On June 21, I will be hosting a workshop titled “Identity in Conflict” at Identiverse.
- Tuesday, June 21, 11:30 am – 12:20 pm MDT
- In times of instability and uncertainty, the reliability and trustworthiness of our identity systems become especially important. This workshop examines two areas in particular—identity management for displaced people, and the protection of government identity systems—and seeks to establish some ground rules to ensure that critical identity systems are robust and fit for purpose.
This session was realised after I proposed it to the organisers in response to the Ukrainian invasion that began on 24 February this year. I can only thank the organisers for squeezing it into a programme that was already full.
The challenges of identity in conflict can be broadly divided into two main categories:
- Identity Management of the displaced people
  - how to provide aid and other services (e.g. banking) to them
  - how to protect the displaced and the people surrounding them from targeted misinformation
- Identity Management of the government systems
  - how to fight off enemy attacks and protect their systems
  - continuity strategy
Identity Management of the displaced people
Topic #1 alone spans many aspects of identity management. For example,
- Identity proofing of displaced people.
  - Core identity attributes;
  - Information needed to establish necessary accounts (e.g., bank, phone, electricity, house) at the new locations
  - Qualifications that are useful to re-establish their living in the new location (e.g., degree, diploma, etc.)
- Targeted attacks towards vulnerable populations (by filtering them using collected/observed attributes)
  - Targeted Mis/Dis-information
    - This can happen both to the displaced people as well as the people in the area accepting the former.
  - Other Targeted Attacks
  - Targeted Mis/Dis-information
- Attacks against aid agencies
  - Getting aid by misrepresentation/masquerading
  - Infiltrating as a refugee
- Scenarios to be taken into account:
  - Refugees at supporter’s homes
  - Refugee camps
  - Oppressed or “forgotten” population within a country
are just some of them.
Identity Management of the government systems
Then topic #2 is another huge subject.
Since the invasion started, we have seen a 3000% increase in phishing attacks against the Ukrainian Government. In response, Yubico sent 20,000 YubiKeys, but that is not the end of the story. Many systems only accept smartcards with the GOST (Russian version of NIST) algorithm. This, combined with information from certain sources that almost all government systems have already been hacked, gives a lot to think about.
In this workshop, we are lucky to have someone fighting against aggression flying in from Ukraine. As such, I will devote most of the 50 minutes to topic #2 and will only mention the issues around #1 at the beginning, hoping that we can continue the discussion throughout the conference and after.
If you are going to be at Identiverse 2022, please join the session.
Unfortunately, Oleg did not get permission to leave Ukraine, so he could not come, but John Bradley from Yubico filled in.
The slides I used are here: Identiverse_2022_Identity-in-Conflict
Some of the comments heard during the discussions:
- Ukraine has seen a sharp rise in cyber attacks right after the invasion started. It included a lot of phishing attacks. Not many were very sophisticated though. Cybercriminals stayed out of the conflict.
- Yubico sent them 30,000 units of YubiKeys. However, there has been a deployment challenge as the documentation was not in English. People under stress have little capability to cope with technical documentation written in a foreign language. This language problem is not unique to YubiKeys but is there for most of the aid. A “localization” project is going on. Note that this is not only about the simple translation of language. Many concepts do not translate directly due to language construct, cultural background, etc. (Implications for us, the spec writers: take internationalization into account from the beginning. Do not assume “capital letters”, “alphabetic orders”, etc. ISO Directive Part 2 is good guidance for this.)
- Despite the slow deployment of YubiKeys, the phishing attacks were largely thwarted. This was due to the protection provided through Microsoft’s services.
- Economic sanctions against Russia are working. The equipment (software and hardware) being used to attack Ukraine is old and has limited capabilities. This is helping Ukraine.
- Life is going on “as usual” as much as it can in the areas that are not under direct attack by Russians. Citizens can do most of the government-related things with the DIIA app. Folks are fixing the fibre and cable that were cut by Russian bombs and striving to make it possible. The civilians who are working on fixing them are falling victim to bombing etc. as well.
- It was observed that under this kind of stress, people lose the mental ability to remember passwords. People are resetting passwords every day. The same will probably happen on other stressful occasions like natural disasters, so apps to be used in such circumstances should seriously consider a passwordless system.
- Systems engineers are getting jobs from all over the world. So, they can go on. It is not the case in other professions like designing, etc. (at least around Yuri.) Providing jobs in these areas would help them.
- Hideez, a war company helping the Ukrainian public sector free of charge, needs funding. The funding is drying up. Any aid in the form of funding is appreciated.
- There is now a dedicated site for this activity: Helping to defend Ukraine cyberspace. Please look at it for further information. The site will be updated from time to time.