This project will provide solutions to multiple problems. The first one is the security of information technology. The range of issues addressed includes zero-day exploits (e.g., WannaCry ransomware), denial of service attacks (e.g., Mirai), hardware attacks (e.g., based on the Meltdown and Spectre CPU flaws) up to novel types of hardware Trojans. The possibilities for these attacks originate from weaknesses in the long IT supply chains and threaten the confidentiality, integrity, and availability of systems.
The second problem is that these attacks can also threaten the safety of products, e.g., in energy infrastructures or in the automotive industry.
The third problem lies in the loss of value added because of a migration of production and competences towards competing economies (e.g., US and China). Sovereignty would mean to have full control of the characteristics of information technology, to be sure that no hidden features are implemented, that no business secrets can be stolen, and to benefit economically from such control.
These objectives are difficult to meet because any component involved in the supply chain may have multiple flaws, possibly even due to problems in the development tools used. Furthermore, while more secure components will reduce overall costs, developing them may initially increase costs. Hence, regulation making secure systems mandatory can help because competing companies would operate under the same conditions. Since other parts of the world are also working on controlling the supply chains, research on options and there implementation in industry is indispensable.
The project will include the following activities:
- Risk analysis
- Exploration of technical options, such as (1) the control of the entire supply chain, from the application layers through to the operating system and the hardware and tools used; (2) open, certified and proven paths; (3) migration paths of solutions, e.g., from small systems to large ones
- Exploration of supportive economic and legislative actions
- Contribution to setting up a transition process and participation in the development of prototypes
- Discussion of results, involving stakeholders, and refinement of options, prototypes, and product visions
The objectives will be pursued by means of expert interviews, dissemination activities, workshops, maintenance of a website, as well as participation in the specification and development of prototypes.
Workshop on “Security and Sovereignty in the Information Technology Supply Chain”, organized by KIT, Fraunhofer SIT and Télécom ParisTech, on January 12, 2017
Weber, A.; Reith, S.; Kuhlmann, D.; Kasper, M.; Seifert, J.-P.; Krauß, C.
Open source value chains for addressing security issues efficiently efficiency policies. In: IEEE Xplore (Hrsg.): Proceedings of the 3rd Annual IEEE Workshop on Cyber Resilience and and Economics (CRE 2018), 16.-20.07.2018, Lissabon, Portugal. Lissabon, Portugal: IEEE Conference Publications 2019, S. 599-606, DOI: 10.1109/QRS-C.2018.00105
Weber, A.; Guilley, S.; Kasper, M.; Krauß, C.; Krüger, P.S.; Kuhlmann, D.; Reith, S.; Seifert, J.-P.
IT-Sicherheit gründlich lösbar? Zukunftsmotor 2(2018), S. 12-13
Weber, A.; Reith, S.; Kasper, M.; Kuhlmann, D.; Seifert, J.-P.; Krauß, C.
Sovereignty in information technology. Security, safety and fair market access by openness and control of the supply chain. Karlsruhe, Wiesbaden, Singapur, Darmstadt, Berlin: KIT-ITAS, HS RheinMain, Fraunhofer Singapur/SIT, TU Berlin 2018, publ. online
If you would like to provide feedback, if you are interested in co-operation, or if you would like to second the content of the White Paper, please contact arnd.weber∂kit.edu.
Publications from prior work
Weber, A.; Weber, D.
Governance sicherer Informationstechnik in offenen Netzen. Wege zu Sicherheit ohne Lücken und Hintertüren. In: Bogner, A.; Decker, M.; Sotoudeh, M. (eds.): Responsible Innovation. Neue Impulse für die Technikfolgenabschätzung? Berlin: edition sigma 2015, 151-164
Jacobi, A.; Jensen, M.; Kool, L.; Munnichs, G.; Weber, A.
Security of eGovernment Systems. Policy options assessment and project conclusions. European Parliament, June 2013
Weber, A.; Weber, D.
Verifizierte Virtualisierung für mehr Sicherheit und Komfort. DuD-Datenschutz und Datensicherheit (2012)1, S. 43-47
Volltext/pdf full text/pdf
Enabling crypto: How radical innovations occur. Communications of the ACM 45(2002)4, S. 103-107
Supplementing material: Interviews with Whitfield Diffie and Ralph Merkle.
full text/htm full text/htm
Pfitzmann, B.; Riordan, J.; Stüble, C.; Waidner, M.; Weber, A.
The PERSEUS System Architecture; IBM Research Report RZ 3335 (#93381), Zurich 2001
Dr. Arnd Weber
Karlsruhe Institute of Technology (KIT)
Institute for Technology Assessment and Systems Analysis (ITAS)
P.O. Box 3640