Jacques Bus, Head of Unit

1
Security and Resilience of ICT Infrastructures
and NetworksAn EU Perspective 14 Mar, 2008
GMU Arlington

• Jacques Bus, Head of Unit
• DG Information Society and Media

2
Content

• Policy activities
• RD activities
• Future challenges
• International cooperation

3
Network and information securityThe European
Policy Context

• Strategy for a Secure Information Society
  COM(2006)251
• Policy initiatives on
• fighting against spam, spyware and malware
  COM(2006)688
• promoting data protection by PET COM(2007)228
• fighting against cyber crime COM(2007)267
• Proposed package to reform the Regulatory
  Framework for e-communications COM(2007)697,
  COM(2007)698, COM(2007) 699
• European Network and Information Security Agency,
  (ENISA) established in 2004
• A policy initiative on CIIP is announced for 2008
  COM(2007) 640

4
Towards a secure Information Society
5
Empowermentinvitation to private sector to

• Develop definition of responsibilities for
  software producers and Internet service providers
  for the provision of adequate and auditable
  levels of security. Need support for standardised
  processes meeting commonly agreed security
  standards and best practice rules.
• Promote diversity, openness, interoperability,
  usability and competition as key drivers for
  security stimulate deployment of
  security-enhancing products, processes and
  services to prevent and fight ID theft and other
  privacy-intrusive attacks.
• Disseminate good security practices for network
  operators, service providers and SMEs as baseline
  levels for security and business continuity.

6
Empowermentinvitation to private sector to

• Promote training programmes in business, i. p.
  for SMEs, to provide employees with the knowledge
  and skills for effective implementation of
  security practices.
• Affordable security certification schemes for
  products, processes and services that will
  address EU-specific needs (in particular with
  respect to privacy).
• Involve insurance sector in developing
  appropriate risk management tools and methods to
  tackle ICT-related risks and foster a culture of
  risk management in organisations and business (in
  particular in SMEs).

7
EMPOWERMENT NIS in the new EC Telecom package

• Security and integrity
• Current framework (Art 23 Univ. Service
  Directive)
• telephone network / fixed location
• New proposal (Art 13 Framework Directive)
• level of security appropriate to risks
• prevent or minimise impact of security incidents
  on users and interconnected networks
• focus on continuity of supply of services
• Responsibilities of operators
• stronger obligations to ensure security and
  integrity (Art 13 Framework Directive)
• Mandatory breach notification
• to NRA (art 13 FWD) significant impact on
  operation
• to consumers and NRA (art 4 e-privacy D)
  personal data compromised

8
Dialogue PartnershipEC 2008 Policy initiative
on CIIP

• Objectives
• Enhance the level of Critical Information
  Infrastructure Protection (CIIP) preparedness and
  response across the EU
• Ensure that adequate and consistent levels of
  preventive, detection, emergency and recovery
  measures are put in operation
• Approach
• Build on national and private sector initiatives
• Engage relevant public and private stakeholders
• Adopt All-hazards
• Strengthen the synergies between 1st and 3rd
  pillar measures

9
Dialogue Partnership Challenges for CIIP

• Organisational build trusted relationships and
  engage the stakeholders at the EU level
• Policy orientations achieve a better
  understanding and clarity on the guiding policy
  principles
• Issues
• National vs. European information Infrastructures
  (criteria)
• long-term Internet stability resilience
• preventive, detection/early warning responsive
  measures
• recovery and continuity strategies
• sharing knowledge and good practices
• cross-sectors proactive information assurance
  methods
• risk management culture and tools
• inter-dependencies, in particular across
  heterogeneous infrastructures etc.

10
European Programme forCritical Infrastructure
Protection (EPCIP)
EPCIP Policy 2004 EU program on CIP (EPCIP)
and CI Warning Info Network (CIWIN) 2006
Communication and Directive on EPCIP sectoral
approach 2007 Communication on Protecting
Europe's Critical Energy and Transport
Infrastructure 2007 INFSO consultation process
for policy initiative in ICT CIIP sector ARECI
study on Electronic Infrastructures
CIP Research FP7 ICT-SEC (Nov 2007) ICT-Security
Research Joint Call on Critical Infrastructure
Protection
11
Content

• Policy activities
• RD activities
• Future challenges
• International cooperation

12
Research Activities in NIS 2003-2008

• ICT Programme Trust and Security
• FP6 2002-2006
• FP7 2007-2013
• European Security
• Preparatory Action for Security Research
  (2004-2006)
• FP7 2007-2013

13
FP6 Towards a global dependability security
Framework (2003-2006)

• Research Focus
• security and dependability challenges arising
  from complexity, ubiquity and autonomy
• resilience, self-healing, mobility, dynamic
  content and volatile environments
• Multi-modal and secure application of Biometrics
• Identification, authentication, privacy, Trusted
  Computing, digital asset management
• Trust in the net malware, viruses, cyber crime

Budget 145 M
14
FP6 Secure and resilient ICT infrastructures
SEINIT, DESEREC, SERENITY, IRRIIS, RESIST,
UBISECSENSE, HIDENETS, CRUTIAL, MEDSI,
SECURIST, CI2RCO, GRID
45M EU funding (FP6)

• Research priorities
• secure and resilient network architectures and
  technologies
• secure transmission of data and services across
  heterogeneous infrastructures
• secure resilient and always available Critical
  Information infrastructures
• risk assessment and management of interconnected
  and interdependent Critical Infrastructures

15
FP6 - Building Trust in the Internet
andProtection against Emerging Threats
BIOMETRICS 3DFACE, BIOSEC, BIOSECURE MTIT,
Humabio, Digital Passport, SecurePhone eJustice
TRUST ANTIPHISH, FASTMATCH, MDS, PEPERS, S3MS,
ESFORS
10M EU funding
25M EU funding

• Research priorities
• Security and trust in dynamic and reconfigurable
  service architectures with managed operation
  across several administrative or business
  domains
• real time detection and recovery capabilities
  against intrusions, malfunctions and failures
• Biometric identification for lifelong secure
  access to data and services without compromising
  trust and privacy

16
7th EU Framework Programme for RTD 2007-2013
Total 50,521 M
Strengthening Competitiveness through Co-operation
17
Security and Trust in FP7 - ICT WP 2007-08
110 M
18
Security in network infrastructures 4 projects,
11 m EC funding

• Main RD project priorities
• An integrated security framework and tools for
  the security and resilience of heterogeneous
  networks (INTERSECTION)
• A networking protocol stack for security and
  resilience across ad-hoc PANs WSNs (Awissenet)
• A message-oriented MW platform for increasing
  resilience of information systems (GEMOM)
• Data gathering and analysis for understanding and
  preventing cyber threats (WOMBAT)

19
Security in service infrastructures 4 projects,
18 m EC funding

• Main RD project priorities
• Assuring the security level and regulatory
  compliance of SOAs handling business processes
  (IP MASTER)
• Platform for formal specification and automated
  validation of trust and security of SOAs
  (AVANTSSAR)
• Data-centric information protection framework
  based on data-sharing agreements (Consequence)
• Crypto techniques in the computing of optimised
  multi-party supply chains without revealing
  individual confidential private data to the other
  parties (SECURE-SCM)

20
Security enabling Technologies6 projects, 22 m
EC funding

• Main RD project priorities
• Trusted Computing ? IP TECOM
• ? trusted embedded systems HW platforms with
  integrated trust components
• Cryptography ? NoE eCrypt II
• Multi-modal Biometrics
• ? multi-biometric authentication (based on face
  and voice) for mobile devices (MOBIO)
• ? activity related and soft biometrics
  technologies for supporting continuous
  authentication and monitoring of users in ambient
  environments (ACTIBIO)
• Secure SW implementation
• ? providing SW developers with the means to
  prevent occurrences of known vulnerabilities when
  building software (SHIELDS)
• ? A toolbox for cryptographic software
  engineering (CACE)

21
European security research Programme
22
PASR Preparatory Action for Security Research
2004 - 2006

• Outside FP6
• An overall budget of 45M
• 3 calls 15 M budget each and 15x
  over-subscribed
• Participants from EU25 EEA (2005 2006)

Results (funded) 2004 2005 2006
Projects 123 (7) 120 (8) 121(8)
Supporting activities 50 (5) 36 (5) 44 (7)
Total 173 (12) 156 (13) 165 (15)
23
Security Research themes in FP7 2007 2013

• 4 Security missions / activities
• Security of citizens
• Security of infrastructure and utilities
• Intelligent surveillance and border security
• Restoring security and safety in case of crisis
• 3 Cross cutting activities
• Security systems integration, interconnectivity
  and interoperability
• Security and Society
• Security Research coordination and structuring

24
Content

• Policy activities
• RD activities
• Future challenges
• International cooperation

25
Challenges for RTD for a Trustworthy
Information Society

• Technology
• Cyber-threats, cyber-crime
• The future of the Internet
• Critical (Information) Infrastructures
• Complex ICT Systems and Services
• Users
• Trust
• Empowerment
• Privacy and Human Values

26
Complexity and interdependencies
The future Internet as a large collection of
heterogeneous networks Internet of things The
Internet is broken Critical infrastructures
being interdependent and controlled through
vulnerable networks Service architectures and
infra- structures need security and trust
designed-in
27
Data Collection and its dangers
for business, to provide personalized innovative
applications and services for citizens, to
better communicate and interact, improve the
quality of their life
for governments to service citizens and business
(e-government, e-education or e-health)
for governments again, to provide public security
(protection against crime or terrorism,
border-control, protection of critical
infrastructures, etc.)
What about security, proportionality,
user-centricity
28
Content

• Policy activities
• RD activities
• Future challenges
• International cooperation

29
International CooperationOngoing activities

• ST Agreement between NSF and EU FP-RTD, within
  this framework we organised jointly
• Seminar Dublin (Nov 2006)
• Seminar Illinois (Apr 2007)
• Coordination Action INCO-Trust
• Ongoing discussions with US-DHS and EU Security
  and ICT programmes
• Cooperation between EU initiative on Future
  Internet and GENI/FIND (US), AKARE (JP)
• Trans-Atlantic Business Dialogue exist, as well
  as EU-US dialogue on Security and on the
  Information Society, as frameworks for decisions
  on joint actions.

30
International CooperationWhy , What

• WHY
• Activities intrinsically cross border
• Attackers leverage power of laundering traffic
  internationally
• Internet facilitates international underground
  economy
• Nation-state cyberwarfare ?
• WHAT
• International coordination
• Sharing information via distributed sensors
• Cooperation in research for common goal

31
International CooperationMutual Interest
Proposal

• US side
• NSTAC international RD exchange
• Fed Interagency Committee Cyber RD Plan
• GMU International Cyber Centre
• EU side
• EU policy actions Secure Information Society,
  EPCIP (see above)
• EU research programmes (see above)
• ENISA, and new Telecom package proposal
• An International Forum on Network and
  Information Security where policy
  makers from US and EU administrations would
  yearly meet high level research managers to
  discuss issues of common interest ??
• Within the international context (OECD, ITU,
  WSIS, ...)
• With a first meeting in Dec 2008 in the EU ?