1. Dr. Detlef Eckert DG Information Society and Media European Commission Information Security 23 September 2008 SecureComm 2008, Istanbul

2. Despite security problems the Internet has been growing dramatically Of course, we security guys have done our best

3. A step back  For a long time information security was mainly about “keeping a secret” –Today we speak of “confidentiality”  It was all about making and breaking code –Today we speak of “cryptography”  Information also needed to be accessible –Today we speak of “availability of service”  Assurance that information was authentic (unchanged) –Today we speak of “integrity”  Who was behind that information –In other words the identity of someone or something is the information we want to authenticate –Today we speak of “identity” or “identity management”

4. How did we solve it?  Paperless world –Use your imagination or better not  Paper world –Cryptography, signature, making copies, lockers  Telegraph and Telephone world –Physical access control, network integrity, telephone number,,  Radio communication world –Cryptography, telephone number,, network integrity  What about the digital world?

5. Security in the digital world is trickier  Computer communication virtualises the real world –Crashing a computer can mean losing the information equivalent to a library, but you may have a copy  Computers and the Internet are more complex than traditional communication means  Internet is not a centrally managed network –Not designed with security in mind –Much responsibility is pushed to the edge –And in the edge there are millions of users, most of them do not understand much of a computer –Nevertheless people want freedom (and they love to click on the “dancing pigs” link)  => Security is becoming complex  => This is why you guys have a job

6. What were our early headaches?  The encryption debate –National security concerns –Export control  Viruses and worms –A blow to Microsoft  Hacking –Prominent targets  Keeping pace with patches –Patches were of poor quality  SPAM –Costly and dangerous

7. How did we tackle them?  People deployed security technologies (FW, AV, ID, …)  SSL added a security layer to the Web –Arguably the widest deployed cryptographic solution  Vendors wrote better code  Export controls abandoned  Changed user behaviour (somewhat) –Partly enforced through secure configuration  Digital signatures (laws) –Have not really taken off yet

8. Information security costs a lot of money (spent that nothing happens) … you cannot protect everything, so I will make my money

9. Extrapolation of threats not really useful courtesy

10. The picture is more complex Cloud computing lets Feds read your email Phorm to use BT customers to test precision advertising system on net La colère associative monte contre Edvige, le fichier policier de données personnelles Web giants spark privacy concerns Big Brother tightens his grip on the web YouTube case opens can of worms on online privacy Grosse faille du web, et solution en chemin Revealed: 8 million victims in the world's biggest cyber heist Phishing attacks soar in the UK Cyberwar and real war collide in Georgia Internet security Code red The Evolution of Cyber Espionage Lessons from SocGen: Internal Threats need to become a security priority Six more data discs 'are missing' Big Brother Spying on Americans' Internet Data? UK's Revenue and Customs loses 25 million customer records Identity theft, pornography, corporate blackmail in the web's underworld, business is booming Defenseless on the Net Internet wiretapping Bugging the cloud Privacy Trust Security Number one threat is stolen or lost computer equipment (notably laptops) Slowly people begin to realise that protecting data will be the battleground

11. We can see some patterns Closed doors, physical isolation Security as protection, perimeters Defending data and systems Avoid data use Open, complex, interconnected Trust and accountability Sharing data: creativity and innovation Regulated data use (privacy, identity) From the ‘walled fortress’ To the ‘open metropolis’

12. We do not really know what is ahead of us Maybe, but all I want is to stay ahead of you

13. Three major prerequisites for trust: Looking for scalable and usable solutions  Data protection and control –Remember? The old problem of secrecy –Today data flow in all directions –Privacy enforcement  Identity layer for the Internet –How to scale authentication methods, e.g. PKI?  Security fabricated in systems, service architectures, and networks –Less a matter of security products, more part of the architecture –Attention to the weakest link (today less the OS but the application), end to end security –Reduce the role of the user, but sound security policies to be implemented by professionals

14. Where are we?  The market will decide about technologies and business models –Security is not absolute and costs money –No central decision making, distributed solutions  Pre-competitive industry co-operation –Ex: Liberty Alliance, AntiPhishingWG, …  Regulation and Policy –Privacy law –Fighting cyber crime –Network security provisions  We also need research

15. Research Focus:  security and dependability challenges arising from complexity, ubiquity and autonomy  resilience, self-healing, mobility, dynamic content and volatile environments  Multi-modal and secure application of Biometrics  Identification, authentication, privacy, Trusted Computing, digital asset management  Trust in the net: malware, viruses, cyber crime Budget ~ 145 M€ FP6: Towards a global dependability & security Framework (2003-2006)

16. Coordination Actions Research roadmaps, metrics and benchmarks, international cooperation, coordination activities 4 Projects: 3.3 m€ Network infrastructures 4 Projects 11 m€ Dynamic, reconfigurable service architectures 4 Projects 18 m€ Identity management, privacy, trust policies 4 Projects 22.5 m€ 6 Projects: 22 m€ Enabling technologies for trustworthy infrastructures Biometrics, trusted computing, cryptography, secure SW 3 Projects 9.8 m€ 1 Project 9.4 m€ 9 Projects: 20 m€ Critical Infrastructure Protection 110 M€ ICT Work Programme 2007-08 33 new FP7 projects in Security & Trust

17. Main R&D project priorities INTERSECTION  An integrated security framework and tools for the security and resilience of heterogeneous networks (INTERSECTION) Awissenet  A networking protocol stack for security and resilience across ad-hoc PANs & WSNs (Awissenet) GEMOM  A message-oriented MW platform for increasing resilience of information systems (GEMOM) WOMBAT  Data gathering and analysis for understanding and preventing cyber threats (WOMBAT) Security in network infrastructures: 4 projects, 11 m€ EC funding

18. Main R&D project priorities IPMASTER  Assuring the security level and regulatory compliance of SOAs handling business processes (IP MASTER) AVANTSSAR  Platform for formal specification and automated validation of trust and security of SOAs (AVANTSSAR) Consequence  Data-centric information protection framework based on data-sharing agreements (Consequence) SECURE-SCM  Crypto techniques in the computing of optimised multi-party supply chains without revealing individual confidential private data to the other parties (SECURE-SCM) Security in service infrastructures: 4 projects, 18 m€ EC funding Personalised Services

19. Main R&D project priorities  Trusted ComputingIP TECOM  Trusted Computing  IP TECOM  trusted embedded systems: HW platforms with integrated trust components  CryptographyNoE eCrypt II  Cryptography  NoE eCrypt II  Multi-modal Biometrics MOBIO  multi-biometric authentication (based on face and voice) for mobile devices (MOBIO) ACTIBIO  activity related and soft biometrics technologies for supporting continuous authentication and monitoring of users in ambient environments (ACTIBIO)  Secure SW implementation SHIELDS  providing SW developers with the means to prevent occurrences of known vulnerabilities when building software (SHIELDS) CACE  A toolbox for cryptographic software engineering (CACE) Security enabling Technologies 6 projects, 22 m€ EC funding

20. Timetable for Work Programme 09-10 25-27 NovPresentation in ICT Conference in Lyon (FR) ~ Apr 09Closure Call 4 ~ Oct 09Closure Call 5 (Trustworthy ICT) ~ Febr 10Closure Call 6 Becoming an expert? https://cordis.europa.eu/emmfp7/ http://cordis.europa.eu/fp7/ict/security/home_en.html

21. Trustworthy Information Society? End-Users & the Society Policy & Regulation Technology & Innovation Security, Privacy, Trust in the Information Society Global ICT - national “frontiers” “Economics of security” “Economics of security” Policies for privacy-respecting T&I? Policies for privacy-respecting T&I? Complexity, ease of use Role of end-users Society-protecting business models Protection of human values Protection of human values Transparency, accountability Transparency, accountability Auditing and Law enforcement Auditing and Law enforcement

22. Thank you!