Category: Cyber Security CII sector

The race to protect sensitive electronic information against the threat of quantum computers has entered the home stretch.

After spending more than three years examining new approaches to encryption and data protection that could defeat an assault from a quantum computer, the National Institute of Standards and Technology (NIST) has winnowed the 69 submissions it initially received down to a final group of 15. NIST has now begun the third round of public review. This “selection round” will help the agency decide on the small subset of these algorithms that will form the core of the first post-quantum cryptography standard.

“At the end of this round, we will choose some algorithms and standardize them,” said NIST mathematician Dustin Moody. “We intend to give people tools that are capable of protecting sensitive information for the foreseeable future, including after the advent of powerful quantum computers.”

The latest details on the project appear in the Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process (NISTIR 8309) - https://csrc.nist.gov/publications/detail/nistir/8309/final - which was published recently. NIST is asking experts to provide their input on the candidates in the report.

“We request that cryptographic experts everywhere focus their attention on these last algorithms,” Moody said. “We want the algorithms we eventually select to be as strong as possible.”

Classical computers have many strengths, but they find some problems intractable — such as quickly factoring large numbers. Current cryptographic systems exploit this difficulty to protect the details of online bank transactions and other sensitive information. Quantum computers could solve many of these previously intractable problems easily, and while the technology remains in its infancy, it will be able to defeat many current cryptosystems as it matures.

Because the future capabilities of quantum computers remain an open question, the NIST team has taken a variety of mathematical approaches to safeguard encryption. The previous round’s group of 26 candidate algorithms were built on ideas that largely fell into three different families of mathematical approaches.

“Of the 15 that made the cut, 12 are from these three families, with the remaining three algorithms based on other approaches,” Moody said. “It’s important for the eventual standard to offer multiple avenues to encryption, in case somebody manages to break one of them down the road.”

Cryptographic algorithms protect information in many ways, for example by creating digital signatures that certify an electronic document’s authenticity. The new standard will specify one or more quantum-resistant algorithms each for digital signatures, public-key encryption and the generation of cryptographic keys, augmenting those in FIPS 186-4, Special Publication (SP) 800-56A Revision 3 and SP 800-56B Revision 2, respectively.

For this third round, the organizers have taken the novel step of dividing the remaining candidate algorithms into two groups they call tracks. The first track contains the seven algorithms that appear to have the most promise.

“We’re calling these seven the finalists,” Moody said. “For the most part, they’re general-purpose algorithms that we think could find wide application and be ready to go after the third round.”

The eight alternate algorithms in the second track are those that either might need more time to mature or are tailored to more specific applications. The review process will continue after the third round ends, and eventually some of these second-track candidates could become part of the standard. Because all of the candidates still in play are essentially survivors from the initial group of submissions from 2016, there will also be future consideration of more recently developed ideas, Moody said.

“The likely outcome is that at the end of this third round, we will standardize one or two algorithms for encryption and key establishment, and one or two others for digital signatures,” he said. “But by the time we are finished, the review process will have been going on for five or six years, and someone may have had a good idea in the interim. So we’ll find a way to look at newer approaches too.”

Because of potential delays due to the COVID-19 pandemic, the third round has a looser schedule than past rounds. Moody said the review period will last about a year, after which NIST will issue a deadline to return comments for a few months afterward. Following this roughly 18-month period, NIST will plan to release the initial standard for quantum-resistant cryptography in 2022.

The European Union Agency for Cybersecurity (ENISA) is unveiling its new strategy, which outlines the Agency’s strengthened path towards achieving a high common level of cybersecurity across the Union. The strategy was developed to fulfil the Agency’s permanent mandate established last year by the EU Cybersecurity Act (CSA). Under the strategy, the Agency takes on the vision of ‘A Trusted and Cyber Secure Europe’ and enhanced mission: “to achieve a high common level of cybersecurity across the Union in cooperation with the wider community.''

Jean-Baptiste Demaison, Chair of the ENISA Management Board, stated: "The EU Agency for Cybersecurity with its permanent mandate and enhanced role and capabilities will be instrumental in supporting Member States and EU institutions to face the cyber challenges of the future."

Juhan Lepassaar, Executive Director of the European Union Agency for Cybersecurity, said: “Our new strategy acts as a compass, guiding the Agency’s work towards a trusted and cyber secure Europe. It will strengthen our key relationships within the cybersecurity ecosystem and equally it will be a key driver for the Agency to follow new values.”

What are the strategic objectives?

The strategy proposes concrete goals for the Agency in the form of seven strategic objectives that will set the priorities for European Union Agency for Cybersecurity in the coming years. These strategic objectives are as follows:

1 - Empowered and engaged communities across the cybersecurity ecosystem;
2 - Cybersecurity as an integral part of EU polices;
3 - Effective cooperation amongst operational actors within the Union in case of massive cyber incidents;
4 - Cutting-edge competences and capabilities in cybersecurity across the Union;
5 - A high level of trust in secure digital solutions;
6 - Foresight on emerging and future cybersecurity challenges;
7 - Efficient and effective cybersecurity information and knowledge management for Europe.

What we want to achieve?

• An EU-wide, state-of-the-art body of knowledge on cybersecurity concepts and practices that builds cooperation amongst key actors in cybersecurity, promotes lessons learned, EU expertise and creates new synergies;
• An empowered cyber ecosystem encompassing Member States’ authorities, EU institutions, agencies and bodies, associations, research centres and universities, industry, private actors and citizens, who all play their role in making Europe cyber secure;
• Proactive advice and support to all relevant EU-level actors bringing in the cybersecurity dimension in the policy development lifecycle through viable and targeted technical guidelines;
• Cybersecurity risk management frameworks that are in place across all sectors and followed throughout the cybersecurity policy lifecycle;
• Continuous cross-border and cross-layer support to cooperation between Member States, as well as with EU institutions. In particular, in view of potential large scale incidents and crises, support the scaling up of technical operational, political and strategic cooperation amongst key operational actors to enable timely response, information sharing, situational awareness and crises communication across the Union;
• Comprehensive and rapid technical handling upon request of the Member States to facilitate technical and operational needs in incident and crises management;
• Aligned cybersecurity competencies, professional experience and education structures to meet the constantly increasing needs for cybersecurity knowledge and competences in the EU;
• An elevated base-level of cybersecurity awareness and competences across the EU while mainstreaming cyber into new disciplines;
• Well prepared and tested capabilities with the appropriate capacity to deal with the evolving threat environment across the EU;
• Cyber secure digital environment across the EU, where citizens can trust ICT products, services and processes through the deployment of certification schemes in key technological areas;
• Understanding emerging trends and patterns using foresight and future scenarios that contribute to mitigating the cyber challenges of the Agency’s stakeholders;
• Early assessment of challenges and risks from the adoption of and adaptation to the emerging future options, while collaborating with stakeholders on appropriate mitigation strategies;
• Shared information and knowledge management for the EU cybersecurity ecosystem in an accessible, customised, timely and applicable form, with appropriate methodology, infrastructures and tools, coupled and quality assurance methods to achieve continuous improvement of services.
  How will ENISA use the strategy?

The strategy’s high-level objectives are directed at shaping a more digitally secure environment for Member States, EU Institutions, Agencies and Bodies, SMEs, academia and all of Europe’s citizens. The European Union Agency for Cybersecurity will use the new strategy to map out its annual work programme to improve security across the Union, and specifically to:

• Better identify and understand the future cybersecurity capabilities needed to maintain competitiveness and preparedness.
• Build on the Agency’s trusted relationships with stakeholders and communities within the cybersecurity ecosystem across Europe.
• Guide ENISA communications within and beyond the Union, to non-EU countries and international organisations.
• Deepen the knowledge and information sharing of ENISA expertise to reach larger audiences and increase awareness of digital security.
• Provide cybersecurity stakeholders a clear understanding of the Agency’s priorities and actions.
• Shape the future outlook of cybersecurity across the Union.

The strategy is both an aggregation of the tasks identified by the Cybersecurity Act and the developed synergies within Articles 5-12 of the CSA.

This publication by the European Union Agency for Cybersecurity outlines the Agency’s strategic objectives to boost cybersecurity, preparedness and trust across the EU under its new strengthened and permanent mandate.

The Italian National Postal and Communication Police Unit (Polizia Postale e delle Comunicazioni) and the Romanian National Police (Poliția Română), supported by Europol and Eurojust, dismantled an organised criminal group involved in financial fraud, cybercrime and money laundering.

On 7 July, Italian and Romanian law enforcement authorities carried out 12 house searches and arrested 12 individuals (8 in Italy and 4 in Romania). The operation led to the seizures of personal computers, credit cards, properties, vehicles and other assets with an overall estimated value of over €1.5 million.

The criminal organisation was using a wide network of money mules in Italy, created to launder criminal proceeds from a variety of cybercrime activities. The criminal group was involved in financial frauds and cyber scams such as rental fraud (fraud through the advertisement of non-existent properties to rent) and CEO fraud (impersonating a company official to trigger large transfers to bogus accounts). With these frauds, the criminals were deceiving victims across Europe into making wire transfers to Italian bank accounts, owned by the money mules. It is estimated that the criminal group has generated up to €20 million losses per year for victims across Europe.

Europol supported the operation by facilitating information exchange and providing analytical support. During the two action days, Europol deployed an expert to Italy to cross-check in real time operational information against Europol’s databases and provide leads to the investigators in the field.

Eurojust facilitated the coordination of the operation and the cooperation between the judicial authorities involved in the case.

On 27 June 2020, the European Union Agency for Cybersecurity (ENISA) celebrated the first anniversary of the EU Cybersecurity Act (CSA) and its strengthened role towards securing Europe’s information society. The CSA gave the Agency a permanent mandate, a new list of tasks and increased resources, and also established the EU cybersecurity certification framework.

The Agency now plays a key role in setting up the framework and builds on its past work towards achieving a high common level of cybersecurity across the European Union by actively supporting Member States, EU institutions, industry, academia and citizens. Regarding the framework, the Agency is close to completing the first cybersecurity certification scheme and is making rapid progress towards a second one, on cloud services.

The mandate has also expanded the Agency’s role in supporting capacity-building and preparedness capabilities, as well as operational cooperation - areas that continue to be put to the test during the COVID-19 pandemic. ENISA acted quickly at the onset of the pandemic by preparing awareness campaigns, sets of tools and publications offering in-depth guidance on cyber safety for organisations, businesses and citizens, all publically available on the webpage COVID19.

Under its expanded role in policy development and implementation, ENISA has thrived, especially in the area of emerging technologies. For 5G security, ENISA has been involved in each phase and continues to support the European Commission and Member States as a common toolbox is being implemented. Last year, the Agency also supported the EU Member States with developing an EU-wide joint risk assessment regarding the 5G roll out, and delivered a 5G threat landscape report, which analyses threats at a more technical level. On Artificial Intelligence, the Agency has set up a 15-member ad-hoc working group on Cybersecurity for AI that will further advance European expertise on AI threats and solutions.

In addition, ENISA has welcomed the newly mandated tasks around research and innovation by creating the EU cybersecurity skills framework and fostering collaboration amongst the four cybersecurity pilot projects of the European Cybersecurity Competence Network.