🚨NEW REPORT🚨 In "User in the Middle: An Interoperability and Security Guide for Policymakers," CSI’s Maia Hamin & Alphaeus Hanson examine how interoperability and security intersect in digital tech, scrutinizing common arguments and mapping key concepts. https://lnkd.in/e-7FFydr
First off — what is interoperability anyway? The IEEE defines it as "the ability of two or more systems or components to exchange information and to use the information that has been exchanged." Interoperability can be both vertical (up and down the stack – think software running on hardware) and horizontal (across it – think data sharing between applications). Technologies take different paths to interoperability, from intentional design, to coalescing on common standards, to adversarial interoperability or policy intervention. The paper discusses examples ranging from the internet and telecommunications to document file formats and banking data.
But what does this all mean for security?
For one, different companies have in the past used security arguments to push back against opening their systems to interoperation. Interoperability does have real interactions with security: it often means developing a trust relationship with another party, whether by granting them access to user data or by allowing them to manage security-relevant functions. Managing trust is a core requirement in information security, so this doesn’t mean that interoperability cannot be done securely — but it does mean that interoperability requirements should be paired with technical and organizational protections. Then there are core security primitives like encryption and identity, which are key building blocks of secure, interoperable systems and are important (and not always trivial) to get right.
Throughout these security interactions, the paper emphasizes, the key north star for policy should be user choice. Companies should be empowering users to make informed choices about their security decisions, rather than foreclosing users’ choices in the name of security. The paper concludes with recommendations for policy including empowering agencies to take up interoperability issues, using procurement to advance adoption of secure interoperable tech, enshrining data rights, and investing in technical infrastructure and standards development.
Read all about it here and then let us know what you think – interoperability is a complex and important issue, and we really want to feed the fires of the policy conversation here.