Progress and Research in Cybersecurity: Supporting resilience, trust and digital identities Professor John McCanny CBE FRS FREng Professor Andy Hopper CBE FRS FREng
Steering Committee
Co-chairs
Professor Andrew Hopper CBE FREng FRS: Professor of Computer Technology, Head of Department, Computer Laboratory, University of Cambridge
Professor John McCanny CBE FREng FRS: Director of the Institute of Electronics, Communications and Information Technology, Queen’s University Belfast
Members
Professor Ross Anderson FREng FRS: Professor of Security Engineering, Computer Laboratory, University of Cambridge
Professor Philip Bond: Visiting Professor, Department of Engineering Mathematics and Computer Science, Bristol University
Mr Martin Borrett: IBM Distinguished Engineer, CTO IBM Security Europe
Professor Sadie Creese: Professor of Cybersecurity, Department of Computer Science, University of Oxford
Dr Steven Murdoch: Principal Research Fellow, Department of Computer Science, University College London
Professor Angela Sasse FREng: Director, UK Research Institute in Science of Cyber Security (RISCS), Department of Computer Science, University College London
Mr Alex van Someren: Managing Partner, Early Stage Funds, Amadeus Capital Partners
Dr Claire Vishik: Security, Privacy Standards and Policy Manager, Intel Corporation UK
Progress and research in cybersecurity: context
• The UK/Europe is particularly well placed to realise the benefits of this emerging digital society. It has the advantages of supportive government policy, a strong research base and a history of industrial success.
• Digital systems are evolving rapidly, and so is the threat of attack.
• Solutions to the fast-evolving threat of cyber-attacks require collaboration across all sectors, disciplines and national boundaries.
• Progress and research in cybersecurity:
  • Assesses the conditions needed for the creation of a trustworthy and resilient cybersecurity environment
  • Provides recommendations on how policy, practice and research can adapt to the evolving threat.
Progress and research in cybersecurity: key messages
Trust: Trust is essential for growing and maintaining participation in the digital society.
Resilience: Resilience – the ability to function, adapt, grow, learn and transform under stress or in the face of shocks – will help organisations deliver systems that are reliable and secure.
Research: Research and innovation in industry and academia will continue to contribute to a more resilient and trusted digital environment.
Translation: Translation of innovative ideas and approaches from research drives the supply of reliable, proven solutions.
https://royalsociety.org/topics-policy/projects/cybersecurity-research/
Trust
Users of digital services must be able to assess the trustworthiness of a service and maintain trust in it.
• Often users are unaware of the risks they face.
• Loss of trust in a digital-based enterprise can lead to major economic impact, including its failure.
By trust we mean an individual’s or group’s confidence in the integrity, safety and reliability of a system or organisation.
Data loss can occur accidentally or maliciously – either way it leads to loss of trust by the user. This can lead to loss of confidence and to services and products not being used, reducing the benefits of the digital economy. To gain trust, organisations must behave in a responsible manner and be able to convince users that this is the case.
Trust
Using end-to-end encryption
• On-going debate about the use of backdoors for surveillance purposes, including law enforcement.
• However, there is a consensus that backdoors mean weakening encryption, leading to increased vulnerabilities and potential data loss.
• The report strongly stresses the importance of robust encryption.
Trust
Anonymisation of users’ personal information – two main approaches
• Remove personally identifiable information from a database before the data is processed – e.g. medical records.
• Protect identifiable data through controls on the queries that can be made to the database.
• However, important challenges remain, as other non-trivial information can be identifying when aggregated with other databases – e.g. location data from a mobile phone could identify where a person lives or works.
• Stronger anonymisation methods are needed where databases are aggregated – e.g. “differential privacy”.
• Challenges remain in terms of implementation and more research is needed.
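As an added illustration of the second approach above (query controls), and of why differential privacy is the stronger form of it, here is a small Python example. It is not code from the report or from the Royal Society project: the records are constructed, hypothetical medical data from which direct identifiers have already been removed, and the two classes (a query-set-size control and a differentially private counter with a privacy budget) are the author-of-this-page's own illustration, not a library API.

```python
import math
import random

# Constructed sample of de-identified records (hypothetical data). Names and
# NHS numbers are gone, but postcode area and age band remain, and a count
# that matches only one of these rows still reveals that person's condition.
RECORDS = [
    {"postcode_area": "BT9", "age_band": "30-39", "has_condition": True},
    {"postcode_area": "BT9", "age_band": "30-39", "has_condition": False},
    {"postcode_area": "BT9", "age_band": "40-49", "has_condition": False},
    {"postcode_area": "CB2", "age_band": "30-39", "has_condition": True},
    {"postcode_area": "CB2", "age_band": "40-49", "has_condition": True},
    {"postcode_area": "CB2", "age_band": "40-49", "has_condition": False},
    {"postcode_area": "OX1", "age_band": "60-69", "has_condition": True},
]


def true_count(records, predicate):
    """Exact number of records matching the predicate; never released as-is."""
    return sum(1 for r in records if predicate(r))


class QuerySetSizeControl:
    """Simple query control: refuse any count whose query set is smaller than
    `minimum`, because a count over one or two people names those people.
    (This alone is known to be weak once several overlapping queries are
    allowed, which is why the report points to differential privacy.)"""

    def __init__(self, records, minimum=3):
        self.records = records
        self.minimum = minimum

    def count(self, predicate):
        n = true_count(self.records, predicate)
        if n < self.minimum:
            raise PermissionError("query set too small to release")
        return n


def laplace_noise(scale, rng):
    """One sample from Laplace(0, scale) via inverse-transform sampling."""
    u = rng.random() - 0.5
    # Keep |u| strictly below 0.5 so the logarithm is always defined.
    u = max(min(u, 0.5 - 1e-12), -0.5 + 1e-12)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class DifferentiallyPrivateCounter:
    """Differentially private counting with a privacy budget.

    Each answer is the true count plus Laplace noise of scale
    sensitivity / epsilon. A counting query has sensitivity 1 (adding or
    removing one person changes it by at most 1). The total epsilon spent is
    tracked so that repeated queries cannot simply average the noise away."""

    SENSITIVITY = 1.0

    def __init__(self, records, total_epsilon, rng=None):
        self.records = records
        self.remaining_epsilon = total_epsilon
        self.rng = rng if rng is not None else random.Random()

    def count(self, predicate, epsilon):
        if epsilon <= 0 or epsilon > self.remaining_epsilon:
            raise PermissionError("privacy budget exhausted")
        self.remaining_epsilon -= epsilon
        scale = self.SENSITIVITY / epsilon
        return true_count(self.records, predicate) + laplace_noise(scale, self.rng)


if __name__ == "__main__":
    in_ox1 = lambda r: r["postcode_area"] == "OX1"
    guard = QuerySetSizeControl(RECORDS, minimum=3)
    try:
        guard.count(in_ox1)
    except PermissionError as e:
        print("size control:", e)  # only one OX1 record, so refused

    dp = DifferentiallyPrivateCounter(RECORDS, total_epsilon=1.0, rng=random.Random(42))
    print("noisy OX1 count:", round(dp.count(in_ox1, epsilon=0.5), 2))
    print("remaining budget:", dp.remaining_epsilon)
```

The size control refuses the OX1 query outright, while the differentially private counter answers it but with noise large enough (scale 2 at epsilon 0.5) that the answer does not reliably tell you whether that one person has the condition; the budget is what stops an analyst from asking the same question many times and averaging. Choosing the total epsilon, and deciding how to spend it across a real workload, is exactly the implementation challenge the slide refers to.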
Trust
Adherence to evidence-based guidelines
• Need for credible and comprehensible information to allow people to make well-founded judgements as to where to place their trust.
• Standards and guidelines: governments to establish and promote rigorous, evidence-based guidance covering testing and evaluation to ensure robust systems, with this updated in accordance with on-going research.
• Certification marks to provide information on the trustworthiness of a company or a product.
  • Can help identify what cybersecurity standards are being used.
• Development of guidelines/standards/kitemarks must be transparent and done by an independent organisation.
Trust
Recommendation 1
Governments must commit to preserving the robustness of encryption, including end-to-end encryption, and promoting its widespread use.
Recommendation 2
The Government should go further to establish and promote rigorous, evidence-based guidance on state of the art cybersecurity principles, standards and practices, accompanied by certification marks or benchmarks for digital products and services, focused on improving consumers’ protection and understanding.
Resilience
Cyber-risks cannot be eliminated. Therefore it is important that organisations are resilient: preventing breaches and recovering swiftly from those that occur. To achieve this, organisations need to be proactive and take simple steps to protect themselves and their users’ data.
Reporting cyberattacks is important in allowing resilience across the system – how does this work in practice?
• Often companies will not want to report that they have been the victim of a cyberattack, as they may lose clients/business. Therefore there must be strong incentives for companies to report breaches.
• The EU directive on Security of Network and Information Systems (NIS) (2018) makes notification of a supervisory body within 72 hours mandatory.
• Reporting bodies must be clear about what they plan to do with the data they are provided.
Resilience
Recommendation 3
The government should commission an independent review of the UK’s future cybersecurity needs, focused on the institutional structures needed to support resilient and trustworthy digital systems in the medium and longer term.
Recommendation 4
The incentives for organisations to adhere to rigorous, evidence-based cybersecurity standards should be strengthened.
Research
Research can illuminate how best to build, assess and improve digital systems. But research needs to keep pace with the capabilities of attackers. This requires a step change in the pace of research.
To achieve this, certain initiatives should be put in place:
• Establish a challenge-led research funding organisation.
• Promote cross-sectoral, multidisciplinary research and partnerships.
• Encourage international research collaboration.
• Enable access to talent from around the globe.
Research
The USA uses DARPA to fund research into disruptive technologies. This challenge-led approach lends itself well to cybersecurity research, and the UK could benefit from adopting a DARPA-like challenge-led approach for cyber. Research funded in this way needs an appropriate institute to drive it, so such an institute will need to be developed to ensure the success of challenge-led research funding.
Projects would need to be:
• Innovative
• Responsive
• Agile
Research
Collaboration between disciplines:
• As cybersecurity encompasses legal, social, regulatory and technological factors, it is important that research does too; therefore multidisciplinary research should be encouraged.
Collaboration between sectors:
• Digital systems are used by all sectors, and all sectors are highly invested in the success of cybersecurity.
• There are already initiatives in place in the UK, such as CyberInvest (an industry and government scheme), but these need to be promoted to academic researchers to encourage connections between the sectors, which can help produce solutions for real problems.
Research
Recommendation 5
The Government and research funders should introduce new funding and management structures for an ambitious, challenge-led research funding organisation... This organisation would identify key challenges and provide flexible support for excellent researchers to tackle them.
Recommendation 6
Research Councils and other research funders must draw effectively on world-class expertise. Research funders should go further to: ensure peer review involves the best expertise available internationally; encourage multidisciplinary research in cybersecurity; encourage international research collaboration with competent parties; and reduce barriers to academic researchers engaging with industry and the public sector.
Translation
To facilitate effective research translation, several steps need to be taken by the government, academia and industry:
• Promotion of SME research initiatives, such as the Small Business Research Initiative (SBRI).
• Financial aid for early-stage cybersecurity businesses can help them develop their ideas.
• Cybersecurity defences need to be tested before use: the UK needs to be able to develop test facilities in collaboration with industry, giving access to data sets and test environments that reflect real-world threats and environments.
• Addressing the challenges of IP in university technology transfer offices. There needs to be much more effective uptake of research advances in real-world products and services.
Translation
Recommendation 7
The Government should promote the creation and uptake of real world test facilities, including data sets that can be accessed and shared as a national resource to allow the robust evaluation of new cybersecurity research and products.
Recommendation 8
The Government should expand the engagement of SMEs and academic researchers with industrial partners through procurement mechanisms, including the Small Business Research Initiative.
Translation
Recommendation 9
The Government should establish one or more dedicated support funds under specialised and professional management to support the financing of cybersecurity innovation, targeting cases where innovation would have spill-over benefits but might not otherwise be funded.
Recommendation 10
Universities and their technology transfer offices should focus on the volume of commercialisation opportunities, recognising the difficulty of predicting the success of cybersecurity initiatives, and taking into account broader benefits beyond the expected financial return.