Hacker attacks targeted at governments and companies, a significant data leak affecting holders of Swiss Federal Railways’ SwissPass, and a cyberattack that compromised data held by the International Committee of the Red Cross (ICRC) in Geneva: examples of complex risks abound in cyberspace. The question of what makes the digital world secure is a highly charged issue that concerns ETH researchers in many different ways.
One of the most important risk factors in today’s world is the Internet. It appears to be a smooth-running machine that connects the world in unprecedented ways – yet it allows malicious actors to interact with innocent users and fuels long-distance conflicts. Furthermore, the outdated architecture of the Internet itself causes a steady stream of serious problems.
Fast, Safe and Efficient
Everyone knows that the modern Internet has some significant flaws, but Professor Adrian Perrig of the ETH Zurich Network Security Group is confident they can be fixed. Perrig is the originator of a simple concept to make the Internet systematically more secure without disrupting its operation. He describes his approach as “Scalability, Control and Isolation on Next Generation Networks,” or “Scion” for short. Its core idea is to divide the Internet into different regions and transmit data packets along predefined paths, preventing information from passing through points where it could fall into the wrong hands.
Many are now trying to put Perrig’s concept into practice. He is backed by a variety of collaborators, including Peter Müller and David Basin, two ETH professors whose groups are engaged in validating Scion and validating program code. His work so far has been remarkably successful. Last autumn, for example, Swiss National Bank together with SIX Group, ETH spin-off Anapaya and other partners launched the Secure Swiss Finance Network based on Scion technology. His concept has also been adopted by the Swiss Federal Department of Foreign Affairs, which uses Scion connections to communicate with embassies.
And it’s not just a question of better safety, Perrig says: Scion is also faster and more energy-efficient. By providing more paths to transmit data, Scion makes optimum use of infrastructure. And with the option to choose which path a data packet should take, it’s easy to choose the one with the lowest CO₂ emissions.
Perrig initially thought this faster, more secure and environmentally friendly approach would be a sure-fire success. So he was surprised by the tremendous effort required for adoption. Fundamentally new approaches often struggle to gain mainstream acceptance, but a web of market dependence has also impeded adoption. No customer will use Scion technology if no Internet provider provides it – and with no users, there is no need to standardize the protocol. In turn, providers are hesitant to invest in the technology.
But Perrig’s persistence is finally paying off. Various providers, including the Swiss telecom companies Swisscom, Sunrise and Switch, have started offering a Scion Internet service. Providers in other countries are also starting to show interest in the new concept, and Perrig is confident it is now on track: “Scion is the first inter-domain routing infrastructure to be deployed in practice in the 30 years since the Border Gateway Protocol.” He also argues that switching to a new Internet architecture is inevitable in the medium term: “Today’s Internet is very vulnerable given the critical nature of the systems it relies on.”
Small and Delicate
But apart from the risks posed by the network, dangerous vulnerabilities also lie hidden within the computer itself. As chips become more complex and the capacitors and transistors that make them up become smaller, they become more vulnerable to sophisticated attacks. For example, hackers can launch what are known as side-channel and Rowhammer attacks, which compromise the integrity of data in the dynamic memory of computers, tablets and smartphones. Experts have long been familiar with how these attacks happen. Still, chip makers have yet to take strong enough countermeasures, as recently demonstrated by Kaveh Razavi, Assistant Professor of Secure Systems Engineering.
This is all the more worrying because fixing vulnerabilities in hardware is much more challenging than fixing software bugs. These classes of attacks are not a big problem at present because there are easier ways for hackers to infiltrate people’s computers. But the more we improve our defenses against other attacks, the more attractive these new hardware attacks become.
Razavi’s research focuses on protecting entire computer systems, including software and hardware, and he is currently working on projects with several large chipmakers. “In some of these projects, we’re going deeper into systems and developing new chip design methods. In others, we’re more concerned with the impact of programs on the hardware,” he explains.
Ultimately, everyone is interested in improving security – yet it’s a dilemma for computer manufacturers. The added security comes at a cost, but only some consumers are willing to pay more or sacrifice performance in exchange for more protection. Razavi also faces a dilemma: as a scientist, he needs to publish his findings as quickly as possible in order to gain an edge in the cut-and-thrust world of academia – but his industry partners have other ideas. “We follow the principle of responsible disclosure,” he says. “In other words, we give companies time to fix flaws before publishing them.” Razavi also enlists the support of the Swiss federal authorities. For example, his discovery of a vulnerability in dynamic memory led to a joint publication with the National Cyber Security Center, which has been the agency responsible for recording significant vulnerabilities in Switzerland since last September.
Yet technical measures alone are not enough to make cyberspace secure, says Razavi. “We also need input from policymakers because questions about how we share data and who has the right to access certain types of information are political decisions that engineers should not be expected to make,” he says.
Neutral and Transparent
Such policy issues fall under the purview of Jakob Bund, who leads the cyber defense project in the Risk and Resilience team at the ETH Zurich Center for Security Studies. One of the team’s functions is to examine how governments and organizations protect themselves from risks in cyberspace. “We provide policymakers with the scientific principles needed to make decisions,” he says. To do this, Bund maintains regular contact with the Swiss Department of Defense and the Armed Forces Command Support Organization, which will be transformed into a military cyber command by early 2024.
As a political scientist, his job is to put technological risks into political context. “We are concerned about the potential impacts,” he says. “For example, how are these technologies being deployed? What can they be used for? And how do they differ from traditional methods?”
Today’s governments face competition and conflicts in cyberspace at many different levels: spreading false information in social networks, using cyber espionage to obtain secret information, and deliberately trying to cripple their adversaries’ critical infrastructure. Yet individual actions can only be adequately understood within a broad strategic framework, Bund says – and by continually re-evaluating what actors hope to achieve and the impact their activities may have. Experts are currently engaged in a heated debate about the possibility of setting rules for governments in cyberspace. “It’s a complicated process,” Bund says. “Along with defining what it means for a state to behave responsibly in cyberspace, we also need to figure out how we want to ensure those norms are adhered to in the future.”
The US presidential election in 2016 was a wake-up call for how sophisticated state-sponsored cyber conflict has become. “The cyber espionage campaign in the US targeting the national headquarters of both major parties came as no surprise,” says Bund. “But the way some of the stolen information was used to manipulate voting decisions in an election campaign was a new combination of existing tactics and tools.” It shows how modern governments now have completely new ways of interfering in the affairs of another country. According to Bund, Europe still underestimates the importance of this point: “One possible explanation is that it is hard to see the impact on election campaigns here because many continental European countries have a wide range of political parties.”
One aspect of particular interest to Switzerland is the law of neutrality. It has been modified on several occasions to reflect the emergence of new technologies such as telegraphy and radio – but the question now is how far the concept of neutrality can be extended to cyberspace. “Cyberspace spans the globe and has many fault lines,” Bund says. “Yet it is also linked to infrastructure in the real world. Switzerland and other countries need to consider the circumstances under which these digital entanglements may expose them to geographically distant conflicts.”
And that’s not the only reason why Switzerland should have this conversation: it also needs to consider its duty to protect international organizations based on Swiss territory. “These organizations are an attractive target for cyber espionage,” Bund says. “And that makes Switzerland more likely to be caught in the crosshairs of dangerous actors working through cyberspace.” He argues that learning how other countries are protecting themselves from cyber risks should be a top priority. “And independent scientists like us can help share that kind of knowledge,” he says.
Source: ETH Zurich