Ciberespaço, Soberania,

Risco Social: desafios para Portugal

Paulo Esteves-VeríssimoUniversity of Luxembourg, SnT

Professor, FNR PEARL Chair

paulo.verissimo@uni.lu

http://wwwen.uni.lu/snt/people/paulo_esteves_verissimo

10º Simp. Int’l “Estratégia Da Informação Nacional”, Academia Militar,

Amadora, 29 de Abril 2016

Cyberspace today

The world is becoming an immenseinfrastructure

ISP

ISP

CLOUD COMPUTING AND

COMMUNICATIONS

Internet minute

www.intel.com/.../internet-minute-infographic.html

5

Vulnerabilidades em Softwaresempre em alta

(Source: IBM xForce)

Number of Vulnerabilities

20XX

Summarizing: Cyberspace today

• immense, interconnected,interdependent infrastructure

• huge amounts of correlatable data

• huge cheap storage capacity

• steadily increasing softwarevulnerabilities

Threat Landscape (in times of peace)

How are threats themselves evolving?

• targetedattacksandadvancedpersistentthreats

• weakening andsubversionofcommsandcomputingservices

• threats toprivacy:blanket datacollection

• sophisticated automatedcyberweapons

• organised crime

(Source: Adapted from Lipson, H. F., Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, Special Report CMS/SEI-2002-SR-009, November 2002. (CERT)

High

Low

1980 1985 1990 1995 2000

password guessingself-replicating code

password crackingexploiting known vulnerabilities

disabling auditsback doors

hijacking sessions

sweeperssniffers

packet spoofing

GUIautomated probes/scans

denial of service

www attacks

Attacks

Attackers“stealth” / advanced scanning techniques

burglaries

network mgmt. diagnostics

DDOS attacks

20xx…

Bot Nets

Embedded malicious

code

Attack sophistication vs. attacker expertise

Chipsubversion

Required Attacker expertise

AvailableAttack sophistication

TARGETED ATTACKS a.k.a.

ADVANCED PERSISTENT

THREATS

Re-identifying de-identified dataOn the reidentifiability of credit card metadata

On the re-identifiability of credit card metadataYves-Alexandre de Montjoye et al., 2015

The power of metadata ...

Recent evolution

• thebalanceamongstvulnerabilities,threatsanddependence mustbekept,lesttheriskmayincrease

• buttherecentevolutionhasbeenopposite ofthat:

– dependence of society on ICTis very high

– increase ofthreatshasbeenignored

– increaseofvulnerabilitieshasnotbeenstopped

• societyis adopting cyber risk behaviours

Summarizing: Threat Landscape

• Powerful adversary actors

• Availabilityofsophisticatedcyberweaponry

• Datacorrelations previously impossible

• Inbig data,meta-datais data

• Elevatedriskinallcybercomponents

Cyber-engagement

• Generalisedtrendtowardblanketdataand“meta-data”collection

• Deliberateweakeningofcommunicationandcomputingsystemsinfrastructures

• Experimentalsabotage and kinetic cyber attacks• Escalationincyberweapondevelopment,passive

andactive

We live a non-declared low-intensity cyber-war, under a cyber-weapons proliferation ambience.Without proper “cyber-Geneva” and “anti-Proliferation” treaties, this can scale-up unexpectedly

Some reflections on cyberspace strategy

On the asymmetric nature of cyberspace

• Risk is directly proportional tonation development• CIIcentralisation and interdependence induces

escalation and threat amplification• Cyber attack capability is not directly proportional

tonation development or wealth• Kinetic cyber attacks (e.g.SCADArelated)within

potential reach of otherwise weak actors• Highpotentialdisturbancemomentumof

mobilisedhacktivism

Fundamental principles of a winning strategy for protection of the society

• CybersecurityandCyberdefense, twocomplementaryandsymbioticinstancesofsocietyprotection

• SecurityandPrivacy,twofacesofthesamecoin

Cybersecurity = Cyberdefense: dangerous equation• cybersecurity coversmostlymediateandproactive

concepts,adequatetotimesofpeace• (inclusiveofcivilsociety,prevention,earlywarning,trainingand

awareness,certificationandauditing,etcetc.)

• cyberdefense coversmostlyimmediateandreactiveconcepts,adequatetotimesofdisturbance/damage

• (drasticand/orkineticdefenceand/orcounterattack/offenseactions)

• noreasonforconsideringthatcyberspaceshouldescapedemocraticruleoflawprinciples,or,forthatmatter,generalwarfareprinciples

Security vs. Privacy: wrong equation

• Privacyis securityfromtheperspectiveofanindividualorcollectiveperson,orcollectionthereof.

• Blanketsacrificeofprivacymeansdestroyingvalue (ofhugesetsofindividuals,organisations,orevennation’sbusinesssectors)

• Thesentencesomanytimespronouncedbypoliticiansactuallymeansacontradictioninterms:– “wemustunderminethesecurityoftheindividualsand

organisations ofawholenationtopreservethesecurityofthenation”(!)

Epilogue: key strategic measures for global détente

threats became global,persistent,and perpetrated by powerful,motivated,competent and non-regulated adversaries

it is impossible todopervasive and blanket datacollection withoutdamaging society and democracy asawhole

underminingintegrityand trustworthiness of theinfosocietyandinfrastructurecanbe disastrous

Before it is toolate,we must:setclearmissionsforcybersecurityandcyberdefense

redefineprivacyasaformofsecuritygobacktotargetedsurveillanceunderdemocraticruleoflawregulate the commercial rights foracquisition of private info

regulate international trade in ICT

26

PauloEsteves-VeríssimoUniversity of Luxembourg Faculty of Science,Technology and Communication _

andSnT,theInterdisciplinary CentreforSecurity,Reliability andTrustPEARLChairsponsored bytheLuxembourgNationalResearchFund(FNR)

paulo.verissimo@uni.lu http://wwwen.uni.lu/snt/people/paulo_esteves_verissimo

@SnTCriticalandExtremeSecurityandDependability

Thankyou!_