TRUST aWARE: Transforming the Security & Privacy (S&P) vicious cycle into a virtuous one
by TRUST aWARE consortium
By providing tools for key stakeholders along the whole cycle, and supporting cooperation and intelligence sharing, TRUST aWARE will minimise the impact of cyberthreats, empowering users, promoting collective awareness, and encouraging trustworthy S&P-preserving digital products in compliance with regulation
TRUST aWARE “Enhancing Digital Security, Privacy and TRUST in softWARE” is an Innovation Action (IA) funded by the European Commission under the programme Horizon 2020 (H2020-SU-DS03-2019-2020). With a lifespan of three years (started in June 2021), TRUST aWARE aims to provide a holistic and effective digital Security and Privacy (S&P) framework comprising novel and integrated tools and services co-created by citizens and stakeholders to identify, audit, analyse, prevent and mitigate the impact of the various S&P threats associated with citizens’ digital activities in a timely manner, while enhancing software trust and regulatory compliance. To this end, the consortium brings together a multidisciplinary team made of ten EU organisations with different roles and profiles.
The digital economy is a complex socio-technical phenomenon that has brought many advantages for citizens and society. However, cyber threats are one of the most critical risks threatening the world nowadays, and they are at the core of the continuous growth of the cybersecurity market. In this complex ecosystem where different stakeholders interplay, users often get exposed to a myriad of S&P threats when they use digital services for social networking, entertainment, banking, education, health, or even home security. The factors behind digital S&P threats are numerous and interconnected and, to a great extent, they are the combined result of inappropriate software engineering practices, bad user habits, and lack of regulatory enforcement and certification mechanisms, among others, as explained in the “Advancing software security in the EU” report by the European Union Agency for Cybersecurity (ENISA). Fundamental and interconnected problems for the different stakeholders involved in the development, certification, regulatory enforcement and use of digital products – known as the “S&P vicious cycle” – are presented in Figure 1 (left). TRUST aWARE aims to transform this “S&P vicious cycle” into the “S&P virtuous cycle” shown in Figure 1 (right) through holistic and actionable intelligence and tools for the different stakeholders.
Consumers (users) and organisations
Users are not always aware of their exposure to S&P risks when they use software. This results in bad usage habits and lack of risk prevention mechanisms. To a significant degree this can be attributed to limited digital skills, but also to cyberattacks targeted at citizens, which have grown in scale and sophistication, even targeting individuals or groups of individuals within an organisation (e.g., administration/finance staff). Traditional privacy and home security tools such as anti-virus no longer provide adequate protection, which results in compromised users.
TRUST aWARE will develop user-friendly tools to protect consumers against S&P cyberthreats (attacks, abusive practices and inappropriate behaviours of digital services). These tools will empower users through a better understanding of S&P threats and attacks, greater control over them, timely detection and response, and the ability to configure their own S&P protection settings. Awareness will be raised especially through dissemination campaigns and training.
Developers and Digital Service Operators (DSOs)
According to ENISA, developers lack best practices for S&P-by-design in software engineering, resulting in S&P issues for end users (either intentional or unintentional ones) due to poor development practices, aggressive data-driven business models, and market pressures for quick releases without assuring S&P compliance. Likewise, DSOs often implement opaque data-driven or deceptive business models with inappropriate and incomplete privacy policies and consent forms (Barth et al., 2017). TRUST aWARE will create and share knowledge to foster S&P-by-design in software engineering by supporting developers and DSOs with assessment, audit and certification methods for compliance with European S&P regulation, fostering a more transparent framework.
Certification and standardisation bodies
Standards and certifications are key enablers for assessing and assuring the level of S&P protection provided by modern software and its risks. However, the “Study on data protection certification mechanisms” by the European Commission highlights the lack of S&P certification methods and standards for developers and operators, and advocates the establishment of effective digital S&P seals and certifications delivered by accredited certification bodies as a step forward towards enhancing digital trust.
TRUST aWARE outputs in the technical areas of S&P will support the preparation and improvement of standards, engaging with certification and standardisation bodies – through the consortium partners and their contact networks – under diverse activities that will be organised along the project lifespan.
Regulation and public authorities
Regulators and national agencies all over the world are defining and implementing new legal frameworks for protecting citizens against online S&P threats. The European Union has made a huge regulatory effort with the General Data Protection Regulation (GDPR), the ePrivacy Directive, the EU Cybersecurity Act, and the Directive on Security of Network and Information Systems (NIS). However, it is unclear whether the penalties will be a sufficient deterrent against S&P malpractices. At the same time, technological innovation moves faster than policy making and enforcement, while software analysis tools are not intended for assessing regulatory compliance, which means that they are not suitable for assisting CERTs (Computer Emergency Response Teams) and DPAs (Data Protection Authorities), as well as CISOs (Chief Information Security Officers) and DPOs (Data Protection Officers) in organisations, in identifying regulatory violations in software.
TRUST aWARE will ensure that the collective intelligence gathered and built by the different software tools reaches CERTs and authorities, in collaboration with citizens, CISOs and DPOs. This will make it possible to guarantee and audit that digital products and their S&P practices are transparent, secure and in compliance with regulation.