48 research outputs found

    Software Vulnerabilities Disclosure: The European landscape. CEPS Commentary, 31 July 2017

    Software is nearly everywhere today: in our smartphones, our cars, our offices and our homes. But it has been estimated that the average programme has at least 14 separate points of vulnerability. Each of those weaknesses could permit an attacker to compromise the integrity of the product and potentially make an illicit entry. What can we do to protect ourselves? Who should look for vulnerabilities, and should the vendors or the users be informed about them?

    CEPS Task Force on Artificial Intelligence and Cybersecurity Technology, Governance and Policy Challenges Task Force Evaluation of the HLEG Trustworthy AI Assessment List (Pilot Version). CEPS Task Force Report 22 January 2020

    The Centre for European Policy Studies launched a Task Force on Artificial Intelligence (AI) and Cybersecurity in September 2019. The goal of this Task Force is to bring attention to the market, technical, ethical and governance challenges posed by the intersection of AI and cybersecurity, focusing both on AI for cybersecurity but also cybersecurity for AI. The Task Force is multi-stakeholder by design and composed of academics, industry players from various sectors, policymakers and civil society. The Task Force is currently discussing issues such as the state and evolution of the application of AI in cybersecurity and cybersecurity for AI; the debate on the role that AI could play in the dynamics between cyber attackers and defenders; the increasing need for sharing information on threats and how to deal with the vulnerabilities of AI-enabled systems; options for policy experimentation; and possible EU policy measures to ease the adoption of AI in cybersecurity in Europe. As part of such activities, this report aims at assessing the High-Level Expert Group (HLEG) on AI Ethics Guidelines for Trustworthy AI, presented on April 8, 2019. In particular, this report analyses and makes suggestions on the Trustworthy AI Assessment List (Pilot version), a non-exhaustive list aimed at helping the public and the private sector in operationalising Trustworthy AI. The list is composed of 131 items that are supposed to guide AI designers and developers throughout the process of design, development, and deployment of AI, although not intended as guidance to ensure compliance with the applicable laws. The list is in its piloting phase and is currently undergoing a revision that will be finalised in early 2020. This report would like to contribute to this revision by addressing in particular the interplay between AI and cybersecurity. 
This evaluation has been made according to specific criteria: whether and how the items of the Assessment List refer to existing legislation (e.g. GDPR, EU Charter of Fundamental Rights); whether they refer to moral principles (but not laws); whether they consider that AI attacks are fundamentally different from traditional cyberattacks; whether they are compatible with different risk levels; whether they are flexible enough in terms of clear/easy measurement, implementation by AI developers and SMEs; and overall, whether they are likely to create obstacles for the industry. The HLEG is a diverse group, with more than 50 members representing different stakeholders, such as think tanks, academia, EU Agencies, civil society, and industry, who were given the difficult task of producing a simple checklist for a complex issue. The public engagement exercise looks successful overall in that more than 450 stakeholders have signed in and are contributing to the process. The next sections of this report present the items listed by the HLEG followed by the analysis and suggestions raised by the Task Force (see list of the members of the Task Force in Annex 1).

    EU Cybersecurity and the Paradox of Progress. CEPS Policy Insights No 2018/06, February 2018

    Technological revolutions bring opportunities, but sometimes even greater threats. This ‘paradox of progress’ affects cyberspace today, threatening to undermine the very principle and foundation of the open internet. The global debate on cyber-governance is currently in a stalemate on the norms for global stability of cyberspace and the fight against cybercrime, although the EU is making considerable efforts to strengthen the resilience of cyberspace and the critical information infrastructure. The newly proposed Cybersecurity Act should, however, be supported by additional measures to increase awareness, devise smarter policy and enable effective governance. Too many users and businesses are still failing to take cybersecurity and computer hygiene seriously. And there is a need to strengthen the pan-European coordination of deterrence, detection, and defence. This paper looks at the possibilities for the EU in this domain and argues that at a time of American diplomatic and political retrenchment from Europe and the world, it has an opportunity to play a leading role in global cybersecurity policy and governance.

    The Economics of Next Generation Access Networks and Regulatory Governance: Towards Geographic Patterns of Regulation

    This paper examines the mix of technical, regulatory, and business strategy issues that arise in implementing next generation broadband platforms in Europe. Our review of some European studies on NGAN in Europe and our specific focus on the Italian situation, in particular on the competitive situation in Milano, shows the relevant flaw of continuing to advocate national patterns of regulation. In fact, the deployment of NGAN calls for a radical shift of regulation on a geographic level. The recognition that a NGAN business case does exist for OLO in a number of local areas, mainly metropolitan ones, has relevant regulatory implications. In the first place, since the conditions of competition differ significantly among local areas, regulation should promote both incumbents' and OLO's investments in NGAN by limiting ex ante interventions to those enduring economic bottlenecks found at a specific geographic markets level. In the second place, market definition is the most important step in the market analysis procedure to help decide whether to regulate a given service provided over a NGAN or not. We have proposed a taxonomy of local areas that may be adopted in a country like Italy for a correct geographic definition of markets 4 and 5 and, as a consequence, for the imposition of appropriate remedies. Keywords: Next Generation Networks, geographic markets, geographic remedies, infrastructure sharing, market definition.

    Protecting Europe against software vulnerabilities: It’s time to act! CEPS Commentary 28 June 2018

    A new CEPS Task Force report suggests concrete policy measures and recommendations addressed to all stakeholders to help jumpstart coordinated vulnerability disclosure and government disclosure decision processes across Europe.

    Software Vulnerability Disclosure in Europe: Technology, Policies and Legal Challenges. Report of a CEPS Task Force. CEPS Task Force Reports 28 June 2018

    This report puts forward the analysis and recommendations for the design and implementation of a forward-looking policy on software vulnerability disclosure (SVD) in Europe. It is the result of extensive deliberations among the members of a Task Force formed by CEPS in September 2017, including industry experts, representatives of EU and international institutions, academics, civil society organisations and practitioners. Drawing on current best practices throughout Europe, the US and Japan, the Task Force explored ways to formulate practical guidelines for governments and businesses to harmonise the process of handling SVD throughout Europe. These discussions led to policy recommendations addressed to member states and the EU institutions for the development of an effective policy framework for introducing coordinated vulnerability disclosure (CVD) and government disclosure decision processes (GDDP) in Europe.

    The Economics of Next Generation Access Networks and Regulatory Governance: Towards Geographic Patterns of Regulation

    This paper examines the mix of technical, regulatory, and business strategy issues that arise in implementing next generation broadband platforms in Europe. Our review of some European studies on NGAN in Europe and our specific focus on the Italian situation, in particular on the competitive situation in Milano, shows the relevant flaw of continuing to advocate national patterns of regulation. In fact, the deployment of NGAN calls for a radical shift of regulation on a geographic level. The recognition that a NGAN business case does exist for OLO in a number of local areas, mainly metropolitan ones, has relevant regulatory implications. In the first place, since the conditions of competition differ significantly among local areas, regulation should promote both incumbents' and OLO's investments in NGAN by limiting ex ante interventions to those enduring economic bottlenecks found at a specific geographic markets level. In the second place, market definition is the most important step in the market analysis procedure to help decide whether to regulate a given service provided over a NGAN or not. We have proposed a taxonomy of local areas that may be adopted in a country like Italy for a correct geographic definition of markets 4 and 5 and, as a consequence, for the imposition of appropriate remedies.

    Upgrade of the HIVIPP Deposition Apparatus for Nuclear Physics Thin Targets Manufacturing

    The High Energy Vibrational Powder Plating (HIVIPP) technique allows for the preparation of targets starting from refractory metal powders with negligible material losses during the process, thus preserving the expensive isotope-enriched materials. An upgraded HIVIPP apparatus was developed at the Legnaro National Laboratory of the National Institute of Nuclear Physics (INFN-LNL), and it is reported in this work. Particular attention was paid to the design of the sample holder, the automation of the power supply, and the control of the process, all with the aim of obtaining a versatile and reliable apparatus. Several tests have been carried out and the related results are reported, proving the flexibility of the apparatus and the process reproducibility. The main result is a 'ready to use' technology at INFN-LNL for the preparation of isotopically enriched refractory metal targets that cannot be manufactured using standard techniques.