Dipl.-Ing. Dominik Fuß, BSc
- SEC Consult Unternehmensberatung GmbH
- Bundeskanzleramt BM.I (Bundesministerium für Inneres)
- BMLVS (Bundesministerium für Landesverteidigung und Sport)
- Magistrat der Stadt Wien (MA14, Informations- und Telekommunikationssysteme)
Cyber-attacks are among today’s greatest threats to both the private and public sectors. The resistance against such attacks varies from component to component, rendering different technologies or products more or less vulnerable to attack. One special kind of early-life attack purposefully reduces the resilience of a product by introducing flaws during design or production, e.g. through a faulty implementation of a cryptographic component, which might later enable certain side-channel attacks. Since most of the country’s IT infrastructure is manufactured abroad, our dependence on foreign, potentially untrustworthy suppliers is particularly high. Unfortunately, complete independence is difficult to achieve due to financial considerations and because of Austria’s (but also the EU’s) minor role on the global IT market. The situation can be remedied, however: instead of costly and time-consuming attempts to develop competitive products or even entire industries, the focus of this project lies on the development of affordable and effective solutions in the form of a secure procurement strategy, a comprehensive decision support system and a number of tailored security tests for both hardware and software (IT components). The presented approach aims to be organizationally, technologically, and financially feasible for domestic implementation with or without the cooperation of select international partners. The proposed project – ITsec.at – initially evaluates threats to the Austrian IT landscape – focusing on product origin and the aforementioned “by design” threats. Subsequent project stages focus on researching strategies, procedure recommendations and specific security tests for IT components and systems. In addition, requirement catalogues as well as hardware and software security specifications are to be developed in order to harden the national infrastructure against cyber-attacks.
Strategies revolve around an Austrian strategy for the procurement of secure and trustworthy hardware and software components as well as telecommunications technology. Requirement catalogues and security specifications solely include technologies and components that are feasible to develop or finance in a domestic context or in cooperation with select international partners. Every component has to be relevant for defending national interests against attacks from cyberspace and will be prioritized accordingly. All project results as well as additional recommendations for a general course of action are to become part of a comprehensive decision support system, which is to be implemented as part of a proof-of-concept prototype. A concluding management report summarizes all recommendations developed in the course of project ITsec.at. While political specifics are not part of the document, the project as well as the comprehensible final report will fundamentally support measures and initiatives that are part of the current government program (see chapter 1.1).