How Can Technological Solutions Advance Cybersecurity?

3 Nov 2017
|
Geneva, Switzerland

Resource4Events

Event report/s:
Guilherme Cooper Vicente

As a practical contribution to a more secure Internet, Prof. Adrian Perrig, Computer Science Department, ETH Zurich, presented his team’s work on the ‘Scalability,

As a practical contribution to a more secure Internet, Prof. Adrian Perrig, Computer Science Department, ETH Zurich, presented his team’s work on the ‘Scalability, Control and Isolation on Next-Generation Networks’ (SCION) architecture. He elaborated on his comments on the previous panel, in which he disagreed with other speakers that humans were the weakest link in cybersecurity and emphasised the relevance of sovereignty matters in light of the ability of a few select (state and business) actors to implement kill switches against entire nations. Perrig illustrated his point with the case of the cyberattack Estonia suffered in 2007. In a more recent example, three weeks ago a Google employee in Japan made a mistake. As a result, ‘half of the country was down for 40 minutes’. If even an honest mishap like that can cause a complex Internet structure such as the Japanese to lose half of its digital capabilities, ‘then we have a problem’.

SCION, Perrig maintained, comes to solve this issue. It was built ‘to ensure the creation of areas of sovereignty where external entities cannot access and thereby disrupt connections’. Its basic approach is to use isolation domains, with routing across a number of autonomous systems. Before SCION was launched, the Border Gate Patrol (BGP) protocol was the only one to operate accordingly. Nonetheless, BGP was subjected to attacks such as prefix hijacking, to which SCION is much more resistant. This happens because SCION’s multi-path routing allows users to not only have a greater selection of paths, but also to control them. Moreover, multi-path routing enables users to prevent the transfer of any data packets from networks that are unauthorised by them. So, even when hackers may have all the necessary information on a particular network to launch an attack, they will be unable to do it, unless their network is authorised. 

Showcasing the SCION team’s accomplishments, Perrig mentioned ETH’s partnership with SWITCH, the Swiss national research and educational network. Such endeavor allowed other Swiss universities to enjoy the benefits of the architecture. All that is needed is a special router, which can be installed in 5 minutes. SCION’s dedicated visualisation system can be accessed from a machine as straightforward as a Raspberry Pi. Currently, SCION is present in over 40 campuses around the world. In addition, SCIONLab has already shipped another 50 routers to other universities, in Switzerland and abroad. Another landmark is that one Swiss bank has already changed one of its branches’ network to SCION. These developments evince that, not unlike the replacement of regular phones with smartphones, users have begun to perceive the benefits of SCION in comparison with other network architectures.

To conclude, Perrig challenged the reasoning that humans are the weakest link in cybersecurity. To him, only people can make certain decisions regarding technology with political implications. Nonetheless, the issue lies on the fact that ‘if you make it easier, it will be less effective’. Therefore, it is upon experts to adopt solutions that are both secure and user-friendly.

The ensuing Q&A covered topics such as: whether wide-scale adoption of SCION will demand scalar change in Internet architecture (no, the SCION router is all that is needed, Perrig responded); how does Scion differ from a firewall (it is an ‘implicit firewall’); the energetic efficiency of SCION (it spends 5% less than regular networks, despite being more secure); what incentives users of regular networks have to change to SCION (more secure and path-aware network architecture). Lastly, summarising the benefits of the architecture, Perrig compared cyberattacks to weapons such as missiles, positing that their effects on SCION would be as harmful as ‘a squirt gun’.

Guilherme Cooper Vicente

Welcoming attendants, Dr Roxana Radu, Programme manager, Geneva Internet Platform (GIP), introduced the main idea behind the event: to move cybersecurity discussions from an abstra

Welcoming attendants, Dr Roxana Radu, Programme manager, Geneva Internet Platform (GIP), introduced the main idea behind the event: to move cybersecurity discussions from an abstract level to a practical, solution-oriented one, away from politicised and ideological angles. This event is part of the Geneva Digital Talks series initiated on 12 October and co-organised by the Canton of Geneva, digitalswitzerland, and the GIP. Several focused discussions are planned in this series, including dedicated events later in the month on peace and jurisdiction. The spirit of these discussions is open and interactive. Co-organising the event, the Geneva Centre for Security Policy (GCSP) shared the vision for the event. Dr Gustav Lindstrom, Head of the Emerging Security Challenges Programme, GCSP, moderated the first session, focused on current vulnerabilities in cybersecurity.

Mr Martin Dion, Vice President of EMEA Services, Kudelski Security, began by criticising attempts to predict cybersecurity trends. Such predictions, he argued, are based on flawed security reference models, which reflect a lack of understanding within the system. Drawing on three cases (Wannacry/ Petya ransomware; Mirai Botnet;  and Equifax/Deloitte breaches), Dion maintained that there is a disconnect between the real problem and how it is perceived. The affected companies spent considerable resources on their security; yet, all attacks could have been avoided by fairly simple measures, such as security patch updates. This, he posited, evinces a cognitive gap. Cybersecurity is conceived as an issue of confidentiality, but is acted upon as a matter of service availability (‘if you have a heart attack, does your privacy matter?’). Inflating the problem, technological solutions continue being developed, to the point of market saturation. However, scientific innovation should not be the main goal. A security system is as strong as its weakest link, and these are its users. To illustrate his provocation, Dion gave one idea and one fact. First, he believes that privacy is ‘an older issue’, since the new, digitally native generation, ‘doesn’t care about privacy’. Second, he stated that there are six times more jobs (90,000) than cybersecurity graduates (15,000) in the United States, his company’s biggest market. These examples, he argued, indicate that we need to address the issue of cybersecurity at its feeblest points: individually and socially.

Ms Päivi Tynninen, Researcher, Threat Intelligence Unit, F-Secure Labs, divided her presentation into three parts. First, she discussed recent supply chain attacks, such as the spy network detected by operation Cloud Hopper, Petya/NotPetya, and the hacking of CCleaner. While explaining Avast’s inability to notice the latter, she noted that since ‘these attacks target organisations through the most vulnerable parts of their supply network, this makes it difficult, even if you are within the industry, to detect threats’. Next, Tynninen assessed the vulnerability of devices connected to the public Internet system, citing the Mirai and ReaperIoT botnets. She also presented original research on information breaches: two-thirds of the stolen data concerned personal information, while the remainder pertained to credit card data. Furthermore, parsing the 30-odd breaches that happened to large companies within the last ten months, Tynninen shared estimates that 90% of them resulted from misconfigurations and years of delayed security updates. Finally, she analysed the issue of spam, observing that, in 2014, it represented two-thirds of the world`s email traffic. She gave as an example spammers’ ability to falsify sender addresses with the John Podesta leaks. Because he responded to a fake Gmail password update request, hackers were able to invade his account. To conclude, Tynninen stated that ‘the Internet is not fit for non-secured services’.

In the ensuing Q&A, speakers were first asked to summarise their recommendations. Dion emphasised the distinction between being a target and being a victim of an attack, extolled netizens to acknowledge their responsibility (and not just their governments’) concerning their security, and proposed that ‘we do the basics’ when it comes to cyber prevention. Likewise, Tynninen also highlighted the need for proper ‘basic hygiene’. She focused on the matters of restricting the upload of unnecessary data and taking the issue of security clearances seriously. Then, the presenters fielded questions on the importance of structural solutions; how regulatory efforts (in particular the EU General Data Protection Regulation) can increase cybersecurity; how big the risk of interstate cyberwar is, and, if the issue cannot be solved immediately, why should society be concerned about it. 

Arto Väisänen

Mr Andy Bates, Executive Director, United Kingdom, Europe, Middle East & Africa, Global Cyber Alliance, introduced the Global Cyber Alliance, and then stated how cybercrime has

Mr Andy Bates, Executive Director, United Kingdom, Europe, Middle East & Africa, Global Cyber Alliance, introduced the Global Cyber Alliance, and then stated how cybercrime has overtaken normal crime in terms of economic value. Despite the increasing economic risk of cybercrime, he argued that ‘cybercrime is just crime’, pointing out that it is crime adapting to modern tools. In his opinion, the responses should not basically differ too much from the measures taken to address other forms of crime. He highlighted that cybercrime is usually serial in nature, with many criminals potentially using the same vulnerability and being repeat offenders. He discussed the human psychological aspect in the context of phishing and spoofing emails as well as structural issues with the Internet.

He presented a tool called DMARC, which enables individuals and companies to register domains that then establish a handshake between actors to monitor email trustworthiness. In addition, he presented the Internet Immune System, a blacklist given to top level Internet service providers (ISPs) to track pages which contain malware. He argued that ISPs should work towards cleaning up the internet for individuals.

Lastly Bates outlined future scenarios, focussing mostly on the importance of sharing of information across private and public sectors, together with measures that would seek to prevent duplication. In addition to this he mentioned how reporting about cybercrime could be centralised. As a concluding remark he pointed out that individuals need to use common sense and intelligence when addressing cybercrime.

Dr Gustav Lindstrom, Head of the Emerging Security Challenges Programme, Geneva Centre for Security Policy (GSCP), gave a presentation which focussed on the issues and trends for future consideration in the field of cybersecurity. Firstly, he stressed that raising awareness needs to be a constant process. Due to its constantly changing nature, cybercrime should be seen as an emerging threat.

Lindstrom’s second point focussed on the key aspects of evolving technology and services which remain beneficial for us but also pose security challenges. He discussed many developments such as cloud computing, as the cloud is an attractive target for attacks. He described how the cloud can be used to hide malware. In addition to cloud computing, he mentioned how big data, through injecting false data, poses security threats in addition to the privacy issues. He also discussed the issue of 3D printing which can be used to circumvent existing measures, while providing potentially dangerous tools. Circumventing existing measures is also a risk posed by distributed ledger technologies. As a final aspect of this, artificial intelligence and machine learning, despite their ground-breaking advantages, run the risk of being misused and compromised.

The Internet of Things (IoT) can provide benefits, but it also opens the door for many new potential threats. Lindstrom pointed out how the shift in states’ cyber defence and offence poses a challenge. He argued that an increasing number of countries have developed capabilities to move from defence to offence, with roughly 30 countries having dual capabilities, but this number is hazy as is the boundary between defence and offence. As such, Lindstrom suggested, offensive cyber operations will likely increase and cyber weapons might be updated at a fast pace, especially in terms of delivery mechanisms. As a final point, while there are differences in state capabilities, all countries will try to seek to utilise zero-day vulnerabilities to their advantage. He then concluded his presentation by pointing out the increasing role of the private sector in the field, which is not only due to financial aspects but also due to the proliferation of public-private partnerships. 

Arto Väisänen

The moderator, Dr Jovan Kurbalija, Founding Director of DiploFoundation and Head of the Geneva Internet Platform), highlighted the dichotomy between technological and policy fields

The moderator, Dr Jovan Kurbalija, Founding Director of DiploFoundation and Head of the Geneva Internet Platform), highlighted the dichotomy between technological and policy fields in the cybersecurity domain. He then moved on to present the speakers.

Prof. Kavé Salamantian, Computer Science Department, University of Savoie and Senior Researcher, Castex Chair of CyberSecurity, IHEDN Paris, spoke about the semantic difference between cyber-strategy and cybersecurity. When people refer to cybersecurity, they are talking about stability and the status quo through maintenance of existing systems. As security is a more exclusive process, he prefers to use the term cyber-strategy, which, in technological terms, seeks to create measures rather than implement them. Professor Salamantian then pointed out the need to reduce the arrogance and lack of respect between the technical and policy fields of cybersecurity. He recommended this be done by increasing multi-disciplinary and other interactions between the fields, while increasing each other’s knowledge about the other’s field.

Prof. Solange Ghernaouti, University of Lausanne, and Director, Swiss Cybersecurity Advisory and Research Group, stressed the importance of multidisciplinary research and teaching. She said that it is important to incorporate social, economic, and wider policy issues related to the technological aspects and vice-versa. Professor Ghernaouti finished by pointing out that the existing problems in funding and organisations should be addressed while also looking at the importance of cybersecurity in the humanitarian field.

Mr Laurent Ferrali, Director, Government and IGO Engagement, Geneva Office, Internet Corporation of Assigned Names and Numbers (ICANN), stated that ICANN seeks to address the issue of silos by translating business and technological language to governments and vice versa. He emphasised that there is a need for better understanding of the big picture in cybersecurity but that, even with better understanding and threat assessment, the individual and technological issues form the weakest links in the cybersecurity chain. As such there needs to be greater awareness and education about wider cyber hygiene, as we will not have full technological solutions until there is an increase in education. He finished by describing how ICANN needs to be developed to increase coordination, and to bridge the gaps between stakeholders.

Prof. Adrian Perrig, Computer Science Department, ETH Zurich, stated that sovereignty remains the central question in terms of ownership of computational technology. He said that private companies have far-reaching powers to change the rules of the Internet. Governments, however, with increasing cyber-offensive capabilities, have ‘indirect kill-switches’. To address these issues, there need to be technological changes as the current encryption used actually enables the existence of kill-switches. Perrig argued that non-technical issues might not in fact be the weakest link because there are technological measures that enable the placing of humans into the centre of coordinated decision-making in a safer ‘neighbourhood’ or environment.

In the lively discussion, the debate ranged from issues of cyber citizenship to blockchain. Salamantian emphasised the need to re-frame the issues around the interactions and connections between the real and the digital worlds. He also pointed out that we need to have kill-switches in case something goes wrong, with which Perrig agreed while advocating the need for transparency and accountability in their governance. He also pointed out that blockchain is not currently a solution to governance because of issues in the logic of majority. Salamantian and Ghernaouti concluded that there remains a need for further governance and regulatory measures as governments increasingly seek to assert control over the Internet.

The moderator then ended the debate after thanking the audience and panellists.

        


Organised as part of the Geneva Digital Talks series, the event 'How can technological solutions advance cybersecurity?' will be held on 3 November 2017, from 10:00 - 16:30 CEST, at the WMO building (De Mello conference room, 2nd floor), Avenue de la Paix 7bis, 1202 Geneva.

The design of digital technology impacts cybersecurity. While the initial Internet architecture was not secure enough, security was gradually built into new operating systems, applications and tools. Today, we are faced with new challenges ranging from the expansion of the Internet of Things to artificial intelligence. Technical solutions for both existing and emerging cybersecurity challenges will be essential for the future of the Internet.

This Geneva Digital Talks discussion will feature three parts : (1) a mapping of cyber vulnerabilities, (2) a panel on the interplay of technical and policy aspects as well as the installation and presentation of one practical Internet solution – the SCION architecture, and (3) future directions and expectations in cybersecurity.

 

Programme:

10.00-10.15 | Registration

10.15-10.30 | Welcome remarks

  • Dr Roxana Radu, Programme Manager, Geneva Internet Platform and DiploFoundation
  • Dr Gustav Lindstrom, Head of the Emerging Security Challenges Programme, Geneva Centre for Security Policy

10.30-12.00 | Recent Cyber Incidents - Patterns, Vulnerabilities and Concerns

Examination of recent cyber incidents (e.g. Mirai, Wannacry), including targets, key vulnerabilities, attack limitations, and implications for security.

  • Mr Martin Dion, Vice President of EMEA Services, Kudelski Security
  • Ms Päivi Tynninen, Researcher, Threat Intelligence Unit, F-Secure Labs

12.00-12.45 | Standing lunch

12.30-14.00 | Panel discussion: ‘How can technological solutions advance cybersecurity?’

  • Prof Adrian Perrig, Computer Science Department, ETH Zurich
  • Prof Solange Ghernaouti, University of Lausanne and Director, Swiss Cybersecurity Advisory and Research Group
  • Prof Kave Salamatian, Computer Science Department, University of Savoie and Senior Researcher, Castex Chair of CyberStrategy, IHEDN Paris
  • Mr Laurent Ferrali, Director Government and IGO Engagement, Geneva Office, Internet Corporation of Assigned Names and Numbers (ICANN)
  • Moderator: Dr Jovan Kurbalija, Director of DiploFoundation and Head, Geneva Internet Platform

14.15-15.00 | Launch of the SCION pilot server | Presentation by Prof Adrian Perrig

15.00-15.15 | Coffee break

15.15-16.30 | Looking Ahead: What to expect in the Cyber Realm

What are future challenges and opportunities? What are likely trends in the cyber domain? How do we enhance response, preparedness and collaboration?

  • Mr Andy Bates, Executive Director, United Kingdom, Europe, Middle East & Africa, Global Cyber Alliance
  • Dr Gustav Lindstrom, Head of the Emerging Security Challenges Programme, Geneva Centre for Security Policy

16:30 – 16:35 | Conclusion

 

 

The GIP Digital Watch observatory is provided by

in partnership with

and members of the GIP Steering Committee



 

GIP Digital Watch is operated by

Scroll to Top