This paper discusses the EU's perspective on the security and resilience of ICT infrastructures and networks. It examines policy initiatives, dialogue and partnerships, and the empowerment of all actors involved in creating a secure information society. It also highlights the challenges in critical information infrastructure protection (CIIP) and the European Programme for Critical Infrastructure Protection (EPCIP).
Security and Resilience of ICT Infrastructures and Networks: An EU Perspective
14 Mar, 2008 – GMU Arlington
Jacques Bus, Head of Unit, DG Information Society and Media
Content • Policy activities • R&D activities • Future challenges • International cooperation
Network and information security: The European Policy Context
• Strategy for a Secure Information Society [COM(2006)251]
• Policy initiatives on:
  • fighting against spam, spyware and malware [COM(2006)688]
  • promoting data protection by PET [COM(2007)228]
  • fighting against cyber crime [COM(2007)267]
• Proposed package to reform the Regulatory Framework for e-communications [COM(2007)697, COM(2007)698, COM(2007)699]
• European Network and Information Security Agency (ENISA), established in 2004
• A policy initiative on CIIP is announced for 2008 [COM(2007)640]
Towards a secure Information Society
• PARTNERSHIP: greater awareness & better understanding of the challenges
• DIALOGUE: structured and multi-stakeholder; open & inclusive multi-stakeholder debate
• EMPOWERMENT: commitment to responsibilities of all actors involved
Empowerment: invitation to private sector to
• Develop definition of responsibilities for software producers and Internet service providers for the provision of adequate and auditable levels of security. Need support for standardised processes meeting commonly agreed security standards and best practice rules.
• Promote diversity, openness, interoperability, usability and competition as key drivers for security; stimulate deployment of security-enhancing products, processes and services to prevent and fight ID theft and other privacy-intrusive attacks.
• Disseminate good security practices for network operators, service providers and SMEs as baseline levels for security and business continuity.
Empowerment: invitation to private sector to
• Promote training programmes in business, in particular for SMEs, to provide employees with the knowledge and skills for effective implementation of security practices.
• Affordable security certification schemes for products, processes and services that will address EU-specific needs (in particular with respect to privacy).
• Involve insurance sector in developing appropriate risk management tools and methods to tackle ICT-related risks and foster a culture of risk management in organisations and business (in particular in SMEs).
EMPOWERMENT: NIS in the new EC Telecom package
• Security and integrity
  • Current framework (Art 23 Universal Service Directive): telephone network / fixed location
  • New proposal (Art 13 Framework Directive):
    • level of security appropriate to risks
    • prevent or minimise impact of security incidents on users and interconnected networks
    • focus on continuity of supply of services
• Responsibilities of operators
  • stronger obligations to ensure security and integrity (Art 13 Framework Directive)
• Mandatory breach notification
  • to NRA (Art 13 FWD): significant impact on operation
  • to consumers and NRA (Art 4 e-privacy Directive): personal data compromised
Dialogue & Partnership: EC 2008 Policy initiative on CIIP
• Objectives
  • Enhance the level of Critical Information Infrastructure Protection (CIIP) preparedness and response across the EU
  • Ensure that adequate and consistent levels of preventive, detection, emergency and recovery measures are put in operation
• Approach
  • Build on national and private sector initiatives
  • Engage relevant public and private stakeholders
  • Adopt an all-hazards approach
  • Strengthen the synergies between 1st and 3rd pillar measures
Dialogue & Partnership: Challenges for CIIP
• Organisational: build trusted relationships and engage the stakeholders at the EU level
• Policy orientations: achieve a better understanding and clarity on the guiding policy principles
• Issues:
  • National vs. European information infrastructures (criteria);
  • long-term Internet stability & resilience;
  • preventive, detection/early warning & responsive measures;
  • recovery and continuity strategies;
  • sharing knowledge and good practices;
  • cross-sector proactive information assurance methods;
  • risk management culture and tools;
  • inter-dependencies, in particular across heterogeneous infrastructures; etc.
European Programme for Critical Infrastructure Protection (EPCIP)
EPCIP Policy
• 2004: EU programme on CIP (EPCIP) and CI Warning Information Network (CIWIN)
• 2006: Communication and Directive on EPCIP – sectoral approach
• 2007: Communication on Protecting Europe's Critical Energy and Transport Infrastructure
• 2007: INFSO consultation process for policy initiative in the ICT CIIP sector; ARECI study on Electronic Infrastructures
CIP Research
• FP7 ICT-SEC (Nov 2007): ICT-Security Research Joint Call on Critical Infrastructure Protection
Content • Policy activities • R&D activities • Future challenges • International cooperation
Research Activities in NIS 2003-2008
• ICT Programme – Trust and Security
  • FP6 2002-2006
  • FP7 2007-2013
• European Security
  • Preparatory Action for Security Research (2004-2006)
  • FP7 2007-2013
FP6: Towards a global dependability & security Framework (2003-2006)
Research Focus:
• security and dependability challenges arising from complexity, ubiquity and autonomy
• resilience, self-healing, mobility, dynamic content and volatile environments
• multi-modal and secure application of biometrics
• identification, authentication, privacy, Trusted Computing, digital asset management
• trust in the net: malware, viruses, cyber crime
Budget ~145 M€
FP6: Secure and resilient ICT infrastructures
Projects: SEINIT, DESEREC, SERENITY, IRRIIS, RESIST, UBISEC&SENSE, HIDENETS, CRUTIAL, MEDSI, SECURIST, CI2RCO, GRID (~45M€ EU funding, FP6)
• Research priorities
  • secure and resilient network architectures and technologies
  • secure transmission of data and services across heterogeneous infrastructures
  • secure, resilient and always available Critical Information Infrastructures
  • risk assessment and management of interconnected and interdependent Critical Infrastructures
FP6 - Building Trust in the Internet and Protection against Emerging Threats
BIOMETRICS: 3DFACE, BIOSEC, BIOSECURE, MTIT, Humabio, Digital Passport, SecurePhone, eJustice
TRUST: ANTIPHISH, FASTMATCH, MDS, PEPERS, S3MS, ESFORS
• Research priorities
  • Security and trust in dynamic and reconfigurable service architectures with managed operation across several administrative or business domains;
  • real-time detection and recovery capabilities against intrusions, malfunctions and failures;
  • Biometric identification for lifelong secure access to data and services without compromising trust and privacy
EU funding: ~10M€ and ~25M€ (figures as shown on the slide)
7th EU Framework Programme for RTD 2007-2013
Total 50,521 M€
Strengthening Competitiveness through Co-operation
Security and Trust in FP7 - ICT WP 2007-08: 110 M€ [diagram of work programme areas]
• Network infrastructures (4 projects, 11 m€)
• Identity management, privacy, trust policies
• Dynamic, reconfigurable service architectures (4 projects, 18 m€)
• Critical Infrastructure Protection
• Enabling technologies for trustworthy infrastructures: biometrics, trusted computing, cryptography, secure SW (6 projects, 22 m€)
• Coordination Actions: research roadmaps, metrics and benchmarks, international cooperation, coordination activities
Other figures shown on the diagram: 1 project 9.4 m€; 4 projects 3.3 m€; 3 projects 20.5 m€; 2 projects 5.8 m€; 20 m€
Security in network infrastructures: 4 projects, 11 m€ EC funding
Main R&D project priorities
• An integrated security framework and tools for the security and resilience of heterogeneous networks (INTERSECTION)
• A networking protocol stack for security and resilience across ad-hoc PANs & WSNs (Awissenet)
• A message-oriented middleware platform for increasing resilience of information systems (GEMOM)
• Data gathering and analysis for understanding and preventing cyber threats (WOMBAT)
Personalised Services
Security in service infrastructures: 4 projects, 18 m€ EC funding
Main R&D project priorities
• Assuring the security level and regulatory compliance of SOAs handling business processes (IPMASTER)
• Platform for formal specification and automated validation of trust and security of SOAs (AVANTSSAR)
• Data-centric information protection framework based on data-sharing agreements (Consequence)
• Crypto techniques in the computing of optimised multi-party supply chains without revealing individual confidential private data to the other parties (SECURE-SCM)
Security enabling Technologies: 6 projects, 22 m€ EC funding
Main R&D project priorities
• Trusted Computing: IP TECOM, trusted embedded systems: HW platforms with integrated trust components
• Cryptography: NoE eCrypt II
• Multi-modal Biometrics: multi-biometric authentication (based on face and voice) for mobile devices (MOBIO); activity-related and soft biometrics technologies for supporting continuous authentication and monitoring of users in ambient environments (ACTIBIO)
• Secure SW implementation: providing SW developers with the means to prevent occurrences of known vulnerabilities when building software (SHIELDS); a toolbox for cryptographic software engineering (CACE)
European security research Programme [timeline diagram, 2004-2013]
• GoP (2003-2004); report “Research for a secure Europe” (March 2004)
• “European Security Research: The Next Steps” (Sept 2004)
• PASR (2004-2006), 45 M€; national programmes
• ESRAB (2005-2006); ESRAB report “Meeting the challenge: the European Security Research Agenda” (Oct 2006)
• ESRIF (2007-2009); “Fostering Public-Private Dialogue in Security Research and Innovation” (Sept 2007)
• FP7 Security Theme (2007-2013), 1400 M€
PASR: Preparatory Action for Security Research 2004-2006
• Outside FP6
• An overall budget of €45M
• 3 calls: 15 M€ budget each and ~15x over-subscribed
• Participants from EU25 + EEA (2005 & 2006)
Security Research themes in FP7 2007-2013
• 4 Security missions / activities
  • Security of citizens
  • Security of infrastructure and utilities
  • Intelligent surveillance and border security
  • Restoring security and safety in case of crisis
• 3 Cross-cutting activities
  • Security systems integration, interconnectivity and interoperability
  • Security and Society
  • Security Research coordination and structuring
Content • Policy activities • R&D activities • Future challenges • International cooperation
Challenges for RTD for a Trustworthy Information Society
• Technology
  • Cyber-threats, cyber-crime
  • The future of the Internet
  • Critical (Information) Infrastructures
  • Complex ICT Systems and Services
• Users
  • Trust
  • Empowerment
  • Privacy and Human Values
Complexity and interdependencies
• The future Internet as a large collection of heterogeneous networks; Internet of things
• “The Internet is broken”
• Critical infrastructures being interdependent and controlled through vulnerable networks
• Service architectures and infrastructures need security and trust designed-in
Data Collection and its dangers
• for business, to provide personalized innovative applications and services
• for citizens, to better communicate and interact, improve the quality of their life
• for governments, to service citizens and business (e-government, e-education or e-health)
• for governments again, to provide public security (protection against crime or terrorism, border control, protection of critical infrastructures, etc.)
What about: security, proportionality, user-centricity?
Content • Policy activities • R&D activities • Future challenges • International cooperation
International Cooperation: Ongoing activities
• S&T Agreement between NSF and EU FP-RTD; within this framework we organised jointly:
  • Seminar Dublin (Nov 2006)
  • Seminar Illinois (Apr 2007)
  • Coordination Action INCO-Trust
• Ongoing discussions with US-DHS and EU Security and ICT programmes
• Cooperation between EU initiative on Future Internet and GENI/FIND (US), AKARE (JP)
• Trans-Atlantic Business Dialogue exists, as well as EU-US dialogue on Security and on the Information Society, as frameworks for decisions on joint actions.
International Cooperation: Why, What
WHY
• Activities intrinsically cross-border
• Attackers leverage power of laundering traffic internationally
• Internet facilitates international “underground economy”
• Nation-state cyberwarfare?
WHAT
• International coordination
• Sharing information via distributed sensors
• Cooperation in research for common goal
International Cooperation: Mutual Interest; Proposal
US side
• NSTAC international R&D exchange
• Fed Interagency Committee Cyber R&D Plan
• GMU International Cyber Centre
EU side
• EU policy actions: Secure Information Society, EPCIP (see above)
• EU research programmes (see above)
• ENISA, and new Telecom package proposal
Proposal: an International Forum on Network and Information Security where policy makers from US and EU administrations would yearly meet high-level research managers to discuss issues of common interest??
• Within the international context (OECD, ITU, WSIS, ...)
• With a first meeting in Dec 2008 in the EU?