Europe's strategy on cyber crime
23 October 2012
At any given time, an estimated 150 000 viruses and other types of malicious code are circulating across the Internet, infecting more than a million people every day.
Anti-virus software developer McAfee counts 75 million unique pieces of malicious malware code on its databases, and estimates that botnets spewing out spam account for a third of all the emails sent every day.
While an individual may find themselves paying a hundred euros or so to get their computer cleaned or recover data lost to a virus, globally the financial impact on citizens, companies and governments is enormous. One high-end estimate from McAfee puts the worldwide annual cost of cyber crime at one trillion US dollars if wasted time, lost business opportunities and the expense of fixing problems are all taken into account.
Given society's increasing dependence on the internet for business and communications, cyber crime is a growing global problem that no company or country can tackle alone. Within Europe, a range of organisations - from the European Commission and national governments to SMEs and universities - are pooling resources among themselves, and with others around the world, to develop effective strategies, policies and technologies to fight what has become a serious global ‘epidemic’.
The European Commission will shortly publish 'A European Strategy for Cyber Security', focused on preparedness, prevention and response. Meanwhile, a permanent Computer Emergency Response Team (CERT-EU) has been set up and funding is currently being injected into a range of pan-European projects aimed at improving cyber security.
For the past two years, the European Commission has contributed 2.5 million euros to establish Syssec, a European 'Network of Excellence' (NoE) founded on the premise that prevention is better than cure. The NoE focuses on predicting threats and vulnerabilities before they occur, enabling potential victims of cyber-attacks to build defences before the threats materialise.
The project has set up a 'Virtual centre of excellence' to consolidate the systems security research community in Europe and empower collaborative research, and is working on an active research roadmap and a range of cyber security education initiatives.
Security-by-design
While Syssec takes a global approach to predicting threats, another EU-funded NoE, Nessos is focused specifically on fostering the design and development of secure software and systems for the 'Future Internet'. The aim is to ensure engineers and developers address security concerns at the very beginning of system analysis and design.
The security-by-design approach is perhaps best exemplified by another project, SecureChange. Researchers from nine European countries have developed the methodology, techniques and tools to make the entire software lifecycle - from requirements engineering, through design, development, testing and verification, to deployment and updating - more efficient, more flexible, more secure and far less costly in terms of time and money.
As SecureChange coordinator Fabio Massacci describes it: you ship secure software to your customer and then you need to update it, perhaps to add features to stay ahead of the competition. If you need to start from scratch every time and verify all code - even if only a small part of it has changed - you face considerable time and financial costs.
For example, an analysis conducted by the SecureChange team, spanning five years and six major version updates of the open source Firefox browser, found that only around one third of the software code changed from one version to the next. In addition, a significant number of vulnerabilities were inherited by each new version from its predecessor, a phenomenon also common to other browsers like Chrome and IE. The need for quick updates means there is less time to do testing and verification. The SecureChange approach makes it possible to test only the new parts and maintain the security and integrity of the entire system.
Looking ahead to the Future Internet - in which users will move away from today's static services toward mixing and matching components and services depending on availability, quality, and price - the Aniketos project is focusing on bringing security and trust to this heterogeneous environment.
In such a world, applications are likely to be composed of multiple services from many different providers, and the end-user will have little way of guaranteeing that a particular service or service supplier actually offers the security they claim.
The Aniketos team, which includes major industrial players and research institutes, is developing new technology, tools and security services to support the design-time creation and run-time dynamic behaviour of secure composite services, as well as methods for analysing, solving and sharing information on how new threats and vulnerabilities can be mitigated.
Toward an ‘Internet of secure things’
While much of the focus of cyber security to date has been on defending traditional computing systems, software and devices, such as PCs, servers and databases, the rapid development of new technologies such as embedded computing, the 'Internet of things' (IoT) made up of ubiquitous sensors and actuators, and cloud computing means that the approach to cyber security must also evolve.
'Trusted Computing', for example, is a well-established technology that uses both software and hardware for verification and implementation of integrity and security in personal computers and is now making the leap into embedded systems. But as more embedded systems are used in devices that are always turned on and always connected to the Internet, they are also becoming increasingly vulnerable to being hacked or infected with viruses and other malware.
The TECOM project has helped bring Trusted Computing to embedded systems, by adapting technology originally developed for PCs to run on everything from smart phones to smart electricity meters.
The IoT goes hand in hand with cloud computing in which data is distributed and instantly accessible from anywhere at any time. Cloud infrastructure therefore also needs to be secure and trustworthy just as much as the applications and services that run on it.
With the goal of building trustworthy clouds, the Tclouds project is focused on achieving security, privacy and resilience in a way that is cost-efficient, simple and scalable, and - by proxy - ensuring the continued expansion of cloud infrastructure, resources and services for many years to come.
Cryptic solution
When it comes to securing data, be it in the cloud or on your network server, cryptography plays a major role. But as computers become more powerful, network speeds increase and data storage grows, the current methods of protecting information are being challenged.
The Ecrypt project and its successor Ecrypt-II haveaddressed these challenges. A NoE that brought together 32 leading research institutes, universities and companies, the initiative developed improved cryptographic algorithms, ciphers and hash functions, studied protocols and implementation methods, and worked on more robust algorithms for digital watermarking.
Among the team's main achievements were eight new algorithms with the capacity to outperform the Advanced Encryption Standard developed by two Belgian researchers in the 1990s and subsequently adopted by the US government to protect classified information.
'There are three big issues facing cryptographers,' says project co-ordinator Bart Preneel, 'Cost, speed and long-term security.'
The same could be said for cyber security in general, but those issues and many others are likely to be successfully addressed over the coming years by European research, helping to keep computer users everywhere at least one step ahead of the hackers, trojans and viruses plaguing the online world today.
Les Hunt
Editor
Contact Details and Archive...