Officer of the Austrian Federal Government; Graz
Abstract
Mobile Apps, Cloud, Internet of Things ... there is a real challenge with technology moving faster than society and the perception of the broad public. Still, all these technologies touch basically everyone and are used in everyday life. If we continue as we do, we will load the risk that comes with these technologies onto the shoulders of end-users, where we know that they are increasingly unable to handle them.
Europe is to some extent trying to promote and make steps towards a safer cyber world. The NIS directive is one of these elements. However, coming out of the need for consensus, the ambitions of this directive are not extremely high and the focus is limited to incidents and reporting. This is a highly needed element and creates awareness, which is a security enhancing tool per se.
Incident reporting and learning from the past is essential, but not sufficient. To yield a bigger step forward, we need to empower citizens and SMEs that have a special need in this context, to offer resilient services. In the European landscape - and to an even higher degree in Austria - SMEs are the carrier for innovation and agile new technologies. Enabling and strengthening IT-security in their context is a highly competitive factor on an international perspective.
While still disregarded in wide areas of industry, the eIDAS regulation, in force as of 1.7.2016, might be quite helpful. This piece of legislation addresses a wide range of security aspects from electronic identities and electronic signatures to website authentication, as well as further elements. Being voluntary in the private sector, it needs promotion and take-up by industry as well as society.
In many ways we are using quite old approaches when it comes to communications. Yet we know risk comes with exposure and communications. This makes it obvious that this field needs innovation where innovation has at least two faces: the technical face and the legal aspects. Where broad technology deployment is still slow, legal backing and clarification is even slower, despite the need that legal backing and certainty would be very helpful in the early phases of deployment.
While legislation applies in the cyber world just as in the physical world, it is often perceived differently and practices are also sometimes different. Whether as a result of missing evidence or even by intention, applicable jurisdictions are complicated to identify and complex due to communications infrastructures. One should just think of the fact that a simple phone call to the neighbour might be travelling through different countries and even outside Europe. This is simply because of the cost of infrastructures. It becomes even more dynamic when we speak about internet and data communications. Jurisdiction-aware communications and protocols would be a paradigm that puts the nations in charge and would enable them to follow their legal obligations.
The Internet of Things is bringing in additional players, also from the non-IT community and with much less awareness of security needs. The additional risks can only be estimated, and households and SMEs will always be unable to run secure and robust service communication structures. The dynamics of evolution will make sure that this will permanently be the case. Changing communication paradigms can be a solution, where devices paired with strong cryptography will allow "trusted families of devices". Combining this with reversed services that allow client-only communication can be helpful in this area, as it avoids the management of servers in non-experienced environments.
While such structures might reduce the surveillance potential for law enforcement due to their structure and technology, the benefit of reducing risk would pay off. It is often overlooked that smart criminals will go for surveillance proof communications anyway. We need a clear strategy so as not to lose both on the technical and commercial opportunities as well as on the security.
Professor and Head, COSIC - Computer Security and Industrial Cryptography Group, Department of Electrical Engineering, University of Leuven, Heverlee
Abstract
Cybersecurity becomes more prominent in the media, with a growing number of reports on hacks and breaches. An increasing number of experts is developing ever more sophisticated techniques and more security technologies are deployed. The lawsuit between the FBI and Apple and the recent announcement of WhatsApp that they would start offering end-to-end encryption have brought the crypto and privacy debate back to center stage. Will the cloud and the Internet of Things offer us a secure infrastructure? Or are we heading for a security nightmare? In this presentation we reflect on the role of technology in the relationship between citizens, companies, and governments. The key point seems to be how information is controlled, which is decided by the architecture of our information infrastructure.
Head, Institute for Software Technology and Interactive Systems, Vienna University of Technology, Vienna
Chair
Research Director, SBA Research; Associate Professor, Institute of Information Systems Engineering, Vienna University of Technology, Vienna
Coordination


Head of CERT-EU, Computer Emergency Response Team of the EU Institutions, Bodies and Agencies, Brussels

1992-1996 Assistant, Director of Rights and Obligations European Commission DG HR
1996-1998 Head, Unit Communication European Commission Joint Research Centre, Brussels
1998-1999 Head, Unit Technology Transfer European Commission Joint Research Centre, Brussels
1999-2002 Head, Unit Internal Audit European Commission Joint Research Centre, Brussels
2002-2007 Head, Unit Corporate Development European Commission Joint Research Centre, Brussels
2003-2006 Acting Director, Programme and Resource Management European Commission Joint Research Centre, Brussels
2007-2012 Head, Unit External Audit European Commission DG CNECT, Brussels
2011-2016 Head, CERT-EU, Brussels


Professor, Digital Content and Media Sciences Research Division, National Institute of Informatics; School of Multidisciplinary Sciences, Graduate University For Advanced Studies, Tokyo

1995 B.S. (Applied Physics), Tokyo Institute of Technology
1997 M.S. (Applied Physics), Tokyo Institute of Technology
1997-2007 Systems Development Laboratory, Hitachi, Ltd.
2007-2014 Associate Professor, Digital Content and Media Sciences Research Division, National Institute of Informatics
2010 Visiting Professor, Institute of Computer Science and Social Studies, University of Freiburg
2011 Visiting Professor, University of Halle-Wittenberg
since 2014 Professor, Digital Content and Media Sciences Research Division, National Institute of Informatics

Ph.D. Lokke MOEREL

Professor of Global ICT Law, Institute for Law, Technology, and Society, Tilburg University, Tilburg

1989-2015 De Brauw Blackstone Westbroek N.V. (co-chair ICT department De Brauw Blackstone Westbroek, Amsterdam office), partner since 1998.
2000-2002 Partner ICT Department, Linklaters London

Dr. Dr. h.c. Günter MÜLLER

Professor and Head, Institute of Computer Science and Social Studies, University of Freiburg

1967 Graduation, Albert-Schweizer-Gymnasium, Leonberg
1972 Diploma, Business Economics, University of Mannheim
1976 Doctorate, Topic: Information Structuring in Databases, University of Duisburg
1983 Habilitation, Topic: End-user Systems, WU Vienna
1974 - 75 IBM Germany, Database Administrator
1975 Research Assistant, Databases, University of Duisburg; IT Administrator, IBM Factory Sindelfingen
1977 - 79 Postdoc position at the IBM Research Laboratory, Almaden, San Jose
1979 Professional at IBM Scientific Center, Heidelberg
1981 Unit leader Computer & Communication, IBM Germany
1985 Director of IBM Europe and Founder of IBM European Networking Center, Heidelberg, Liaison to IETF (Internet)
1983 Habilitation and University Lectures, WU Vienna
since 1990 Director, Institute of Computer Science and Society
1990 Full Professor Telematics University of Freiburg
1994 Consultant to NTT Japan on Internet Security, Tokyo
1997 - now Consultant at Hitachi, Security and Electronic Trading Systems, Tokyo, Japan
1992 - 1999 Advisory Board Daimler-Benz, Ladenburg-Berlin
2011 - 2015 Consultant at SAP Walldorf, Business Process Security

Dipl.-Ing. Dr. Reinhard POSCH

Professor and Head, Institute for Applied Information Processing and Communications, Graz University of Technology; Chief Information Officer of the Austrian Federal Government; Graz

1971-1979 Researcher, Graz Research Center
1974-1984 Assistant Professor, Graz University of Technology, Graz
1979 Leave, Sperry Univac, Roseville, MN, USA
1984 Lecturer (Habilitation), Applied Information Processing and Information Technology
1984 Professor, Applied Information Processing and Communications
since 1986 Head, Institute of Applied Information Processing and Communications Technology TU Graz
since 1999 Scientific Director, Austrian Secure Information Technology Center, Vienna
since 2001 Chief Information Officer, Government of Austria, Vienna


Professor and Head, COSIC - Computer Security and Industrial Cryptography Group, Department of Electrical Engineering, University of Leuven, Heverlee

1987-1993 Research assistant, FWO Flanders and KU Leuven
1993-1994 Research Fellow, Univ. of California at Berkeley
1994-1999 Postdoctoral Fellow, FWO Flanders and KU Leuven
1999-2000 Research Associate FWO Flanders
1997-2000 part-time Assistant Professor, KU Leuven
2000-2003 Associate Professor, KU Leuven
2003-2006 Professor KU Leuven
since 2006 Full Professor, KU Leuven
2005-2010 Scientific Advisor, Philips Research
1997-2015 Visiting Professor at University of Ghent (Belgium), University of Bergen (Norway), Graz University of Technology (Austria), RU Bochum (Germany), DTU (Denmark)

Dipl.-Ing. Dr. techn. A Min TJOA

Head, Institute for Software Technology and Interactive Systems, Vienna University of Technology, Vienna

1979 Doctorate in Informatics, Johannes Kepler University Linz, Austria
1982 Associate Professor for Information Systems at the University of Vienna
1988-1994 Full Professor for Wirtschaftsinformatik (Business Informatics) at the University of Vienna
since 1994 Full Professor at TU Wien (Vienna University of Technology)
1999-2003 President of the Austrian Computer Society
2000-2003 Head of the Austrian National Interuniversity Institute for Information Systems for the Visually Impaired (I3S3)
since 2004 Member of the Senate of the Christian Doppler Research Association
since 2006 Chairman of the COMET Austrian Competence Center for Excellent Technologies Secure Business Austria (SBA)
since 2008 Head of the Austrian Delegation to the United Nations Commission on Science and Technology for Development (CSTD)
since 2010 Vice-President of Infoterm (International Information Center for Terminology)
since 2011 Chairman of the IFIP Working Group Enterprise Information Systems
since 2013 Executive Committee member and Honorary Secretary of the International Federation for Information Processing (IFIP)
2013-2014 President of ASEA-UNINET (ASEAN-European University Network)
2015-2017 Vice-Chairman of the United Nations Commission for Science and Technology for Development (UN-CSTD)


Research Director, SBA Research; Associate Professor, Institute of Information Systems Engineering, Vienna University of Technology, Vienna

2000-2001 Assistant Professor, Beloit College, Beloit, WI
2002-2004 Project Manager, ISIS Papyrus, Frankfurt; New York
2004-2006 Assistant Professor, Vienna University of Technology, Vienna
since 2009 Non-tenured Associate Professor, Vienna University of Technology, Vienna
since 2006 Research Director, SBA Research, Vienna

Technology Symposium



13:00 - 13:10 Opening (Plenary)
13:10 - 14:15 RTI Talk (Plenary)
14:30 - 14:50 From Austria to Silicon Valley - Cyber Security as a Global Factor (Plenary)
14:50 - 16:10 Cybernetics in Advanced Energy and Production Systems (Plenary)
16:30 - 17:45 Complexity and the New Enlightenment (Plenary)
20:00 - 20:15 Best of Art and Science (Culture)
20:15 - 21:15 Tickets to Berlin: Falling Walls Lab Austria and Alpbach Summer School on Entrepreneurship (Plenary)
21:30 - 23:00 Career Lounge (Social)
21:30 - 23:30 Evening Reception (Social)


09:00 - 10:30 Digital Medicine (Plenary)
09:00 - 18:00 Junior Alpbach - Science and Technology for Young People (Breakout)
09:00 - 15:00 Ö1 Children's University Alpbach - Science and Technology for Kids (Breakout)
10:30 - 12:30 Cross-sectoral Cooperation between Clusters (Partner)
11:00 - 12:30 Personalized Cancer Medicine (Plenary)
12:30 - 13:00 Lunch Snacks for the Participants of the Breakout Sessions (Social)
13:00 - 18:00 Breakout Session 01: Innovation by Making: Paradigm Shifts and New Innovation Cultures (Breakout)
13:00 - 18:00 Breakout Session 02: Silicon Austria: A Game Changer for Austria as a High-Tech Location? (Breakout)
13:00 - 18:00 Breakout Session 03: Creating the Future: How to Reinvent Innovation Processes (Breakout)
13:00 - 18:00 Breakout Session 04: The Cycle of Innovation and its Ecology (Breakout)
13:00 - 18:00 Breakout Session 05: Heavy Impact of Lightweight Design (Breakout)
13:00 - 18:00 Breakout Session 06: Looking Into the Unknown and Shifting Horizons (Breakout)
13:00 - 18:00 Breakout Session 07: Radical Innovations: More Courage to Take Risks (Breakout)
13:00 - 18:00 Breakout Session 08: The Acceptance of Technologies by Pupils with Migration History - a Plea for Transcultural Competence as New Enlightenment (Breakout)
13:00 - 18:00 Breakout Session 09: Cyber Security: A Fundamental Right (Breakout)
13:00 - 18:00 Breakout Session 10: Open Access & Open Innovation - Tools for a New Enlightenment? (Breakout)
13:00 - 18:00 Breakout Session 11: Realities and Futures of Robotics (Breakout)
13:00 - 18:00 Breakout Session 12: Energiewende - Empowering Consumers (Breakout)
13:00 - 18:00 Breakout Session 13: Security of Supply as a Locational Factor (Breakout)
19:00 - 20:30 Innovation Marathon: Ideas Made to Order - 24 Hours Nonstop (Plenary)


09:00 - 10:30 Art Meets Science and Technology - Towards a New Enlightenment (Plenary)
10:45 - 11:45 Open Innovation: New Enlightenment? Participation - Democratisation - New Solutions (Plenary)
12:15 - 13:30 ETH Zurich, this Year's Special Guest at the Technology Symposium (Plenary)
13:30 - 14:00 Snack Reception (Social)