WORLD CYBER SECURITY TECHNOLOGY RESEARCH SUMMIT · PDF fileThe fourth World Cyber Security...
Transcript of WORLD CYBER SECURITY TECHNOLOGY RESEARCH SUMMIT · PDF fileThe fourth World Cyber Security...
Belfast 2014: Briefing BRIEFING #BELFAST2014 REPORT
4TH WORLD CYBER SECURITY
TECHNOLOGY RESEARCH SUMMIT
BELFAST 2014
SECURING OUR DIGITAL TOMORROW
Belfast 2014: Report 2
ABOUT CSIT
The Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast is
the UK’s Innovation and Knowledge Centre (IKC) for Secure Information Technologies
and a UK Academic Centre of Excellence in Cyber Security Research (ACE-CSR).
At CSIT we are building a global innovation hub for cyber security. Our annual Summit
is a rallying point for world leading researchers, policy makers and leaders from the
global cyber security industry to meet and share knowledge, insights and challenges
through open innovation in an environment which encourages information sharing and
frank discussions to take place.
ABOUT BELFAST 2014
The fourth World Cyber Security Technology Research Summit – Belfast 2014 – saw the event come full circle once again
as we sought to horizon scan the cyber security landscape and define research challenges which will form the basis of new
programmes here at The Centre for Secure Information Technologies (CSIT) and other world leading institutions in the
coming years. This year’s Summit was the biggest ever both in terms of numbers of attendees and also in terms of the
activity programme which saw two new parallel streams added in addition to the core “Cyber 100” stream familiar to many.
The new streams – PRECYSE and Techstars – added new dimensions in terms of supporting new cyber security start-ups
gain access to experienced industry veterans and funders as well as acting as an outlet for the PRECYSE consortium to
disseminate findings from their project and seek input from a broad spectrum of end-users.
Attendees pictured under The Rotunda at Belfast City Hall, location for the Summit Gala Dinner
Belfast 2014: Report 3
EXECUTIVE SUMMARY
Belfast 2014 benefited from a new multi-stream format and was CSIT’s largest World Cyber Security Technology Research
Summit to date. The event theme of “Securing our Digital Tomorrow” enabled organisers to expand participation and
extend invites to some of the most promising cyber security entrepreneurs in this cluster to take part in the Techstars
stream where they benefited from the collective experience of leading industry, academic, venture capital and government
figures. Furthermore the PRECYSE stream enabled those with interests in cyber security for critical infrastructure to have a
deeper understanding of the scope, challenges and outcomes of this significant collaborative European project of which
CSIT is a partner.
At 13 the number of keynote speakers was significant and included high level government speakers from the US
Department of Homeland Security, UK GCHQ, UK Technology Strategy Board, Estonia’s Information Security Authority as
well as Korea’s Information Security Agency. Industry representatives came from Intel Corporation, Sophos, Facebook,
Techstars UK and Ireland’s BH Consulting. Finally academic input featured Hangyang University, Korea, Queen’s University
Belfast and The Royal College of Surgeons in Ireland.
People
A recurrent theme over the course of the two days was people. People are a significant weak link in the security chain both
in terms of threat actors and the demand for skilled cyber security professionals. In his keynote, Doug Maughan from DHS
said ‘With regard to threats in cyber security, the user is the weakest link and cyber criminals are people’. Jaan Priisalu
underlined that Estonia is undertaking cyber security but is hampered by its small population and a lack of people to
provide cyber security. Mary Aiken from RCSI proffered that the online disinhibition effect dictates that people do things
in the virtual world that they would not do in the real world. Mark Crosbie highlighted Facebook’s disruption of the malware
economy by making cyber-crime less valuable, e.g. it offers money for people finding Facebook security vulnerabilities.
Breakout sessions
Substantive output from the Summit included presentations on the top challenges, future technologies and practical steps
required by research organisations following two sets of four breakout sessions. Summaries of those sessions follow.
Secure Digital Assets
The topics of discussion focused on monetizing personal data, privacy protection, greater transparency from data
aggregators as well as the need for greater education for citizens in terms of how data sources can be linked to produce a
bigger picture of an individual. Finally technical solutions to the right to be forgotten problem were discussed.
Secure Digital Devices
Discussions focused on the theoretical security implications of two commodity digital devices, namely, a $30 smart TV
dongle and a $5 smart light bulb. This bounded the discussions in terms of user expectation of security at such a low price
point, who pays for security updates, device lifecycle and who is liable when things go wrong. They then progressed to
proposing new interoperability frameworks, automatic rating of devices on the fly connecting to home hubs, trust models
and rounded out by discussing educational opportunities for teaching citizens to manage their own critical infrastructure.
Secure Digital Citizens
Data ownership, profiting from citizen data and social inclusion featured prominently in these sessions. The groups touched
on the issue of data retention, and whether an individual has the right to be ‘forgotten’ or the choice to be invisible or
anonymous on the internet.
Blue Skies
In these sessions, privacy and trust, system resilience, liability for cyber-crime, technologies that enable new privacy models
(multiple personas etc) and self-healing networks and systems all featured. The opportunity for tailored trustworthy spaces
for various security specific contexts was also discussed.
Belfast 2014: Report 4
OPENING ADDRESSES
PROFESSOR PATRICK JOHNSON, PRESIDENT AND VICE CHANCELLOR, QUEEN’S
UNIVERSITY BELFAST The Summit was opened by the Vice Chancellor and President of Queen's University, Belfast who welcomed guests and
delegates to CSIT, Queen's University of Belfast and the 4th World Cyber Security technology Research Summit. He
outlined the importance of the conference, referring to its international significance for innovation and excellence in cyber
security.
He explained that one of his tenets as the new Vice Chancellor will be to make Queen's University global, presenting
excellence and solutions for society. He indicated that CSIT had all of these hallmarks, providing a leading part in cyber
security worldwide, thinking in the field, encouraging dialogue and shaping issues
important to society - in only 5 years, CSIT had grown into a global innovation hub
in cyber security, having an excellent peer review standing.
Professor Johnson spoke of his recent role as Chair of the Cancer Bill of Rights in
Strasbourg, the rationale of which is to break down barriers, providing even cancer
care throughout Europe. This will only materialise if we have secure technology
and data transfer thus there is a great need for Institutes like CSIT. A key feature
of CSIT is open innovation, working at the boundary of knowledge with different
people to produce new technology, increasing collaboration between academics, governments and industry.
The skills gap and the need for graduates skilled in cybersecurity was discussed, with the Vice Chancellor stating his long
term commitment to CSIT's leadership in cyber security and contribution to education illustrated by the creation of a new
MSc in Cyber Security, and designed in part with industry. Cyber security presents problems and opportunities, working
together provides the best chance to meet these problems and by developing innovative solutions.
SIMON HAMILTON MLA, MINISTER OF FINANCE AND PERSONNEL Mr Hamilton commenced by saying how happy he was to be at the Summit and extended his warm welcome to all
academic, industry and government representatives. He appreciated how critical cyber security is in business and
government, and that the work of CSIT was crucial for tackling cyber security risks. In 2013 the UK market in cyber security
was £2.8 billion, this is predicted to grow to £9 billion by 2016.
CSIT and cyber security companies are meeting this demand, particularly with the CSIT open innovation model stimulating
collaboration between industry, government, SMEs, and hi-tech Foreign Direct Investment (FDI) companies in Northern
Ireland. The Summit is very worthwhile in this respect, providing a valuable opportunity for collaboration and discussion of
cyber-crime issues, and, with the addition of blue skies sessions, encouraging frank and open discussion leading to fresh
thinking.
Online commerce is a very important retail mode, particularly in the UK. It,
however, also attracts increasing levels of crime. The UK government is tackling
this in various ways: issuing a statement on cyber-crime, encouraging cyber
security information sharing in trusted environments, setting up a national crime
unit in cyber security and providing cyber security information to business. This
remains a work in progress, and to further this work, we turn to professionals like
you.
As Finance and Personnel Minister, Mr Hamilton, is responsible for IT security in
the NI civil service and the provision of resilient secure systems for NIDirect government to public communications. In this,
there is a need to reassure citizens of increased resilience to attack and secure data communications.
Belfast 2014: Report 5
Cyber breaches worldwide are increasing and there remain threats, which are not always technical. It is vital to protect
information important to the viability of business and the field of cyber security is therefore key to mitigating such risks. Mr
Hamilton concluded by hoping that the attendees' time in Belfast proved interesting and rewarding, leading to new
insights, contacts and work, helping us to stay one step ahead in cyber security.
PROFESSOR JOHN MCCANNY, CSIT PRINCIPAL INVESTIGATOR Professor McCanny added his welcome to CSIT and the 4th Cyber Security Summit. He highlighted that the Summit attracts
many senior representatives from industry, government and academia and provides discussion on major cyber security
challenges and threats.
The Summit is consistent with the role taken by Queen's University in the NI
Science Park. From its creation in 2009, the purpose of CSIT is to be a UK Centre
for cyber security, accelerating the economic impact of new ideas and research to
deliver commercial and business impact. In CSIT research is juxtaposed with work
from business, understanding its challenges and needs and working new research
into proof of concept demonstrators to overcome the 'valley of death' for
innovations. The CSIT membership comprises both SMEs and large companies,
forming partnerships.
The contribution of the Royal Society was discussed, whose major policy action is delivering evidence, input and thoughts
on cyber security. In this year's Summit, there will be a stream encouraging the involvement of young entrepreneurs with
the welcome participation of venture capitalists, Techstars, Kernel and Amadeus. In addition, the PRECYSE Consortium
Summit stream tackles critical infrastructure threats.
The Summit 2014 aims to take a long term view of cyber security and threats, providing a summary of where we are now
and encouraging a global perspective on the future of cyber security research. Professor McCanny finished by thanking
the Delegates for their repeated support.
Belfast 2014: Report 6
KEYNOTES
DR DOUGLAS MAUGHAN, US DEPARTMENT OF HOMELAND SECURITY The Threat Landscape – A U.S. Perspective. Presentation: http://bit.ly/1mZ4EeF
The first keynote presentation started by discussing the cyber security threat space, and the consideration of this from a
technical angle but also from a human angle, as humans are part of the threat, this needs more thinking. From a
Department of Homeland Security (DHS) perspective, as a large agency, it is concerned about globalisation, borders,
extremists, natural disasters. In cyber space, criminals, hackers, insider threats, the
use of malware etc. and social engineering, all define the threat landscape.
The consideration of the impact of people in cyber security is important. The
White House 2009 cyber space definition talks about equipment, but is missing
people. With regard to threats in cyber security, the user is the weakest link and
cyber criminals are people. As an example, phishing to compromise machines is
the primary threat vector for the DHS.
The speaker then presented his assessment of various top technical and policy
challenges in cyber security. In the USA, critical infrastructure (CI) is the principal cyber security challenge. 16 different
sectors of CI have been designated, the particular concern is loss of life, but financial and intellectual property losses are
also important. President Obama has issued an Executive Order and Presidential Policy Directive for CI cyber security,
proposing a model for industry and academia to secure CI in partnership with the private sector. The DHS works closely
with other bodies in this area and has been tasked to provide a national R&D plan in CI cyber security. In its dialogue with
CI owners, the attitude has been 'we do oil and gas, not cyber security', the CI owners are not used to doing CI security.
The most difficult problem is economics, how to get CI owners, SMEs, individuals, etc. to buy and use cyber security
technology, this needs education and awareness and incentivisation.
The next cyber security challenge discussed was the vulnerability of software, e.g. the US national healthcare platform is
riddled with software problems and there is generally a lack of healthcare software. Again economics is an issue, illustrated
by the large costs involved in producing quality software and also the costs of a lack of software quality. The significant
evolution of software in terms of increased lines of code and the evolution of software languages is also an issue. Looking
at these issues in terms of security has led to the DHS development of SWAMP, a globally-available software test and
evaluation platform and marketplace.
Mobile devices present a growing challenge in cyber security. The numbers of devices is predicted to double in 5 years.
The security of devices is a problem - all device types have been compromised. The security of software on mobile devices
is also a concern, along with security issues in apps, many of these store usernames and passwords and are vulnerable to
man-in-the-middle attacks.
The use of DDoS attacks to compromise machines and knock out infrastructure and companies is a further cyber security
challenge. Attacks have even been seen on 911 centres. The volume of traffic used in DDoS attacks is currently about 400
Gbits per second, but this is increasing rapidly, an increase to 4 Tbits per second could happen and current security
solutions cannot handle this. There is a need to develop new defences and tools for DDoS attacks, the best product is 15
years old.
Cyber physical systems, for example cars, medical devices, smart cities, drones, is another area where cyber security is
needed, as such systems have software that can be compromised. Systems are often designed without security in mind,
there is a need to work with companies producing cyber physical systems. The DHS has issued a recent solicitation for
research in cyber physical systems and CI.
An additional threat posed to cyber security is the security workforce shortage. Cisco report a shortage of more than 1
million security personnel and various other studies support this. The US Department of Defense requires more security
Belfast 2014: Report 7
personnel and 8 other countries report the same problem. IBM is working with 200 universities to bridge the cyber security
skills gap. In the US, this is a national problem, and national initiatives on cyber security awareness and education have
been launched, along with programs in schools and evolving professions and competitions in cyber security to increase
hands on security experience.
Privacy and civil rights is a challenge in cyber security. It is important to conduct security R&D in a legal and ethical manner.
For example, in some circumstances there is a need to access cyber-attack infrastructure, e.g. botnets, to do research,
which raises consideration of legal and ethical issues. The Menlo report addresses the ethical principles guiding ICT
research, this has similarities with the Belmont report for human subject research.
In summary, cyber security must focus on the human / user issue and producing the next generation of security personnel.
Collaboration is essential, as this is a global issue with a need for emphasis on cyber security technology transfer.
CHRIS ENSOR, CESG Mobile on the Cyber ‘Frontline’.
CESG is the security arm of GCHQ and as such focus on this one area. In investigating the security of businesses, CESG
have found other matters e.g. the disclosure of IP of a business. CESG want to increase the awareness of cyber security
issues in business, they have produced Board level information on cyber security to enable the development of a cyber-
security risk posture. This has got good recognition and is still in use.
What needs to be protected? Medical, power, financial, IT, critical infrastructure
systems and information - all of these get compromised in the same way. Do we
have the skills to implement protection? Control of these systems is needed to
manage cyber security risks. Ceding control to Cloud services and WiFi operators
and to the actual owner of devices we use, increases cyber security risks, the need
for security and the difficulty in making services and information secure. There is
a need for the market to drive good security practices in e.g. the Cloud and WiFi.
We need to know the capabilities of who we are protecting against, these vary from any one as an attacker to a nation state.
Different attackers have different levels of expertise in cyber-attacks, this should be used to develop appropriate defences.
Very sophisticated attackers can and do also use the easy way in.
What do we need protection from? This could be, for example, attacks from outside a network, attacks from within the
network attacks using WiFi to access the network.
How to we protect ourselves? If, for example, we need protection against an attacker on the Internet, defences need to
be placed at the network / Internet access point. But the attacker can also target any devices that access the network, so
we need to rely on device users to manage security of their devices.
Present computer systems have a lot of bugs, although this issue is decreasing. The problem is the standard of warranties,
these do not provide any guarantee that software will work and we accept this. If we do not send bad software back it will
not be improved. We need to fix software to make an effect on cyber security and to create the security that we need.
Basic Cyber Hygiene - the basics to stop attacks. CESG have carried out analysis on some companies and discovered the
use of exploits such as software bugs, weak passwords, commodity hacking tools. The basic security requirements are
patch management, secure network configuration, firewalls and Internet gateways, access control, malware protection.
Business and large organisations say these are too hard, but if they do not implement them they are wide open. We need
to get UK organisations to do these 5 things well. This presents an opportunity for innovation, education and awareness,
to enable companies to do these security measures well.
Belfast 2014: Report 8
DR CLAIRE VISHIK, INTEL CORPORATION UK Next generation of trusted technologies. Presentation: http://bit.ly/PU9dJE
The speaker started by expressing her optimism and hopefulness about developments in the
cyber security area, with new technology brings new opportunities but also threats. Intel have
new technology, between technology developments, user awareness, regulation updates.
These are all examples of positive matters in the cyber security area.
We currently experience composite security networks and as these networks become more
complicated, protection becomes less useful. Looking at security issues at a high level is the
way to go. The multi-disciplinary nature of cyber security attacks is important, attacks happen
for different reasons, only some of which are technical, other reasons include, for example,
socioeconomic issues. We need to understand all of these reasons to develop cyber security
strategies.
We live in an increasingly connected environment. The number of devices is increasing and these now participate in many
processes. This increasing complexity is generating a much increased volume of data. We also now have a different
architecture environment with the introduction of the Cloud. The interaction between different environments is increasing,
barriers to entry are decreasing. With this increased interconnectivity comes different attack vectors. New trust and security
problems are appearing, for example in supply chains, the Internet of Things, industrial systems, mobile devices. New trust
and security problems are also arising from new usage models, economic developments and geopolitical issues. The cyber
security threat environment has therefore become increasingly complex, moving to hardware and firmware. There is a
need for security experts that understand the current security environment and also the present socioeconomic influences
on security. For example, we have increased automation of computer systems in the home. This has advantages but
introduces new attacks with new consequences. New technology monitoring can allow criminals to identify houses to
attack, criminals can also remotely access devices in houses to gain access or damage property.
Trust evidence was then discussed. Research in improved trust anchors has shown that the current trust environment is not
adequate. There is a need for a composite systems view to increase trust. Mechanisms are necessary that produce, verify
and consume trust evidence among the components of the current ecosystem. Intel have tried to produce a trust
generalisation useful to many ecosystems, this has proved very difficult and requires a new definition of trust. The definition
of trusted computing has not changed since 2010. A trusted system behaves in an expected way under certain
circumstances, i.e. the trust is about future actions. Currently trust definitions emphasise identity, but this trust is Y/N, a
graduated approach to trust is needed with system usage adjusted accordingly. Developers need to know several things
to develop for every use case - the intent of other developers, regulatory requirements, future architects and use models.
There is a need to develop trust thinking, presenting a number of potential research topics, e.g. cross domain trust
definition development. The vision for the future includes making foundational features for security and privacy mandatory
and looking at innovative threat models. For this there is a need for a new generation of security professionals who are
multidisciplinary and a need to adopt new work processes e.g. part time involvement in several projects.
For users to understand devices, they need to know about various issues including security and privacy features of devices,
app and network ownership, software on their devices, security models used, what information they share. Approaches to
helping user awareness include making indications on devices to warn about their impact on security and privacy, enabling
security and privacy technology by default, and teaching technology in the right way to increase an understanding of
security and privacy.
What affects our thinking in cyber security? The global environment of cybersecurity creates a global overlay picture with
different lifestyles and living standards, cloud apps, and an international workforce. There is a perceived disconnect
between research and real life issues. An increase of awareness of cyber security could be achieved by an increase in real
life conferences and programmes for collaboration and public private partnerships. In an ideal situation, we would find a
way to pursue ecosystem and niche problems together, develop mechanisms for public private partnerships and
technology transfer and form agile responsive teams.
Belfast 2014: Report 9
PROFESSOR MAIRE O'NEILL, QUB Cryptography in a Post Quantum Computing World. Presentation: http://bit.ly/1ed5l19
This presentation concerns Blue Skies research - cryptography in a post-quantum computing era. In traditional computing,
bits exist in one of two states, 0 or 1, and calculations are performed sequentially and one at a time. Quantum computing
involves qubits, which can exist in both states at one time, which allows quantum computers to perform multiple calculations
in parallel. Quantum algorithms are used to exploit this parallelism, such as Shor’s algorithm which allows factorisation of
numbers with exponential speed-up over traditional computers and Grover’s algorithm which searches unsorted databases
with quadratic speed-up. These algorithms has have demonstrated the potential of quantum computing.
However, some problems remain in quantum computing technology. Achieving large scale quantum computing is difficult
due to decoherence and it is difficult to verify if a system is in a quantum state or not. Also, the transmission distance of
quantum communications is limited.
In recent years there have been some major breakthroughs. The quantum
factorisation of 143 is now possible - this is the largest number yet to be factorised
into its primes by a quantum algorithm. The longest-distance quantum
teleportation in free space to date was achieved over 143km. This showed for the
first time the potential feasibility of transmitting quantum information between
satellites and ground stations. A quantum memory state was held stable at room
temperature for 39 minutes, which is 100 times longer than the previous record,
and although not long, is sufficient time to run over 20 million computations.
In 2011, D-Wave announced the first quantum computer. There is much debate as to whether this is a true quantum
machine, as it only shows a speed increase for certain calculations and it is difficult to verify if it is performing quantum
operations or not. In January 2014 it was revealed that the NSA are funding the development of a ‘cryptologically useful
quantum computer’ and their true capability in this area is unknown.
What happens when quantum computers do become a reality? Commonly used public-key cryptographic algorithms,
based on the integer factorisation and discrete log problems, such as RSA, ECC, DSA, etc., will be vulnerable to Shor’s
algorithm and will no longer be secure. It appears that symmetric algorithms will be secure against quantum computers
(and Grover’s algorithm) by simply increasing the associated key sizes.
However, there is an alternative form of public-key cryptography that can be used, namely post quantum cryptography.
Post quantum cryptographic algorithms refer to conventional non-quantum cryptographic algorithms that are secure today
and will remain secure even after practical quantum computing is a reality. The main types of post quantum cryptography
are code-based cryptography, hash-based cryptography, multivariate quadratic cryptography and lattice-based
cryptography. While code-based cryptography is the most mature post quantum technique, recent advances in lattice-
based cryptography have made it much more practical and it can be used to create cryptographic constructions beyond
public-key encryption, such as, identity-based and homomorphic encryption.
Many challenges remain in the area of post-quantum cryptography. Further security analysis of post-quantum cryptography
algorithms is needed. The selection of suitable parameters to guarantee both security and efficiently is still an open research
problem. Optimal and practical PQ algorithm implementations need to be investigated as does the resistance of these to
physical/side-channel leakages.
CSIT is carrying out research into accelerating the main underlying primitives involved in lattice-based cryptography and
homomorphic encryption. Recent research that utilises an improved low hamming weight multiplication architecture for
integer-based homomorphic encryption has led to a significant speed-up over the reference software implementation.
Belfast 2014: Report 10
JAAN PRIISALU, ESTONIA INFORMATION SYSTEM AUTHORITY Cyber Security in Estonia. Presentation: http://bit.ly/OIqbJG
Estonia is undertaking cyber security but is hampered by, for example, its small population, a lack of people to provide
cyber security, and a failure of automation of government services.
They have researched the architecture choices for government automation and arrived at a chosen system following
existing IT processes. Using IT experts' plans, the cost of the automation would be 30 times the national budget.
Interagency sharing of platforms was suggested to decrease the price. Measuring intergovernmental agency interactions
developed a knowledge of what government is doing, most government work is
in the social and security areas. However, implementing the connection of
national institutes makes citizens afraid of government knowledge of their data.
Therefore a government portal is used to allow citizens to see what data is held
on them.
eID cards have been developed and introduced in Estonia. These have a public
key basis. These are needed as, for example, the passports system is not scalable.
eID card authentication is used for government services and other purposes and
to define the identity of citizens and institutions.
With regard to Estonia's critical infrastructure, there is a need to protect the ecosystem, but the difficulty is where to
concentrate. It was decided not to build separate cyber security systems but to build cyber security within the infrastructure
used to support the critical services. 95% of critical services are dependent on IT, in 30% of cases the dependency is critical,
and in 10% of cases the dependency is highly critical. No alternative exists, if the IT service is down, the critical service is
down. There is a need to focus on critical infrastructure providers and make them understand cyber security, building
communities and collaboration and dialogue between players. CI managers and owners need to talk. Using penetration
tests and adding risk management language on presentation to managers resulted in a budget change for cyber security.
Estonia has learned the lesson from the cyber-attacks of 2001. Government etc. institutions have been made to talk. Cyber
security systems, e.g. encryption, have been introduced in the election system. Systems are being built so that essential
government services will operate even after occupation of Estonia, this serves as a deterrent to invasion. Cyber security is
being injected into citizen requirements, e.g. management of heating bills, as teaching every citizen to be a cyber-security
expert will not scale.
GERHARD ESCHELBECK, SOPHOS Cybercrime: From Kudos to Profit. Presentation: http://bit.ly/Q8N4qz
An increased amount of companies are going public with data breaches. This is not decreasing or stabilising, but actually
increasing. This is due to system complexity, which introduces vulnerability and threats and risks of cyber-attacks. At the
same time, cyber criminals are becoming more sophisticated, there is more funding and
resources, and growing motivation e.g. financial. Cyber-crime is increasingly becoming an
organised effort between various players, at a cost of $8 billion worldwide in 2007 and 2008.
Catching cyber criminals is difficult, even with lots of resources, it is still difficult. Cyber-crime
is a business with advertisement of its services e.g. on YouTube. Part of the issue is that
cyber-crime is an interconnected economy of individuals carrying out crimes, e.g. developers
of attack tools, attack deliverers and buyers, this is global and very difficult for law
enforcement.
One common thing is that all cyber-attacks involve malware, this is at the centre of cyber-
attacks. In the early days, 5 to 6 viruses were seen per month, e.g. the Michelangelo virus 20
years ago which was spread by floppy disk and activated only on Michelangelo's birthday. This was simple to deal with.
Today the situation is highly complex. An increased volume of 250 - 300,000 new malware samples are seen per day. Most
Belfast 2014: Report 11
malware is web driven and carried by legitimate websites. Malware is now extremely professional and complicated due to
the increasing financial clout of developers as their success rate increases.
An example of malware used in cyber-attacks includes ransomware, where a person's data is encrypted and they have to
pay to get it back. Ransomware is now using public / private key encryption and social engineering tricks, e.g. illegal data
has been found on your computer which you can pay to deal with. A further example of malware includes POS malware
which attacks POS systems. The malware resides on these systems and steals customer card details. It is present in various
sectors, e.g. in hotels, transport etc.
Everything that has been seen on fixed networks with respect to malware will be / is being transferred to mobile devices,
this is the next frontier for malware attacks. 350,000 Android malware samples have already been collected by SOPHOS.
Hacked devices have the capability of, for example, stealing data.
Crimeware kits, toolkits for cyber criminals, are now available, for example for download from the Internet. For criminal
malware to be successful it is all about traffic. Sites that have a lot of traffic are targeted and used to attack an increased
number of devices e.g. servers.
Cyber security is a global challenge, collaboration is needed between governments etc., and mechanisms for cyber-crime
reporting are required.
MARK CROSBIE, FACEBOOK Protecting a billion identities - Without losing (much) sleep
Facebook has 1.23 billion monthly active users, on this scale, security problems
become magnified and security solutions become useless. In addition, Facebook
operate using open source software and hardware design etc. There is a need to
think about security in a way that responds to threats as they happen. The mission
is to protect Facebook data and, as Facebook use their own systems for business,
to create a sense of ownership of security. As the Facebook culture does not
support barriers, security in Facebook needs to be done by the enablers, the
people who write the code are responsible for its security.
Facebook thinks about security by focussing on the threats, actual not perceived, the conversation is about the reality of a
threat and an appropriate solution. The top Facebook security risks are:
1. Abuse of user data, trust is the most important issue to Facebook
2. Source code deletion / modification
3. Protection of business data
4. Ads platform exploitation
5. Security in relation to employees, these are often targeted by attackers
To deal with these, Facebook disrupts the malware economy by making cyber-crime less valuable, e.g. it offers money to
people who find security vulnerabilities. This changes the security conversation, building trust in Facebook in the security
community. Facebook also makes security training fun. Every October a hacking challenge is run where hacking of other
Facebook employees, data centres etc. is attempted, simulating real world attacks e.g. phishing exercises. Facebook takes
a pragmatic security approach, assessing whether security policies get in the way and matching security controls to the
value of the asset, e.g. there is no point in using SSL to transfer data if you do not protect your computer. Cryptography is
easy but key management hard, so Facebook worries about the latter. The bad guys in cyber security are not obvious, they
try very hard to look legitimate.
Belfast 2014: Report 12
MARY AIKEN, ROYAL COLLEGE OF SURGEONS IN IRELAND The CyberPsychology of Cyber Security. Presentation: http://bit.ly/1gc2CUk
Cyberpsychology considers the impact of emerging technology on human
behaviour. The specific area of Forensic Cyberpsychology examines behavioural
evidence, related to crime, manifested in a virtual context. Cyberpsychologists
adopt an inter-disciplinary approach, ranging from the social sciences, to computer
and network science. My research focuses on higher level architectures of criminal
behaviour in cyber domains. Cyberpsychology is a growing field, and Ireland is a
centre of excellence. Exponential growth is expected due to the increased
use/penetration of the Internet, and the profound influence of this technology on humans.
Concerning the psychology of cyberspace, one of the important questions is; are real world psychological theories
applicable in virtual environments, do we need to modify them, or develop new theories? For example, are real world
stalking and cyberstalking the same condition? Is cyberstalking simply facilitated by technology, or is it a new and
differentiated form of criminal behaviour? In the latter, observed differences are as follows; emergence of more female
stalkers, stalking of multiple victims simultaneously, and the ability of the stalker to access more personal data of the victim.
Regarding “state and trait” characteristics in cyber space, anonymity coupled with the “online disinhibition effect” (Suler,
2004) dictates that people may do things in the virtual world that they may not do in the real world. Arguably there is a
need to conceptualise technology in a new way, a need to think about cyberspace as an environment, as a place, as
cyberspace. Furthermore there is a need to consider the impact of this environment on vulnerable populations (such as
developing youth), and criminal and deviant populations. This is required in order to understand modus operandi in this
space. Cyberpsychology can assist in this regard, delivering insight at the human / technology interface.
Key perspectives in cyberpsychology include ‘factoring the human’ into the cyber security debate. This involves the
consideration of person versus user, state and trait characteristics, and investigation of any disconnect between the “real
world self” and the “virtual world self”, along with organisational issues in security. For example, promotion of employees
is often based on knowledge focused on how that person presents in a real world context. The question is how does
leadership manifest in a virtual context? In the case of a major cyber event, how can we be sure that the best people are in
place in a leadership role? We should perhaps consider having two, or indeed dynamic organisational hierarchies, suitable
for real world, and virtual world events. In terms of insight, if we want to understand cyber criminals or sophisticated cyber
operators, we should consider profiling them in a cyber-context. We should examine motive, and primary and secondary
gains e.g. financial profit, emotion (such as revenge), politics/religion (common motivator for cyberterrorists) or “just for
the fun” (this motivation can apply to youth, and others who may hack into networks, share copyrighted music/movies,
deface web sites etc.)
As discussed, a key perspective is to consider cyber space as an immersive, as opposed to transactional entity, to consider
cyberspace as an actual environment. In cyber space it can appear that nobody is in charge, what Suler calls the
‘minimisation and status of authority online’. The challenge for technology is perhaps to create an impression that there is
in fact some accountability for use of technologies, to consider digital deterrent, and digital outreach protocols. There is
also a need perhaps to update and reconsider definitions in a contemporary context, for example what does privacy,
identity or trust mean to a new generation, and are they different constructs to previous generations?
There is a continuing debate regarding the role of Artificial Intelligence, however it’s important to remember that as
psychologists we do not as yet fully understand the workings of the human brain, indeed the very construct of testing of
Intelligence may need to be reassessed in an age of technology. Therefore how can we attempt to replicate something
that we do not fully understand? We need to think in paradigm shifts to tackle these issues; also we need to consider on-
going cyber ethical implications.
Cyberpsychology research vision is focused on understanding new cyber behaviours, and delivering insight. To do this we
need to have a theoretically profound, experimentally rigorous, developmentally longitudinal, and technically sophisticated
research approach, and we should adhere to principles of virtual research methodology.
Belfast 2014: Report 13
JINHYUN CHO, KOREA INTERNET & SECURITY AGENCY Cyber Security and Data Protection Challenges in Korea. Presentation: http://bit.ly/1oPcEAH
In Korea there are lots of cyber security and data security challenges. In KISA information
security, Internet promotion, international cooperation and policy research are the 4 main
functions.
In 2013, there were a number of security incidents in Korea. One was an attack on Korean
broadcast stations and banking services. This affected clients, servers and ATMs and
happened in the middle of the working day. A lot of effort was made to discover the malware
distribution path. Improper security management and serious security holes were discovered.
More resources needed to be focussed on security, not merely outsourcing this to vendors.
Security needed to be the job of users, not just security personnel. The attacked institutions
needed to invest more money on security. The attack had occurred on at least one state
broadcast station before, but they did not learn from it. A further cyber-attack resulted in the
defacement of the Korean President's website.
Central government systems are integrated so the DDoS attack resulted in the disruption of interconnected systems. The
discovered attack method was a web hard client program. Not enough attention was paid to the security of such programs
being downloaded by users. Definite determination of who was behind the attack was very difficult, e.g. due to the lack of
legal assistance from countries where malware data comes from. The Government have announced that the attack was
from North Korea. In 2014 various personal information security breaches took place. Entry of personal information is
required to access Korean websites. This includes residential registration numbers, which comprise an individual's birth
date, male / female information, and origin information. Residential registration numbers are used by the Korean
government as an identifier online, but they are also used by cyber criminals. We are now paying the cost of the
convenience of use of residential registration numbers. An employee of a credit rating company was involved in personal
information attacks. There was no security policy / encryption to prevent this. In a mobile service provider personal
information breach, the criminal got information on who needed a new mobile phone and used this to increase the sale of
phones.
The Korean government response included changing the responsibility for dealing with attacks, developing an attack
response strategy, introducing minimum data collection of personal information to protect financial consumers,
establishing new key research and development areas for information security, in 2014 the focus is on wireless, and
developing a cooperative model for research.
BRIAN HONAN, BH CONSULTING Cyber Security: Global Challenges, Local Solutions. Presentation: http://bit.ly/1etqhMc
Ireland plays an important role in the cyber security world. 94% of Irish companies depend on the Internet for their business,
this needs to be secure. Nearly 80% of security breaches are not detected by companies themselves, the difficulty of attacks
is low, using attack tool downloads.
In IRISSCERT a large increase in security incidents is being dealt with. Attackers
are mainly breaking into websites to set up phishing attacks. There has also been
a surge in DDoS attacks, both direct and to use websites in attacks. Most incidents
involve organised crime.
The causes include bad passwords, missing patches, vulnerable platforms for
websites, caused by use of these by web development companies, lack of virus
updating and lack of monitoring attack indication information such as security and
systems logs. There is a need to get back to security basics, why focus on advance attacks etc. when we have not dealt
with the most common attacks? Layered security is needed, putting the most important data behind various protection
layers. Collaboration is required to improve cyber security.
Belfast 2014: Report 14
PRECYSE
This special stream at Belfast 2014 brought together PRECYSE research partners, members of the PRECYSE end user group,
Critical Infrastructure stakeholders, and welcomed a number of other attendees from the main summit. The key outcomes
of this event were to engage critical infrastructure operators and stakeholders in an interactive discussion about the project,
progress to date, key technical outcomes, cyber security challenges, and to identify refinements and key research issues
for the remainder of the project.
PROFESSOR EUL GYU IM, HANGYANG UNIVERSITY, SOUTH KOREA Cyber security and critical infrastructure in South Korea
The event opened with a keynote address by Professor Eul Gyu Im of Hangyang University, who
highlighted a significant number of Smart Grid cyber security related research projects in South
Korea. Prof Im’s presentation included an insight into a range of cyber security incidents that the
country had experienced over recent years. International political relations in the region presented a
significant motivation for securing national cyber infrastructure.
His presentation concluded by explaining South Korea’s strategic plans for its future energy
infrastructure, and highlighted that many hundreds of millions of dollars would be invested into
emerging Smart Grid industries and related cyber security technologies in the next 5 years.
PRECYSE WORKSHOPS Progress to date
In the main part of the PRECSYE stream, the focus moved towards a workshop exploring the progress of the project
throughout the first 24 months of research, and the objectives for the remaining 12 months.
The initial session, led by Berthold Haberler of power distribution operator Linz AG, explored how PRECYSE technologies
and methodologies would be tested and validated in two pilot sites, built using expert domain knowledge of end-user
partners, which provide comprehensive and realistic test environments. The two pilot sites are:
1. Energy Demonstrator: Energy management control centre of the region of Linz, Austria, which
provides power supply and related services for 400,000 inhabitants in an area of 2,000 km2.
2. Transport Demonstrator: Traffic control centre in the city of Valencia, Spain, which has a metropolitan
area with more than 1.5 million inhabitants and an average of 500,000 vehicles running every day.
Privacy and information security issues
Jennifer Betts of CSIT then led a discussion on the implications for privacy and information security issues in the storage
and sharing of sensitive and confidential information in Critical Infrastructure, in line with EU Legislation, Directives and
other key principles. She proposed a “Privacy Impact Assessment Model” to be tested in the pilot sites, which will provide
operators a score based on level of compliance measured against best practice guidelines and offers specific
recommendations and actions for improvement.
PRECYSE Framework for Critical Infrastructure cyber security
Leonardo Grassi of Thales, and Nils Ullveit-Moe of the University of Agder, led a deeper investigation into the proposed
PRECYSE Framework for Critical Infrastructure cyber security. The discussion looked at extensive research carried out
during the project to define a Methodology and an Architecture for incrementally improving the cyber security of Industrial
Control Systems (ICS), as well as proposing a test suite for technology validation to be adopted through the remainder of
the project.
Belfast 2014: Report 15
From Security Analysis to Remediation
The theme of the final workshop session was “From Security Analysis to Remediation” and was led by Paul Smith of AIT,
Jörg Kippe of Fraunhofer IOSB, and Kieran McLaughlin of CSIT. This session offered a deeper dive into selected tools
developed within PRECYSE that offer significant advances towards securing ICS networks. Highlights included:
• A vulnerability-centric threat analysis for assessing the risk from multi-stage advanced persistent threats
• How to implement the PRECYSE security services framework using open source technologies
• Privacy preserving Intrusion Detection Systems (IDS)
• IDS customised for the IEC 60870-5-104 SCADA protocol used in power distribution
ABOUT PRECYSE PRECYSE is a £4M European Commission FP7 research project investigating “Prevention, protection and reaction to cyber-
attacks to critical infrastructures”. The goal of PRECYSE is to define, develop and validate a methodology, an architecture,
a set of technologies and tools to improve -by design- the security, reliability, and resilience of the Information and
Communication Technology (ICT) systems supporting Critical Infrastructures.
PRECYSE is coordinated by ETRA I+D (Spain) and partners include the Austrian Institute of Technology, AIT (Austria),
Fraunhofer IOSB (Germany), Skytek (Ireland), Thales Italia (Italy), University of Agder (Norway), Ajuntament de Valencia
(Spain), Linz AG (Austria) and the Centre for Secure Information Technologies, CSIT.
Website: http://www.precyse.eu/
Belfast 2014: Report 16
TECHSTARS
This stream was delivered in partnership with NISP Connect and Techstars. Two sessions ran that consisted of an invited
talk followed by expert panel discussion, allowing early stage entrepreneurs and businesses looking to accelerate growth
in the cyber security sector to get deep insights from key industry leaders.
Session 1: What differentiates success from failure?
Jon Bradford, MD Techstars UK gave a talk introducing Techstars (the world’s #1 start-up accelerator). He spoke briefly on
his own career enabling and facilitating innovative start-ups and also highlighted the 10 things that repeatedly come up as
reasons for early stage businesses failing. These were:
10. Lack of originality 5. Bad investors
9. Single founder 4. Founders falling out
8. Timing 3. Lack of pragmatism
7. Wrong staff 2. Too small a market
6. Too much/too little funding 1. No customers
Following the talk there was an expert panel session with Jon Bradford & Greg Rogers - Techstars, Elisabetta Zaccaria -
Independent Consultant, Zach Tudor - SRI International, Alex van Someren - Amadeus Ventures and Danny McCaughan -
Kernel Capital. The panel took questions from the 40+ people in the session on issues of building effective teams, bold
realistic aspirations and ways to practically shortcut experience. Open discussion was also held on topics of funding,
working environment and building effective sales/marketing channels.
Session 2: What big problems are waiting to be solved?
Andrew Tyrer from the UK Technology Strategy Board gave a talk on the emerging technology trends in the Digital
Tomorrow. He highlighted the agency’s role in stimulating innovation in the UK and spoke to some of the current and
upcoming funding calls that were relevant to the audience. Reference was also made to Prime Minister David Cameron’s
announcement at CeBIT Germany on 10th March 2014, of an extra £45M funding to be made available to develop Internet
of Things (IoT) technology in the UK.
A follow-up expert panel session was held with Andrew Tyrer - Technology Strategy Board, Martin Borrett - IBM, Jon
Bradford - Techstars, Zach Tudor - SRI International, Elisabetta Zaccaria - Independent Consultant and Danny McCaughan
- Kernel Capital. The panel discussed trends and key areas for innovation and where need is not matched by solutions.
Each panellist was asked if they were to set up a business today what area would that business be in. Anonymous answers:
1. Quantifying security, risk models 4. Cyber Physical System Security
2. Cloud Computing Security 5. IoT security of wearable technology etc.
3. Personal Computing (Next wave, after cloud) 6. Education, online expert on demand etc.
Significant time was spent in the panel session discussing the current market interest and focus on Privacy and Trust,
however, a conclusion from the Session was that business models to monetise Privacy and Trust technology are maybe not
mature enough. It was recognised that even though user appreciation and market demand are not enough to build
significant business at the moment, it certainly will be in the near future.
The Startup Stream held over the 2 sessions with delegates moving in and out of the main summit was reported as a great
success. CSIT will look to encourage the development of this type of innovation space and session at future Summits.
Belfast 2014: Report 17
BREAKOUT SESSIONS
SECURE DIGITAL ASSETS Facilitators: Professor Sakir Sezer, CSIT and Brian Honan, BH Consulting
The distributed and networked nature of computing and storing digital assets in the Cloud
requires context-specific security technologies. With pervasive computing, personal
information will be used to optimise Smart Utilities and Smart Cities. Group discussions
started by articulating what defines a digital asset (DA). There are radical differences
between DA’s in the commercial realm and the personal realm. For example, a Warner
Brothers motion picture which is broadcast to audiences worldwide, versus a set of
photographs taken on a phone which are shared with a small group of friends via social networking site. There are major
distinctions between static assets e.g. DOB, National Insurance Number etc., and dynamic assets such as meter readings,
smartphone locations etc.
DA’s are generated by commercial activity for example an end-user can choose to use a GPS modem on their phone but
the moment they do so they are exposing themselves and their location is known more widely. A company may
generate/collect data and may hold IP in how that data is used or processed but the broader question is who owns the
data? Individuals could consciously give away all their data and make it openly accessible on the Internet in encrypted
format. This may reduce key management problems.
Enterprise data management systems which analyse who / where / why data is being used and generate data classifications
and policy rules; could be extended into the personal realm.
Monetizing personal data?
Discussions moved on to the topic of monetizing personal data. Could identities be copyrighted for example and would
this be scalable? How would chains of vendors / syndication of personal DA’s spread throughout the Internet be managed?
Would this require legislation to establish a framework? This could take the form of a centralized personal repository of
DA’s owned by an individual. Vendors would be given access via a token (key) which would determine the policy to be
enforced by the repository. This would empower citizens to actively manage and monetize their personal data assets.
Privacy Protection
Jurisdiction plays a major role in determining the policy and level of protection afforded to DA’s. US law provides little
privacy protection – if an end-user chooses to use a service then that service provider can exploit the data generated. The
end-user effectively signs away their rights by enrolling in the service.
Privacy means different things to different people. For example, Fit-Bit is a life logging service tracking personal mobility,
exercise regime and sleep patterns. Data can be shared with friends and family in a social network context to help motivate
the individual and encourage healthy lifestyles. However, life insurance companies would be delighted to get access to this
class of information. They would create personalized policies with lower premiums for more active subjects.
The intent of the data processor / recipient of the data will determine the extent of the controls we wish to place on our
personal data. Protection of DA’s is context sensitive – we need to define what can be done with DA’s and then implement
different levels of protection depending upon the sensitivity of the material. This could take the form of an International
bill of rights for Digital Subscribers setting out a layered framework for privacy protection:
1. Individual only 3. Employer and/or work related
2. Family and close friends 4. Anonymous – Don’t care
Belfast 2014: Report 18
Service providers could be obliged to inform individuals what they are doing with their data. A user agent is needed to
deal with incoming Service Provider reports and automatically flag up issues or violations. That is, a personal privacy
advocate.
Corporate social responsibility does have a place too – businesses should only collect the minimum amount of data needed
on subjects to provide a sufficient service.
Many attendees reflected that it is annoying to be asked to fill in the same personal details on each Website / Internet
service they register on. Could a personal (secure) avatar remove the drudgery and provide stewardship of personal data?
Additional tool support in base operating systems to alert users to tracking and surveillance activity by third parties might
be an answer for less tech savvy users. New fundamental data types e.g. a transient data format that cannot be persisted
to disk might also address privacy concerns.
Data Aggregation
Linkage between data sources is a major concern. If government sources such as tax, VAT, police and justice, medical
records, driving licenses etc., which are all static databases, are linked to commercial and/or dynamic data sources such as
location and banking transactions the result is digital DNA. A complete map of a person’s life.
Credit rating agencies should provide greater transparency for data subjects and proactively inform them of significant
changes.
Do we have sufficient technology to maintain the integrity of DA’s as they are transported, processed and aggregated? Is
there a case for standardized handling procedures in the cloud?
Information assurance is a neglected issue in many organizations. The classification and governance of DA’s is not well
resourced. Strengthened privacy laws could have a positive effect inside enterprises and improve the business case for
better information assurance. True anonymity is not easy to achieve. Given the compute power now available to data
aggregators it is not difficult to personally identify data subjects. The ethical aspects of data aggregation require further
investigation.
The need for Education
Anger was expressed at supermarkets who collect data (via loyalty cards) and share or sell information onto third parties.
Society must enforce privacy since technology will not do it alone. Notwithstanding, it was argued that most people don’t
care. Or more accurately they don’t know that they should care. The general public are not capable of protecting
themselves when operating in cyber space.
Transformational change is needed via education of the general public. People view the Internet as a benign environment
and cannot see malevolent behaviour in cyber space. It may be easier to teach 11 year-old school kids than mature citizens.
We need a green cross code for traversing the internet.
Are data protection and cloud environments compatible? Is there a need for more specific regulation for cloud based
services? Root issues are identity, authentication and establishing trust. “On the internet no one knows you are a dog”.
The right to be forgotten
Request for a service that allows personal data over 5 years-old to be cleansed from all public Internet services. Is this
feasible? An EU court ruling has taken a step towards giving people the "right to be forgotten", forcing Google and other
search engines to remove certain links from search results. We need to consider works of artistic merit – should these be
deleted and made inaccessible to future generations? Note that in the digital world everything is a copy – there are no
originals. One distressing example is of automated LinkedIn work anniversary messages sent on behalf of a friend who had
died several months earlier.
Belfast 2014: Report 19
In summary the main outputs from the two secure digital assets breakout sessions are:
What are the top challenges and/or opportunities in this area?
• Who owns our data?
o Commercial versus personal trade-offs
• Can we protect our identity?
o Profiling happening around us
• Privacy is context dependent
o Complicated, generational, cultural
• Is our data safe in the Cloud?
o Effective handling procedures
• Does anyone care?
o Transformational change required in society o Extensive public education
What future technologies are required to take advantage of these opportunities?
• Identity Management Solutions
• International Digital Rights Bill
• Established levels of sensitivity
1. Strictly Personal 2. Close Family 3. Employer / Work Colleagues 4. Friends 5. Don’t Care / Anonymous
• Copyright our Identity
o Monetise our personal data – infrastructure needed
• Personal Data Repository
o Provide authorisation tokens to use/retrieve our data
o Secure Avatar
• Kill switch for specific personal data and the right to be forgotten
o Freedom to remove historic data
What practical steps can be taken collectively by research organisations to deliver this technology?
• Cloud Governance
o LinkedIn messages from dead people
o Inaccurate or malicious data aggregation
o Policy enforcement on Cloud platforms
o A personal cloud?
• Policy Expression
o Ease of use - simplification
o Context Driven
• Visibility into tracking / profiling
o Tool support
o Operating System extensions
• Happy Consumer
o Anonymisation - targeted advertisements
o Deanonymistation – direct impact in physical world
Belfast 2014: Report 20
SECURE DIGITAL DEVICES Facilitators: Professor Andrew Martin, University of Oxford and Mathieu Gorge,
VigiTrust
Discussion across both sessions started out by trying to place a limiting boundary on what
digital devices were. General consensus was that smartphones, whilst still insecure, have
such a level of processing power and sophistication that they were largely ruled out of
consideration.
Digital devices were defined as sensors or endpoints which connected wirelessly to mobile devices or some form of base
station for onward transmission of data. The wireless connection technologies such as 3G, LTE, Wi-Fi, Bluetooth, XBee,
WiMax and successor standards will be typically used for communication.
Securing these devices requires not only technical solutions but also legal frameworks, regulatory compliance and
appropriate standards and interoperability frameworks. Research and development are required for on-device, connectivity
and service integration security technologies and solutions.
Current and future digital device security problems articulated by both groups included the potential to attack downstream
devices, services and infrastructure via their attached sensors. Stuxnet was given as a very high profile example. In many
ways this case only serves as a clarion call for those with malicious intent to seriously consider sensors as an additional
attack vector for nefarious activity.
Commodity digital devices
Both groups considered the security implications of two commodity digital devices – a $30 smart TV dongle and a $5 smart
light bulb. Both are assumed to have passive and active capability i.e. they can both receive (Rx) and transmit (Tx) data to
a network attached to the internet. Primary concerns raised were trust, device lifecycle management, supply chain
provenance, and obsolescence.
In relation to trust, how does the typical user believe or be assured that the device is secure and acting in a benign way
when connecting them to a home or trusted network? At such a low price point who pays to provide security updates
should vulnerabilities be found? Finally should and can the components supply chain provenance be proven and should
there be a built in ‘kill switch’ which assumes that the devices simply can’t be trusted after a certain period of time and
should be automatically deprecated in a similar way to software releases.
Interoperability frameworks
In assuming that all the new generation of cheap smart devices cannot be trusted and that many of these sensors might be
repurposed in ways they were never designed for new interoperability frameworks may be required to determine trust
levels at connection. Some are already in existence such as Qualcomm’s AllJoyn for consumer electronics interoperability.
It was noted that consumers and enterprises operate different regimes in terms of device security with the BYOD security
issues being case in point. Smart devices in the home is almost the reverse BYOD problem with enterprises purposefully
placing devices they wish, and need, to trust in an untrusted environment. This could have implications for their own critical
infrastructure broadening the attack surface. Ongoing smart metering projects will produce real world data which may be
translated into other Internet of Things and digital device scenarios.
Education
Finally the groups recognised educational opportunities around teaching citizens to manage their own critical
infrastructure. Participants recognised the need for manufacturers themselves to be involved in this process but not to be
solely responsible.
Belfast 2014: Report 21
In summary the main outputs from the two secure digital devices breakout sessions are:
Top challenges and opportunities
• Assume that a $10-20 device is not secure out of the box – less so in 1-2 years or more
• Apps and software can’t be trusted on devices. Hardware with baked in security more so.
• Physical hardware rollouts expensive. Can you trust the supply chain?
• Smartphones are very sophisticated, sensors and IoT not.
• Understanding device behaviours, auto scanning devices on connection to determine trust levels
• Bringing down the power grid by taking over electric devices and turning them all on at once
• Who owns liability for IoT?
Future technologies required
• Open, Soft standards and interoperability framework
• Trusted device standards for search and discovery of security settings
• Useable multi-factor authentication on devices
• Trust zones for a variety of sensors and things
• A Euro NCAP type rating for devices to change buying behaviour
• Services opportunities for security – An independent devices ratings agency?
• DMZ for things in the home?
• Assuming all devices compromised – Need to invest in defence
• Obsoletion by design or new service and end of life models
Practical steps required by research organisations
• What protocols, what are default privacy policies?
• What is the regulatory impact with regards to vendor responsibility over impact of malicious control of devices
• Trustworthy behaviour from untrusted devices
• Lifecycle of a digital device
• Patching strategies for IoT devices in the home
• Automatic rating of devices on the fly as they are connected to home hub
• Security Operations Centre/Network Operations Centre for the home.
• Resilience of these devices to both cyber and natural events.
• To what level can you delegate autonomy back down to devices if central control systems go down?
• Bio inspired resilient cyber-physical systems
Belfast 2014: Report 22
SECURE DIGITAL CITIZENS Facilitators: Professor Tony Day, International Energy Research Centre (IERC) and
Mark Crosbie, Facebook Security
The sessions started by clarifying what we meant by a “digital citizen”. After some
discussion, the group agreed that people generally fall into three broad groups: (a) those
who fully embrace the digital world and who willingly engage in a range of different ways,
(b) those who reject the digital world (through fear, ignorance or principle) and do not wish
to engage, and (c) those who have some interest in engaging but are unable to (through lack of knowledge, time or access
to technology). It was agreed by the groups that current policy and strategies (for example around Smart Cities) seem to
make the assumption that everyone is online, or at least able and willing. An interesting discussion followed on the theme
that securing digital citizens is a conversation about social inclusion, as much as technology or policy.
Data ownership
One of the key challenges identified by both the groups was the issue of data ownership, protection, privacy and use. Some
attention was given to the public data initiative in Estonia, where citizens’ data is open for interrogation by those who have
the right privilege. Data relating to health, taxes, property etc. are stored centrally by government and access is granted to
authorised personnel in a controlled and regulated way. The openness displayed by the citizens in allowing their data to
be stored centrally is reciprocated by government in that a citizen is informed of any query relating to their data. This results
in an interesting trust model.
Some discussion was had about the difference between primary data (i.e. data that an individual specifically provides) and
secondary data (i.e. intelligence that can be gained through data analysis or data fusion). Organisations (both commercial
and public-sector) place a significant investment in analysing the primary data to create the intelligence of secondary data,
and logic would suggest that they then have a right to leverage that data to create further value. The question was then
asked whether that right to profit from data should also accrue to the individual who owns the primary data.
Profiting from data
It was recognised by both groups that as well as the question of profiting from data, there is also a significant benefit to be
had for society as a whole from looking at the data on a macro level. For example, if the metadata (or secondary data, or
intelligence) can be used to predict health issues within certain regions or demographics, then that can be leveraged to
benefit the whole of society. While this is a logical conclusion, it was pointed out that if there is a group of people who are
not willing to engage with the digital world, how does the absence of their data affect the overall picture? Would we really
be getting the true picture with accurate trends? Could incorrect conclusions be drawn, with disastrous consequences? Is
there an ethical question surrounding people gaining some benefit from such outputs, while not being willing to contribute
themselves (i.e. free-loading on the digital economy)?
Social inclusion
The social inclusion question was considered again and in particular the issue of education. Many people are simply
unaware of the need to take care of personal data, and the consequences of not doing so. Everyone agreed on the need
for improved education for all sections of the population, and the need for that education to be in an appropriate setting
and using appropriate tools. This reflected on one of the highlights from Mary Aiken’s keynote from the previous day talking
about appropriate education methods and environments. Everyone agreed that further work needs to be done in this area,
including the need for a common understanding of language and the terms we use. It was also pointed out, however, that
these issues are complex, and that an alternative (or additional) approach might be some form of brokerage model. This
would involve engaging with a third party to manage your online identity and data, which would also require a high level
of trust to be placed in that third party, which is an additional challenge.
Finally the groups touched on the issue of data retention, and whether an individual has the right to be ‘forgotten’ or the
choice to be invisible or anonymous on the internet. This conversation then reflected back on some previous topics
including privacy, use and ownership of data, and perfectly illustrated the fact that much of the complexity arising from
these questions is caused by the fact that they are inextricably linked and interdependent.
Belfast 2014: Report 23
In summary the main outputs from the two Secure Digital Citizens breakout sessions were:
Top challenges and opportunities
• How do we define a digital citizen?
o those who can and do opt in
o those who can participate, but don’t want to
o those who want to participate, but can’t (access to technology, time, know-how)
• Freeloading on the digital economy
• Primary versus secondary data
o Ownership
o Control
o Value and monetisation
• Individual versus aggregated data
• Transparency and the Estonian model
• Trust – government and commercial entities
• Education – message and means
• Trusted broker model
• Anonymisation
• Common language or taxonomy
• Data retention and the right to be invisible
Practical steps required by research organisations
• Creation of a common language so that everyone understands the risks and consequences in a simple manner.
• Education in terms, and through media, that people understand and associate with.
• Research study on the comparative benefits of opting in to / opting out of the digital economy.
Belfast 2014: Report 24
BLUE SKIES Dr Ulf Lindqvist, SRI International and Raj Samani, Intel Security
By way of introduction to each session the facilitators presented a brief history of
technology trends over recent years, referencing various charts and statistics. This
highlighted that a lot of the technology we use most heavily is in fact not very old. We
looked at the history of the Internet and Web (particularly relevant with the Web’s 25 year
anniversary at the time of discussion). We looked at mobile phone development timeline.
We also referenced some of the future forecasts from the past – commenting ‘we have no flying cars, but we do have
personal communicators’. We looked at the growth of computer power, emerging markets, emerging mobile web use and
the ‘countdown to singularity’. The question was then broached – what does this all mean for Cybersecurity?
Privacy and Trust
Initial group discussion highlighted the importance of Privacy and Trust and the current media focus on this topic. We
considered societal expectations on privacy and also what this will look like in the future, commenting on an increasing
appreciation of the value of personal data. WhatsApp was bought by Facebook for the equivalent of $42/user, which is an
interesting data-point, however there is no doubt that as society moves forward people will be attributing more and more
value to their personal data.
The group discussed expectations of privacy. We considered if this differed across geography, culture, age and status. A
consensus was reached from group discussions that a common expectation was information should only be made available
to those who have been given approval to access it, and an individual should be able to track who has the information.
People should have an understanding of control, access and audit privileges on their information. A good idea would be
to explore the potential for a dashboard where you have transparency of these issues. A Blue-Sky research topic could also
be to explore the opportunity for escrowed privacy services, providing an environment where you can control and manage
access to information, perhaps in the future controlling access to e-discovery of information that is implanted in you. The
focus of research should be to understand where within such environments you have control.
Business Models
We discussed a need to appreciate and understand business models for Privacy and Trust. Analysing data about you is
expensive. How and why will people pay for this to be limited? Do people expect governments to provide assurances?
What segment of the market is willing to pay for security? There was a long debate on Insurance companies and their
potential role in the cybersecurity landscape of the future. A research topic could be to assess technical measures that
would work out your cybersecurity liability, reviewing your risks and setting your premium etc. The group could foresee
Insurance companies providing a paid service of assurance, stipulating you take certain precautions, updating antivirus etc.
and providing cover against cyber risks. In general, the discussions concluded that it is important to determine how much
Privacy and Trust is worth, as then we will be able to understand the opportunity for this type of managed security as a
service. Researchers should also consider the opportunity for tailored trustworthy spaces for various security specific
contexts. For example, the security context for high-value financial transactions is very different from consumption of
multimedia content, but this is currently performed in exactly the same application environment (a web browser).
Data
We spoke of how our data will be shared and what data will be used for in the future. Issues of data analytics, data
economics, how and will our data be used to enable a Virtual Consciousness? - Machine thinking on our behalf, based on
our persona, replicating how we think, using knowledge based on our identity in predictive analytics. Will we have an
autonomous helper? Autonomous agents? This topic of discussion indeed opens up a minefield of issues regarding rules,
regulation, liability, policy and control.
Control
The group raised the question of who should police the cyber world. - An International body, governments, or global
corporations? Also, should we have an Internet Bill of Rights? Control is required, but who should have this right of control?
The group appreciated that governments will continue with surveillance, but in terms of this and others using our data, we
Belfast 2014: Report 25
need to understand if we have a right to be forgotten or to opt-out of a digital society. Reference was made to having an
equivalent to the telephone preference system, where you can request to be removed from databases and have restricted
access to your telephone and contact information. What then about law enforcement and cybercrime? – We still have a lot
of unanswered questions in this area. There should be strong efforts in Blue-Sky type research for governance and law
enforcement. This is an area of research that needs much more consideration.
Resilience
In terms of trustworthiness it is imperative that we must have a dependable, resilient and trustworthy Internet. WhatsApp
went down the day after its purchase. 10% of government services don’t have resilience or back-ups. The software systems
are so entangled we will struggle to put in fault governance. Should there be more research into self-healing networks,
graceful degradation, reconfiguring systems that come back up autonomously? We should also consider policy and what
can and should be mandated.
Electronic Currency
The group also touched on Electronic Currency and concluded that rather than deep technical analysis it was more
imperative to engage in significant review and analysis by economists, lawyers and sociologists etc. to then be applied into
a digital economy.
In summary the main outputs from the two Blue-Sky breakout sessions were:
Top challenges and opportunities
• Privacy and Trust. How do we layer access to data assets and provide context specific data privacy?
• System Resilience. With single points of failure being a major issue, how do we ensure recovery and self-healing?
• How do we see liability changing going forward? What about cyber insurance?
Future technologies required
• We need research into privacy expectations. Technologies that enables new privacy models (multiple personas etc).
A service public or private that can corral all the privacy issues people have - Allowing you to know who has your data
etc. But who should provide this service – who can we trust?
• Research and technology development for self-healing networks and systems.
• A research topic to assess technical measures needed to be able to effectively work out your liability – set your
premium etc. (Be able to mine from the logs how proficient your Internet use is. Perhaps a form of cyber black-box i.e.
equivalent to the automotive black-box premium reducer).
• Researchers should also consider the opportunity for tailored trustworthy spaces for various security specific contexts.
Belfast 2014: Report 26
SUMMIT EVOLUTION – WORD CLOUDS
* Excluded words: cyber, security, research and common English words.
BELFAST 2011
BELFAST 2012
Belfast 2014: Report 27
BELFAST 2013
BELFAST 2014
Belfast 2014: Report 28
www.csit.qub.ac.uk/belfast2014
A GLOBAL INNOVATION HUB FOR CYBER SECURITY
Contact Information ECIT Institute
Queen’s University Belfast,
Northern Ireland Science Park,
Queen’s Road,
Queen’s Island,
Belfast,
BT3 9DT
Tel +44 (0)28 9097 1700
The Centre for Secure Information Technologies (CSIT) is the UK’s Innovation and Knowledge Centre for cyber security technology research and is
based at Queen’s University of Belfast’s ECIT Institute.
CSIT brings together research specialists in data encryption, networking, wireless security and intelligent surveillance who are establishing a global
innovation hub for cyber security. This means that CSIT will accelerate new value creation, drive new venture creation and build capacity for the
cyber security industry. Operating an Open Innovation Model to drive collaboration partners include Altera, BAE Systems, Cisco, IBM, Infosys,
Intel/McAfee, Roke, Thales, numerous SMEs, spin-out ventures and leading institutes in USA, South Korea, India and Europe.