There’s more to the Internet than just the likes of Google, Facebook and Twitter. There’s a whole infrastructure constructed behind it. If Swiss values could be injected into it, perhaps confidence in the Internet might be restored. While all the talk is about cybersecurity, there is still a great deal of uncertainty. That’s what experts from the ETH Domain have to say about this issue.

Symbolic image Shutterstock

Cybersecurity. Or security in the digital realm, which is frequently no longer even called cyberspace be-cause it has long since become part of our everyday lives. And that’s precisely where the problem lies too. Some people still haven’t developed a sense of this space, especially of its dark corners and pitfalls. The German Chancellor Angela Merkel called it “uncharted territory” a few years ago and was criticised on the Internet for that comment. But she wasn’t altogether wrong. Society is taking this “uncharted territory” – and everything that makes it work – too much for granted. 

It has become clear to every Internet user since the US whistle-blower Edward Snowden made his revelations, if not before, that ambiguities and dangers lurk pretty much everywhere on the Internet. And new stories keep cropping up: it was recently reported that Asian hardware companies had been incorporating discreet back doors into the electronic infrastructure we use every day.

Nothing seems safe any more. You are left with a sense of unease and many questions. Where’s the threat actually coming from? What everyday digital activities and, more especially, which careless actions make you vulnerable? Are private Internet surfers even being targeted? Would society collapse in the event of a targeted attack on digital infrastructure? Are there problems residing within the structure of the Internet? Or should we be most afraid of malicious disruptive acts?

The digital world has infrastructure and “engineers” who build it. Switzerland has some of the best engineers in the world and, above all, engineering with a reputation for being highly reliable. Both Federal Institutes of Technology train engineers. Wouldn’t Switzerland have a lot to offer in order to build the digital realm to be both elegant and robust? A digital engineering paradigm based on bridges, tunnels and building statics.

C4DT: Interdisciplinary cybersecurity
Engineers have to know what stresses their system will face. For the safety of a bridge, this means that it has to be stable enough to withstand the ravages of time and the expected volume of traffic. And extreme peak loads, of course. But would it also have to be able to withstand an earthquake? If so, up to what magnitude? Therefore, the question of safety is always a question about the likely danger too.

Professor Edouard Bugnion, Vice President for Information Systems at EPFL and one of the initiators of the recently launched “Center for Digital Trust” (C4DT),believes that computer networks should not have to withstand natural hazards, but rather targeted attacks by perpetrators whose motivation he has no hesitation in calling “perverse”. “The enemy is not nature, but private or state attackers.” Therefore, the question of the security of a system, its resilience, is very different from the question of building physical structures. And as far as defence against cyber attacks is concerned, Switzerland clearly lacks the means and thus the expertise compared with other countries, such as the major players as well as specialists such as Israel. Nevertheless, Switzerland is precisely the right place to restore confidence in these systems.

In addition to engineering, Bugnion also sees a second great Swiss tradition, one that is just as important in developing identity and trust: reliability. For centuries, Switzerland has specialised in areas which are based on reliability and, thus, on trust between people, be it luxury watches, banks or insurance companies. This is an attribute that can also be put to good use in the digital realm. C4DT, which is an umbrella organisation for the research activities of more than 30 groups, is trying to combine ethical issues and political feasibility, adopting an interdisciplinary approach, for example in relation to encryption technologies. Security is under-stood here in a broader sense, as a kind of culture to be fostered.

Myriam Dunn Cavelty is in complete agreement with this. “Cybersecurity has long since ceased to be just a technical problem.” The researcher at the Center for Security Studies (CSS) at ETH Zurich firmly believes that we will not have secure cyberspace unless there is a socio-political agreement to protect this territory. There are some initiatives to change that, and occa-sionally they come from surprising quarters. Dunn Cavelty mentions the idea recently proposed by Microsoft President Brad Smith for a new Geneva Convention for digital space. This did not necessarily meet with widespread approval, “because countries do not like to be guided by private enterprise”. Nevertheless, she believes that Switzerland and Geneva, in particular, could play a special role in international efforts to stem attacks on digital infrastructure. On the other hand, she considers attempts to establish digital sovereignty in the national con-text as “humbug”. Bugnion feels the same way: “You have to be more European in your thinking.”In particular, he bemoans the absence of a European initiative for a different digital culture, focusing strongly on data protection and a secure Internet.

«Das jetzige Internet hat so viele Probleme, dass man es von Grund auf neu konzipieren und bauen muss, wenn man es wieder sicherer machen will.» Professor Adrian Perrig, Leiter der Network Security Group an der ETH Zürich

SCION – new Internet architecture
Adrian Perrig thinks global. The professor at ETH Zurich and head of the Network Security Group has perhaps taken on one of the most ground-breaking cybersecurity projects in the ETH Domain; he wants to rebuild the entire Internet. The network specialist realised at some point that “the current Internet has so many problems that you have to redesign and build it from scratch if you want to make it more secure.” Perrig and his group have invested a good ten years of research into this topic. Specifically, the aim has been to find out how much security can be achieved at all. Not as a theoretical ideal, but in everyday computing practice. “Achieving absolute security for the use of computers is very difficult,” Perrig cautions. However, in the case of networks, he is very optimistic after many years of testing. The new Internet architecture is not only more secure, but also more efficient.

Another important contribution is the work done in the research groups led by Professors David Basin and Peter Müller at ETH Zurich. They are working on mathematical proof that the Internet protocols and the code are actually secure. “Due to the complexity of today’s Internet, this so-called formal verification is extremely difficult,” says Basin, adding, “but it is the structure of our new network architecture that makes verification possible in the first place. Professor Müller’s group is working on the verification of the source code. He observes that “in recent years, we have done intensive research to improve our methods in order to provide evidence.” Thanks to a breakthrough, it was possible to use the methods of evidence developed by the Basin and Müller groups so that the entire system, from protocol to code, is verifiably secure.

This new network is called SCION (Scalability, Control, and Isolation on Next-Generation Networks), and Perrig promises that users will not notice any difference between it and the “old” Internet; and if they do, they’ll find surfing more enjoyable. One of the ways in which the SCION team achieves this is by specifically influencing the paths of the data packets and using several different paths for a single transmission, for example one with a short delay for the audio signal and one with more bandwidth for the video signal. There is no need to completely rebuild everything for this. “Imagine if you could choose to go along a road either on a bicycle or in an electric car.” While this may still be a vision for the future, it is not too far off; intensive negotiations are under way with Internet providers. So, does this mean thatyou will soon have several options for how you want to surf, as you do with electricity providers? At low cost and insecure or in the fast lane, with network architecture from the 21st century? That doesn’t sound all that farfetched; it’s actually perfectly reasonable from an engineering perspective

The “enemy” in my laptop
But what if the problem is in your own computer? Professor Gabriel Aeppli, member of the directorate and Head of the Photon Research Division at the Paul Scherrer Institute (PSI) can well imagine that the hardware has already been manipulated. While the software that keeps the western digital world turning was probably written in America or Europe, the hard-ware in most computers is produced in Asia. If it were possible to corrupt the computer components during manufacture, then normal defence strategies or new network architectures wouldn’t be much use. Therefore, Aeppli believes that it will soon be standard practice to conduct spot checks on hardware de-liveries down to individual circuit level.

So far, this has only been possible with great effort, which makes reasonable monitoring impossible, which opens the door to suspicious activities, of course. This is precisely where new X-ray technology co-developed by Aeppli could help. It can X-ray entire chips within a matter of minutes without destroying them. The 3D method perfected at the PSI has caused quite a stir in technology circles, as it allows the routing of the internal, nanometer size components to be shown in detail and without any distortion for the very first time. The deliverables can then be compared with the goods ordered. It is good for trust, and monitoring will be better in the future.

It begs a key question at the psychological level. Who can you even trust? The story about the corrupted hardware did nothing to improve trust, not least of all since the companies affected denied everything and sought injunctions against the reporters. Then again, this reaction is hardly surprising when you consider how damaging this sort of loss of trust would be to business. Dunn Cavelty’s view is that “trust is crucial, not least of all for the economy