Dr. Detlef Eckert DG Information Society and Media European Commission Information Security 23 September 2008 SecureComm 2008, Istanbul
Despite security problems the Internet has been growing dramatically Of course, we security guys have done our best
A step back For a long time information security was mainly about “keeping a secret” –Today we speak of “confidentiality” It was all about making and breaking code –Today we speak of “cryptography” Information also needed to be accessible –Today we speak of “availability of service” Assurance that information was authentic (unchanged) –Today we speak of “integrity” Who was behind that information –In other words the identity of someone or something is the information we want to authenticate –Today we speak of “identity” or “identity management”
How did we solve it? Paperless world –Use your imagination or better not Paper world –Cryptography, signature, making copies, lockers Telegraph and Telephone world –Physical access control, network integrity, telephone number,, Radio communication world –Cryptography, telephone number,, network integrity What about the digital world?
Security in the digital world is trickier Computer communication virtualises the real world –Crashing a computer can mean losing the information equivalent to a library, but you may have a copy Computers and the Internet are more complex than traditional communication means Internet is not a centrally managed network –Not designed with security in mind –Much responsibility is pushed to the edge –And in the edge there are millions of users, most of them do not understand much of a computer –Nevertheless people want freedom (and they love to click on the “dancing pigs” link) => Security is becoming complex => This is why you guys have a job
What were our early headaches? The encryption debate –National security concerns –Export control Viruses and worms –A blow to Microsoft Hacking –Prominent targets Keeping pace with patches –Patches were of poor quality SPAM –Costly and dangerous
How did we tackle them? People deployed security technologies (FW, AV, ID, …) SSL added a security layer to the Web –Arguably the widest deployed cryptographic solution Vendors wrote better code Export controls abandoned Changed user behaviour (somewhat) –Partly enforced through secure configuration Digital signatures (laws) –Have not really taken off yet
Information security costs a lot of money (spent that nothing happens) … you cannot protect everything, so I will make my money
Extrapolation of threats not really useful courtesy
The picture is more complex Cloud computing lets Feds read your Phorm to use BT customers to test precision advertising system on net La colère associative monte contre Edvige, le fichier policier de données personnelles Web giants spark privacy concerns Big Brother tightens his grip on the web YouTube case opens can of worms on online privacy Grosse faille du web, et solution en chemin Revealed: 8 million victims in the world's biggest cyber heist Phishing attacks soar in the UK Cyberwar and real war collide in Georgia Internet security Code red The Evolution of Cyber Espionage Lessons from SocGen: Internal Threats need to become a security priority Six more data discs 'are missing' Big Brother Spying on Americans' Internet Data? UK's Revenue and Customs loses 25 million customer records Identity theft, pornography, corporate blackmail in the web's underworld, business is booming Defenseless on the Net Internet wiretapping Bugging the cloud Privacy Trust Security Number one threat is stolen or lost computer equipment (notably laptops) Slowly people begin to realise that protecting data will be the battleground
We can see some patterns Closed doors, physical isolation Security as protection, perimeters Defending data and systems Avoid data use Open, complex, interconnected Trust and accountability Sharing data: creativity and innovation Regulated data use (privacy, identity) From the ‘walled fortress’ To the ‘open metropolis’
We do not really know what is ahead of us Maybe, but all I want is to stay ahead of you
Three major prerequisites for trust: Looking for scalable and usable solutions Data protection and control –Remember? The old problem of secrecy –Today data flow in all directions –Privacy enforcement Identity layer for the Internet –How to scale authentication methods, e.g. PKI? Security fabricated in systems, service architectures, and networks –Less a matter of security products, more part of the architecture –Attention to the weakest link (today less the OS but the application), end to end security –Reduce the role of the user, but sound security policies to be implemented by professionals
Where are we? The market will decide about technologies and business models –Security is not absolute and costs money –No central decision making, distributed solutions Pre-competitive industry co-operation –Ex: Liberty Alliance, AntiPhishingWG, … Regulation and Policy –Privacy law –Fighting cyber crime –Network security provisions We also need research
Research Focus: security and dependability challenges arising from complexity, ubiquity and autonomy resilience, self-healing, mobility, dynamic content and volatile environments Multi-modal and secure application of Biometrics Identification, authentication, privacy, Trusted Computing, digital asset management Trust in the net: malware, viruses, cyber crime Budget ~ 145 M€ FP6: Towards a global dependability & security Framework ( )
Coordination Actions Research roadmaps, metrics and benchmarks, international cooperation, coordination activities 4 Projects: 3.3 m€ Network infrastructures 4 Projects 11 m€ Dynamic, reconfigurable service architectures 4 Projects 18 m€ Identity management, privacy, trust policies 4 Projects 22.5 m€ 6 Projects: 22 m€ Enabling technologies for trustworthy infrastructures Biometrics, trusted computing, cryptography, secure SW 3 Projects 9.8 m€ 1 Project 9.4 m€ 9 Projects: 20 m€ Critical Infrastructure Protection 110 M€ ICT Work Programme new FP7 projects in Security & Trust
Main R&D project priorities INTERSECTION An integrated security framework and tools for the security and resilience of heterogeneous networks (INTERSECTION) Awissenet A networking protocol stack for security and resilience across ad-hoc PANs & WSNs (Awissenet) GEMOM A message-oriented MW platform for increasing resilience of information systems (GEMOM) WOMBAT Data gathering and analysis for understanding and preventing cyber threats (WOMBAT) Security in network infrastructures: 4 projects, 11 m€ EC funding
Main R&D project priorities IPMASTER Assuring the security level and regulatory compliance of SOAs handling business processes (IP MASTER) AVANTSSAR Platform for formal specification and automated validation of trust and security of SOAs (AVANTSSAR) Consequence Data-centric information protection framework based on data-sharing agreements (Consequence) SECURE-SCM Crypto techniques in the computing of optimised multi-party supply chains without revealing individual confidential private data to the other parties (SECURE-SCM) Security in service infrastructures: 4 projects, 18 m€ EC funding Personalised Services
Main R&D project priorities Trusted ComputingIP TECOM Trusted Computing IP TECOM trusted embedded systems: HW platforms with integrated trust components CryptographyNoE eCrypt II Cryptography NoE eCrypt II Multi-modal Biometrics MOBIO multi-biometric authentication (based on face and voice) for mobile devices (MOBIO) ACTIBIO activity related and soft biometrics technologies for supporting continuous authentication and monitoring of users in ambient environments (ACTIBIO) Secure SW implementation SHIELDS providing SW developers with the means to prevent occurrences of known vulnerabilities when building software (SHIELDS) CACE A toolbox for cryptographic software engineering (CACE) Security enabling Technologies 6 projects, 22 m€ EC funding
Timetable for Work Programme NovPresentation in ICT Conference in Lyon (FR) ~ Apr 09Closure Call 4 ~ Oct 09Closure Call 5 (Trustworthy ICT) ~ Febr 10Closure Call 6 Becoming an expert?
Trustworthy Information Society? End-Users & the Society Policy & Regulation Technology & Innovation Security, Privacy, Trust in the Information Society Global ICT - national “frontiers” “Economics of security” “Economics of security” Policies for privacy-respecting T&I? Policies for privacy-respecting T&I? Complexity, ease of use Role of end-users Society-protecting business models Protection of human values Protection of human values Transparency, accountability Transparency, accountability Auditing and Law enforcement Auditing and Law enforcement
Thank you!