1 / 30

Europe's Response to eSecurity Challenges: Vision 2015 & Big Challenges

Explore how Europe is tackling new eSecurity challenges in a changing digital landscape. This conference discusses vision, challenges, and solutions for eliminating attacks, ensuring trustworthy societal applications, and implementing quantitative risk management.

kathydawson
Download Presentation

Europe's Response to eSecurity Challenges: Vision 2015 & Big Challenges

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ISSS / LORIS 2004 Conference Gerald.Santucci@cec.eu.int ISSS / LORIS 2004 eSecurity: How is Europe Facing the New Challenges?

  2. Agenda • ICT in the Future • Two Alternate Futures • e-Security: Vision 2015 • e-Security 2015: Four Big Challenges • Elimination of Epidemic-style Attacks • Trustworthy Societal Applications • Quantitative Risk Management • Security and Privacy • Trust and Security in FP6 IST - Call 1 Year 2003 • MEDSI • FIDIS • SECOQC • Conclusions

  3. ICT in the Future • Smaller, cheaper, embedded computing • Ubiquitous computing, ubiquitous communication, intelligent interfaces (Ambient Intelligence) • Global reach and global participation • Growing volumes of data • Growing population of user-centric services • Internet commerce • eGovernment • On-demand services • Telework • Individualised entertainment

  4. Overwhelming unsolicited, junk emails Rampant ID theft Frequent network outages Frequent manual intervention Largely unchecked abuses of laws and rights No ‘spam’ or viruses User-controlled privacy Uninterrupted communications Hassle-Free computing Balanced regulation and law-enforcement Two Alternate Futures

  5. e-Security: Vision 2015 • Intuitive, controllable computing • Reliable and predictable • Supports a range of reasonable policies • Adapts to changing environment • Enables rather than constrains • Supports personal privacy choices • Security not as an afterthought, but as an integral property

  6. e-Security 2015: Four Big Challenges • Eliminate epidemic-style attacks within the next decade • Develop tools and principles that enable development of large-scale systems for highly trustworthy societal applications • Quantitative risk management of information-systems • An Ambient Intelligence Space that gives end-users security they can understand and privacy they can control

  7. Elimination of Epidemic-style Attacks (1) • Viruses and worms • ‘SPAM’ • Denial of Service attacks (DOS)

  8. Elimination of Epidemic-style Attacks (2) • Epidemic-style attacks can be fast • Price of entry is low for adversaries • Unpredictable attack techniques and sources • Polymorphic worms and viruses • Anonymous attackers • No organised active defence • Poor visibility into global Internet operations • No emergency global control

  9. Elimination of Epidemic-style Attacks (3) • Cost of attacks are tremendous • Costs to enterprise operations • Decreased productivity • Loss of confidence in information infrastructure • Internet is being used today for critical infrastructure • Hospitals, ATM networks, utilities, Air Traffic Control • Eliminating malicious software will: • Support emerging applications in areas of general interest (e.g. telemedicine) • Increase trust and confidence

  10. Elimination of Epidemic-style Attacks (4) • Nobody ‘owns’ the problem • Finger-pointing among developers, network operators, system administrators, and users • Lack of Internet-scale data • Lack of Internet-sized testbeds • Lack of legislative support • Conflicting economic interests

  11. Elimination of Epidemic-style Attacks (5) No more: • Internet worms • Internet-wide service interruptions • Massive spam attacks against ISPs, email providers, and businesses Internet protection: • Supplied standard on all new computers, routers, large & small appliances • A mitigation strategy is available for existing infrastructure

  12. Trustworthy Societal Applications (1) • Patient medical record databases • Fully supported electronic elections • Law enforcement databases, ...

  13. Trustworthy Societal Applications (2) • Ambient intelligence pervades all aspects of society • Systems are being built and deployed now that may not be fully trustworthy • Critical applications must be trustworthy

  14. Trustworthy Societal Applications (3) • Reconciling various legal regimes with technological capabilities • Provision with acceptable cost • Achieving balance of privacy with security in record-keeping • Integration/replacement of legacy applications having lesser (or no) protections

  15. Trustworthy Societal Applications (4) • e.g., create online medical databases that survive severe disasters and attacks without human intervention • Confidentiality: no authorised disclosure of records • Integrity: no unauthorised alteration of records • Auditability: record all attempts to access online info • Availability: maximum downtime less that 2 minutes per day, and an average of less that 5 minutes per month • Accessible globally

  16. Quantitative Risk Management (1) • There is no sound and efficient management without measure: if you don’t have a measure, either you under-protect or you over-spend • What you measure is what you get • Measuring the wrong thing is as bad or worse as not measuring anything at all • The measures ultimately need to be consistent, unbiased, and unambiguous

  17. Quantitative Risk Management (2) • Getting the model right, picking the right measures, gathering the right data • No one wants to be first to disclose information • Data sharing and common terminology are required • Legal, cultural, business, and scientific issues • The “I don’t want to know” mentality

  18. Quantitative Risk Management (3) • Ability to predict outcomes • Ability to ‘titrate’ – choosing our point on the cost vs. risk curve • Businesses and governments can take more risk and gain more reward • Ability to communicate across the boundaries of shareholders, suppliers, regulators, the market… • Risk transfer for information security can achieve liquidity

  19. Security and Privacy (1) • Technology can easily outrun comprehensibility • Security implementation must not make this worse • End-user should not lose control of his/her information, privacy, location

  20. Security and Privacy (2) • The looming future • Instant access to information • Exploiting the benefits of ICT everywhere • Convenience, safety, empowerment • Why a challenge for this community? • Avoid the high pain of leaving these concerns for later • Product-makers should not be the only stakeholders in the design process • Threats to privacy are a critical concern • Multicultural issues

  21. Security and Privacy (3) • It’s important to get in at the beginning • The Internet experience informs us: • It’s also a social system, not simply a technology • Once we give up privacy or security, we may not be able to regain it • Important to assert a leadership role while we can

  22. Security and Privacy (4) • User needs are much broader than traditional security models • Dynamic environments and device heterogeneity are challenging • Multiple competing stakeholders • Difficulty to make things usable • Real-life user security requirements and policies are hard to express in terms of current mechanisms

  23. Security and Privacy (5) • Societal acceptance • Does the user feel in control of this world she now lives in? • Has the user in fact lost control of his information, his privacy? • Emergence of a ubiquitous cyber space that is: • Simple and easy to use • Dependable, reliable • Trustworthy • Not overly intrusive

  24. IST in FP6 - Call 1 Year 2003 • CZ Participation in Proposals • 12 participations (out of 1127, i.e. 1.06%) • No co-ordination (PL 2, BG & HU 1) • CZ Participation in Projects • MEDSI (STREP) 2 • FIDIS (NoE) 1 • SECOQC (IP) 1

  25. MEDSI “Management Decision Support for Critical Infrastructures” 18 months - 11 participants • Rationale • Asymmetric threats ==> it is necessary to provide a new open framework for data sources fusion and interpretation • Objectives • An innovative system providing an integrated set of services to crisis managers and planners in order to protect critical infrastructures • Main innovations • A tool to define and manage crisis scenarios for CIP • A scalable system inter-operating with other existing or under development systems ==> huge quantities of information accessible • A new concept of GIS and simulation integration • Czech Contractors • T-SOFT spol. s.r.o. (crisis management) • GISAT s.r.o. (remote sensing and geoinformation service)

  26. FIDIS “The Future of Identity in the Information Society” 60 months - 24 participants • Rationale • New concepts of identity emerge with the development of e-Society, e.g. multiple identity, pseudonymity, anonymity • At the same time, needs for identification and authentication are growing, in particular for official activities • Objectives • Shaping the requirements for the future management of identity • contributing to the technologies and infrastructures needed • Main innovations • overcome the fragmentation of research into the future of identity • durable integration of the implementation of research efforts • Czech Contractor • Masaryk University Brno (cryptography, privacy, biometrics)

  27. SECOQC “Development of a Global Network for Secure Communication based on Quantum Crytography” 48 months - 42 participants • Rationale • Currently used encryption systems are vulnerable (e.g., increasing power of computing technology, emergence of new code-breaking algorithms, imperfections of PKI’s) ==> quantum cryptography • Objectives • To specify, design and validate the feasibility of an open Quantum Key Distribution infrastructure dedicated to secure communication • Main innovations • Novel and reliable methods for secure long-range communication • Increased trust in applications (e.g., e-vote, e-commerce) • Czech Contractor • Palacky University (Department of Optics), Olomouc

  28. Conclusions • Europe is confronted with major challenges in the field of Security • Immediacy of threat has led so far to excessive focus on short-term R&D • Lack of a culture of security across Europe • Enlargement represents both another challenge and an opportunity to devise European solutions • Policy lags innovation • Problems include yet go beyond national defence

  29. More Information • http://europa.eu.int/index-en.htm • http://europa.eu.int/information_society • http://eeurope-smartcards.org • http://www.cordis.lu/ist/ • http://www.cordis.lu/ist/ka2/smartcards.html Jacques.Bus@cec.eu.int (new Head of ‘Security Research’ Unit)

  30. Děkuji!

More Related