ENISA: analysis of the research and development priorities of the cyber sector

(By Alessandro Rugolo)
01/02/19

The European Union Agency for Network and Information Security (ENISA) is the European center of cyber experts. Its head office is in Athens, Greece, while a branch is located in Heraklion, Crete.
The task of the European Agency is to:
- provide recommendations;
- support the production of sector policies and their implementation;
- provide training for citizens, companies and Member States;
- carry out various other activities.
On the site you can find information on European studies, on existing CERTs / CSIRTs, and on research and development studies in progress. Among the documents in this last category made available on the site, I had the opportunity to read the "Analysis of the European R & D in cybersecurity", subtitled "Strategic in cybersecurity for a safer Europe", issued in December 2018. I will try in a few lines to give you an idea of what it is and what its importance is, and I will make some general considerations about it.

I begin by saying that it is a strategic analysis document. The aim of the document is to identify the cyber risks to which European society will be exposed and to identify the research priorities that will help to reduce or eliminate them. The aim is therefore to "play in advance".
To do this, the author carried out a series of interviews with experts in the field, analyzed the data collected together with ENISA's experts, and tried to imagine the European society of 2025 from a social, technological and business point of view.
Let's start with the analysis of the "Europa 2025" scenario.

Europe 2025 foresees that devices connected to the internet are by now the norm, so every sector of society is highly connected. Operators in the sector (energy, transport, banks, digital infrastructures, hospitals) as well as all public administrations and industry provide online services.

There could be about 80 billion connected devices in the world (compared to a population of about 8 billion people). The IoT (Internet of Things) is turning into the IoE (Internet of Everything), which in turn influences society. It has become common practice to use connected wearable devices that can be controlled by voice. 5G technology enables improvements in connection services. Education and training are more effective thanks to the use of new technologies such as augmented reality and gamification techniques.

Society's attention to cyber issues has increased. Many initiatives have been launched that promote the creation of systems and services according to the concept of "security by design".
Unfortunately, social tensions exist between a "cyber aware elite" and a sub-culture of "less aware" workers.

Governments ask citizens to use online services for all administrative services, which implies the use of a digital identity. Very high computational and cloud storage capabilities are now available. Artificial Intelligence (AI) is used for the behavioral analysis of the collected data and to develop services and products better adapted to users' needs. Unfortunately, criminal organizations are also starting to use it. There is still no clear regulation on the use of AI.
Internet giants have become even bigger and more powerful, and they not only analyze and answer customer questions but guide their choices and desires.
Quantum technology starts to develop ...
I stop here in the description of the scenario; anyone who wishes can find it in full on the ENISA site.

The ENISA document continues by analyzing the scenario described and then identifying a series of recommendations aimed at reducing the identified risks. The recommendations focus on some aspects of the cyber dimension, in particular:
- promoting awareness of the use of technologies, their limitations and their risks, and the development of systems designed to guarantee data security and privacy. It is also suggested to encourage innovation in the dissemination of knowledge about the risks of the cyber world;
- encouraging the transfer of knowledge between experts specialized in security and the wider academic world, and facilitating the teaching of the principles of security in the faculties of "computer science";
- promoting an artificial intelligence that is comprehensible to humans and whose reliability is guaranteed;
- facilitating research on quantum cryptography technologies and quantum distribution of encryption keys for high security communications;
- on the complexity of risk, promoting the development of new risk analysis and impact approaches for complex and interdependent systems. Furthermore, it is suggested to define interoperability interfaces between critical infrastructures that are designed to prevent cascading effects;
- in the cybercrime sector, facilitating research in the field of safety prioritization and in the development of innovative situational awareness tools;
- finally, in the field of privacy risks, promoting and spreading the development and use of technologies that guarantee high standards of privacy, and the development of special assessment tools.

Naturally the document is much more complete than what I have written, and it analyzes in detail some areas of interest, which certainly makes it interesting and instructive reading.
But I want to dwell on some aspects related to the scenario. When constructing scenarios, the risk is to leave out some areas that should be considered, and this could make the resulting risk analysis partially incorrect.
In our case there are in fact several areas that, in my opinion, were not considered and that would require some attention, in particular:
- the use of cryptocurrency. Today there are signs that cryptocurrencies are likely to be increasingly used, even in the government and banking / insurance sectors;
- blockchain technology will continue to develop and will replace some technologies, including in the digital identity sector;
- DNA data coding techniques are already being tested and have achieved good results (see article). It is reasonable to think that they will be developed to allow the coding, storage and transmission of data over time and space, especially in the field of industrial and military secrecy;
- the development of space activities will have reached a good level in the industrial world and will have led to the development of new communication systems. This should also boost the development of new types of armaments;
- the development of increasingly complex cyber weapons and their use by States should lead to an increase in the use of the deterrent weapon, i.e. more and more States will declare that they will use their own offensive cyber-military capabilities in response to attacks or to safeguard national interests. This should lead to the stipulation of "non-proliferation treaties", similar to what happened in the field of weapons of mass destruction.

Let me be clear that the above is my vision of what is missing in the "Europa 2025" scenario.
Now, the introduction of these new factors into the Europe 2025 scenario, if they are considered valid, leads as a logical consequence to the need to review the risk analysis and find the most suitable prevention or mitigation methods, but that is beyond the scope of this article.

To learn more:
- https://www.enisa.europa.eu/;
- https://www.enisa.europa.eu/publications/analysis-of-the-european-r-d-pr...