NIS Platform WG3 Secure ICT Research & Innovation
Cybersecurity Strategic Research Agenda
Fabio Martinelli – CNR
Raul Riesco Granadino – INCIBE
(co-chairs)
Aljosa Pasic - ATOS
Agenda
Introduction
NIS Platform and WG3
Cybersecurity Strategic Research Agenda – SRA
Conclusions
Introduction (references)
Letter of President Juncker to Commissioner Oettinger:
“Developing and implementing measures to make Europe more trusted and secure online, so that citizens and business can fully reap the benefits of the digital economy. I would like to work with the Vice-President for Digital Single Market on a plan to make the EU a leader in cyber security preparedness and trustworthy ICT, and to increase the confidentiality of communications.”
Context
Promoting a Single Market for cybersecurity products
The Commission:
• Launch in 2013 a public-private platform on NIS solutions to develop incentives for the adoption of secure ICT solutions and the take-up of good cybersecurity performance to be applied to ICT products used in Europe.
• Propose recommendations to ensure cybersecurity across the ICT value chain, drawing on the work of this platform.
The Commission asks ENISA to:
• Develop technical guidelines and recommendations for the adoption of NIS standards and good practices in the public and private sectors.
Fostering R&D investments and innovation
The Commission will:
• Use Horizon 2020 to address a range of areas in ICT privacy and security, from R&D to innovation and deployment. Horizon 2020 will also develop tools and instruments to fight criminal and terrorist activities targeting the cyber environment.
• Establish mechanisms for better coordination of the research agendas of the European Union institutions and the Member States, and incentivise the Member States to invest more in R&D.
• Promote early involvement of industry and academia in developing and coordinating solutions. This should be done by making the most of Europe’s Industrial Base and associated R&D technological innovations, and be coordinated between the research agendas of civilian and military organisations.
The NIS Platform
(Launched June 2013)
The NIS Platform
• A key action of the EU Cybersecurity Strategy
  • Identify and develop incentives to adopt good cybersecurity practices
  • Promote the development and the adoption of secure ICT solutions
• A public-private platform
  • More than 200 participants (still increasing)
  • 18 MS + Norway: ministries, NIS agencies, NRAs, CERTs
  • Research & academia
  • Industry: ICT, finance, post, transport, healthcare, defence, energy, water sectors
• An open and inclusive multi-stakeholder Platform
  • Appropriate scientific, geographic, and sectorial coverage
  • Driven by the participants
WG3 Scope and Objectives
• Scope
  – Address Cyber Security research and innovation in the context of the EU Cyber Security Strategy and the NIS Platform.
  – Identify key challenges and desired outcomes
  – Promote truly multidisciplinary research that fosters collaboration among researchers, industry and policy makers
  – Examine ways to increase the impact and commercial uptake of research results in the area of secure ICT
• Main objectives of WG3 within the NIS Platform
  – Contribute to the coordination of the European activities in Research and Innovation in connection with the European Cyber Security strategy
  – Produce high quality deliverables (regularly updated) summarizing its main findings
  – As an open forum, to be one of the main sources of inspiration for the crafting of H2020 Work Programmes
WG3 Steering Committee
The human factor
Secure ICT Research Landscape
• Mari Kert (EOS), Editor
• Javier Lopez (U. Malaga), Editor
• Evangelos Markatos (FORTH), Editor
• Bart Preneel (KU Leuven), Editor
WG3 SC
Business cases and innovation paths
• Zeta Dooly (WIT), Editor
• Paul Kearney (BT), Editor
Strategic Research Agenda
• Pascal Bisson (Thales), Editor
• Fabio Martinelli (CNR), Editor / Co-Chair of WG3
• Raúl Riesco Granadino (INCIBE), Editor / Co-Chair of WG3
• Kai Rannenberg (Goethe University), AoI#1 Leader
• Gisela Meister (GI-DE), AoI#1 Leader
• Nick Wainwright (HP), AoI#2 Leader
• Jim Clarke (TSSG), AoI#2 Leader
• Steffen Wendzel (U. Bonn), AoI#3 Leader
• Piero Corte (Engineering), AoI#3 Leader
• Herve Debar (Telecom SUD Paris), X-Analysis Leader
• Volkmar Lotz (SAP), X-Analysis Leader
• Aljosa Pasic (ATOS), X-Analysis Leader
• Neeraj Suri (TU Darmstadt), X-Analysis Leader
Education and training for workforce development
• Maritta Heisel (U. Duisburg Essen), Editor
• Claire Vishek (INTEL), Editor
CO-CHAIRS
• Fabio Martinelli (CNR)
• Raúl Riesco Granadino (INCIBE)
Methodology – an EU Coordinated Action
• Interactive sessions within NIS WG3 + cross-synchronization with several EU initiatives (business, innovation, research, education…) (avg. >60 experts / session)
• Virtual / online meetings:
  • x7 subgroups (bi/weekly) / subgroup (x1 dedicated to Business deliverable)
  • x1 Steering Committee (monthly) with all leaders
• >200 members (experts) inside NIS WG3 + several EU initiatives actively contributed (i.e. CSA)
WG3 Main deliverables
https://resilience.enisa.europa.eu/nis-platform/wg3-secure-ict-research-and-innovation/shared-spaces/snapshot-of-education-training-landscape-for-workforce-development/Education-Training.pdf/view
https://resilience.enisa.europa.eu/nis-platform/wg3-secure-ict-research-and-innovation/shared-spaces/the-strategic-research-agenda-sra/
https://resilience.enisa.europa.eu/nis-platform/wg3-secure-ict-research-and-innovation/shared-spaces/business-cases-and-innovation-paths/business-cases-and-innovation-paths-interim-version/view
https://resilience.enisa.europa.eu/nis-platform/shared-documents/wg3-documents
Strategic Research Agenda (SRA)
https://resilience.enisa.europa.eu/nis-platform/shared-documents/wg3-documents
Process
Each area of interest was investigated separately for:
• Identifying challenges, enablers/inhibitors (technical, policy, organizational) and research gaps
• Those elements are useful to stakeholders mainly interested in one perspective
A cross analysis was then performed in order to identify common emerging themes and possible divergences.
Three main areas of interest
Preserving privacy
• Privacy Enhancing Technologies
• Privacy-aware security mechanisms
• ID management
Fostering assurance
• Security Engineering
• Certification
• Cyber Insurance
Focussing on data
• Data protection
• Data provenance
• Data-centric security policies
• Operations on encrypted data
• Economic value of personal data
Enabling secure execution
• Secure platforms
• Intrusion Prevention/Detection
• Secure operating systems
Managing cyber risks
• Dynamic, composable risk assessment
• Integrated risk metrics and indicators
• Managing complexity and system evolution
Increasing trust
• Dynamic trust assessment
• Computational Trust Models
• Trust and big data
Standardization and Interoperability
• Crypto ("everywhere")
• Certification, assurance, risk, security metrics/indicators
• Information sharing
Education and awareness
• Multi-disciplinary focus
• Responsiveness to changes
• End-to-end skill development
• Continuous awareness
Achieving user-centricity
• Focus on user centric design and engineering
• Usability of security mechanisms
Protecting ICT Infrastructure
• Networks
• Cloud
• Mobile
• IoT, others
Summary of commonalities
Common focus
Fostering Assurance
• Security / Privacy by Design
• Security Requirements Engineering
• Secure Engineering Principles
• Secure Languages and Frameworks
• Secure Computing
• Security Validation
• Metrics
• Quantification of Risk
• Cyber Insurance
• Practical Certification Schemes
• Interdisciplinary Research (including economics)
Focus on Data
• Data protection (confidentiality)
• Data protection (integrity and availability)
• Provenance of data
• Secure data processing
• Operations on encrypted data
• Query privacy
• Data-centric policies
• User empowerment
• Privacy-aware Big Data analytics
• Economic value of personal and business data
Enabling secure execution
• Secure Execution Platforms
• Operating Systems Security
• Security-supporting Services
• Control and Intrusion Prevention Systems
• Secure integration
Preserving privacy
• Development of privacy-preserving cryptographic protocols
• Private communication networks
• PETs for organizations and infrastructure
• Privacy Engineering practices
• Usability of PETs
• Data sanitization and anonymization
• Mobile privacy-preserving applications
• Surveillance monitoring tools
• Privacy-preserving monitoring tools
• Partial identities
• Scalable and interoperable Identity Management solutions
Increased Trust
• Computational models of trust
• Dynamic trust assessment
• Privacy aware trust negotiation
• Trust and big data
Managing cyber risks
• Methods to reduce and manage systems complexity
• Dynamic risk assessment and management
• Formal interoperable models
• Statistical and predictive risk analysis
• Autonomous detection and remediation by a man-machine effective cooperation
• Integrated risk metrics and indicators
• Visual decision making governance frameworks
• Legal risk assessment and management
• Incentives for adoption of risk management best practices and reducing barriers
Protecting the ICT infrastructure
• Security-enhanced technology standards
• Handling of Legacy Systems
• Attack detection and monitoring
• Smart Phones / BYOD
• Forensics and Fraud Protection
• Novel Malware / Steganography in the Network / Novel Data Leakage
• Big Data Security
• Network virtualization and management
Achieving User-centricity
• User centric technologies
• Engineering technologies for users
• Incentives of user centric design and usability in cybersecurity
• Reduce digital divide
• Technologies to reduce user misbehaviour
• Usability of security mechanisms
• Usability of authentication
• Visualization techniques that ease “intelligibility”
• Usable secure public key algorithms that cannot be compromised by quantum computing
Standardisation and interoperability
• Critical Infrastructure Protection: processes and resources more adaptive, decentralized, transparently collaborative and efficiently controlled
• Interoperability to co-exist with other legacy systems still under depreciation
• End-user to trust cross-boundary interoperable and privacy guaranteed communications (as an example)
• Industrial transparency of hardware and software components and functionalities
• Key opportunity for EU to be the reference for privacy and security-by design to end users
• Transparency and a stronger coordination and cohesion of stakeholders groups
Education and awareness
• Multi-disciplinary focus
• Responsiveness to changes in technology and societal environment
• End-to-end skill development
• Alignment of curricula and training with demand for skills
• Using appropriate methodologies for teaching cybersecurity at all levels, from awareness to focused expertise
• Bring all Member States to the agreed upon baseline with regard to cybersecurity indicators
Timeline Example (I)
Topic / Timeframe | Short (1-3) | Medium (3-5) | Long (5-8)
Security / Privacy by Design | Schemes for focused problem areas | Generic theories and frameworks
Security Requirements Engineering | Requirements specification and elicitation languages for security, privacy and trust | Tool support | Fully integrated security requirements engineering
Secure Engineering Principles | Security Guidelines, focused tool support | Comprehensive methodology and tools, Security IDE | Theoretical foundations and supporting methods and tools
Secure Languages and Frameworks | Secure Programming languages, type systems | Integrated secure development and operation frameworks
Secure Computing | Individual schemes | Generic schemes | Significant improvements on efficiency
Security Validation | Static and dynamic analysis | Integrated analysis | Integrated analysis based on formal semantic models
Metrics | Security Process KPIs | Security Quality KPIs
Quantification of Risk | Risk metrics | Risk assessment frameworks based on publicly available data
Cyber Insurance | Operational insurance schemes
Practical Certification Schemes | Lightweight certification
Interdisciplinary Research (including economics) | Economic models | Socio-economic models
Timeline Example (II)
Topic / Timeframe | Short (1-3) | Medium (3-5) | Long (5-8)
Methods to reduce and manage systems complexity | Methods and process for managing risk interdependencies | Simpler tools and interfaces available to support these processes
Dynamic risk assessment and management | Automation of risk analysis | Advanced real time multi-dimensional sensing capabilities | Significant improvements on real time risk estimation
Formal interoperable models | Comprehensive set of formal interoperable semantic models based on ontologies | Comprehensive set of guidelines and interoperable standards approved and established in practice
Statistical and predictive risk analysis | Theoretical foundations and supporting methods and tools for intentioned threats prediction | Statistical methods to estimate the current strength of the system against current and predictive risks
Autonomous detection and remediation by a man-machine effective cooperation | Effective means of man-machine co-operation | Pseudo-autonomous real-time reasoning systems for detection and remediation
Integrated risk metrics and indicators | Auditable calculation methods for risk metrics | Integrated KPI
Visual decision making governance frameworks | New techniques for appropriate risk decision making | Integrated visual decision frameworks to support these new techniques
Legal risk assessment and management | Legal risk semantic formal models | Comprehensive legal risk guidelines and interoperable standards approved and established in practice
Incentives for adoption of risk management best practices and reducing barriers | Research into the use and take-up of risk management methods and practices by SMEs | Lightweight certification and other effective models
Contribution per each research topic (I)
Topic / Benefits: Business | Citizens | Society
Fostering Assurance
• Business: Business will be able to operate across Digital Single Market (DSM) thanks to more uniform assurance/protection requirements and achieved levels.
• Citizens: Citizens will be able to compare offerings and make informed decisions based on cybersecurity assurance/protection levels, in order to avoid “fake” or misleading advertising of security products and services.
• Society: Trust in digital space will increase with the full trust ecosystem of EU wide assurance schemes, related processes (auditing, certification, labelling…), and society awareness and incentives actions.
Focussing on Data
• Business: Business will be able to build innovative data-driven services while being compliant with the data protection and privacy legislation.
• Citizens: Citizens will have better means to monitor and control data usage, as well as to express their preferences.
• Society: Wealth of data will be exploited for various purposes, from healthcare research to fraud detection. More effective use of available data sources, while maintaining trust, will be enabled.
Enabling secure execution
• Business: Business will save costs on security management and post-incident activities.
• Citizens: Citizens will enjoy higher level of privacy protection in a seamless and user-friendly manner.
• Society: Integration and seamless use of devices and data across life domains (e.g. work and home) will be achieved.
Preserving privacy
• Business: Minimising the number and impact of privacy breaches will lead to the increase of trust, for business compliant with EU privacy legislations, thus making this a competitive feature.
• Citizens: Citizens will have more guarantees that their privacy is respected, as well as more transparency and control in usage of their data.
• Society: Societal values will be preserved, such as respect of minorities, dignity, etc.
Contribution per each research topic (II)
Topic / Benefits: Business | Citizens | Society
Increasing trust
• Business: Trust will be linked to demonstrable and transparent metrics and properties, instead of marketing or subjective perception, which will improve e-service uptake.
• Citizens: Citizens will be enabled to make more informed decisions, based on recognised trust labels, benchmarks, certificates etc.
• Society: Society will evolve to trust digital institutions in a similar way to their trust in the physical world.
Managing cyber risks
• Business: More frequent and accurate assessment will lead to more effective use of resources.
• Citizens: Citizens will be able to make instant decisions based on risk "traffic lights".
• Society: Notion of cybersecurity risk will become an essential/fundamental part of digital culture.
Protecting the ICT infrastructure
• Business: Reduction of "out-of-business" due to ICT infrastructure downtimes and reduction of industrial espionage.
• Citizens: Availability of services that rely on ICT infrastructures.
• Society: Fewer disruptions in critical services for society.
Achieving User-centricity
• Business: More users, attracting potential new customers, will access digital services.
• Citizens: Simplification will increase the use of advanced protection mechanisms, including automation for human-error prone tasks or cumbersome activities.
• Society: Wellbeing achieved by citizens that feel comfortable with new or complex technologies.
Cyber security application domains
• Data
• Mobile
• Cloud
• Health
• Smart Grids
• …
Conclusion
SRA Highlights (I)
• A structured document of more than 200 pages.
• More than 70 contributors.
• Offers several different perspectives, from the protection of the citizen, the society and the infrastructure.
• Very informative and truly representing the main findings of the different subgroups working on it.
• The material seems sound although it leaves room for a more visionary perspective.
• The assessment work of the priorities might be extended in a quantitative way.
SRA Highlights (II)
In addition, more general opportunities were identified:
• Fostering European cyber security and privacy cooperation and governance (i.e. cPPP)
• Balancing cyber security and privacy issues
• Mitigating European dependencies on external knowledge/technology
NIS WG3 Assessment
• WG3 members worked well and in a truly cooperative manner in these two years of operation
• The deliverables were produced mainly on time and according to the initial terms of reference, and were instrumental for the H2020 WP 2016-2017 definition
• The work was done on a volunteer basis
• The number of requests to join WG3 increases as we showcase the activities in several fora
• Overall NIS WG3 represents a significant set of stakeholders, ranging from MS representatives to industry/academia experts (likely an even wider variety of expertise would be useful)
• The capability of working in a distributed manner through sub groups with autonomous leaderships still with common goals is a plus of the NIS WG3
NIS WG3 next steps
• Publication of deliverables at ENISA portal. Done
• SRA in candidate release version as well as education one (for final comment). Landscape and Business are in final, v2 and v1 respectively. Done
• NIS WG3 is committed to maintenance of the deliverables. On-going
• Further dissemination of NIS WG3 SRA and of the other deliverables, i.e. Cybercamp
• Continue to build consensus also outside WG3 (with other research agendas) and reinforce the coordination with all the main stakeholders, including SMEs. On-going
• Be ready to contribute to the contractual Public-Private Partnership (cPPP) on Cybersecurity to be launched early next year in the framework of the Digital Single Market initiative of the EC. On-going
Acknowledgments
We thank all WG3 members and the WG3 Steering Committee (formed by all leaders and editors) as well as the WG1 and WG2 chairs/members that contributed to our work.
We want to start by showing our appreciation with distinction to Dr. Afonso Ferreira (DG CONNECT, European Commission) who provided continuous support, insight and expertise that greatly assisted all WG3 activities toward the completion of all deliverables and the effective coordination among all stakeholders.
We would also like to show our gratitude to Paul Timmers, Jakub Boratynski, Pierre Chastanet, Ann-Sofie Ronnlund, Martin Muehleck, Rafael Tesoro and the H4 Secretariat from DG CONNECT. In addition, our colleagues from the European Commission who were responsible for the launch of NISP, Giuseppe Abbamonte, Gustav Kalbe, Olivier Bringer, Alessandra Falcinelli and Virginie de Haan, for sharing valuable comments and suggestions with us during the course of WG3.
We thank Rossella Mattioli, Daria Catalui and Lionel Dupré (ENISA) for assistance with Member States engagement, Education coordination activities as well as the availability and support of the ENISA platform https://resilience.enisa.europa.eu.
NIS Platform WG3 Secure ICT Research & Innovation
Thank you.