Interesting effort. I do think their Expected Ideas perpetuate the presumptions that cause security issues in the first place.
"Data and link security,
Ground and space equipment security,
Protection of classified information,
Keys management through full life cycle,
Monitoring, situational awareness and forensic analysis of cyber-attacks,
Technological enablers and transversal building blocks."
The most interesting thing I've found over the last 18 months is how few CISOs and secdevops people actually know what they are protecting, and from whom. Their worldview seems to end at, "the business!" which is a black box to them.
Often, the sophistication and complexity of security technologies subtly move risk out of the domain of business owners, and onto operations staff who aren't equipped to hold or meaningfully mitigate it, and the effect is that we're left with transferring risk to empty compliance rituals, or a company security troll who can be periodically scapegoated.
I've got a horse in this race, but the solution is not for techs to educate business partners on security, but for owners to align their teams around the business risks that actually matter and let techs do what they do best, which is solve problems.
ESA would benefit most from a tool that educated all their engineers and product owners on the things the agency and projects value, and the risks to them it perceives.
Wow. That is the most well informed security comment I think I have ever read on this site.
There are multiple ways that business will push risk onto tech employees. This seems to be really prevalent in highly decentralized businesses where tech can't push back on decisions and the business unit can't really judge overall risk to the entire enterprise.
It goes beyond security or, maybe more accurately, security and risk are more expansive than just technical security measures.
One use case that I've long thought might be interesting is an orbital certificate authority/notary that is accessible directly via RF. Hard to beat the physical security and it would democratize access to a fairly mature and useful encryption ecosystem.
> The Campaign is open for submissions from academia, research institutes and economic operators registered in any of the GSTP participating states: Austria, Belgium, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, Slovenia, Spain, Sweden, Switzerland, United Kingdom, Canada.
Not open for submissions from the USA in case anyone else from there was getting excited :(
Interesting but I wonder about the volume of submissions they will receive. Since the outcome is very vague in terms of potential business: "Ideas that meet the evaluation criteria of this call - in consultation with the proposers of the ideas - will be considered for the preparation of technology development activity proposals."
If you are in this line of work, I think people would rather spend their time to respond to an RFP.