Dr. Detlef Eckert DG Information Society and Media European Commission Information Security 23 September 2008 SecureComm 2008, Istanbul


Dr. Detlef Eckert

DG Information Society and Media

European Commission

Information Security

23 September 2008

SecureComm 2008, Istanbul

Despite security problems the Internet has been growing dramatically

Of course, we security guys have done our best

A step back

For a long time information security was mainly about “keeping a secret”
– Today we speak of “confidentiality”

It was all about making and breaking code
– Today we speak of “cryptography”

Information also needed to be accessible
– Today we speak of “availability of service”

Assurance that information was authentic (unchanged)
– Today we speak of “integrity”

Who was behind that information
– In other words the identity of someone or something is the information we want to authenticate
– Today we speak of “identity” or “identity management”

How did we solve it?

Paperless world
– Use your imagination or better not

Paper world
– Cryptography, signature, making copies, lockers

Telegraph and Telephone world
– Physical access control, network integrity, telephone number, <voice recognition>, <cryptography>

Radio communication world
– Cryptography, telephone number, <voice recognition>, network integrity

What about the digital world?

Security in the digital world is trickier

Computer communication virtualises the real world
– Crashing a computer can mean losing the information equivalent to a library, but you may have a copy

Computers and the Internet are more complex than traditional communication means

Internet is not a centrally managed network
– Not designed with security in mind
– Much responsibility is pushed to the edge
– And at the edge there are millions of users, most of whom do not understand much about computers
– Nevertheless people want freedom (and they love to click on the “dancing pigs” link)
=> Security is becoming complex
=> This is why you guys have a job

What were our early headaches?

The encryption debate
– National security concerns
– Export control

Viruses and worms
– A blow to Microsoft

Hacking
– Prominent targets

Keeping pace with patches
– Patches were of poor quality

SPAM
– Costly and dangerous

How did we tackle them?

People deployed security technologies (FW, AV, ID, …)

SSL added a security layer to the Web
– Arguably the widest deployed cryptographic solution

Vendors wrote better code

Export controls abandoned

Changed user behaviour (somewhat)
– Partly enforced through secure configuration

Digital signatures (laws)
– Have not really taken off yet

Information security costs a lot of money (spent so that nothing happens)

“… you cannot protect everything, so I will make my money”

Extrapolation of threats not really useful


The picture is more complex

Press headlines:
Cloud computing lets Feds read your email
Phorm to use BT customers to test precision advertising system on net
Anger from civil-society associations mounts against Edvige, the police file of personal data
Web giants spark privacy concerns
Big Brother tightens his grip on the web
YouTube case opens can of worms on online privacy
Major web flaw, and a fix on the way
Revealed: 8 million victims in the world's biggest cyber heist
Phishing attacks soar in the UK
Cyberwar and real war collide in Georgia
Internet security: Code red
The Evolution of Cyber Espionage
Lessons from SocGen: Internal threats need to become a security priority
Six more data discs 'are missing'
Big Brother Spying on Americans' Internet Data?
UK's Revenue and Customs loses 25 million customer records
Identity theft, pornography, corporate blackmail: in the web's underworld, business is booming
Defenseless on the Net
Internet wiretapping: Bugging the cloud

Privacy

Trust

Security

Number one threat is stolen or lost computer equipment (notably laptops)

Slowly people begin to realise that protecting data will be the battleground

We can see some patterns

From the ‘walled fortress’
– Closed doors, physical isolation
– Security as protection, perimeters
– Defending data and systems
– Avoid data use

To the ‘open metropolis’
– Open, complex, interconnected
– Trust and accountability
– Sharing data: creativity and innovation
– Regulated data use (privacy, identity)

We do not really know what is ahead of us

“Maybe, but all I want is to stay ahead of you”

Three major prerequisites for trust:
Looking for scalable and usable solutions

Data protection and control
– Remember? The old problem of secrecy
– Today data flow in all directions
– Privacy enforcement

Identity layer for the Internet
– How to scale authentication methods, e.g. PKI?

Security fabricated in systems, service architectures, and networks
– Less a matter of security products, more part of the architecture
– Attention to the weakest link (today less the OS but the application), end to end security
– Reduce the role of the user, but sound security policies to be implemented by professionals

Where are we?

The market will decide about technologies and business models
– Security is not absolute and costs money
– No central decision making, distributed solutions

Pre-competitive industry co-operation
– Ex: Liberty Alliance, AntiPhishingWG, …

Regulation and Policy
– Privacy law
– Fighting cyber crime
– Network security provisions

We also need research

Research Focus: security and dependability challenges arising from complexity, ubiquity and autonomy
– Resilience, self-healing, mobility, dynamic content and volatile environments
– Multi-modal and secure application of Biometrics
– Identification, authentication, privacy, Trusted Computing, digital asset management
– Trust in the net: malware, viruses, cyber crime

Budget ~ 145 M€

FP6: Towards a global dependability & security Framework (2003-2006)

Funding overview, as shown on the slide:
Coordination Actions (research roadmaps, metrics and benchmarks, international cooperation, coordination activities) – 4 Projects: 3.3 m€
Network infrastructures – 4 Projects, 11 m€
Dynamic, reconfigurable service architectures – 4 Projects, 18 m€
Identity management, privacy, trust policies – 4 Projects, 22.5 m€
Enabling technologies for trustworthy infrastructures (biometrics, trusted computing, cryptography, secure SW) – 6 Projects: 22 m€
3 Projects, 9.8 m€
1 Project, 9.4 m€
Critical Infrastructure Protection – 9 Projects: 20 m€
110 M€

ICT Work Programme 2007-08: 33 new FP7 projects in Security & Trust

Main R&D project priorities
– An integrated security framework and tools for the security and resilience of heterogeneous networks (INTERSECTION)
– A networking protocol stack for security and resilience across ad-hoc PANs & WSNs (Awissenet)
– A message-oriented MW platform for increasing resilience of information systems (GEMOM)
– Data gathering and analysis for understanding and preventing cyber threats (WOMBAT)

Security in network infrastructures: 4 projects, 11 m€ EC funding

Main R&D project priorities
– Assuring the security level and regulatory compliance of SOAs handling business processes (IP MASTER)
– Platform for formal specification and automated validation of trust and security of SOAs (AVANTSSAR)
– Data-centric information protection framework based on data-sharing agreements (Consequence)
– Crypto techniques in the computing of optimised multi-party supply chains without revealing individual confidential private data to the other parties (SECURE-SCM)

Security in service infrastructures: 4 projects, 18 m€ EC funding

Personalised Services

Main R&D project priorities

Trusted Computing: IP TECOM
– trusted embedded systems: HW platforms with integrated trust components

Cryptography: NoE eCrypt II

Multi-modal Biometrics
– multi-biometric authentication (based on face and voice) for mobile devices (MOBIO)
– activity related and soft biometrics technologies for supporting continuous authentication and monitoring of users in ambient environments (ACTIBIO)

Secure SW implementation
– providing SW developers with the means to prevent occurrences of known vulnerabilities when building software (SHIELDS)
– A toolbox for cryptographic software engineering (CACE)

Security enabling Technologies: 6 projects, 22 m€ EC funding

Timetable for Work Programme 09-10

25-27 Nov Presentation in ICT Conference in Lyon (FR)

~ Apr 09 Closure Call 4

~ Oct 09 Closure Call 5 (Trustworthy ICT)

~ Feb 10 Closure Call 6

Becoming an expert?

https://cordis.europa.eu/emmfp7/

http://cordis.europa.eu/fp7/ict/security/home_en.html

Trustworthy Information Society?

End-Users & the Society

Policy & Regulation

Technology & Innovation

Security, Privacy, Trust in the Information Society

• Global ICT - national “frontiers”
• “Economics of security”
• Policies for privacy-respecting T&I?

• Complexity, ease of use
• Role of end-users
• Society-protecting business models

• Protection of human values
• Transparency, accountability
• Auditing and Law enforcement

Thank you!