April 16, 2018
On 5 June, the third edition of the National Cyber Security Research Agenda (NCSRA-III) will be presented. On Thursday 12 April, cyber security researchers and experts from universities, government institutions and companies discussed the final refinements to this new research agenda in the area of digital security.
Computer viruses, hijacked computers, hacking, DDoS attacks, phishing and digital espionage are all threats to the digital security of citizens, companies and governments, and they reach the news headlines almost every week. As we have become increasingly dependent on digital services in our everyday lives over the past two decades, we have also become more vulnerable to such attacks.
Cyber security researchers are developing new security systems to protect the Dutch digital society. The National Cyber Security Research Agenda (NCSRA) is intended as a framework for public-private partnership within national research into digital security. The agenda was published for the first time in 2011 and was followed by a second edition, NCSRA-II, in 2013.
Five years after the second edition, considerable effort is being put into the realisation of a third edition, NCSRA-III. On Thursday 12 April, stakeholders discussed the draft texts of the agenda that were written earlier this year. The 90 participants included many academic researchers, but also experts from industry (including Philips, KPN, NXP, Secura and Rabobank) and representatives from government ministries, TNO, the Confederation of Netherlands Industry and Employers, the Dutch police and the Dutch judiciary.
The NCSRA-III is subdivided into five pillars: better design, better defense, better organisation, better understanding of attacks, and improved privacy. For each pillar, the agenda clearly states what the relationships with the other pillars are. 'The agenda that was published five years ago was more compartmentalised', says chair of the event Wim Hafkamp, chief information security officer at Rabobank (and chair of the dcypher advisory council). 'At the time, we had nine themes that were largely studied independently. The world has changed since, and we are trying to respond to that by clearly considering the relationships between the five pillars. One example of the difference between the new agenda and the previous edition is that we now pay more attention to the psychological aspects of cyber security, for example the change of behaviour; we no longer examine just the technical aspects.'
Jaap-Henk Hoepman, principal scientist of the Privacy & Identity Lab, states two ways in which the playing field for digital security has changed over the past five years: 'First of all, our society has become far more dependent on ICT than it was five years ago. Second, it is better if we now assume that there is no such thing as an entirely secure digital infrastructure. Instead, we should assume that systems have been attacked and that the attacker has access. If this is the case, how can we best protect ourselves?'
After a plenary session in which the five research pillars were each briefly introduced by a university researcher, the rest of the afternoon was used for discussions. Two successive discussion rounds were organised for each pillar, so that each participant could comment on two of the pillars. At the end of the afternoon, the discussion leaders reported on the most important comments and remarks.
The pillar "Better design" is based on the idea that many security problems can be prevented by designing systems and services in which security is one of the priorities from the outset: this is called security by design. When he presented this pillar, Erik Poll from Radboud University noted that, in recent years, everybody has been talking about security by design, but that far too little has been done about it in practice. An important point that emerged from the discussion round is that the end-user, in particular, should not be forgotten.
The pillar "Better defense" is about preventing and detecting attacks, but also about responding to and recovering from attacks. The main challenge here is to efficiently and effectively increase the strength of all defensive resources, says Luca Allodi from Eindhoven University of Technology.
"Better governance" is the third pillar. This pillar focuses on the owners of systems and services, namely citizens, companies and government bodies. How do they deal with the available technical possibilities to improve digital security? This pillar attracted the most discussion participants by far, including participants from TNO, the Confederation of Netherlands Industry and Employers, the Dutch police and the Dutch judiciary. Several comments concerned the concept of "security". Security has a subjective component, which is not objectively measurable by definition. But in addition, relatively few hard facts and data are available about the measurable component of security.
Kees Neggers, former director of Surfnet and one of the four Dutch people who have been included in the Internet Hall of Fame, expressed his concern that the deeper underlying causes of digital threats are not sufficiently tackled. For example, the current design of the Internet contains leaks that should be sealed according to him. That is technically feasible, but the investments required are scarcely being made. Representatives from industry expressed the concern that it is particularly difficult to get SMEs involved, even though they jointly constitute 95% of Dutch industry; there is an awareness of digital security among them, but also a lack of concrete action. Finally, Theo Jochoms, adviser on science and education at the Dutch police, noted that a lot of attention is devoted to defending against cyber attacks but relatively little attention to detecting these.
The fourth pillar, "Better understanding of attacks", studies vulnerabilities in designs, protocols, systems, defense measures, etc. Without an understanding of vulnerabilities, we cannot defend ourselves. The human factor will be given attention as well. Exposing the psychology of the attacker also makes it possible to improve the defense. Botnets could be knocked out before becoming active, for example.
The fifth and final pillar, "Improved privacy", ties in with the fact that privacy is a fundamental right within the EU – one that is protected by law. And just like the efforts to achieve security by design, efforts should also be made to design ICT applications in which privacy is a priority from the outset: privacy by design. One of the points raised during the discussion round was that privacy is also a part of identity management: proving that somebody is who he or she claims to be. A second interesting discussion point, submitted by Professor of Cyber Security Governance at Leiden University, Bibi van den Berg, is that privacy should not only be examined in the narrow sense of the term at the level of the individual but also in the broader sense of a community or organisation. People are very keen to share certain things, whereas they do not wish to share other things at all or just with a few people. And ideas about privacy have also changed over the course of time, but this aspect has barely been studied to date.
All comments and remarks made during the discussion afternoon will be carefully considered, concludes Jan Piet Barthel, director of dcypher (the Dutch Cybersecurity Platform Higher Education and Research), the organiser of the discussion afternoon. Proposals for amendments can still be submitted until 23 April. Where necessary, the draft texts of the NCSRA-III will be modified. On 5 June, the third edition of the National Cyber Security Research Agenda will be presented at press centre Nieuwspoort in The Hague.
Text: Bennie Mols, science journalist
Translation: NST Science
Photos: Thijs ter Hart