Could well-organised R&D create a 'vaccine' for cyber security?
How can we stay ahead of the attacker, protect everyone in an environment and enable freedom to interact? It's a problem the world confronts in both the Corona epidemic and cyber security. Vaccines promise a light at the end of the tunnel for the epidemic but for cyber security, we need to address that issue in a digital world that we have come to see as the new normal, but which is vulnerable to the growing threat of hackers and those who want to disrupt it. While there is no vaccine as such, the research that needs to go into finding solutions is just as vital as the race for a Corona vaccine that we have witnessed over the past year or so. A good moment, then, to consider R&D around cyber security. Sophie Proust, Chief Technology Officer of Atos, and Zeynep Sarılar, Chairwoman of ITEA, shared the screen and swapped some thoughts on the relevant issues.
New opportunities, new risks and changing landscapes
Sophie Proust attended the ITEA Cyber Security customer workshop last year. While everyone realises the growing importance of IT security, and "we are continuing to develop more and more knowledge about it, it has also become very evident over the past year," Sophie points out, "that we are becoming increasingly exposed, so much so that security is now part of our daily routine. It is a task that is well and truly being taken up at board level. As a leading global organisation, Atos is really supporting the cyber security journey." Turning to consider Industry 4.0 and the digital transformation that is an integral part of the transition, Sophie suggests that new possibilities have been generated, such as digital twins and sensors everywhere in the production plant. "But," she warns, "this expands the threat landscape. For instance, when it comes to IT operational technology, the landscape completely changes. The risk and the threat also change because we are in a regulated environment, which has been absolutely stable for years – the average lifetime of a production line is twelve years or so. And now they are facing attackers who operate outside the regulated framework. So what can you do? It puts us in a very vulnerable position. So that's why we need to have top-quality professionals at the top of their game. We also need to link the three domains – OT, IT and cyber. And it's in the convergence of these three domains that we are going to find a solution. In Atos we have a whole theme dedicated to OT security support capabilities, security operation centres targeted to OT, incident and response management services in this domain. The challenges are different than those we face in the IT world."
Hacking on a huge scale
The risks and threats that come with the proliferation of data go hand in hand with the digital transformation of industry. It is clear, suggests Zeynep, that with so many different modern-day 'highwaymen' – the hackers – hiding in the bushes along the manufacturing route to rob, steal and blackmail, industrial security has become a massive and critical issue. "Of course," explains Zeynep, "there are some naive hackers, for instance, who hack restaurants to get a free dinner but unfortunately there are also others that mean to do harm. Operating outside the rules and often with greater budgets than the companies that buy cyber security solutions, how can we compete with hacking on an industrial scale? How can we stay ahead of them? What kind of research are we doing in this respect?"
A race against time
"Cyber security must become a strategy at board level as I mentioned. We see it at Atos in the budget increase for this topic over the past few years. We see it increasingly as an integral budget item in more and more companies. Innovative technology is our ally. But it is the same for the hackers. We have to boost awareness among the potential 'victims' about the threats and actions of hackers. We need to stay one step ahead. It's a race, there's no two ways about it," Sophie says. "And they are making use of innovative technologies just as we are doing to prevent their attacks. But it's not only the hackers that we have to be concerned about. Cyber security also has to tackle misconfiguration issues. One of the problems is that prevention tends to happen after the event, so we are using AI to try to identify the threat and mitigate the risk before the attack can do harm. We adopt, for instance, cyber security posture management where you can gain an overview of all your possible vulnerabilities so that you can act. Essentially, we have to innovate and be faster if we are to outwit the hackers."
Collaboration is key
To this end, Atos not only engages in collaboration with universities because of their expertise in the area of vulnerabilities and technology co-evolution but also collaborates within the ITEA context on innovation within the cyber ecosystem and is part of the Charter of Trust. "Just take the ITEA Cyber Security customer workshop on which we have been working together," Sophie mentions. "I think it is important to create a bubble of security in which we share ideas on what the attacks might entail and how these could be prevented, so that we can reduce the opportunities of the malicious few through the combined strengths of the many. So collaboration with both customers and providers of cyber security is a very good way to fortify our 'shield'."
Tailoring the solution
Both Zeynep and Sophie are convinced of the power of collaboration, and ITEA provides the perfect environment to share experience and expertise from a wide variety of domains to build up a comprehensive picture of the cyber security issues that need to be tackled and to spark the innovation required to actually generate the requisite solutions. Atos can also play a central role in this given the variety of customers and domains in which it operates. "Indeed, Atos has explicitly focused on alignment with the needs of industry, not only in terms of cybersecurity but also in the whole digital transformation shift that is taking place. We need to understand their business," Sophie explains, "and be closer to them. Our solutions focus on the specific requirements of our customers' business and the industry in which they operate. In cyber security, the tools and methodologies you employ will differ from industry to industry. We identify the most important risks per industry, identify the data that is at risk and apply security solutions to mitigate those risks. Take access management, for instance, where many companies use biometry access control. In the health sector, in hospitals, this is not possible because people wear gloves, which prevents fingerprinting, so a much more practical alternative solution is to wear an authentication band."
Think global, act local
"That's exactly the approach the ITEA Community appreciates," Zeynep adds, "because by focusing on the customers' needs we can help them find the most suitable cyber security solutions. Plug and play preferably." And to do that, it is essential to leverage the input and expertise of multiple players. Furthermore, when developing solutions on a global scale, there is a real need to take local regulations and customs into account. As Sophie says, "Our approach is to think global but act local. Our products are, of course, configurable so that we can adapt to the local needs of each customer. Because specific regulations must be taken into account, we involve local customers by making them aware of these differences, and the impact of these on their projects. It's indeed another challenge we face."
Catch-22
Another challenge is the issue of data privacy and cyber security. "Where is the borderline?" asks Zeynep. "It's more of a blur than a line," Sophie suggests, "if you say that cyber security contributes to privacy by protecting access to data. On the other hand, cyber security is about monitoring data – you can see what is happening, which goes against privacy. It's a catch-22 situation – you can't have one without the other. So a balance needs to be struck, and this really is a challenge. But we have to accept that the threat of unauthorised access to our data is the biggest danger to our digital selves. And AI can even be a risk for privacy, extending the threat of analysis made out of your data. We are currently working on research that will enable encrypted data to be shielded from view. Look at the autonomous vehicle which communicates with the infrastructure. Cyber security for the immovable object, where there is greater anonymity, is more straightforward from a privacy perspective than for the moving vehicle and the driver, which make it a difficult challenge to overcome."
Power of research
"I think what is clear is that cyber security is a research topic for which the European Union needs to provide appropriate funding for projects. ITEA is one of the key platforms to help us generate innovative technologies and get them to the market fast. We've seen how amazing results can be achieved by collaborative research in producing corona vaccines at an unprecedented speed. We can do the same with cyber security. The increasing vulnerabilities – from private individuals to multinationals and governments – to malicious attacks cannot be underestimated. The hackers are becoming increasingly audacious and technologically sophisticated. We have to take the threats seriously and, as I said, fight the few with the force of the many."
Zeynep adds that "The deep knowledge created by the universities and the very agile SMEs who think out of the box together with the large industrial players that open the doors to create innovative solutions – this is a collaborative environment that really can pave the way to get on top of the threats and reduce the vulnerabilities."
Protecting the collaborative environment
Sophie: "In every aspect of our products we aim for security by design. Whether that's API in an application or attaching security to the communication, to both the person and the data, and by multiplying everywhere in the stack, by thinking in terms of cyber security when working in the ecosystem – in this way you can secure and ensure an open and collaborative environment. The open source model is also a very interesting approach because everyone can look at the code, there's no back door."
Zeynep: "When we work in a collaborative environment, we define our borders and what we really want to keep inside and what we are willing to share openly. When you have a secure environment, then you feel more secure, more willing to open and share. Trust is created. We often think of cyber security as something that intrudes on our lives but it actually has a very positive impact on our lives. We can share data with the ones we trust and love in a secure way."