Cyberspace, Sovereignty, Social Risk: challenges for Portugal
Paulo Esteves-Veríssimo, University of Luxembourg, SnT
Professor, FNR PEARL Chair
http://wwwen.uni.lu/snt/people/paulo_esteves_verissimo
10th International Symposium "Estratégia Da Informação Nacional" (National Information Strategy), Academia Militar, Amadora, 29 April 2016
Cyberspace today
The world is becoming an immense infrastructure
[Figure: diagram of interconnected ISPs, cloud computing and communications]
Internet minute: www.intel.com/.../internet-minute-infographic.html
Software vulnerabilities: always on the rise
[Figure: number of disclosed vulnerabilities per year, rising over time. Source: IBM X-Force]
Summarizing: Cyberspace today
• immense, interconnected, interdependent infrastructure
• huge amounts of correlatable data
• huge cheap storage capacity
• steadily increasing software vulnerabilities
Threat Landscape (in times of peace)
How are threats themselves evolving?
• targeted attacks and advanced persistent threats
• weakening and subversion of comms and computing services
• threats to privacy: blanket data collection
• sophisticated automated cyber weapons
• organised crime
[Figure: attack sophistication vs. attacker expertise, 1980 to 20xx. Source: adapted from Lipson, H. F., Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, Special Report CMU/SEI-2002-SR-009, November 2002 (CERT). The available attack sophistication rises from low to high over time while the required attacker expertise falls from high to low. Attacks, in chronological order: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, DDoS attacks, botnets, embedded malicious code, chip subversion, and targeted attacks a.k.a. advanced persistent threats.]
Re-identifying de-identified data
"On the re-identifiability of credit card metadata", Yves-Alexandre de Montjoye et al., 2015
The power of metadata ...
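As an added worked example (not part of the talk, and not the authors' code), the following Python measures the "unicity" of a pseudonymised transaction dataset in the way de Montjoye et al. did for credit-card metadata, which is also the concrete form of the "huge amounts of correlatable data" point above: given a few (shop, day) points an adversary has learned about a person from a receipt, a photo or a social-media post, how often do those points single out exactly one pseudonym in the dataset? The records, shop names, pseudonyms and function names are constructed for illustration and are assumptions of this example.

```python
"""Unicity of pseudonymised transaction metadata (added example).

Each record is (pseudonym, shop, day).  The pseudonym replaces the card
number, so the data is "de-identified", yet the (shop, day) points are
the metadata an outsider can learn about a person.  Re-identification
intersects the sets of pseudonyms seen at each known point; unicity is
the fraction of draws in which p random points of a trace leave exactly
one candidate.  Dataset and names below are constructed, not real.
"""
import random
from collections import defaultdict

# Constructed sample: six pseudonymous card holders, one week of purchases.
SAMPLE_RECORDS = [
    ("u1", "bakery", 1), ("u1", "pharmacy", 2), ("u1", "cafe", 3), ("u1", "gas", 5),
    ("u2", "bakery", 1), ("u2", "pharmacy", 2), ("u2", "cafe", 4), ("u2", "gas", 5),
    ("u3", "bakery", 1), ("u3", "cafe", 3), ("u3", "gas", 6), ("u3", "pharmacy", 7),
    ("u4", "bakery", 2), ("u4", "pharmacy", 2), ("u4", "cafe", 3), ("u4", "gas", 5),
    ("u5", "bakery", 1), ("u5", "pharmacy", 2), ("u5", "cafe", 3), ("u5", "gas", 5),
    ("u6", "cinema", 6), ("u6", "bakery", 1), ("u6", "gas", 5), ("u6", "cafe", 4),
]
# Note: u5 deliberately has the same trace as u1, so neither is ever unique.


def build_index(records):
    """Index (shop, day) -> pseudonyms seen there, and pseudonym -> trace."""
    by_point = defaultdict(set)
    by_user = defaultdict(set)
    for user, shop, day in records:
        by_point[(shop, day)].add(user)
        by_user[user].add((shop, day))
    return by_point, by_user


def reidentify(by_point, known_points):
    """Pseudonyms consistent with every known point (set intersection).

    Returns the empty set when no point is known or no pseudonym matches.
    """
    candidates = None
    for point in known_points:
        users = by_point.get(point, set())
        candidates = set(users) if candidates is None else candidates & users
        if not candidates:
            break
    return candidates or set()


def unicity(records, p, trials=200, seed=0):
    """Fraction of (user, p-point sample) draws that single out one pseudonym.

    For every user with at least p points, draw p points of their own trace
    uniformly at random and check whether the intersection is exactly that
    user.  Repeated `trials` times with a fixed seed for reproducibility.
    """
    rng = random.Random(seed)
    by_point, by_user = build_index(records)
    users = sorted(u for u, trace in by_user.items() if len(trace) >= p)
    unique = total = 0
    for _ in range(trials):
        for user in users:
            sample = rng.sample(sorted(by_user[user]), p)
            total += 1
            if reidentify(by_point, sample) == {user}:
                unique += 1
    return unique / total if total else 0.0


if __name__ == "__main__":
    index, _ = build_index(SAMPLE_RECORDS)
    # Two points learned about u2 already identify the pseudonym uniquely.
    print("candidates for (pharmacy,2)+(cafe,4):",
          reidentify(index, [("pharmacy", 2), ("cafe", 4)]))
    for p in (1, 2, 3, 4):
        print(f"unicity with {p} known point(s): {unicity(SAMPLE_RECORDS, p):.2f}")
```

The measurement generalises directly to any pseudonymised dataset of (subject, attribute...) records: replace (shop, day) with whatever tuple an adversary can observe externally (cell tower and hour, price bucket, merchant category). On real card data the 2015 paper found that four such points were enough to single out about 90% of individuals, which is why the deck says that in big data, metadata is data.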
Recent evolution
• the balance amongst vulnerabilities, threats and dependence must be kept, lest the risk increase
• but the recent evolution has been the opposite of that:
– dependence of society on ICT is very high
– the increase of threats has been ignored
– the increase of vulnerabilities has not been stopped
• society is adopting cyber risk behaviours
Summarizing: Threat Landscape
• Powerful adversary actors
• Availability of sophisticated cyber weaponry
• Data correlations previously impossible
• In big data, meta-data is data
• Elevated risk in all cyber components
Cyber-engagement
• Generalised trend toward blanket data and "meta-data" collection
• Deliberate weakening of communication and computing systems infrastructures
• Experimental sabotage and kinetic cyber attacks
• Escalation in cyber weapon development, passive and active
We live in a non-declared, low-intensity cyber-war, in a climate of cyber-weapons proliferation. Without proper "cyber-Geneva" and "anti-proliferation" treaties, this can scale up unexpectedly.
Some reflections on cyberspace strategy
On the asymmetric nature of cyberspace
• Risk is directly proportional to nation development
• CII centralisation and interdependence induces escalation and threat amplification
• Cyber attack capability is not directly proportional to nation development or wealth
• Kinetic cyber attacks (e.g. SCADA related) are within potential reach of otherwise weak actors
• High potential disturbance momentum of mobilised hacktivism
Fundamental principles of a winning strategy for protection of the society
• Cybersecurity and Cyberdefense, two complementary and symbiotic instances of society protection
• Security and Privacy, two faces of the same coin
Cybersecurity = Cyberdefense: dangerous equation
• cybersecurity covers mostly mediate and proactive concepts, adequate to times of peace
• (inclusive of civil society, prevention, early warning, training and awareness, certification and auditing, etc.)
• cyberdefense covers mostly immediate and reactive concepts, adequate to times of disturbance/damage
• (drastic and/or kinetic defence and/or counterattack/offense actions)
• no reason for considering that cyberspace should escape democratic rule-of-law principles, or, for that matter, general warfare principles
Security vs. Privacy: wrong equation
• Privacy is security from the perspective of an individual or collective person, or collection thereof.
• Blanket sacrifice of privacy means destroying value (of huge sets of individuals, organisations, or even a nation's business sectors)
• The sentence so many times pronounced by politicians actually means a contradiction in terms:
– "we must undermine the security of the individuals and organisations of a whole nation to preserve the security of the nation" (!)
Epilogue: key strategic measures for global détente
• threats became global, persistent, and perpetrated by powerful, motivated, competent and non-regulated adversaries
• it is impossible to do pervasive and blanket data collection without damaging society and democracy as a whole
• undermining the integrity and trustworthiness of the info society and infrastructure can be disastrous
Before it is too late, we must:
• set clear missions for cybersecurity and cyberdefense
• redefine privacy as a form of security
• go back to targeted surveillance under democratic rule of law
• regulate the commercial rights for acquisition of private info
• regulate international trade in ICT
Paulo Esteves-Veríssimo, University of Luxembourg, Faculty of Science, Technology and Communication, and SnT, the Interdisciplinary Centre for Security, Reliability and Trust
PEARL Chair sponsored by the Luxembourg National Research Fund (FNR)
[email protected] http://wwwen.uni.lu/snt/people/paulo_esteves_verissimo
@SnT Critical and Extreme Security and Dependability
Thank you!