31 August 2022
Future Research Challenges in Cybersecurity for European Digital Sovereignty
There is an increasing concern that most of the digital products and services that we use in the European Union are developed (at least partially) outside Europe.
Although this may make sense from an economic point of view, it may have grave implications for the safety and security of Europe in general, and of European citizens in particular. For example, compromised digital devices and services may spy on individuals and prevent them from having control over their own data. Such data may involve personal or professional confidential communications, location information, health status, financial transactions, etc. Compromised devices may leak such data to jurisdictions that have practically no laws with respect to protecting the data of citizens of the EU. To make matters worse, such compromised devices may even serve as weapons in the hands of hostile countries at a time of cyber aggression or even war. Indeed, they may be used to spy on people, to provide false data supporting information warfare, or even to work against the interests of their legitimate owners! In this setting it is not only individual citizens who are at risk: it is European Digital Sovereignty that is threatened!
Having realised the importance of the situation, four pilot projects (CONCORDIA, CyberSec4Europe, ECHO, and SPARTA) together with the European Cyber Security Organisation (ECSO) created a roadmapping focus group and embarked on understanding how the situation can be prevented with the help of research. Thus, they posed the following question:
Which are the most important research areas in cybersecurity that we need to address through research so as to strengthen European Digital Sovereignty?
As it turned out, this was definitely not an easy question. It was not as if the focus group did not have enough research areas to propose: rather they wanted to identify those research areas that would have the greatest impact on European Digital Sovereignty. Their conclusion was that there is a need to act in four major research areas:
- Trust-building blocks. The building blocks of a computer system are just like the building blocks of a house: if they are weak and frail, the house will not be stable. Similarly, using weak and untrusted components in computer systems can easily compromise the security and privacy of any applications that are running. Although one can think of several different building blocks, the focus group prioritised:
  - Holistic data protection
  - AI-based security
  - Systems security and security lifetime management
  - Secure architectures and next generation communication.
- Trustworthy ecosystems of systems. Thirty years ago, most computer programs consisted of no more than a few thousand lines of code, usually written by a single programmer. Today, most of the systems that we use consist of millions of lines of code and have contributions from thousands of programmers. For example, the first Linux operating systems were no more than 10,000 lines of code. Today, Linux consists of more than 17 million lines of code written by programmers all over the globe. And this is just one system in the chain of systems we may use. That is why an ecosystem of systems focuses on protecting not a single program, not a single system, but the entire chain of systems from the firmware to the operating system, to the user programs, all the way to user-level libraries. Examples of such systems identified by the focus group include secure platforms of platforms and infrastructure protection.
- Disruptive and emerging technologies. It is usually the new or emerging systems that have the most vulnerabilities. Older systems usually have had the opportunity to run for a longer time and be more thoroughly tested. Among the emerging technologies, the roadmapping focus group selected secure quantum technologies, secure AI systems and personalised privacy protection.
- Governance and capacity building. This priority seems to be horizontal and cuts across all security issues. It does not focus on one system or one security aspect: it can apply to all systems. In this spirit, the horizontal priorities in the area of governance and capacity building that were selected include education and training, certification and collaborative networks.
We believe that this research prioritisation work of the roadmapping focus group will be useful to cybersecurity researchers who would like to focus their work in areas that will make a significant difference for Europe. At the same time, we believe that this work will also be useful to policy makers who would like to encourage cybersecurity research in areas that will have a significant impact for European Digital Sovereignty.
For more information on this work please see our Deliverable D9.20 Policy Recommendations 2.