Welcome to the ITU studio in Geneva. We're very pleased to be joined today by Kevin Butler, who is from the University of Florida, and he's also part of the security work stream for the FIGI Security, Infrastructure and Trust Working Group. Kevin, welcome to the studio.

Thank you very much.

Now, thanks for joining us here. We're now looking at a FIGI security clinic, which is what's happening in the next few days, and you're here as part of the FIGI Security, Infrastructure and Trust Working Group, which has developed a security assurance framework for DFS, or digital financial services, providers. I wanted to ask you, what's the main objective of the security assurance framework? Perhaps you can tell us a little bit about it. And why is it needed?

Absolutely, sure. So the security assurance framework is designed to be used by various stakeholders throughout the digital financial services ecosystem. This is everybody from customers to mobile network operators to DFS providers to even third-party providers who interface with the financial system. So really understanding what the ecosystem looks like and, importantly, what are the security threats and the vulnerabilities that are faced by each of those individual stakeholders within the entire ecosystem. Now, the goal of the document was to go into some detail in terms of what those threats, risks and vulnerabilities are, and to provide tangible ways in which each of those stakeholders can provide controls or mitigations for each of these threats and vulnerabilities. So without being overly prescriptive, we wanted to really capture
what are the fundamental issues that were at play, and have a document that would provide some tangible means by which these issues could be dealt with.

Can you let us into a couple of those?

Sure. So as an example, we structured the document largely around the types of threats that the ecosystem faces, things like hijacking of accounts by adversaries or threats from insiders to the system. So we would look at those threats from the perspective of a variety of stakeholders, whoever would be most affected by those particular threats, categorizing the vulnerabilities that will lead to those threats in terms of the ITU X.805 security variables, and we would provide some specific instances of what you could do specifically based on a threat. So for example, when it comes to the insider threat, things like robust access control and authentication measures and logging and audit, all of those are important, and so depending on who you are in the ecosystem, the controls that we would suggest would be different. So it's meant to be something that would be immediately useful to a regulator or to an MNO, or mobile network operator, who is looking to deploy or maintain a DFS service.

What about the stakeholders on the other side of the coin? What about the users? What should they be worried about most?

Sure.
So that's a great question, because really the viability of DFS relies on the confidence of users, and so it's really important for users to understand what are the security risks that they face, so that they can be confident that their data is being handled securely. So there are a number of things that can be done for users in terms of how the applications themselves are structured, the security practices being used there, and things that MNOs can do, and DFS providers, to assure that users are using the safest infrastructure for conducting DFS transactions.

So not going through unsecure networks and that kind of thing?

Exactly, yes. So the way that you access the network, the quality of the security that's used to set up your communications between the user and their mobile device and the DFS provider, ensuring that the device itself hasn't been loaded with malware, is a high-integrity device, those sorts of things that a provider can do to make sure that their customers are safe.

One of my applications, what's one of the best practices for application security that's being recommended by the FIGI Security, Infrastructure and Trust Working Group?

Right. We developed a template for application security best practices, and we go into a little more technical detail in terms of what an application provider can do. So part of those involve the way in which data is encrypted and the way in which integrity is performed, and we suggest specific algorithms based on best practices that are recommended by regulators and used in industry.
We recommend how information should be stored, how to use specific existing and emerging capabilities on mobile devices, which are broadly increasing in terms of the capabilities that they offer, including the types of security that they can provide, things like trusted hardware, trusted execution, using those types of mechanisms to ensure that data is safe, as well as best practices around information handling.

I was going to say, are digital financial services providers becoming more savvy in the way that they are able to protect themselves against vulnerable parts of their systems?

I think that there is a recognition that DFS is a uniquely challenging type of data because of the fact that we're dealing with money, and so much trust relies on the safe handling of that data that it's really in everybody's best interest, from the DFS provider to the application developer through the mobile provider, to really provide the most secure experience in order to keep the usability and the security of the system high for users. So I think that that message is becoming increasingly clear.

And what about regulators? What role should regulators play in ensuring the security of digital financial services?

That's a great question. I think that regulators certainly have a role to play. I would, I think that the industry does. There are a number of ways in which the regulators can interface with industry. There's industry bodies, there's mobile network operators. I think it's a good idea for regulators to know what's going on in their ecosystem and to work in concert with the various providers to effectively assure security for the end users and for the system as a whole.

And finally, what's your feeling about the digital financial services in terms of safety and security? Do you think that we're going to get to a stage where people will be able to trust
their digital financial service providers implicitly?

Right. Well, I'm a security person, so I'm always looking for ways in which things can be, what weaknesses are, but I think that the types of technologies that we have that are available, the way that smartphones, for example, have become more secure, in the way that networks are shaping, provides me with hope that we can create a system that is secure and that users can use with confidence. I think if the best practices that we suggest in the security framework are deployed, then we will go a long way towards ensuring a safer ecosystem.

Okay, so not infallible, but relatively watertight?

I think that we can definitely do. I'll never say never, because that's the nature of, you don't know what the threats are. And that's actually a great point, that the framework itself is designed to be a living document. It's not designed to be set in stone, that these are the regulations, because the technologies are changing, the types of attacks are changing, and so knowing what is sort of state-of-the-art in terms of attacks, in terms of vulnerabilities, in terms of the technologies, is important to ensuring the best experience. We anticipate going back and revising such a document, and that regulators would use some of the principles and adapt them to their particular environments. But we think that we've got a great basis for ensuring a safer ecosystem based on that.

Well, thank you for joining us in the studio, and of course at the FIGI security clinic, which I'm sure will benefit very much from your valuable insights and everything that you've learned over the last few years. And thank you again, and hopefully we'll catch up with you again at some stage in the near future.

Well, thank you very much. I really appreciate the opportunity to talk with you.

Kevin Butler, thanks a lot.