Kasi Research Project
Tekes Safety and Security Research Program
Final Report, March 11, 2011

Olli Pitkänen, Risto Sarvas, Asko Lehmuskallio, Miska Simanainen, Vesa Kantola
Helsinki Institute for Information Technology HIIT / Aalto University

Mika Rautila, Arto Juhola, Heikki Pentikäinen
VTT Technical Research Centre of Finland

Ossi Kuittinen
Sitra

Executive Summary
This report presents the major findings of the research project Kasi – Future Information Security Trends (Kasi – tulevaisuuden tietoturvatrendit), conducted by Helsinki Institute for Information Technology HIIT and VTT Technical Research Centre of Finland. The project is part of the Tekes Safety and Security Research Program (Tekesin Turvallisuus-ohjelma), and its purpose is to provide rigorous and systematic foresight knowledge for the implementation of the Finnish National Information Security Strategy (kansallinen tietoturvastrategia).

The aim of the project was to study near-future information security issues related to, for example, new technologies, services, and business models. Our approach combines perspectives from different disciplines in order to better address the complexity of the focus area. We identified relevant future information security trends for the next five to ten years, especially from the Finnish viewpoint, by collecting and analysing specialists' conceptions and knowledge of the various developments in their professional fields. To deepen the analysis, we also specified factors and attributes that affect the realization of the trends. In addition, our objective was to evaluate the need for establishing a separate program for continuous foreseeing activities and to provide methodological and procedural guidelines for carrying it out.

Our research process went through five separate steps: 1) outlining possible future environments, 2) creating concrete future scenarios or stories, 3) analyzing information security issues in the