Page 1



CYBERSECURITY Research and innovation for a more secure Britain

£70 million

of current EPSRC investments in research

The RCUK Global Uncertainties Programme brings together the activities of the UK Research Councils in response to global security challenges to help governments, businesses and societies to better predict, detect, prevent and mitigate threats to society. One such challenge is cybersecurity and EPSRC is taking the lead in investing in research and training to help ensure the UK’s citizens, communities and businesses are safe and have the confidence to get the most from cyberspace. Key drivers


Research Projects


collaborators contributing a further £23.1 million



£27 billion lost through cyber crime1


of businesses and 73% of households have Internet access

£58.8 billion spent online in the UK in 20102

14.2 hours

per month spent online by adults in the UK3


of the UK population have mobile broadband3

UK society is increasingly dependent on IT networks. Everything from energy, water, banking and shopping involves use of the Internet or other connected computer systems. More than three quarters of households in the UK now have internet access. In the first half of 2011, £31.5 billion has been spent online. It is estimated that there are 1.5 billion users on the Internet across the globe. As mobile devices, especially smartphones, become the norm for internet access and as computers become embedded in everyday devices such as cars and televisions and increasingly communicate via the internet the risks we face will alter and expand in unpredicted and unexpected ways.

“Over the last decade the threat to national security and prosperity from cyber attacks has increased exponentially. Over the decades ahead this trend is likely to continue to increase in scale and sophistication, with enormous implications for the nature of modern conflict. We need to be prepared as a country to meet this growing challenge, building on the advanced capabilities we already have.” — David Cameron, Prime Minister

Reliance on cyberspace creates opportunities for the unscrupulous. Of the £27 billion lost through cyber crime in 2010 £3.1 billion was lost by individuals (fraud and ID theft) and £21 billion to industry (theft of intellectual property, customer data, price sensitive information). In addition to crime, there are also threats from malicious computer code disrupting government systems, both deliberately and accidentally, and the use of cyber techniques by one nation to bring about political or economic pressure on another. Research will be needed to explore the possibilities and devise suitable protection, mitigation and adaptation strategies.

Opportunities For over 20 years EPSRC has been supporting the research and training underpinning cybersecurity. This research has been carried out in collaboration with other research councils such as ESRC and in partnership with key agencies including GCHQ, CPNI and Dstl. As a result the UK has the world-class research base needed to meet cyber threats and enhance our security. We have expertise in computing, mathematics and the sociological and psychological disciplines that shed light on human behaviour and enable us to build systems which are better designed and easier to use. The UK has attracted many companies involved with the cybersecurity area including multinationals such as Hewlett-Packard, Thales, and Microsoft.

.. the Government’s National Cyber Security Programme ……. the emphasis is on the word ‘National’; it is about underpinning confidence that the UK is a safe place to do business in cyberspace and that in turn means engaging with the public, with industry and with other countries to ensure that we all benefit from a safe, secure and resilient cyberspace.” — Francis Maude, Minister for the Cabinet Office

These companies and many others actively engage with the UK research community. A safe and resilient IT infrastructure is necessary to ensure that the UK remains a desirable place for businesses to operate. Research Council investment in research and training helps to maintain this position.

Research for the future “Governments cannot deliver a safer online world. We need to work closely with industry to ensure that safe infrastructure and services can be provided to the public and share information and skills.” James Brokenshire, the Minister for Crime & Security.4 Good cybersecurity requires longterm, underpinning research of the highest quality that can keep pace with the changing environment. For example, in a £900,000 project at the University of Bristol researchers are addressing cloud computing (the ubiquitous, on demand network access to shared computing

resources). In particular they are using their expertise in cryptography to find cost-effective, secure ways of accessing data.

GCHQ will also be partnering RCUK in identifying research institutes in strategically important subject areas within cybersecurity.

A strong connection with users to ensure relevance and encourage takeup is an important component of our support. More than 200 collaborators, contributing an additional £23 million, work with the research community we support. They represent organisations in national and local government, law enforcement, civil engineering, ICT, transport, defence and aerospace.

Skills for the future

For example, with support from ourselves and the Technology Strategy Board, Cranfield University are working with some 30,000 online service users to explore ways of improving online privacy. Other projects engage with service providers and system vendors including Orange Labs, BAE Systems, TDK, Intel, and BTExact. We are also working closely with GCHQ to identify university groups which will become UK “Centres for Excellence” in cybersecurity research.

Priorities for the future • cyber crime: countering the financial and social damage. • global threats, cyber war, ethics, regulation, policy and legality: understanding the complexity and countering the threats • human factors and usable security: understanding human behaviour as a route to improving the security of systems.

Businesses, whether users or systems providers, need access to a skilled workforce able not only to work to minimise the risks, but also to design and implement new more resilient systems. EPSRC’s innovative postgraduate training programmes are providing the next generation of researchers with the skills required. The University of York is running a four-year postgraduate Engineering Doctorate Centre in large-scale complex IT systems. Bristol, Leeds, Oxford and St Andrews Universities contribute to the training programme which is linked to a multi-million pound research programme in the five universities. The graduates attending the Centre train on research projects that are of direct relevance to companies and spend a large proportion of their time on the premises of those companies. EPSRC also supports a multi million pound international centre for postgraduate training in security and crime science at University College London. This is the first of its kind in Europe and offers a comprehensive integrated doctoral programmes for students pursuing multidisciplinary security or crime related research degrees (see Case Study).

• risk identification, reduction, mitigation and management: looking at emerging uses of the Internet and the risks associated with them. • secure management and use of data: looking at better ways of storing and sharing data as well as considering ethical and legal issues. • making systems more resilient: investigating ways to protect infrastructure against malicious attacks. • understanding and monitoring systems and networks: understanding system behaviour so abnormal activity can be identified.

1 cyber_crime_summary_final_14_february_2011.pdf 2 (18% increase on 2009) £6.8 billion in December alone (ref IMRG Capgemini) 3 (Ofcom) 4 speech at the launch of the International Cyber Security Protection Alliance 5 July 2011


RIDING WITH THE WHITE HATS A major issue in cyber security is staying ahead of attackers and ensuring that new systems are not vulnerable targets. This is where “White hats” come in (the term comes from Hollywood westerns where the good guys wear the white hats). The White hats help security companies to find weaknesses that could be exploited. Andy King from the University of Kent used EPSRC funding to spend nine months working with White hats at security firm Portcullis to link his academic computer science research with real threats and vulnerabilities. His work revealed a weakness: the process relies on humans finding the errors. As he says “The reasoning is if they can’t find the errors then no one else can, but that doesn’t mean those errors are not there and cannot be found so it makes sense to automate the process.” Andy is now devising computer-based tools that will accelerate the discovery of security flaws. These tools will automate the time-consuming and labour-intensive tasks that have to be undertaken when searching for vulnerabilities. The project will develop programme analysis techniques that will automatically recover information about the behaviour of a programme, and then present it in a digestible form to the White hat.


PROTECTING CHILDREN ONLINE Recent years have seen a rapid rise in the number and use of online social networks. These pose two significant risks in terms of child exploitation by paedophiles: preying on children via chat rooms and web-based communities; and distributing and sharing child abuse media. The Isis project led by Professor Awais Rashid of Lancaster University working in collaboration with Swansea and Middlesex Universities is using the expertise of the team in monitoring, natural language analysis, child protection and ethics to develop a toolkit with 94% accuracy in identifying masquerading adults. The team has helped law enforcement agencies identify those posing as children or using multiple identities to groom their victims. It has also worked with pupils helping them understand online risks. The research has also developed a methodology to identify and mitigate ethical misuses of powerful policing tools. The results form the basis of guidelines for building and developing ethical monitoring solutions. The team’s research has featured in over 18 countries and is already being exploited. Isis Forensics Ltd, a spin-out company, has licensed the Language Analysis Software that has been developed by Lancaster University staff within the Isis project.


CENTRE FOR SECURE INFORMATION TECHNOLOGIES With total funding of £30M over five years from EPSRC, TSB, InvestNI, Queen’s University Belfast and industry collaborators, the Centre for Secure Information Technologies (CSIT) brings together research specialists in complementary fields such as data encryption, network security systems, wireless enabled security systems and intelligent surveillance technology. The multidisciplinary team is developing innovative and novel technologies in both information and people security applications that include powerful computer processors that can in realtime detect and filter malware and cyber attacks within large networks, lightweight and secure digital fingerprint for physical devices and an intelligent reasoning engine that can take large volumes of multi-agent information from CCTV, RFID etc and rationalise and identify security events. The Centre’s collaborators include: Altera, BAE Systems, Cisco, Q1Labs and Thales as well as government agencies such as the Home Office, GCHQ, CESG, CPNI and Dstl. Brendan Hannigan, CEO of Q1 Labs, says: “The research collaboration with CSIT has greatly expanded our ability to innovate security intelligence solutions for our customers.”


OPEN SECReTS SECReT is an international, multidisciplinary Security Science Doctoral Training Centre at University College London, the first of its kind in Europe. EPSRC’s funding of £7.5 million is augmented with contributions from partners the Centre offers a comprehensive programme for students wishing to pursue research in crime or security domains across the engineering, physical and social sciences. The Centre brings together science (including social science) and engineering expertise with that from wider disciplines. It applies this to mitigate threats from criminals and terrorists to the UK’s physical, communications, energy, health, border, transport, environment and financial infrastructures. Its 32 collaborators include a range of users from Government and its agencies (Home Office, NHS, British Transport Police), companies such as BT, HP, BAE, Thales, Logica, KPMG and academic groups in the UK and abroad. “The DTC will train and shape a generation of leaders in integrated and socially sensitive security: not only future academics but also the policy makers and industrialists with whom they interact during and after their training. We aim to transform the way security is done.” Professor Gloria Laycock OBE, former UCL SECReT Director

Other statements in the series

PIONEERING A DIGITAL FUTURE Research Councils UK Digital Economy Programme


MANUFACTURING THE FUTURE Creating new industries and new jobs


The Research Councils UK Energy Programme

tuNABLe stArCh for GreeN CheMistrY

10 years ago PhD research in the University of York’s Green Chemistry Centre of Excellence led to the discovery of new high surface area forms of starch. These are useful in applications from chromatography to catalysis. These new materials have remarkable properties which can be ‘tuned’ from starch-like to carbon-like. Named “Starbons” (registered trade name), they are the subject of several patent applications and are sold commercially for laboratory use worldwide. Continued EPSRC support is allowing their use in a number of processes including effluent treatment in the pharmaceutical industry as well as studies on process optimisation, scale-up trials and further applications with the chemical industry. Brian Trenbirth, Technical Director of Contract Chemicals a user of the Starbon technology says that they “will be delighted to transfer Starbon technology from laboratory through pilot to full scale production. This innovative technology will enable us to diversify our business portfolio thus helping the company to expand”.

EPSRC is the main UK government agency for funding high-quality basic, strategic and applied research and related postgraduate training in engineering and the physical sciences, to help the nation exploit the next generation of technological change. It invests more than £800 million a year in a broad range of subjects – from mathematics to materials science, and from information technology to structural engineering.

August 2010


Engineering and Physical Sciences Research Council


Engineering and Physical Sciences Research Council


The RCUK Global Uncertainties Programme brings together the activities of the UK Research Councils in response to global security challenges: poverty (including the effects of inequality & injustice), conflict, transnational crime, environmental stress and terrorism. The programme will help governments, businesses and societies to better predict, detect, prevent and mitigate threats to security.


caSe Study 03


Global production of cement is set to double to over five billion tonnes/year by 2050. But the type most commonly used today has a heavy environmental price accounting for five percent of manmade CO2 emissions. Novacem’s cement is carbon-negative absorbing CO2 from the atmosphere during manufacture. This is because it isn’t limestone based, requires low process temperatures and contains carbon-negative additives. The company has received additional venture funding through the Royal Society Enterprise Fund and is seeking further commercial sponsorship to take the process through to manufacture.

Engineering and Physical Sciences Research Council


Other statements in the series:

EPSRC funding has played a key role in developing both a new, carbon-negative cement and its manufacturing process. The development is spearheaded by Novacem, a spin-out company from Imperial College London and is also supported by the Technology Strategy Board and the London Development Agency.


engineering and Physical Sciences research council


caSe Study 04

CeMeNt set to reDuCe CArBoN eMissioNs

Cybersecurity: research and innovation for a more secure Britain  

The RCUK Global Uncertainties Programme brings together the activities of the UK Research Councils in response to global security challenges...