Activity report 2018-2019

Technical Committee (TC) CYBER (cybersecurity)

Chairman: Alex Leadbeater, BT

Responsible for the standardization of cybersecurity and for providing a centre of relevant security expertise.

Security lives everywhere, mediating all aspects of our digital lives. The rapid evolution and growth in the complexity of new systems and networks, coupled with the sophistication of changing threats, present demanding challenges for maintaining the security of Information and Communications Technologies (ICT) systems and networks.

Security is particularly important to new developments based on networked digital systems such as the Internet of Things (IoT) and Industry 4.0, where critical infrastructures can be disrupted through Denial of Service attacks introduced via something as insignificant as a webcam. In addition, virtualization technologies which, in combination with data networking, have enabled Cloud computing, offer numerous benefits, but they also bring with them specific security threats. To counter these threats, it is essential to develop trusted computing platforms.

At the same time, sensitivity towards the privacy of individuals/organizations and their data is intensifying with media exposure of insecure practice by governments and businesses, and there has been a proliferation of legislation worldwide, driven by these growing security concerns. Balancing the twin demands of privacy and protection is a major challenge. Solutions must include a reliable and secure network infrastructure, but they also depend on trust on the part of users – both individuals and businesses – that privacy, confidentiality, secure identification, privacy-friendly security, the visibility of security and other concerns are properly addressed.

Security standardization, sometimes in support of legislative actions, thus has a key role to play in protecting the Internet and the communications and business it carries. Our Cybersecurity committee (TC CYBER) is addressing many of these issues. Working closely with other stakeholders, the committee produces standards to meet strategic high-level needs, and co-ordinates the work of those committees within ETSI which deal with security aspects in their own technical areas. We work in close co-operation with numerous international, regional and national organizations and governments involved in cyber security, including the International Telecommunication Union (ITU) and the International Organization for Standardization (ISO). TC CYBER also develops standards itself for security requirements that are not catered for elsewhere in ETSI, and offers security advice and guidance to users, manufacturers and network and infrastructure operators.

Held in Brussels in February 2018, a joint workshop with ETSI, CEN, CENELEC and ENISA on the European Cybersecurity Act brought together more than 200 policy makers, industry representatives, standardization organizations, consumer associations and certification bodies. Providing an overview of the current legislative and standardization landscape, the event focused on key challenges that need to be addressed to implement the Act efficiently and increase trust in ICT products and services placed on the European market.

Enforced in May 2018, the GDPR is Europe’s legislative machinery to deal with data protection. ETSI’s role as a forum to exchange views impacting enterprises and citizens was highlighted in April at our Summit ‘Releasing the Flow: Data Protection and Privacy in a Data-Driven Economy’.

In August, TC CYBER issued two specifications on Attribute-Based Encryption (ABE), a key technology that bundles access control with data encryption to protect personal data securely in highly distributed systems such as 5G and the Internet of Things. Enforcing access control at a cryptographic level, ABE provides better security assurance than software-based solutions.

We also updated our Technical Report on the Global Cyber Security Ecosystem that provides a structured overview of work occurring in multiple technical forums worldwide.

In September we published various updates to our multi-part Technical Report on Critical Security Controls for Effective Cyber Defence. These updates cover areas of privacy enhancement, measurement and auditing, facilitation mechanisms and service sector implementations.

In October 2018, we released a cybersecurity specification to secure sensitive functions in a virtualized environment. The specification addresses the case where organizations want to protect customer data whilst still using a cloud that is not under their direct control. It does so through an interface between a trusted ‘secure vault’, in which the sensitive data is stored, and a cloud that could be anywhere. This allows a sensitive function to exist in a lower security environment, with data held securely.

Standards activities related to network gateway cyber defence have increased significantly due to an array of business and compliance obligations. A focus area of TC CYBER is so-called ‘middleboxes’ that are implemented at the boundaries between networks to enable secure communication between end-points, helping network providers to safeguard against viruses, malware and other threats. In November 2018 we released our first Middlebox Security Protocol specification. Driven directly by industry needs, this supports vital data centre operations including compliance and detection of external attacks on encrypted networks. Helping data centres and enterprise networks to meet their service obligations and legal mandates, the specification also offers visibility over access to users’ data.

Quantum Safe Cryptography

Now formally incorporated into TC CYBER, our Working Group on Quantum Safe Cryptography (QSC) has maintained its interest in practical implementation of quantum safe cryptography, publishing several reports spanning performance considerations, protocols, benchmarking and architectural considerations for specific applications. The group’s work also feeds into other organizations such as the ITU and the Internet Engineering Task Force (IETF).

The future integrity of Virtual Private Networks (VPNs) is threatened by the prospect of quantum computers circumventing current cryptographic techniques. In October 2018 we issued a Technical Report exploring requirements to add quantum resistance to VPN technologies, including client, server and architectural considerations.

In November we held our sixth Quantum Safe Cryptography workshop in Beijing, co-organized with the University of Waterloo’s Institute of Quantum Computing and Chongqing University.

Look out for in 2019 – TC CYBER work in progress:

  • Technical Specification (TS) on Critical Security Controls for MSP defence
  • Technical Report (TR) on guidelines for increasing smart meter security
  • TS on techniques for assurance of digital material used in legal proceedings
  • TR on Quantum-Safe Identity-Based Encryption
  • TR on Quantum-Safe Signatures
  • Revision to TS on Attribute-Based Access Control
  • TS on Middlebox Security Protocol
  • TS on identity management and naming schema protection mechanisms
  • TS on mechanisms for privacy assurance and verification
  • Revision to TS on methods and protocols for security
  • TR - Guide to Identity Based Encryption (IBE)
  • TS on metrics for identification of Critical Infrastructure
  • TS on Quantum-Safe Hybrid Key Exchanges