Today's Essential Cyber Security Requirements

Today's cyberspace (the Internet and computing) is not trustworthy or dependable.  To quote U.S. President Obama's Cyberspace Policy Review: "Our reliance on the internet is becoming nearly total." ... "Threats to cyberspace pose one of the most serious economic and national security challenges of the 21st Century for the United States and our allies." ... "Ensuring that cyberspace is sufficiently resilient and trustworthy to support U.S. goals of economic growth, civil liberties and privacy protections, national security, and the continued advancement of democratic institutions requires making cybersecurity a national priority."

Consequently there have been major initiatives over 2009/10 to identify the essential features that are required in existing and future security systems to ensure the safe and assured operation of our essential ICT.  The ICT Gozo Malta projects directly address many of the current hard problems and deliver features that are considered essential today for achieving trustworthy and dependable cyber security.  We begin by listing cross-cutting security requirements and then capture requests from different organisations / contexts.  

Cross-cutting security requirements called for today

In this entry we compile a short-list of cross-cutting security features most called for by Government and Industry security experts.  The ICT Gozo Malta projects specifically address each of these points:

  • security built in from the ground up
  • removing central points of failure by distributing trust and using multiple layers of defense
  • protection against a wide range of insider (management, trusted staff, malware in hardware and software) and external attacks
  • rewarding collaboration between competitors (organisations or divisions can guarantee their own security and satisfy legislation, while gaining superior security when collaborating with others, including their competitors)
  • exploiting existing infrastructure and standards investments
  • careful attention to maintaining interoperability and security standards compliance
  • enhancing existing standards-based security systems and removing known threats to them

DHS - Security features required for trustworthy systems envisioned by U.S. Government 

The United States Department of Homeland Security November 2009 Cyber Security Roadmap has outlined the following eight current hardest and most critical security problems and needs that must be addressed if the trustworthy systems envisioned by the U.S. Government are to be built.  In addition to the first eight (1-8), there are three other important security features (9-11).  These features need to be retrofitted where possible to existing security systems and be present in all future systems.  Projects in the ICT Gozo Malta forum directly contribute to those security properties marked with an asterisk (*) for both existing and future systems.

  1. Global-scale identity management *
  2. Combatting insider threats *
  3. Availability and survivability of time-critical systems *
  4. Building scalable trustworthy and secure systems *
  5. Situational understanding and attack attribution *
  6. Information provenance *
  7. Security with privacy *
  8. Enterprise-level security metrics
  9. System evaluation life cycle
  10. Combating malware and botnets *
  11. Privacy-aware security *

NITRD - Leap ahead cyber-security themes

"It's not about security, it's about Trustworthiness of our digital infrastructure.  This means Security and Reliability, Resilience, Privacy and Usability."  Dr. Jeanette Wing, Assistant Director for Computer & Information Science and Engineering (CISE), NSF (2010)

The US Federal Network and Information Technology Research and Development Program (NITRD) co-ordinates practically all US Federal Government research.  NITRD has been charged with leading the national cyber security initiatives and is currently promoting three cybersecurity themes: tailored trustworthy spaces, moving target, and cyber economic incentives.  These cyber security themes are considered universal and should apply to most ICT projects. 

  1. Tailored trustworthy spaces:
    • According to Dr. Jeanette Wing in the NITRD 2010 Cybersecurity R&D Themes webcast, based on federal consensus the tailored trustworthy spaces theme is considered the most important of the three NITRD themes. 
    • "Tailored Trustworthy Spaces is a New Paradigm.  Users can select different environments for different activities (online banking, commerce, healthcare, personal communications) providing operating capabilities across many dimensions, including confidentiality, anonymity, data and system integrity, provenance, availability and performance."
  2. Moving target theme:
    • According to Dr. Jeanette Wing in the NITRD 2010 webcast, the moving target theme is about providing resilience through agility.
    • Dr Patricia Muoio, Science and Technology Lead for Cyber at the Office of the Director of National Intelligence, defines agility as the ability to control change across multiple system dimensions in order to:
      • increase uncertainty and apparent complexity for attackers,
      • reduce their windows of opportunity,
      • increase their costs in time and effort, and
      • increase resiliency and fault tolerance within a system.
  3. Cyber economic incentives theme:
    • According to Dr. Jeanette Wing in the NITRD 2010 webcast, the cyber economics theme is about providing incentives to good security.
    • Dr Douglas Maughan, Program Manager, Cyber Security R&D, Science & Technology Directorate, Department of Homeland Security (DHS S&T), goes on to say that the consensus agreement today is "Crime pays on the internet".  He asks whether, in the future, we can create an environment where being a good guy pays and being a bad guy doesn't.
    • The ICT Gozo Malta approach to cyber economic incentives is to adopt user-centric design, to hold all parties equally accountable, and to design for the protection of the legitimate interests of all stakeholders, as proactive design strategies that begin to address the incentive problem.

NITRD - Leap-ahead recommendations

Below we list several suggestions and desirable features from the working groups of the NITRD National Cyber Leap Year 2009 Summit that are adopted in one or more of the ICT Gozo Malta projects.  Security features and design techniques were proposed under five cyber security themes.

  • Hardware enabled trust
    • Trustworthy hardware that will not leak information
    • Hardware-enabled resilience
    • Application behavioral analysis
    • Trustworthy storage and data
  • Cyber economics
    • Infrastructure diversity
  • Moving target defense
    • Diversity in software
    • Resilient cryptographic systems
    • Configuration-space randomization for infrastructure
  • Digital provenance
    • Global identifier based cryptography
    • Global electronic identity management system
    • Systems that are post-quantum secure
    • Network behavioral analysis and over-the-horizon network visibility
  • Digital Immune System (Nature-inspired cyber health):
    • Create a digital immune system for ICT systems that employs:
      • distributed processing
      • decentralised control
      • distributed defense
      • multi-layered protection
      • pathogenic pattern recognition
      • diversity
      • signalling
    • Employ early and dependable detection and recognition of information attacks, rational utilization of the network resources for minimization of the damage and fast recovery, and development of successful ways to prevent further attacks.

ENISA - Critical security requirements for public cloud computing

Major security studies in 2009/10 (such as those by the European Network and Information Security Agency (ENISA), the US NIST and the Cloud Security Alliance (CSA)) have identified a short-list of top threats and open problems.  The common themes found in these studies are:

  • A cloud user's or user organization's loss of governance:
    • Ceding security controls of data to cloud provider
    • Insufficient assurances of data security controls
  • Data leakage or destruction:
    • Malicious insider attacks by cloud provider
    • Malicious insider attacks by managed security providers
    • Inherent vulnerabilities and malicious back-doors present in the cloud's software & hardware platforms
    • Malicious client attacks that exploit isolation failure between virtual machines in the cloud (cloud-bursting)
    • Client does not know what the risk profile of the cloud provider is, and so cannot mitigate those risks
  • Account or service hijacking

Projects in the ICT Gozo Malta forum directly address these security requirements.

DHS - Essential security requirements for global-scale identity management

In this section we outline many of the requirements for global-scale identity management systems identified by the US Department of Homeland Security.  The ICT Gozo Malta global-scale IdM-CKM model is designed (or is being designed) to address these issues. 

  • Must be capable of trustworthy binding of identities [humans, organisations] and credentials
  • Must be capable of operating in multi-stakeholder, multi-jurisdiction environments.
  • Must be capable of managing diverse interorganizational relationships that today are hampered by the lack of trustworthy credentials for accessing shared resources.
  • Will need to incorporate policies governing release of identifying information (user-centricity, data self-determination).
  • Support the control and management of credentials used to authenticate one entity to another, and authorization of an entity to adopt a specific role and assert properties, characteristics, or attributes of entities performing in a role.
  • Must provide efficient support for the management of identities of objects, processes, and transactions on a very large scale.
  • Must provide mechanisms for two-way assertions and authentication handshakes building mutual trust among mutually suspicious parties.
  • The lifetimes of credentials may exceed human lifetimes in some cases, which implies that prevention of and recovery from losses are particularly difficult problems that must be managed.
  • Must achieve longevity of security without the use of public-key cryptography or with quantum-resistant public key cryptography (such as Merkle Tree digital signatures). 
  • Insider and outsider misuses are commonplace in identity management systems. These must be addressed.
  • To whatever extent it can be automated, it must be administratively manageable and psychologically acceptable to users.
  • Must be embedded in trustworthy systems and be integrally related to authentication mechanisms and authorization systems, such as access controls.

NIST - Essential requirements for global-scale key management

"Key management is critical for all sensitive information processing applications. Economic prosperity is a major goal and needs information security." ... "Nearly all Internet security protocols use cryptography for authentication, integrity and/or confidentiality, and hence, require key management (KM)." - Curtis Barker, Division Chief - Computer Security Division, NIST.

"There are several problems with today's Cryptographic Key Management (CKM) solutions. They are expensive, hard to implement, difficult to maintain, perhaps insecure, and user unfriendly." - Miles Smid, Former Acting NIST Computer Security Division Chief.

Some identified essential features that are frequently not present in currently deployed key management systems include:

  • Solutions that are focused on the user:
    • "It is not acceptable to only have a choice between usability with little security and security with little usability.  A CKM system designer has to know the prospective user and to understand that security is not the primary task of the user. A system must be efficient, effective and understandable. There is no complex system that is secure."
  • Scalable solutions:
    • "We know how to handle key management reasonably effectively for up to a million people, we need to go a couple of orders of magnitude beyond that in the relatively near future."
    • Identity-based symmetric keys may reduce the scale of the symmetric key distribution problem.
  • Solutions that offer vastly improved security:
    • "We're not going to accept high risks in the future Internet, because we don't want the adversaries to have high payoffs."
    • "In light of quantum computing, CKM system designers must look at means other than public key-based key management systems; they must look at quantum computing-resistant algorithms and schemes."
    • "… must be secure, cost-effective, fault-tolerant, and highly available."
  • Designs that are fault-tolerant and highly available:
    • Survivable key management systems

A collaborative project co-founded by PaceIT & The Gozo Business Chamber and Synaptic Laboratories Ltd

Eco-Gozo – a Better Gozo Action Plan 2010 – 2012
Project part-financed by the Government of Malta - Ministry for Gozo