Disruptive Technologies and Cyber Security: A CRC Perspective

1. Disruptive Technologies and Cyber Security:A CRC Perspective Jean Luc B�rub� Vice-President, Network Technologies PST 2010, August 2010 [Speakers Notes] [Speakers Notes]

2. Overview An introduction to CRC Disruptive technologies as related to communications and security� �that have been, �that are, �and that could be. Related CRC research and development [Speakers Notes] When talking about disruptive techs that �are� � add the word �arguably� [Speakers Notes] When talking about disruptive techs that �are� � add the word �arguably�

3. Communications Research Centre Canada, Industry Canada [Speaker Notes] Usual intro words[Speaker Notes] Usual intro words

4. CRC Research Cognitive Radio Software defined radio Spectrum monitoring Cyber security Advanced technologies for mobile and broadband communications DTV transition, Mobile TV, 3D TV White space use Green ICT �and many more [speakers notes] more usual words[speakers notes] more usual words

5. [speakers notes] -- Technology evolves very quickly. We don�t know how quick it has been evolving but it is �very very� quick !!! -- Security tries to catch up with this evolution. Sometime security is ahead, e.g.: we have beautiful theories (intractable problems, Church-Turing principle, quantum computing, etc�) to build a perfectly secured world. But in most practical situations security is well behind: we use a technology first, then think about how to make it secure. -- Bad news: it will most likely continue to be that way. Good news: people keep working on security; new and practical solutions are being proposed.[speakers notes] -- Technology evolves very quickly. We don�t know how quick it has been evolving but it is �very very� quick !!! -- Security tries to catch up with this evolution. Sometime security is ahead, e.g.: we have beautiful theories (intractable problems, Church-Turing principle, quantum computing, etc�) to build a perfectly secured world. But in most practical situations security is well behind: we use a technology first, then think about how to make it secure. -- Bad news: it will most likely continue to be that way. Good news: people keep working on security; new and practical solutions are being proposed.

6. Disruptive technologies that have been� New communications technologies introduced unexpected security considerations at the same time as new capabilities Security was originally proprietary and centralized Disruptive technologies included Telephone (land lines) Personal Computers Internet World Wide Web Mobile telephony [speakers notes] -Take some time to talk here about definition(s) of disruptive technologies: - Clayton Christensen in 1995 article Disruptive Technologies: Catching the Wave first coined the term: Process by which a product or service takes root at the bottom of a market and then relentlessly moves �up market�. Displaces established competitors and allows a new population of consumers access to a product or service. -Point out these old technologies while mentioning what impact they had on security (privacy mostly)[speakers notes] -Take some time to talk here about definition(s) of disruptive technologies: - Clayton Christensen in 1995 article Disruptive Technologies: Catching the Wave first coined the term: Process by which a product or service takes root at the bottom of a market and then relentlessly moves �up market�. Displaces established competitors and allows a new population of consumers access to a product or service. -Point out these old technologies while mentioning what impact they had on security (privacy mostly)

7. Disruptive technologies that are� We are currently living in an era characterized by technology that facilitates collaboration and openness The new capabilities and methodologies bring security challenges Disruptive technologies include: Open source movement Crowd-sourcing Peer-to-Peer networking Distributed computing Social networking Mobile computing Just-in-Time processing Virtualization Open source: Operating systems Office Suites Firewall, IDS, anti-virus software Wikipedia [David � I see this as part of the open source movement] [Fr�d�ric � I think is it important to make the difference between (open, free and collaboration) since the term open source does not necessarily relate to free and collaborative work, although open source software is very often developed in a public (free), collaborative manner] [David � I agree. Perhaps a few words to this effect when explaining would be good]. Can we add more tech here? [Fr�d�ric] - Should botnets (it is a technology believe me) be part of this list? - I believe virtualization should be here and not in the �could be�, but I wont argue about it if you want to live it there. [David] � I agree with Fred: Vitulization here, Cloud computing �could be� Security implications: Peer-to-peer networking: basis for popular file sharing applications like BitTorrent where instead of a single server, one downloads information from multiple distributed sources so the load on the network is spread across multiple servers. Information integrity and access control are primary security concerns, similar to the cloud computing case. [Fr�d�ric] Moreover, peer-to-peer technology is now used for the command and control of botnets. Virtuous circleOpen source: Operating systems Office Suites Firewall, IDS, anti-virus software Wikipedia [David � I see this as part of the open source movement] [Fr�d�ric � I think is it important to make the difference between (open, free and collaboration) since the term open source does not necessarily relate to free and collaborative work, although open source software is very often developed in a public (free), collaborative manner] [David � I agree. Perhaps a few words to this effect when explaining would be good]. Can we add more tech here? [Fr�d�ric] - Should botnets (it is a technology believe me) be part of this list? - I believe virtualization should be here and not in the �could be�, but I wont argue about it if you want to live it there. [David] � I agree with Fred: Vitulization here, Cloud computing �could be� Security implications: Peer-to-peer networking: basis for popular file sharing applications like BitTorrent where instead of a single server, one downloads information from multiple distributed sources so the load on the network is spread across multiple servers. Information integrity and access control are primary security concerns, similar to the cloud computing case. [Fr�d�ric] Moreover, peer-to-peer technology is now used for the command and control of botnets. Virtuous circle

8. Observations Communication, collaboration and convergence are key to many disruptive technologies On one hand, thin clients appear to be making a comeback On the other, increasingly powerful convergent devices (often in the form of semi-disposable consumer devices - iPhone anyone?) are growing in popularity For both, the real value lies in communication For both, huge problems in security and privacy [Speaking Notes] Thin clients make for a loss of control for users ( � a need for trust!) Secure information does not mean private information Geolocation, good and bad[Speaking Notes] Thin clients make for a loss of control for users ( � a need for trust!) Secure information does not mean private information Geolocation, good and bad

9. Disruptive technologies that could be� We expect continuing convergence, increasing capability, and a reduced footprint Extant security threats remain, while new threats emerge more quickly than humans can respond Disruptive technologies may include MANETs Autonomic computing Cloud computing Semantic Web Mobile Code Secured Identity Trust Management Green ICT b[David] Should MANETs go here? There are already a bunch around now. Or are we talking about their potential? [Steve] MANETs exist in potentia largely, their potential is perhaps disruptive, their current state is far too immature to be called disruptive as yet. [Fr�d�ric] I think David has a good point here and a good question about MANETs.[Fr�d�ric] As I mentioned, I think virtualization should go on �disruptive technologies that are�. There are already a lot of organizations using it today and the virtualization products are now mature. [Steve] Moved it [Fr�d�ric] I think we should add Web Browser Operating System (e.g., Google Chrome) because I think it could change a lot the security paradigm we are currently working in. Reference: http://www.youtube.com/watch?v=0QRO3gKj3qw. [David] I�d argue that was a step on the road to cloud computing. Added to speaking notes [Speaking Notes] -It�s valid to assume that the trends of convergence will continue, although we can argue about whether thin or convergent devices, or centralized vs distributed control, will ultimately win. The fact remains that existing security concerns will not go away, others will appear from what already exists and has not been exploited yet (scary), and yet others will appear because of new technologies with their own, often unexpected, consequences. In the meantime, we can see trends that allow us to postulate on some potetnial disruptive technologies, for instance: MANETs - exist, but immature, and have great disruptive potential, as yet unrealized, Cloud computing � no storage or processing power in your terminal � it�s all out in the cloud. A kind of web browser operating system. Secured Identity � global issuesb[David] Should MANETs go here? There are already a bunch around now. Or are we talking about their potential? [Steve] MANETs exist in potentia largely, their potential is perhaps disruptive, their current state is far too immature to be called disruptive as yet. [Fr�d�ric] I think David has a good point here and a good question about MANETs.[Fr�d�ric] As I mentioned, I think virtualization should go on �disruptive technologies that are�. There are already a lot of organizations using it today and the virtualization products are now mature. [Steve] Moved it [Fr�d�ric] I think we should add Web Browser Operating System (e.g., Google Chrome) because I think it could change a lot the security paradigm we are currently working in. Reference: http://www.youtube.com/watch?v=0QRO3gKj3qw. [David] I�d argue that was a step on the road to cloud computing. Added to speaking notes [Speaking Notes] -It�s valid to assume that the trends of convergence will continue, although we can argue about whether thin or convergent devices, or centralized vs distributed control, will ultimately win. The fact remains that existing security concerns will not go away, others will appear from what already exists and has not been exploited yet (scary), and yet others will appear because of new technologies with their own, often unexpected, consequences. In the meantime, we can see trends that allow us to postulate on some potetnial disruptive technologies, for instance: MANETs - exist, but immature, and have great disruptive potential, as yet unrealized, Cloud computing � no storage or processing power in your terminal � it�s all out in the cloud. A kind of web browser operating system. Secured Identity � global issues

10. Security Research at CRC Objective is to advance science and technology to better secure information and communications Traditional approach Technology development, analysis and prototyping Interdisciplinary approach Applying natural sciences, human sciences, and network science to the security domain Pursuing understanding of both technological and human aspects of security Application areas Public Safety National Defence Industry Standards Inter- and Intra-Governmental Communications [David] I think we need to make sure we don�t make it sound as if we are only using an interdisciplinary approach. I know I�m not (really). Added another bullet to try and make distinction. [Speakers Notes] [David] I think we need to make sure we don�t make it sound as if we are only using an interdisciplinary approach. I know I�m not (really). Added another bullet to try and make distinction. [Speakers Notes]

11. Experimental Security R&D Malware Analysis Can we study malware in a contained environment? Can we use malware behavioral properties to develop a taxonomy? How is malware evolving through time? How are different malware families interacting one with another? Intrusion Detection Can we test Intrusion Detection in a contained environment? Can we derive Intrusion Detection Systems desirable properties from these test results? How are existing Intrusion Detection Systems reacting in the presence of new threats? How are these new threats affecting the development of Intrusion Detection Systems? [David] Would the title �Internet Security R&D� be a better title? [Fr�d�ric - Speakers Notes] All the questions asked in these slides are related to a biological approach to cyber security. If we see the Internet as nature. We need to see software or computer programs as animals. Welcome to The Matrix;) Consequently, we study security threats (e.g., malware) and security systems (e.g., Intrusion Detection System) similarly to animals. Thus, we develop approaches (research solutions) to study these security threats and systems within an isolated environment and in the wild (i.e., Internet), we study how they adjust to the evolution of their environment (i.e., Internet), how they impact their environment and how they evolved through time. More than math, beyond math and engineering= social �science� = real science (predictable) or best guess? Imprecision leads to guess, build model[David] Would the title �Internet Security R&D� be a better title? [Fr�d�ric - Speakers Notes] All the questions asked in these slides are related to a biological approach to cyber security. If we see the Internet as nature. We need to see software or computer programs as animals. Welcome to The Matrix;) Consequently, we study security threats (e.g., malware) and security systems (e.g., Intrusion Detection System) similarly to animals. Thus, we develop approaches (research solutions) to study these security threats and systems within an isolated environment and in the wild (i.e., Internet), we study how they adjust to the evolution of their environment (i.e., Internet), how they impact their environment and how they evolved through time. More than math, beyond math and engineering= social �science� = real science (predictable) or best guess? Imprecision leads to guess, build model

12. Using Social Norms to Unlock Complex Problems Societal Norms have evolved over millennia to accommodate different approaches to similar situations Complex communication technologies, autonomous and human-oriented, can learn much from how people live, work, and play together where they cannot control others Includes Rituals, Norms, and Reasoning Technologies at CRC include: Computational Trust Device Comfort Trust-Reasoning Network Security [Speaking Notes] Computational Trust A disruptive technology in its own right! Trust underlies much of the security concerns of today Our efforts are focused on understanding, formalization, and use in context Device Comfort Uses convergent device capabilities as input to social reasoning How does the device feel about task, location, user� Includes �Comfort Zones� - location-based trust management controlled from device Trust-Reasoning Network Security Instrument network at and between nodes with trust-reasoning, social, autonomous entities Use trust as opposed to control to monitor, protect network Applications in security and Critical Infrastructure Protection[Speaking Notes] Computational Trust A disruptive technology in its own right! Trust underlies much of the security concerns of today Our efforts are focused on understanding, formalization, and use in context Device Comfort Uses convergent device capabilities as input to social reasoning How does the device feel about task, location, user� Includes �Comfort Zones� - location-based trust management controlled from device Trust-Reasoning Network Security Instrument network at and between nodes with trust-reasoning, social, autonomous entities Use trust as opposed to control to monitor, protect network Applications in security and Critical Infrastructure Protection

13. [David] Is this title better? [David] BTW � these networks have been around for a while (they used to be called packet radios) so they�re not exactly new. They are evolving and becoming more widely used - Therein lies the security risk! [Dang--] would say: -With the evolution of technologies, the communication networks also have more users, become more ad hoc and mobile. That means the communications should rely less on the heavy infrastructure of the centralized servers, etc. -This implies new security concerns. For examples: how to authenticate and trust a new user when we do not know the profile of every user in advance? Or how to ensure a secured collaboration between them? Steve: This needs notes for better understanding and applicability/link to middle section. Dang, can you accomplish? [David] I see a lot of good problems, but I don�t see disruptive answers. What are you using to solve these problems Dang and why are they disruptive? [Dang--] I move this slide to here [to middle, since moved back, let�s discuss - steve] in order to link with the previous slide [which is �could be� - steve], and thus with the middle section. This slide, IMHO, should be regarded as an example of what we are doing at CRC about security for the next generation of networking technologies (if we agree that MANET is an example of disruptive ?network? technology). Otherwise, the presentation would (seem to me) restrict the scope of CRC?s perspectives on cyber security only to malwares and IDS. Both of these are excellent examples of cyber security. I only think that they could be considered as system security as opposed to network security. Steve: Dang, I moved this back here because it�s �what we do� and here is in context with that. However, can you use the next day to address David�s Q�s?[David] Is this title better? [David] BTW � these networks have been around for a while (they used to be called packet radios) so they�re not exactly new. They are evolving and becoming more widely used - Therein lies the security risk! [Dang--] would say: -With the evolution of technologies, the communication networks also have more users, become more ad hoc and mobile. That means the communications should rely less on the heavy infrastructure of the centralized servers, etc. -This implies new security concerns. For examples: how to authenticate and trust a new user when we do not know the profile of every user in advance? Or how to ensure a secured collaboration between them? Steve: This needs notes for better understanding and applicability/link to middle section. Dang, can you accomplish? [David] I see a lot of good problems, but I don�t see disruptive answers. What are you using to solve these problems Dang and why are they disruptive? [Dang--] I move this slide to here [to middle, since moved back, let�s discuss - steve] in order to link with the previous slide [which is �could be� - steve], and thus with the middle section. This slide, IMHO, should be regarded as an example of what we are doing at CRC about security for the next generation of networking technologies (if we agree that MANET is an example of disruptive ?network? technology). Otherwise, the presentation would (seem to me) restrict the scope of CRC?s perspectives on cyber security only to malwares and IDS. Both of these are excellent examples of cyber security. I only think that they could be considered as system security as opposed to network security. Steve: Dang, I moved this back here because it�s �what we do� and here is in context with that. However, can you use the next day to address David�s Q�s?

14. [Dang--] would say: -At CRC, Mobile Network Security revolves around two main themes: -How to make use of existing technologies, in particular cryptography and networking technologies, to provide security in the new context of large, mobile and ad hoc communication networks. We are working on new authentication methods and encryption key management that can be applied into these networks. -For a disruptive technology like Collaboration, it is a tool and also a topic for research in security. We use collaboration with appropriate encryption methods to evaluate and propagate trust metrics in a network. Collaboration also need to be secured in a distributed environment where we do not have a strict control over the identity of the participants. [Dang--] would say: -At CRC, Mobile Network Security revolves around two main themes: -How to make use of existing technologies, in particular cryptography and networking technologies, to provide security in the new context of large, mobile and ad hoc communication networks. We are working on new authentication methods and encryption key management that can be applied into these networks. -For a disruptive technology like Collaboration, it is a tool and also a topic for research in security. We use collaboration with appropriate encryption methods to evaluate and propagate trust metrics in a network. Collaboration also need to be secured in a distributed environment where we do not have a strict control over the identity of the participants.

15. Autonomic and Cloud Computing Autonomics is about devices managing themselves For network devices, this includes configuration, healing, optimisation and protection (i.e. security). By providing devices with the ability to reason and react to their environment in real time they will be faster at detecting and countering security threats than operator in the loop, BUT you have to trust the machine� Cloud Computing is about a new utility Companies provide computing storage and processing power (for a price) that can be accessed from anywhere, anytime. There is then no need for clients to worry about security, ASSUMING you trust the company� [Speakers Notes] Autonomics:We are looking at using an automation system called policy-based network management to control monitoring and security features in mobile networks, specifically low bandwidth military tactical networks for the army. By looking at all stages of data communications from the physical radio to the application itself an autonomic node can adjust it�s operation in real time to deal with jamming, changes in mission and other technical and tactical needs � all without input from a tech-savvy user. Cloud Computing: (This is more of a personal interest of mine as it has to do with privacy.) From a CRC and Industry Canada point of view it�s important to look at the standards and legislation required to protect both commercial and public interests. From a public point of view, the privacy implications are very important, but there is existing legislation PIPEDA. (Wikipedia: The�Personal Information Protection and Electronic Documents Act�is a�Canadian�law relating to�data privacy. It governs how private-sector organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of�electronic documents �.) The issue of companies that monitor and store information about the communications and data shared between the user and host companies is a serious problem. Similar to the problems faced by of mobile code (need to protect the customer and vendor).[Speakers Notes] Autonomics:We are looking at using an automation system called policy-based network management to control monitoring and security features in mobile networks, specifically low bandwidth military tactical networks for the army. By looking at all stages of data communications from the physical radio to the application itself an autonomic node can adjust it�s operation in real time to deal with jamming, changes in mission and other technical and tactical needs � all without input from a tech-savvy user. Cloud Computing: (This is more of a personal interest of mine as it has to do with privacy.) From a CRC and Industry Canada point of view it�s important to look at the standards and legislation required to protect both commercial and public interests. From a public point of view, the privacy implications are very important, but there is existing legislation PIPEDA. (Wikipedia: The�Personal Information Protection and Electronic Documents Act�is a�Canadian�law relating to�data privacy. It governs how private-sector organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of�electronic documents �.) The issue of companies that monitor and store information about the communications and data shared between the user and host companies is a serious problem. Similar to the problems faced by of mobile code (need to protect the customer and vendor).

16. Summary Disruptive communications technologies create security issues and concerns CRC pursues solutions that revolve around improved collaboration and convergence Security considerations continue to lag communication technologies Technology advances exponentially (Moore�s Law) while our understanding of security (and privacy) concerns advance in a more linear fashion CRC is pursuing promising new research, including applying natural sciences, social sciences, and network science to the security domain [Speakers Notes] -Go back to telephone example and talk about disruptions new technologies can have � especially for security -Emphasize that security seems to always be the dog trailing after, but we need that dog! -Finish with a pitch for CRC, offer for people to come visit the lab to see what we�re going, etc. etc.[Speakers Notes] -Go back to telephone example and talk about disruptions new technologies can have � especially for security -Emphasize that security seems to always be the dog trailing after, but we need that dog! -Finish with a pitch for CRC, offer for people to come visit the lab to see what we�re going, etc. etc.