cybersecurity research and innovation for a more secure britain - epsrc

CYBERSECURITY ISSUE 2.0

CYBERSECURITY RESEARCH AND INNOVATION FOR A MORE SECURE BRITAIN


The RCUK Global Uncertainties Programme brings together the activities of the UK Research Councils in response to global security challenges to help governments, businesses and societies to better predict, detect, prevent and mitigate threats to society. One such challenge is cybersecurity and EPSRC is taking the lead in investing in research and training to help ensure the UK’s citizens, communities and businesses are safe and have the confidence to get the most from cyberspace.

• £82 million of current EPSRC investments in research
• 96 research projects
• £27 billion lost through cyber crime
• £82 billion UK’s Internet-related market
• 6% of the UK’s GDP is enabled by the Internet and this is set to grow
• 93% of large corporations and 76% of small businesses reported a cyber breach in the last year

Key drivers

UK society is increasingly dependent on IT networks. Everything from energy, water, banking and shopping involves use of the Internet or other connected computer systems. More than three quarters of households in the UK now have internet access. It is estimated that there are 2.4 billion users on the Internet across the globe. As mobile devices, especially smartphones, become the norm for internet access, and as computers become embedded in everyday devices such as cars and televisions and increasingly communicate via the internet, the risks we face will alter and expand in unpredicted and unexpected ways. Reliance on cyberspace creates opportunities for the unscrupulous. Of the £27 billion lost through cyber crime in 2010, £3.1 billion was lost by individuals (fraud and ID theft) and £21 billion to industry (theft of intellectual property, customer data, price sensitive information). In addition to crime, there are also threats from malicious computer code disrupting government systems, both deliberately and accidentally, and the use of cyber techniques by one nation to bring about political or economic pressure on another. Research will be needed to understand the threats and risks we face, and devise suitable protection, mitigation and adaptation strategies.

“Over the last decade the threat to national security and prosperity from cyber attacks has increased exponentially. Over the decades ahead this trend is likely to continue to increase in scale and sophistication, with enormous implications for the nature of modern conflict. We need to be prepared as a country to meet this growing challenge, building on the advanced capabilities we already have.” — David Cameron, Prime Minister

Opportunities

For over 20 years EPSRC has been supporting research and training underpinning cybersecurity. We work in collaboration with other Research Councils and in partnership with key government agencies including GCHQ, CPNI and Dstl. As a result the UK has the world-class research base needed to meet cyber threats and enhance our security. We have expertise in computing, mathematics and the sociological and psychological disciplines that shed light on human behaviour and enable us to build systems which are better designed and easier to use. The UK has attracted many companies involved with the cybersecurity area including multinationals such as Hewlett-Packard, Thales, and Microsoft. These companies and many others actively engage with the UK research community. A safe and resilient IT infrastructure is necessary to ensure that the UK remains a desirable place for businesses to operate. Research Council investment in research and training helps to maintain this position.

“Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society.” — Francis Maude, Minister for the Cabinet Office

Research for the future

“Governments cannot deliver a safer online world. We need to work closely with industry to ensure that safe infrastructure and services can be provided to the public and share information and skills.” James Brokenshire, the Minister for Crime & Security. [1]

Good cybersecurity requires long-term, underpinning research of the highest quality that can keep pace with the changing environment. For example, in a £900,000 project at the University of Bristol researchers are addressing cloud computing (the ubiquitous, on demand network access to shared computing resources). In particular they are using their expertise in cryptography to find cost-effective, secure ways of accessing data.

A strong connection with users to ensure relevance and encourage take-up is an important component of our support. More than 200 collaborators work with the research community we support. They represent organisations in national and local government, law enforcement, civil engineering, ICT, transport, defence and aerospace.

For example, with total funding of £30m over five years from EPSRC, TSB, InvestNI, Queen’s University Belfast and industry collaborators, the Centre for Secure Information Technologies (CSIT) brings together research specialists in complementary fields such as data encryption, network security systems and intelligent surveillance technology. Other collaborators include Altera, BAE Systems, Cisco, Q1Labs and Thales, as well as government agencies such as the Home Office, GCHQ, CESG, CPNI and Dstl.

EPSRC have worked closely with GCHQ to recognise 11 UK universities as Academic Centres of Excellence in Cyber Security Research (ACE-CSRs) and have also partnered with them to identify two Research Institutes in strategically important subject areas within cybersecurity.

Skills for the future

Businesses, whether users or systems providers, need access to a skilled workforce able not only to work to minimise the risks, but also to design and implement new more resilient systems. EPSRC’s innovative postgraduate training programmes are providing the next generation of researchers with the skills required.

Two Centres for Doctoral Training (CDTs) in cybersecurity have been established jointly by EPSRC and BIS to provide the next generation of researchers with the advanced skills which are so important to the UK’s online future.

The Oxford University Centre for Doctoral Training in Cyber Security will cover some of the most pressing cyber security challenges our society faces today. The focus is on four key themes:
• the security of ‘Big Data’
• cyber-physical security
• effective systems verification and assurance
• real-time security

These themes link to many existing research strengths at Oxford, and extend their horizon into areas where technology is rapidly emerging and raising pressing cyber security concerns.

The projects undertaken at the Centre for Doctoral Training in Cyber Security at Royal Holloway will be driven by the problems faced by businesses and government. Among the range of topics they will investigate are:
• provably-secure ciphersystems and protocols
• systems engineering and security analysis
• trusted and trustworthy platforms
• organisational processes and socio-technical systems

Between them the two Centres will graduate more than 60 PhD students over seven years, making a significant contribution to UK capability in this essential area. Every CDT student’s training lasts for four years. It involves both masters-level education in a range of subjects addressing key areas of relevance to cyber security and a challenging and original research project.

Priorities for the future
• cyber crime: countering the financial and social damage.
• global threats, cyber war, ethics, regulation, policy and legality: understanding the complexity and countering the threats.
• human factors and usable security: understanding human behaviour as a route to improving the security of systems.
• risk identification, reduction, mitigation and management: looking at emerging uses of the Internet and the risks associated with them.
• secure management and use of data: looking at better ways of storing and sharing data as well as considering ethical and legal issues.
• making systems more resilient: investigating ways to protect infrastructure against malicious attacks.
• understanding and monitoring systems and networks: understanding system behaviour so abnormal activity can be identified.

[1] Speech at the launch of the International Cyber Security Protection Alliance, 5 July 2011


EPSRC is the main UK government agency for funding high-quality basic, strategic and applied research and related postgraduate training in engineering and the physical sciences, to help the nation exploit the next generation of technological change. It invests more than £800 million a year in a broad range of subjects – from mathematics to materials science, and from information technology to structural engineering. www.epsrc.ac.uk

August 2010

Engineering and Physical Sciences Research Council


The RCUK Global Uncertainties Programme brings together the activities of the UK Research Councils in response to global security challenges: poverty (including the effects of inequality & injustice), conflict, transnational crime, environmental stress and terrorism. The programme will help governments, businesses and societies to better predict, detect, prevent and mitigate threats to security. The Engineering and Physical Sciences Research Council (EPSRC) leads on the Cybersecurity strand of the RCUK Global Uncertainties Programme. www.globaluncertainties.org.uk


CASE STUDY 01

Riding with the White hats

A major issue in cyber security is staying ahead of attackers and ensuring that new systems are not vulnerable targets. This is where “White hats” come in (the term comes from Hollywood westerns where the good guys wear the white hats). The White hats help security companies to find weaknesses that could be exploited.

Andy King from the University of Kent used EPSRC funding to spend nine months working with White hats at security firm Portcullis to link his academic computer science research with real threats and vulnerabilities. His work revealed a weakness: the process relies on humans finding the errors. As he says, “The reasoning is if they can’t find the errors then no one else can, but that doesn’t mean those errors are not there and cannot be found so it makes sense to automate the process.”

Andy is now devising computer-based tools that will accelerate the discovery of security flaws. These tools will automate the time-consuming and labour-intensive tasks that have to be undertaken when searching for vulnerabilities. The project will develop program analysis techniques that will automatically recover information about the behaviour of a program, and then present it in a digestible form to the White hat.

CASE STUDY 02

Protecting children online

Recent years have seen a rapid rise in the number and use of online social networks. These pose two significant risks in terms of child exploitation by paedophiles: preying on children via chat rooms and web-based communities; and distributing and sharing child abuse media.

The Isis project, led by Professor Awais Rashid of Lancaster University working in collaboration with Swansea and Middlesex Universities, is using the expertise of the team in monitoring, natural language analysis, child protection and ethics to develop a toolkit with 94% accuracy in identifying masquerading adults. The team has helped law enforcement agencies identify those posing as children or using multiple identities to groom their victims. It has also worked with pupils helping them understand online risks.

The research has also developed a methodology to identify and mitigate ethical misuses of powerful policing tools. The results form the basis of guidelines for building and developing ethical monitoring solutions. The team’s research has featured in over 18 countries and is already being exploited. Isis Forensics Ltd, a spin-out company, has licensed the Language Analysis Software that has been developed by Lancaster University staff within the Isis project.

Academic Centres of Excellence in Cyber Security Research (ACE-CSRs)

In a national partnership with BIS, the Centre for the Protection of National Infrastructure (CPNI), GCHQ, the Office of Cyber Security and Information Assurance (OCSIA) and RCUK, EPSRC has recognised 11 UK universities as ACE-CSRs. They are:
• Imperial College London
• Lancaster University
• Newcastle University
• Queen’s University Belfast
• Royal Holloway, University of London
• University of Bristol
• University of Birmingham
• University of Cambridge
• University of Oxford
• University of Southampton
• University College London

These 11 centres conduct world-leading research and training activities which will ultimately help protect the UK’s citizens, businesses, infrastructure and government from cyber threats by extending knowledge and enhancing skills in cyber security. The ACE-CSR scheme is one of a number of initiatives outlined in the UK Government’s National Cyber Security Strategy. The Strategy describes how Government is working with academia and industry to make the UK more resilient to cyber attacks. Each ACE-CSR receives a support grant from EPSRC to help them to work with partners in the private, public and third sectors.

EPSRC-GCHQ Cyber Research Institutes

Two academic Research Institutes have been established jointly by EPSRC and GCHQ to tackle some of the UK’s most pressing cybersecurity challenges. Through these Institutes we are supporting more than £10m of collaborative research activity which is inspired by real world, cutting edge, security issues.

The Research Institute in the Science of Cyber Security is a virtual organisation involving seven universities. Its Director is Professor Angela Sasse of University College London. It brings together leading academics in the field of cybersecurity – including social scientists, mathematicians and computer scientists – from across the UK. Its research programme will help to answer two common questions faced by any organisation interested in enhancing its security: how secure are we, and how do we make better security decisions?

The Research Institute in Automated Programme Analysis and Verification is led by Professor Philippa Gardner of Imperial College London. Its partners across six leading UK universities will investigate new ways of automatically analysing computer software to reduce its vulnerability to cyber threats. Its outputs will provide businesses, individuals and government with additional confidence that software will behave in a secure fashion when installed on operational networks.