Outcomes and key themes from ICT 2018 Session on Cybersecurity as key for a Digital Economy and Society

On 5 December 2018, the Digital Single Market of the European Commission sponsored a session on the topic of “Cybersecurity as key for a Digital Economy and Society”. The highly-popular session (over 90 attendees) took place on 5 December 2018 within the flagship ICT2018 Conference in Vienna, Austria.

Khalil Rouhana, Deputy Director General, EC – DG CNECT, kicked off the session with an overview of some of the most pressing issues of the day in cybersecurity:

SMEs. First off, he spoke of the special issues faced by SMEs with regard to cybersecurity. Two-thirds of European SMEs are attacked systematically. This intensity of cyber-attacks has significant impacts on European businesses and citizens, yet very few SMEs report attacks. While awareness about impacts is growing, there is still an incredible amount of work to be done to achieve stronger security postures. Many SMEs do not even know they’ve been attacked.

Cyber Public Private Partnership. He then introduced the attendees to the European cPPP (public private partnership) is a collective effort to tackle the challenges of cyber security. Cyber security is increasingly cross border, with public-sector organisations and businesses increasingly connected. A weak link in one part of Europe can affect other member states. Through this partnership with industry, Europe is working together to shield the economy and society, detecting attacks, deterring them and responding to them.

Regulatory Framework: the new Cybersecurity Act. The European regulatory framework has defined roles and responsibilities for cyber security, including operators of critical infrastructures, so they meet the necessary legal and technical requirements to shield themselves from attacks and respond to them more effectively. The European Cyber Security Act defines and strengthens the role of ENISA and provides for an EU Cyber Security Certification Scheme of products and services. The partnership with industry ensures the right investments are available to build European capacity in a fast-evolving risk landscape. By linking the R&I community of research centres and industry across the EU, we can reduce fragmentation and achieve critical mass. New investments in Horizon Europe will ensure funding in those areas where Europe is lagging behind such as quantum cryptography tools and self-healing networks, which require high investments and collaboration.

Ondrej Vleck, from Avast (Czech Republic), then spoke on one of the major pain points in cybersecurity today: the security of the Internet of Things. Gartner forecasts that by 2020, 19 billion devices will be connected to the Internet. 60% of these devices will be in the consumer space, spanning apps in smart homes, baby monitors and wearables. IoT is one example of just how fast cyber threats are evolving in a crowded space with lots of vendors and options and with plenty of opportunities for the cyber criminals. The reason? Security levels are dangerously low (think “late 80s and early 90s” security levels) with many exploitable vulnerabilities. There is a big push in the market, with little incentive for vendors to add security to their devices, and some are not sufficiently skilled in building secure software. We need to arrive at a point where the security industry can respond to more consumers demanding security and by expediting the sense of urgency that is currently lacking.

Ondrej stressed that we need a bottom-up ecosystem approach with financial incentives also for start-ups. IoT security issues have emerged from an explosion of cheap devices, especially on the consumer side. There is no regulation and no incentives for security. It’s a time-bomb waiting to explode. We can’t expect the citizen-consumer to take action. It’s very complex and only understandable to a very small part of the population.

Continuing in the same vein, speaker Anand Prasad, NEC and Chairman 3GPP SA3, reflected on cybersecurity standards based on “by-design” approaches. He observed that security is deeply engrained in our everyday lives and because of this we tend to assume it’s somebody else’s responsibility. Yet calculating risk is key. Security is a whole new ball game with 5G, as we are moving outside the network parameter with software blocks inside the cloud, which with virtualisation has different security implications. On top of this, IoT devices have different security requirements and the user space is also evolving.

The 3GPP SA3 (security) has adopted a multi-phase approach to security. In phase 2, they’re working towards unified authentication through a single database, interoperable security and issues like fraud. The priority is to have privacy and security from the very first step. Security also has to keep pace with technological changes and evolving risks. Holistic security from the beginning is the only valid approach.

Prasad emphasized that businesses need to step up on security. Management must start taking action, including investments in cybersecurity and taking holistic approaches. Technology is moving very fast. On the operational side, we need to create a platform for sharing threat information in private mode. We need security guidance rather than regulation. In today’s threat landscape, security can be a business driver, benefitting also from partner security services. The United Nation’s Sustainable Development Goals (SDGs) can also open new markets. We must consider cybersecurity as a key part in the ecosystem and crucial for making business happen. Standards can enable secure connectivity and set of the technical specifications as a first critical step.

On another front, speaker Alexandra Maniati from the European Banking Federation highlighted the need for improved digital awareness and skills. Banks have always been targets for malicious attacks for obvious financial reasons but cyber-attacks are increasingly targeting big data, which is an important asset for banks with information about financial data and transactions. The industry is facing three major challenges that apply also to other sectors.

• Managing cyber risks is increasingly complex and interconnected with a wider range of actors and offers across diverse channels. The banking sector has also become heavily dependent on sectors like energy and telecommunications, bringing in new actors from outside the industry.
• Harmonised and adequate regulation and supervision to improve cyber resilience and protection.
• There is a need to increase awareness and education to ensure cybersecurity is an organisation-wide responsibility towards cybersecurity and achieve lower risk-related human behaviour.

Maniati underlined that 95% of cyber-attacks are attributed to human activities, intentional or not. People using the internet need to be more mindful of their actions at work, at home and at play. Talent across Europe is terribly fragmented. We need formal education and courses to train the work force of the future, and to also retrain and up-skill the existing workforce.

So what can we do about all this? Speaker Jesper Rasmussen from EASA, Flight Standards – European Aviation Safety Agency, expressed a firm opinion on this: we need a systematic approach to cybersecurity. Aviation is by default an interconnected system of systems. As we embrace digitisation, we need to be extra vigilant and adopt very different approaches to the threat landscape. We already have in place certification and complete oversight with different layers of protection for every aspect of aviation. But one weak link could bring down the entire system. It’s paramount that we plan for this malicious alignment through coordinated efforts, avoiding duplication and ensuring a systematic approach to cyber security.

All relevant players must be on board: the military, NATO, aviation industry associations, the EC, member states with high involvement of industry all the way as we work towards implementing a comprehensive cyber security strategy for aviation. One of the new mechanisms is the establishment of a European Centre for Cyber Security in Aviation (ECCSA – operational before end of 2019). Another is robust regulation and a common risk management approach. The aviation industry must coordinate on existing regulations and frameworks to avoid overlap, such as working with ENISA on the NIS Directive from an aviation perspective.

Rasmussen stressed that every industry should adopt a systematic approach to malicious alignment of all potentially weak points in our systems as nobody is stronger than the weakest link. It’s important to have end-to-end security. Interestingly, not many people relate physical risks to safety, such as the Samsung smart phone issue.

Finally, the audience was given a glimpse into the future, where Stephanie Wehner, Delft University of Technology and QuTech, Netherlands, spoke on the topic of quantum computing and its applications in cybersecurity. Quantum bits are called Qubits and cannot be copied. Any attempt to do so can be detected. In quantum communications, security can be mathematically proven. Quantum communications in the cloud helps secure designs, ensure passport identification, and other applications. AI plays a useful role in design and control alongside quantum devices. It can enable accessibility for E2E security in small regions as we progress towards repeaters, which are Qubits over a long distance. Ultimately, we should be able to connect all of Europe through secure quantum networks. How soon this can happen, only time will tell.