Reykjavik University, University of Iceland, and University of Akureyri and applied together for funding in order to establish a joint Cybersecurity research centre. The Minister of Higher Education, Science and Innovation announced that the thre universities will together get for the project Rannsóknarsetur um netöryggisfræði get 67.3 million ISK funding over 2 years from the university collaboration fund (Samstarf háskóla). This is a continuation of a established collaboration that created the M.Sc. cybersecurity specialisations/emphasis that received previously 2 years of funding.

However, we envisaged a significantly higher grant and with that, the idea was to use the grant to introduce a new Ph.D. program, co-funding two Ph.D. student positions, to hold community engagement activities, to organise a "Defend the Flag" contest, and to create undergraduate and M.Sc research opportunities. Now, with the lower funding, we need to adjust our vision for the Cybersecurity research centre.

The grant will also be used as co-funding for cybersecurity Digital Europe Programme projects that are funded by the EU, however only at a 50% funding rate, so that the ministry funding is needed to provide part of the co-funding.

As we will have soon a new government in Iceland, we can expect that the ministries will get re-organised and we have to see what this means for this funding.

We have two research papers accepted at the 11th IEEE International Conference on Social Networks Analysis, Management and Security (SNAMS-2024).

• Brynjólfur Stefánsson, Ásta Guðrún Helgadóttir, Martin Nizon-Deladoeuille, Helmut Neukirchen, Thomas Welsh: Understanding Trust in Authentication Methods for Icelandic Digital Public Services. IEEE SNAMS 2024: The 11th IEEE International Conference on Social Networks Analysis, Management and Security, IEEE, to appear 2024 or 2025. Preprint DOI: 10.48550/arXiv.2501.17548
• Martin Nizon-Deladoeuille, Brynjólfur Stefánsson, Helmut Neukirchen, Thomas Welsh.
  Towards Supporting Penetration Testing Education with Large Language Models: an Evaluation and Comparison. IEEE SNAMS 2024: The 11th IEEE International Conference on Social Networks Analysis, Management and Security, IEEE, to appear 2024 or 2025. Preprint DOI: 10.48550/arXiv.2501.17539

The program lists only paper titles -- not authors nor presenters. Our student Brynjólfur Stefánsson presented both papers at the conference.

This research is in the context of our cybersecurity activities and the ECCC/EU co-funded projects ICEDEF – Defend Iceland and Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS).

On Friday, 1 November 2024, we had a we have a presentation (in Icelandic) on Cybersecurity at Þjóðarspegillinn 2024, the University of Iceland social science conference. This is to raise cybersecurity awareness, see also the NCC-IS and ICEDEF projects.

This talk is in the context of our cybersecurity activities and the ECCC/EU co-funded projects ICEDEF – Defend Iceland and Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS).

We are holding a Sociotechnical Resilience and Cybersecurity Workshop 1.-2. October 2024 in Gróska, room Fenjamýri.

Contact the organiser Thomas Welsh for registration.

This event is in the context of our cybersecurity activities and the ECCC/EU co-funded projects ICEDEF – Defend Iceland and Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS).

On Saturday, 28. September 2024, 13:00-18:00, there is Vísindavaka 2024, the Icelandic family-friendly-during-daytime edition of European Researchers' Night 2024 at Laugardalshöll.

The Computer Science department of University of Iceland has a booth there, showcasing some of their research:

• Cybersecurity: Eyvör NCC-IS, the National Coordination Centre Iceland for Cybersecurity. The Computer Science department of University of Iceland is part of Eyvör NCC-IS and we will show three pieces to raise awareness:
• Has my user info (in the worst case: my password) been leaked? Look up who else owns your login data: https://haveibeenpwned.com
  Note: if your data shows up there to have been leaked, then this is not your fault, but the fault of the website that was storing your data in an insecure manner and you should change your password at that website (also check whether the password has been leaked or only, e.g., your email adress). However, it is your fault if you use the same password for multiple websites: should your password leak from one website, criminals will try that password on other websites and will have success if you use the same password there. Use different passwords for different services. Even better: use multifactor authentication, i.e. not just a password (that can be easily leaked), but in addition something that can be less easily stolen, such as your phone: an authenticator app running on it, an SMS sent to your phone number, or the Icelandic digital ID on your SIM card.
• An online quiz on how good you are at identifying phishing emails, i.e. emails trying to trick you into providing information, e.g. passwords: https://cybersecuritymonth.eu/quiz (Note: solutions not provided online -- you need to visit us to get hints where you were wrong and where you were right!)
  
• A LEGO model of Iceland representing critical infrastructure that is subject to attacks. Each time, a service on our Internet-connected computer is attacked via the Internet from anywhere in the world, a light goes off. So when all Iceland turns dark in our Lego model, then you know that all of our services are currently being attacked at the same time. We use just a dummy sample server, but in fact, it could be your computer or a power plant that is attacked. True Blinkenlights - next time, we should do it using the lights in the glass front of Harpa concert hall.
  
  
  
• A 3D scanner that scans the shape of your ear: used in CoE RAISE in order to find with AI out how the shape of your ear influences how you hear from different directions.
  
• Quantum computing: a new piece to show, therefore no photos yet -- you really need to come and see!

See you at Laugardalshöll!

On Friday, 27 September 2024, 10:45-12:15, we have in room SAGA - E (former Hotel Saga) a presentation (in Icelandic) on Cybersecurity at Menntakvika 2024, the University of Iceland education conference. See, the abstract titled "Net og gagnaöryggi í nútímasamfélagi" in the abstract collection. This is to raise cybersecurity awareness, see also the NCC-IS and ICEDEF projects.

This talk is in the context of our cybersecurity activities and the ECCC/EU co-funded projects ICEDEF – Defend Iceland and Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS).

Update 12/2024: The results of what get funded are now available at Rannís and the ministry even provides more details.

Icelandic Smaller and Middle-size Enterprises (SMEs) can now apply for cybersecurity-related funding for

• strengthening cybersecurity culture and awareness,
• efficient education, research and development,
• secure digital services and innovation,
• stronger law enforcement, defense and national security,
• effective response to incidents, and
• strong infrastructure, technology and legal framework.

This is in the context of Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS). See also the Icelandic announcement from the Ministry of Higher Education, Science and Innovation which includes the agenda of that kick-off meeting for that funding where we gave a presentation on the state of cysec in Iceland..

Note that there is also a podcast (in Icelandic related to this): Auðvarp #30.

This funding is in the context of the ECCC/EU co-funded project Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS). See also the official web page of Eyvör NCC-IS.

On Tuesday 20.8.2023, 16:00, room Ada, in Gróska, 3rd floor, there will be an information meeting on the joint cybersecurity master's programme and cysec courses being offered at University of Iceland and Reykjavik University.

You can find more info here: https://uni.hi.is/helmut/cybersecurity/ -- there also the presented slides will be made available.

For info on our cybersecurity activities can be find in all the blog posts from the cybersecurity category.

This joint cybersecurity master's programme would not be possible without funding from the University Collaboration Fund of the Ministry of Higher Education, Science and Innovation and co-funding from the ECCC/EU for the projects ICEDEF – Defend Iceland and Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS).

Currently, we are running some advertisements on social media and Icelandic news web pages in order to raise awareness of our two M.Sc. study programmes that offer specialisations in cybersecurity: M.Sc. in Computer Science/Tölvunarfræði and M.Sc. in Software Engineering/Hugbúnaðarverkfræði.

Deadline for applications is 15. April for the M.Sc. programme. If you missed that deadline: you can still apply for a related B.Sc. programme until 5. June and if you have the right qualifications (i.e. a B.Sc. degree in Computer Science or Software Engineering) change from there into the M.Sc. programme.

This joint cybersecurity master's programme would not be possible without funding from the University Collaboration Fund of the Ministry of Higher Education, Science and Innovation and co-funding from the ECCC/EU for the projects ICEDEF – Defend Iceland and Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS).

When University of Iceland switched 2018 to Microsoft Cloud for emails and other services, I warned about this and I was also concerned about the Icelandic government's cybersecurity.

At that time, our university administration argued to me that Microsoft can better protect our cybersecurity than we can do on our own. However, threat actors managed in May and June 2023 to access Microsoft Exchange Online mailboxes: while they mainly attacked US and UK government email accounts (but also others, but who exactly is not disclosed), this could apply in theory also to our emails at University of Iceland (which enables requesting and intercepting password-reset emails in order to get access to any other non-Microsoft service that offers email-based password reset) and of course to the Icelandic government that relies as well on Microsoft's cloud-based services.

While at that time, my concerns were mainly framed by what whistleblower Edward Snowden's taught us, i.e. we get eavesdropped by our friends, 6 years later, the landscape has added more awareness on the Russian aggression and Chinese and North-Korean threat actors, including the possibility to cut off the the Internet sea cables connecting Iceland to the cloud service that are all outside of Iceland. (E.g. according to a traceroute the Microsoft cloud serves that University of Iceland uses are located in the UK -- meaning that if a state actor cuts the sea cables connecting Iceland, probably the whole IT of University of Iceland is cut off because all user authentication runs via Microsoft in the UK.)

Now, the United States Secretary of Homeland Security Cyber Safety Review Board published a devastating report on Microsoft's Cloud security. As US Government-level publications are in the public domain, I provide below some extensive direct quotes (highlighting added by me) from that report:

Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.

To drive the rapid cultural change that is needed within Microsoft, the Board believes that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company’s security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products.

Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources.

The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul.

The Board reaches this conclusion based on:
1. the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed;
2. Microsoft’s failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed;
3. the Board’s assessment of security practices at other cloud service providers, which maintained security controls that Microsoft did not;
4. Microsoft’s failure to detect a compromise of an employee's laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021;
5. Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction;
6. the Board's observation of a separate incident, disclosed by Microsoft in January 2024, the investigation of which was not in the purview of the Board’s review, which revealed a compromise that allowed a different nation-state actor to access highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems; and
7. how Microsoft’s ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy, and public health and safety, require the company to demonstrate the highest standards of security, accountability, and transparency.

Note that this report refers to the 2023 incident and the above only bullet point 6. refers to the most recent incident from 2024 where Microsoft had to admit that other threat actors have had access to their systems and that Microsoft is unable to prevent further accesses to their system by these actors. Or with the words of Adam Meyers, a senior vice president at the cybersecurity firm Crowdstrike:

the hackers are deep inside Microsoft, and Microsoft hasn't been able to get them out in two months

We will maybe get a further report from the Cyber Safety Review Board on this new incident.

This new incident means that these actors have access to the source code of all Microsoft products, allowing them to identify zero-day exploits, i.e. vulnerabilities that are yet unknown to Microsoft, while attackers can exploit them any time and Microsoft will not have a fix for this available in time.

Note that Microsoft owns GitHub where a huge majority of open-source software is hosted that drives today's Internet and computer systems, thus making software supply chain attacks by these actors more likely by giving them the tools to compromise the software supply chains via GitHub itself.

Compare the Microsoft attitude to blanket their security mistakes with Google creating a documentary on their security incidents (HACKING GOOGLE) and using this rather as opportunity for advertisement. (Talking about advertisement: it is a completely new experience to watch that documentary on YouTube: no ads -- well just the whole documentary is the ad.)