Security and Resilience of ICT Infrastructures and Networks: An EU Perspective
14 Mar 2008 – GMU Arlington
Jacques Bus, Head of Unit, DG Information Society and Media
Content
– Policy activities
– R&D activities
– Future challenges
– International cooperation

Network and information security: The European Policy Context
– Strategy for a Secure Information Society [COM(2006)251]
– Policy initiatives on:
  • fighting against spam, spyware and malware [COM(2006)688]
  • promoting data protection by PET [COM(2007)228]
  • fighting against cyber crime [COM(2007)267]
– Proposed package to reform the Regulatory Framework for e-communications [COM(2007)697, COM(2007)698, COM(2007)699]
– European Network and Information Security Agency (ENISA), established in 2004
– A policy initiative on CIIP is announced for 2008 [COM(2007)640]

Towards a secure Information Society
DIALOGUE – PARTNERSHIP – EMPOWERMENT
– structured and multi-stakeholder
– greater awareness & better understanding of the challenges
– open & inclusive multi-stakeholder debate
– commitment to responsibilities of all actors involved

Empowerment: invitation to private sector to
– Develop definition of responsibilities for software producers and Internet service providers for the provision of adequate and auditable levels of security. Need support for standardised processes meeting commonly agreed security standards and best practice rules.
– Promote diversity, openness, interoperability, usability and competition as key drivers for security; stimulate deployment of security-enhancing products, processes and services to prevent and fight ID theft and other privacy-intrusive attacks.
– Disseminate good security practices for network operators, service providers and SMEs as baseline levels for security and business continuity.

Empowerment: invitation to private sector to (continued)
– Promote training programmes in business, in particular for SMEs, to provide employees with the knowledge and skills for effective implementation of security practices.
– Affordable security certification schemes for products, processes and services that will address EU-specific needs (in particular with respect to privacy).
– Involve the insurance sector in developing appropriate risk management tools and methods to tackle ICT-related risks and foster a culture of risk management in organisations and business (in particular in SMEs).

EMPOWERMENT: NIS in the new EC Telecom package
– Security and integrity
  • Current framework (Art 23 Universal Service Directive): telephone network / fixed location
  • New proposal (Art 13 Framework Directive): level of security appropriate to risks; prevent or minimise impact of security incidents on users and interconnected networks; focus on continuity of supply of services
– Responsibilities of operators
  • stronger obligations to ensure security and integrity (Art 13 Framework Directive)
  • Mandatory breach notification: to NRA (Art 13 FWD) when there is significant impact on operation; to consumers and NRA (Art 4 e-Privacy Directive) when personal data is compromised

Dialogue & Partnership: EC 2008 Policy initiative on CIIP
Objectives
– Enhance the level of Critical Information Infrastructure Protection (CIIP) preparedness and response across the EU
– Ensure that adequate and consistent levels of preventive, detection, emergency and recovery measures are put in operation
Approach
– Build on national and private sector initiatives
– Engage relevant public and private stakeholders
– Adopt an all-hazards approach
– Strengthen the synergies between 1st and 3rd pillar measures

Dialogue & Partnership: Challenges for CIIP
– Organisational: build trusted relationships and engage the stakeholders at the EU level
– Policy orientations: achieve a better understanding and clarity on the guiding policy principles
– Issues:
  • National vs. European information infrastructures (criteria);
  • long-term Internet stability & resilience;
  • preventive, detection/early warning & responsive measures;
  • recovery and continuity strategies;
  • sharing knowledge and good practices;
  • cross-sector proactive information assurance methods;
  • risk management culture and tools;
  • inter-dependencies, in particular across heterogeneous infrastructures;
  • etc.

European Programme for Critical Infrastructure Protection (EPCIP)
EPCIP Policy
– 2004: EU programme on CIP (EPCIP) and CI Warning Information Network (CIWIN)
– 2006: Communication and Directive on EPCIP – sectoral approach
– 2007: Communication on Protecting Europe's Critical Energy and Transport Infrastructure
– 2007: INFSO consultation process for policy initiative in the ICT CIIP sector
– ARECI study on Electronic Infrastructures
CIP Research
– FP7 ICT-SEC (Nov 2007): ICT-Security Research Joint Call on Critical Infrastructure Protection

Research Activities in NIS 2003-2008
– ICT Programme – Trust and Security
  • FP6 2002-2006
  • FP7 2007-2013
– European Security
  • Preparatory Action for Security Research (2004-2006)
  • FP7 2007-2013

FP6: Towards a global dependability & security Framework (2003-2006)
Research Focus:
– security and dependability challenges arising from complexity, ubiquity and autonomy: resilience, self-healing, mobility, dynamic content and volatile environments
– Multi-modal and secure application of Biometrics
– Identification, authentication, privacy, Trusted Computing, digital asset management
– Trust in the net: malware, viruses, cyber crime
Budget ~145 M€

FP6: Secure and resilient ICT infrastructures (~45 M€ EU funding)
Projects: SEINIT, DESEREC, SERENITY, IRRIIS, RESIST, UBISEC&SENSE, HIDENETS, CRUTIAL, MEDSI, SECURIST, CI2RCO, GRID (FP6)
Research priorities
– secure and resilient network architectures and technologies
– secure transmission of data and services across heterogeneous infrastructures
– secure, resilient and always available Critical Information infrastructures
– risk assessment and management of interconnected and interdependent Critical Infrastructures

FP6: Building Trust in the Internet and Protection against Emerging Threats
TRUST: ANTIPHISH, FASTMATCH, MDS, PEPERS, S3MS, ESFORS
BIOMETRICS: 3DFACE, BIOSEC, BIOSECURE, MTIT, Humabio, Digital Passport, SecurePhone, eJustice
EU funding: ~10 M€ and ~25 M€ for the two clusters
Research priorities
– Security and trust in dynamic and reconfigurable service architectures with managed operation across several administrative or business domains;
– real-time detection and recovery capabilities against intrusions, malfunctions and failures;
– Biometric identification for lifelong secure access to data and services without compromising trust and privacy

7th EU Framework Programme for RTD 2007-2013
Total 50,521 M€; FP7 Cooperation Programme: 32,413 M€
The 10 Themes (budget in M€; share of the Cooperation Programme):
– Space: 1430 (4%)
– Socio-economics: 623 (2%)
– Security: 1400 (4%)
– Health: 6100 (19%)
– Transport: 4160 (13%)
– Food, …: 1935 (6%)
– Environment: 1890 (6%)
– Energy: 2350 (7%)
– NMT: 3475 (11%)
– ICT: 9050 (28%)
Strengthening Competitiveness through Co-operation

Security and Trust in FP7 – ICT WP 2007-08: 110 M€
– Identity management, privacy, trust policies: 2 projects, 5.8 m€; 1 project, 9.4 m€
– Network: dynamic, reconfigurable infrastructures: 4 projects, 11 m€
– Critical Infrastructure Protection: 3 projects, 20.5 m€
– Service architectures: 4 projects, 18 m€
– Enabling technologies for trustworthy infrastructures: 20 m€
– Biometrics, trusted computing, cryptography, secure SW: 6 projects, 22 m€
– Coordination Actions (research roadmaps, metrics and benchmarks, international cooperation, coordination activities): 4 projects, 3.3 m€

Security in network infrastructures: 4 projects, 11 m€ EC funding
Main R&D project priorities
– An integrated security framework and tools for the security and resilience of heterogeneous networks (INTERSECTION)
– A networking protocol stack for security and resilience across ad-hoc PANs & WSNs (Awissenet)
– A message-oriented middleware platform for increasing the resilience of information systems (GEMOM)
– Data gathering and analysis for understanding and preventing cyber threats (WOMBAT)

Security in service infrastructures: 4 projects, 18 m€ EC funding
Main R&D project priorities (Personalised Services)
– Assuring the security level and regulatory compliance of SOAs handling business processes (IP MASTER)
– Platform for formal specification and automated validation of trust and security of SOAs (AVANTSSAR)
– Data-centric information protection framework based on data-sharing agreements (Consequence)
– Crypto techniques for computing optimised multi-party supply chains without revealing individual confidential private data to the other parties (SECURE-SCM)

Security enabling technologies: 6 projects, 22 m€ EC funding
Main R&D project priorities
– Trusted Computing: IP TECOM – trusted embedded systems: HW platforms with integrated trust components
– Cryptography: NoE eCrypt II
– Multi-modal Biometrics: multi-biometric authentication (based on face and voice) for mobile devices (MOBIO); activity-related and soft biometrics technologies for supporting continuous authentication and monitoring of users in ambient environments (ACTIBIO)
– Secure SW implementation: providing SW developers with the means to prevent occurrences of known vulnerabilities when building software (SHIELDS); a toolbox for cryptographic software engineering (CACE)

European security research programme (timeline 2004-2013)
– GoP report "Research for a secure Europe" (March 2004)
– "European Security Research: The Next Steps" (Sept 2004)
– National programmes (2003-2004)
– PASR – Preparatory Action for Security Research (2004-2006): 45 M€
– ESRAB (2005-2006); report "Meeting the challenge: the European Security Research Agenda" (Oct 2006)
– FP7 Security Theme (2007-2013): 1400 M€
– ESRIF (2007-2009); "Fostering Public-Private Dialogue in Security Research and Innovation" (Sept 2007)

PASR – Preparatory Action for Security Research 2004-2006 (outside FP6)
– An overall budget of €45M
– 3 calls: 15 M€ budget each and ~15x over-subscribed
– Participants from EU25 + EEA (2005 & 2006)
Results, proposals received (funded):
                         2004       2005       2006
  Projects               123 (7)    120 (8)    121 (8)
  Supporting activities   50 (5)     36 (5)     44 (7)
  Total                  173 (12)   156 (13)   165 (15)

Security Research themes in FP7 2007-2013
4 Security missions / activities
1. Security of citizens
2. Security of infrastructure and utilities
3. Intelligent surveillance and border security
4. Restoring security and safety in case of crisis
3 Cross-cutting activities
5. Security systems integration, interconnectivity and interoperability
6. Security and Society
7. Security Research coordination and structuring

Challenges for RTD for a Trustworthy Information Society
Technology
– Cyber-threats, cyber-crime
– The future of the Internet
– Critical (Information) Infrastructures
– Complex ICT Systems and Services
Users
– Trust
– Privacy and Human Values
– Empowerment

Complexity and interdependencies
– The future Internet as a large collection of heterogeneous networks; Internet of things
– "The Internet is broken"
– Critical infrastructures being interdependent and controlled through vulnerable networks
– Service architectures and infrastructures need security and trust designed in

Data Collection and its dangers
– for business, to provide personalised innovative applications and services for citizens, to better communicate and interact, and to improve the quality of their life
– for governments, to service citizens and business (e-government, e-education or e-health)
– for governments again, to provide public security (protection against crime or terrorism, border control, protection of critical infrastructures, etc.)
What about: security, proportionality, user-centricity?

International Cooperation: Ongoing activities
– S&T Agreement between NSF and EU FP-RTD; within this framework we organised jointly:
  • Seminar Dublin (Nov 2006)
  • Seminar Illinois (Apr 2007)
  • Coordination Action INCO-Trust
– Ongoing discussions between US-DHS and the EU Security and ICT programmes
– Cooperation between the EU initiative on the Future Internet and GENI/FIND (US), AKARI (JP)
– The Trans-Atlantic Business Dialogue exists, as well as the EU-US dialogues on Security and on the Information Society, as frameworks for decisions on joint actions.

International Cooperation: Why, What
WHY
– Activities are intrinsically cross-border
– Attackers leverage the power of laundering traffic internationally
– The Internet facilitates an international "underground economy"
– Nation-state cyberwarfare?
WHAT
– International coordination
– Sharing information via distributed sensors
– Cooperation in research for a common goal

International Cooperation: Mutual Interest; Proposal
US side
– NSTAC international R&D exchange
– Federal Interagency Committee Cyber R&D Plan
– GMU International Cyber Centre
EU side
– EU policy actions: Secure Information Society, EPCIP (see above)
– EU research programmes (see above)
– ENISA, and the new Telecom package proposal
Proposal: An International Forum on Network and Information Security, where policy makers from US and EU administrations would meet yearly with high-level research managers to discuss issues of common interest??
– Within the international context (OECD, ITU, WSIS, ...)
– With a first meeting in Dec 2008 in the EU?