Feature Stories - Fighting cyberthreats, making the future more secure
At any given time, an estimated 150 000 viruses and other types of malicious code are circulating across the internet, infecting more than a million people every day. Anti-virus software developer McAfee counts 75 million unique pieces of malware in its databases, and estimates that botnets spewing out spam account for a third of all the emails sent every day. While an individual may find themselves paying a hundred euros or so to get their computer cleaned or recover data lost to a virus, globally the financial impact on citizens, companies and governments is enormous: one high-end estimate from McAfee puts the worldwide cost of cybercrime as high as USD 1 trillion annually if wasted time, lost business opportunities and the expense of fixing problems are taken into account.

Given society's increasing dependence on the internet for business and communications, cybercrime is a growing global problem that no company or country can tackle alone. Within Europe, therefore, a range of organisations - from the European Commission and national governments to SMEs and universities - are pooling resources among themselves, and with others around the world, to develop effective strategies, policies and technologies to fight the epidemic.

The European Commission intends to publish 'A European Strategy for Cybersecurity', focused on preparedness, prevention and response, in the near future - and a permanent Computer Emergency Response Team (CERT-EU) has been set up. At the same time, EU funding is being directed into a range of pan-European projects aimed at improving cybersecurity. For the last two years, the European Commission has been contributing EUR 2.5 million to establish Syssec (1), a European 'Network of Excellence' (NoE) built on the age-old concept that prevention is better than cure.
The NoE is focused on developing solutions for predicting threats and vulnerabilities before they occur, enabling potential victims of cyber-attacks to build defences before threats materialise. The project has set up a 'Virtual centre of excellence' to consolidate the systems-security research community in Europe and empower collaborative research, and is working on an active research roadmap and a range of cyber-security education initiatives.

'The SysSec "Network of Excellence" takes a game-changing approach to cyber security: instead of chasing the attackers after an attack has taken place, SysSec studies emerging threats and vulnerabilities ahead of time. The network's main thrusts are to identify a roadmap to work on threats and to build infrastructure to boost education in system security - to provide the expertise needed to deal with these emerging threats,' Evangelos Markatos, the project coordinator, and Herbert Bos, a fellow Syssec researcher, note in a paper on the project.

Security by design

While Syssec takes a global approach to predicting threats, another EU-funded NoE, Nessos (2), is focused specifically on fostering the design and development of secure software and systems for the 'Future Internet'. The aim is to ensure engineers and developers address security concerns at the very beginning of system analysis and design, with the team focusing on six key areas: security requirements for Future Internet services, creating secure service architectures and secure service design, supporting programming environments for secure and composable services, enabling security assurance, establishing a risk-aware and cost-aware software development cycle, and delivering case studies for Future Internet application scenarios.

The security-by-design approach is perhaps best exemplified by another project.
In SecureChange (3), researchers from nine European countries developed the methodology, techniques and tools to make the entire software lifecycle - from requirements engineering, through design, development, testing and verification, to deployment and updating - more efficient, more flexible, more secure and far less costly in terms of time and money.

SecureChange coordinator Fabio Massacci describes the problem this way: 'You have secure software, for example. You ship it to the customer and then you need to update it, perhaps to add features to stay ahead of the competition. If you need to start from scratch every time and verify all code - even if only a small part of it has changed - you face considerable time and financial costs.'

For example, an analysis conducted by the SecureChange team, spanning five years and six major version updates of the open source Firefox browser, found that only around one third of the software code changed from one version to the next. In addition, a significant number of vulnerabilities were inherited by each new version from its predecessor, a phenomenon also common to other browsers like Chrome and IE. The need for quick updates means there is less time to do testing and verification. The SecureChange approach makes it possible to test only the new parts and maintain the security and integrity of the entire system.

Looking ahead to the Future Internet - in which users will move away from today's static services toward mixing and matching components and services depending on availability, quality, and price - the Aniketos (4) project is focusing on bringing security and trust to this heterogeneous environment. In such a world, applications are likely to be composed of multiple services from many different providers, and the end-user will have little way of guaranteeing that a particular service or service supplier actually offers the security it claims.
The Aniketos team, which includes major industrial players and research institutes, is therefore developing new technology, tools and security services to support the design-time creation and run-time dynamic behaviour of secure composite services, as well as methods for analysing, solving and sharing information on how new threats and vulnerabilities can be mitigated.

Toward an internet of secure things

While much of the focus of cybersecurity to date has been on defending traditional computing systems, software and devices, such as PCs, servers and databases, the rapid development of new technologies such as embedded computing, the 'Internet of things' (IoT) made up of ubiquitous sensors and actuators, and cloud computing means that the approach to cyber security must also evolve.

'Trusted Computing', for example, is a well-established technology that uses both software and hardware for verification and implementation of integrity and security in personal computers and is now making the leap into embedded systems. Unlike a traditional PC or laptop, embedded systems are computer systems designed to work 'hidden' (embedded) inside everyday equipment and devices. They transmit data between your mobile phone and the mobile network, they manage your home internet connection and prevent network attacks, they control the traffic lights on your street: they are in airplanes, cars and even power stations. But as more embedded systems are used in devices that are always turned on and always connected to the internet, they are also becoming increasingly vulnerable to being hacked or infected with viruses and other malware.

The TECOM (5) project has helped bring Trusted Computing to embedded systems, by adapting technology originally developed for PCs to run on everything from smart phones to smart electricity meters.

'The range of applications for TC in embedded systems is huge.
In TECOM we have built the technological framework that makes implementing this technology possible, and we have shown how it can work,' Klaus-Michael Koch, whose company oversaw the TECOM project, says. 'Over the coming years, we will start to see this in use in many different environments.'

The IoT goes hand in hand with cloud computing, in which data is distributed and instantly accessible from anywhere at any time. Cloud infrastructure therefore needs to be just as secure and trustworthy as the applications and services that run on it. With the goal of building trustworthy clouds, the Tclouds (6) project is focused on achieving security, privacy and resilience in a way that is cost-efficient, simple and scalable, and, by proxy, ensuring the continued expansion of cloud infrastructure, resources and services for many years to come.

Cryptic solution

When it comes to securing data, be it in the cloud or on your network server, cryptography plays a major role - every time you use a credit card, access your bank account online or send a secure e-mail, cryptographic algorithms are running behind the scenes. But as computers become more powerful, network speeds increase and data storage grows, the current methods of protecting information are being challenged.

The Ecrypt project and its successor Ecrypt-II (7) addressed these challenges. A NoE that brought together 32 leading research institutes, universities and companies, the initiative developed improved cryptographic algorithms, ciphers and hash functions, studied protocols and implementation methods, and worked on more robust algorithms for digital watermarking. Among the team's main achievements were eight new algorithms with the capacity to outperform AES, the Advanced Encryption Standard developed by two Belgian researchers in the 1990s and subsequently adopted by the US government to protect classified information.
'There are three big issues facing cryptographers,' says Bart Preneel, the project coordinator: 'Cost, speed and long-term security.'

The same could be said for cybersecurity in general, but those issues and many others are likely to be successfully addressed over the coming years by European research, helping to keep computer users everywhere at least one step ahead of the hackers, trojans and viruses plaguing the online world today.

---

The projects featured in this article have been supported by the Seventh Framework Programme (FP7) for research.

(1) Syssec: A European Network of Excellence in Managing Threats and Vulnerabilities in the Future Internet: Europe for the World
(2) Nessos: Network of Excellence on Engineering Secure Future Internet Software Services and Systems
(3) SecureChange: Security engineering for lifelong evolvable systems
(4) Aniketos: Secure and Trustworthy Composite Services
(5) TECOM: Trusted embedded computing
(6) Tclouds: Trustworthy Clouds - Privacy and Resilience for Internet-scale Critical Infrastructure
(7) Ecrypt-II: European network of excellence in cryptology - Phase II