by Professor Bart Preneel
Department of Electrical Engineering-ESAT/COSIC
(Computer Security and Industrial Cryptography)
On 19 November 2014, the SWIFT Institute and KU Leuven hosted a one day conference focusing on cyber security issues impacting the global financial industry. The program brought together experts from academia, the financial and technology industries, and law enforcement, resulting in several interesting observations.
In his opening address, SWIFT’s CEO Gottfried Leibbrandt discussed the paradoxical observation that Internet security keeps getting worse, while e-commerce keeps growing. As a potential solution for the mounting cybersecurity challenges he proposed a comparison of the co-development of diseases and immune systems. Creating durable solutions to cybersecurity requires better ecosystems and infrastructure, international cooperation, as well as non-proliferation treaties (similar to those against biological warfare).
The insider threat was confirmed as real and serious. One needs to consider both malicious and non-malicious insiders and cyber and non-cyber threats. Today employees have access to sensitive data anywhere and on a 24/7 basis, but on the other hand capabilities to monitor employees have increased substantially. Monitoring also needs to take into account the privacy rights of employees. Addressing insider threats requires strong governance and is the responsibility of every single person in the organisation, and not just of the Chief Security Officer. Communications between HR and business units still need to be improved.
Cryptology was highlighted as a key technology in a world in which we need to secure data rather than IT systems. As cryptology shifts protecting data to protecting keys, proper key management is central in the deployment of cryptology. For the next 10-20 years, there is a realistic expectation that large scale quantum computers can be built; those computers would be extremely effective in attacking our current cryptographic schemes. A major upgrade would be required of symmetric key schemes, but for public-key cryptography the impact could be dramatic: all of our widely deployed schemes would need to be replaced. Currently research is underway on public-key schemes that would resist quantum computers. The main message is that we are running behind schedule and a major investment is required today, even if the problem will only arise ten years from now. The Snowden revelations have lifted the veil on the NSA’s Bullrun program, which intends to undermine cryptographic standards. This issue also brings to light the larger problem of certification of cryptographic standards and products. Overall, an important message is that we need to improve the governance of our cryptographic ecosystem.
Every financial institution has to decide between two options: strengthening the security of legacy systems, which were designed before cyber security was a concern, or deploying new systems and architectures. The advantage of the former is that an organic growth allows for an organic development of security, but on the other hand a clean start may present a simpler and easier to manage solution.
We are witnessing exciting developments on virtual currencies, in which highly innovative ideas are being put forward that have the potential to be highly disruptive. In spite of the early success of Bitcoin (currently a total value of US$ 4.5 billion), the area is still very immature. Many alternative solutions are being researched in academia. Banks and regulators are still exploring which roles they can play in this developing ecosystem.
Globalisation has resulted in a complex supply chain, in which software and hardware components that are shipped around the globe have been designed, built, and configured in different continents. We have to manage the risk that accidental or deliberate vulnerabilities can be inserted at each step of the chain. Revelations by Snowden have shown that this is not only a risk, but that some nations actually engage in supply chain subversion. Addressing this risk requires a careful selection of suppliers, verification of building blocks as much as possible, and creative shipping solutions.
The Snowden revelations have changed our view on the role of governments in cyber security. While there were earlier revelations about nation state bulk eavesdropping (e.g. the 2001 Echelon report), the massive scale of the eavesdropping and the sophistication in terms of technologies and organisation have surprised most of us. Data in the cloud seems to be fair game – the only uncertainty is about how the access under the PRISM program works exactly. Sophisticated data mining techniques are used to shift from a paradigm of collecting information based on specific key words or targets to search by association, in which one element related to a target becomes just a starting point to completely map the target’s behaviour and network. The extent of the collaboration of industry – voluntary or involuntary – is much larger than expected. Moreover, mass surveillance is not the privilege of the US or the Five Eyes (Australia, Canada, New Zealand, UK, US): many nations seem to be involved in exchanging data. Economy of scale seems to play a central role, and smaller countries have the option to trade data with the large ones, or not play at all. One of the more interesting revelations is the Bullrun program (cf. supra) that intends to undermine cryptographic standards. But perhaps most surprising is the extent of “active attacks” in which government agencies take over networks, insert malware, and subvert supply chains (that is, add extra eavesdropping devices in hardware). In other words: offense has trumped defence. To come back to the biological analogy: it seems that our governments have been creating and releasing dangerous viruses and bacteria and have been experimenting with Polonium on real people, rather than building modern and effective health care systems. The risk of proliferation of some of these technologies to many other nations, to organized crime and to violent non-state actors is very high.
A natural question is: have we done enough to adjust to the new reality? We are seeing a somewhat wider deployment of stronger encryption technologies, but major gains can only be made if this can be done transparently, end-to-end, and without central control or backdoors. Supply chain security is receiving more attention, but industry-wide changes take a long time. Developing digital sovereignty requires increased control over design and implementation of systems and intensive and complex security audits. The cloud and big data models that are holding such large promises have turned out to have a dark side and unexpected risks. We should perhaps re-think our centralised architectures, towards distributed control and decentralisation, and return to the old principle of data minimisation: don’t collect or give out more data than strictly necessary. Advanced cryptographic technologies can help to perform some computations on encrypted data and to distribute security over multiple nodes, so that compromise of a single key does not open the floodgates of data. Open technologies offer the best guarantee against backdoors.
Technology can play an important role to stop mass surveillance and protect our democracies, but there is only so much that it can do. We need to convince decisions makers that the current approach will quickly turn against all of us. The next step is the creation of a strong governance framework in which technology is used to support legal guarantees. We have to favour defence over attack. Building trustworthy systems is already hard enough without governments trying to undermine the effort.