WORLD FEDERATION OF SCIENTISTS

Permanent Monitoring Panel on Information Security

Top Cyber Security Problems That Need Resolution

The Planetary Emergency Regarding the Insecurity of Global Communications

Erice (Sicily)/Rome, December 2008

Geneva, May 2009

The Permanent Monitoring Panel on Information Security of the World Federation of Scientists (InfoSec PMP) believes that it is imperative that all countries begin to address the problems that enable cyber security risks and to seek mechanisms by which solutions and approaches can more readily be shared, with a goal toward harmonized solutions and greater communication security. Collaborative arrangements between governments, the research community, legal experts, and industry on the issues that underpin security risks to communications will both expand the reach of the solution and more rapidly advance cyber security.

Considering the technological innovations and the changing threat environment, the World Federation of Scientists Permanent Monitoring Panel on Information Security (InfoSec PMP) sought input from cyber security experts around the globe regarding the most serious problems that must be resolved if the global crisis in communications security is to be addressed.[1] In addition, the InfoSec PMP analyzed prior work in this area and included previously identified problems that continue to create security risks.

The Computing Research Association (CRA) developed a report in 2003, Four Grand Challenges in Trustworthy Computing, in which it identified four challenges “aimed at immediate threats, emerging technologies, and the needs of future computing environment over a much longer term.”[2] In 1997, the INFOSEC Research Council (IRC) developed a Hard Problems List (HPL), which was published in 1999 and updated in 2005.[3] Since then, neither of these documents has been updated, nor has any new list reached a comparable level of prominence. Moreover, governments and private sector entities alike appear complacent about the urgency of advancing cyber security. The InfoSec PMP hopes that its efforts in updating and advancing a Top Cyber Security Problem list will ignite new and collaborative efforts to address these issues.

The PMP will make its Top Cyber Security Problem list available to the United Nations International Telecommunication Union (ITU) for consideration within its Global Cybersecurity Agenda, and to nation states, universities, and other multinational fora, such as the European Commission, the Organization of American States (OAS), the Asia-Pacific Economic Cooperation forum, and ASEAN, in the hope that this will spur attention to these critical issues and encourage collaboration. The InfoSec PMP will continue to work with all interested stakeholders to refine its Top Cyber Security Problem list and will update and reissue it accordingly.

Taking a multidisciplinary approach, the PMP has divided the Top Problems into three categories: legal, policy, and technical.

Legal

• Develop international law to accommodate cyber warfare offensive and defensive activities, thus making it operative for the cyber age.

• In that regard, elaborate on the UN Charter through topical interpretations: define when a cyber operation constitutes a use of force under Article 2(4) and an armed attack under Article 51, define the limits of self-defense under Article 51, define the concept of a cyber weapon, define operational modes for Chapter VII action in case of cyber attack, and develop and analyze scenarios of cyber war and cyber terrorism with a view to their legal consequences.

• Drawing upon NATO’s Strasbourg/Kehl Summit Declaration[4] and previous InfoSec PMP work in analyzing gaps in the international legal framework with respect to collective response, develop proposed amendments to the NATO Treaty definitions of armed attack and territorial integrity, and clarify collective responses to accommodate collective cyber activities, self-defense actions, and communication requirements.

• Encourage the ratification of the Council of Europe Convention on Cybercrime (“Convention”) and its internal implementation by signatory states and, where this is not achieved, encourage the harmonization of cybercrime laws (substantively and procedurally) around the globe, consistent with the Convention and the cybercrime laws enacted in developed nations. The InfoSec PMP supports the efforts of the International Telecommunication Union’s (ITU) Global Cybersecurity Agenda in this regard and encourages use of the ITU Toolkit for Cybercrime Legislation in developing national cybercrime legislation.[5]

Policy

• Improve awareness and education of the various levels of users to enable them to safely and responsibly use ICTs and protect their systems through user-friendly and easy-to-use self-defense methods.

• Encourage the development and implementation of a Cyber Code of Conduct to enable a global culture of responsible cyber citizenship.

• Promote the evolution of computer emergency response teams (CERTs) toward multidisciplinary Cyber Response Centers that can respond to cyber incidents or attacks and coordinate technical, legal, operational, and policy considerations to ensure a holistic and effective response.

• Improve international cooperation between all countries connected to the Internet, including 24/7 points of contact and improved skill levels in law enforcement and cyber investigations.

• Promote cyber security with assurance of privacy through compliance with privacy laws, especially in the context of data mining and digital surveillance.

• Identify and fund collaborative projects to advance solutions to priority issues on a global basis.

Technical

• Develop enterprise level security metrics so security progress can be measured. Quantitative information systems risk management for security needs to be at least as good as quantitative financial risk management.

• Enable time-critical system availability and resiliency across distributed systems. Enable the use of advanced information and communication technologies, stimulate interoperability between communication systems and devices, and improve the efficiency, reliability, and safety of systems for power delivery and use. Such systems exemplify future critical infrastructures that depend heavily on extensive communication systems and are often connected to the open and vulnerable Internet. Research is needed to develop "resilient" control systems that provide trustworthy interactions between communication systems and physical infrastructures, so that they remain resilient in the face of cyber attacks.

• Enable information management at the data structure level, in particular for data structures that represent identity information, so that the identification, authentication, and authorization of communications support seamless and secure information management beyond the limits of current public key infrastructure.

• Address the security challenges of mobile/wireless systems. The widespread and rapidly growing deployment of such devices and systems presents security challenges in and of itself, as well as risks to the systems and devices they interconnect with.

• Identify the security risks and opportunities associated with virtual systems and cloud computing to enable their deployment and interconnection with increased security of information, applications and networks.

• Improve the ability to track and trace cyber communications and the use of digital assets by technical means, so as to enable source identification (accountability), reduce reliance on cooperation between Internet Service Providers, and safeguard privacy.

• Develop tools that protect privacy and enable audits of activity in environments that involve data mining, digital surveillance and profiling for personalized services, and in the protection of personal and business data.

• Improve access to information provenance so as to enable users to track the pedigree of every byte of information in exabyte-scale systems that transform terabytes of data per day. The development of such tools should take into account the challenges posed by the volume of information and the degree of automated processing and transformation.

• Improve transparency of network operations to enable visibility of activities, knowledge of status of operations, and identification of issues as a diagnostic tool to enhance security.

• Develop digital identification mechanisms to protect and advance the interconnection of devices, information, and networks. Develop an identification framework that identifies individual users in their use of networked devices.

• Place higher emphasis on cryptography, especially by developing cryptographic algorithms that will withstand future challenges, including those posed by quantum computing.

• Identify and fund collaborative projects to advance security solutions on a global basis.

The Permanent Monitoring Panel on Information Security is an independent group working within the World Federation of Scientists. Its current membership is the following:

Sergey V. Ablameyko, Rector, Belarus University, Minsk, Belarus abl@newman.bas-net.by; William A. Barletta, Department of Physics, Massachusetts Institute of Technology, Cambridge MA, USA wbarletta@; Vladimir Britkov, Institute for Systems Analysis, Russian Academy of Sciences, Moscow, Russian Federation britkov@; Udo Helmbrecht, President, Federal Office for Information Security, Bonn, Germany udo.helmbrecht@bsi.bund.de ; Pradeep Khosla, Dean, College of Engineering and Co-Director Carnegie Mellon CyLab, Carnegie Mellon University, Pittsburgh, PA, USA pkk@ece.cmu.edu; Axel Lehmann, Institute for Information Technology, Universität der Bundeswehr, Neubiberg/ Munich, Germany axel.lehmann@unibw.de; Zenonas Rokus Rudzikas President, Lithuanian Academy of Sciences, Vilnius, Lithuania rudzikas@itpa.lt; Henning Wegener, Chair of the Permanent Monitoring Panel, Ambassador of Germany (ret.) Madrid, Spain/Berlin,Germany henningwegener@; Jody R. Westby, Vice Chair of the Permanent Monitoring Panel, CEO, Global Cyber Risk LLC, Washington, D.C., USA westby@.

Associate members: Hamadoun Touré, Secretary General, ITU, Geneva sgo@itu.int; Robert E. Kahn, CEO and President, Corporation for National Research Initiatives, Reston, VA, USA rkahn@cni.reston.va.us; Jacques Bus, Head, ICT Security Programme, DG Information Security and Media, European Commission, Brussels, Belgium Jacques.bus@ec.europa.eu; Olivia A. Bosch, currently UN Secretariat, New York, NY, USA ahg88@dial.; John P. Casciano, Major General (ret.), GrayStar Vision LLC, Chantilly, VA, USA; Andrey Krutskikh, Deputy Director of the Department of Security and Disarmament Affairs, Ministry of Foreign Affairs, Moscow, Russian Federation; Ahmad Kamal, Ambassador (ret.), United Nations Institute for Training and Research, New York, NY, USA kamal@; Timothy L. Thomas, Foreign Military Study Office, U.S. Army, Fort Leavenworth, KS, USA tim.l.thomas@us.army.mil; Vitaly Tsygichko, Institute of Systems Analysis, Russian Academy of Sciences, Moscow, Russian Federation vtsygichko@inbox.ru.

-----------------------

[1] Robert E. Kahn, “The Role of Identifiers in Global CyberSecurity,” Presentation to the World Federation of Scientists, Erice, Sicily, Aug. 21, 2008, on file with Jody Westby; Chet Hosmer, “Critical Cyber Security Problems,” Aug. 2008, on file with Jody Westby; KC Claffy, “Top Problems of the Internet and How To Help Solve Them,” CAIDA; James Mulvenon, O. Sami Saydjari (ed.), “Toward a Cyberconflict Studies Research Agenda,” IEEE Security & Privacy, IEEE Computer Society, 2005; input was also obtained from Himanshu Khurana, Principal Research Scientist, Information Trust Institute, University of Illinois at Urbana-Champaign, and Michael Bailey, Assistant Research Scientist, Electrical Engineering and Computer Science, University of Michigan; see email from Himanshu Khurana to Jody R. Westby, Aug. 6, 2008, and email from Michael Bailey to Jody R. Westby, Nov. 12, 2008.

[2] Four Grand Challenges in Trustworthy Computing, Computing Research Association, Nov. 16-19, 2003.

[3] INFOSEC Research Council (IRC): Hard Problems List, INFOSEC Research Council, Nov. 2005, cyber.st.docs/IRC_Hard_Problem_List.pdf.

[4] “Strasbourg/Kehl Summit Declaration Issued by the Heads of State and Government participating in the meeting of the North Atlantic Council in Strasbourg/Kehl on 4 April 2009,” in particular para. 49, http://nato.int/cps/en/natolive/news_52837.htm?mode=pressrelease.

[5] See “Legislation and Enforcement, ITU Toolkit for Cybercrime Legislation,” United Nations, International Telecommunication Union.