A redefined edition of European Security Forum – or ESF – took place last September 15th, at the ECCL, in parallel with ICT Spring. This first ever phygital edition allowed the participation of experts located all around the world, who shared their vision, discussed the latest trends and advocated their best practices.
Master of Ceremony Gregory Wawszyniak Dumont (Public Relations Officer at SECURITYMADEIN.LU) officially opened this phygital edition of European Security Forum.
The conference started with a video of Franz Fayot, Minister of the Economy of Luxembourg, who stated: “the Ministry of the Economy is very actively involved in cybersecurity and has been since 2001, always with a positive and inclusive approach”. He explained that the wake-up call was the “I love you” virus back in 2000, which showed how vulnerable we were to cybercrime. “The impact of cyberattacks can be dramatic and mass outbreaks can be very hard to stop. Everybody can be prepared for cyberattacks”, he highlighted. The Minister also said that the new cybersecurity strategy of the government will be published at the beginning of next year; it focuses on a business-friendly and positive approach: cybersecurity concerns all individuals, cybersecurity creates trust among citizens and businesses, cybersecurity is an economic opportunity and finally, it is a collaborative task involving governments, companies and individuals. “Cybersecurity is, at the end of the day, about empowering people. Attackers often target our human weaknesses, which are triggered easily, especially if we are unconscious of cyber risks and best practices,” highlighted Franz Fayot, who concluded: “Cybersecurity also requires good coordination, inside organizations and among humans. It’s not a product, it’s a process”.
Pascal Steichen (CEO, SECURITYMADEIN.LU) then took the stage. The expert first described the local ecosystem, which he labeled as “reliable, dynamic and open”. He added: “The Ministry of the Economy has been part of it since day 1, back in 2000, in the creation of a robust cybersecurity strategy. In fact, cybersecurity is a factor of economic attractiveness”. Pascal Steichen then listed some of the main initiatives that have been launched in Luxembourg, the Cybersecurity Competence Center and the national brand for cybersecurity being the latest projects. “In Luxembourg, more than 300 companies are active in the field of cybersecurity, with a diversified solutions portfolio and 68 startups from 4 incubators,” highlighted the CEO of SECURITYMADEIN.LU. He also underlined that the country is open and aims at the democratization of cybersecurity through a collaborative approach coordinated at national level, and by fostering open source communities and a data-driven economy. He ended his presentation by sharing the first lessons of this cybersecurity journey: “building a culture of security takes time, pragmatism and persistence are key, live the concept of co-competition, partner with peers, and share at all levels – governance, operational, sector specific”.
"Social Engineering - The dangers of a friendly face" was the name of the keynote speech given by André Meyer (Security and Cyber Defense lead, Accenture). The expert first defined social engineering: “it is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes”. He then shared an example of a test project which was led within a German bank more than 10 years ago. “In a month, I was able to get a domain admin account, to access the CEO’s emails for the previous 12 months, to take a selfie picture in the CEO office with his PC unlocked and latest board meeting minutes on the screen, etc,” he explained. André Meyer then shared the 6 pillars of how to make people like you: reciprocity, scarcity, authority, liking, commitment and unity. “In the current context, you don’t even have to be the fact that is known by people. There is a new landscape: spoof websites, pretexting, vishing, fake news, SMiShing, phishing, etc,” he added. As a conclusion, he listed the keys to preventing such threats: awareness, training, penetration tests and continuous monitoring.
“How is the cyber threat evolving and are we up to the challenge?” was the question asked – and answered – by Dr Jamie Shea (Professor of Strategy and Security at University of Exeter & Former Deputy Assistant Secretary General for Emerging Security Challenges at NATO). “Cyberthreats were new in the early 2000s but now, anyone can be a target. Moreover, there are new vulnerabilities: for instance, with the democratization of space activities, new threats have appeared”, started Jamie Shea. According to the expert, cyber weapons can also sometimes cause more collateral damage, as, for instance, an attack on a state or government could have a disastrous impact on companies. “Moreover, those are weapons with multiple uses: cyber is difficult to track and it is tough to know when it will end. From intelligence gathering to the spread of disinformation or propaganda but also to more conventional criminal activities, cyber can do a lot,” he added. He also explained that we are now moving from conventional attacks to much broader anti-societal campaigns. He also advocated the sharing of information, in order for Interpol to work on a standardized law on cybercrime, so that attackers are dealt with equally wherever they are. “NATO and the EU are also experimenting with a tool box. Also, we need to exploit the expertise and knowledge of the private sector. Cybersecurity is a team sport”, he concluded.
A round table discussion entitled "EU Cybersecurity Act and the implementation of the NIS Directive" brought together Sheila Becker (Head of Network and Information Systems’ Security (NISS), ILR), Dr. Gabriele Lenzini (Senior research scientist in Security of Socio-Technical Systems at SnT) and Konstantinos Moulinos (Information security expert, EU Agency for Cybersecurity – ENISA). It was moderated by Alexandre Dulaunoy (Security Research, CIRCL). “It’s a lot about collaboration; at ILR we advocate a collaborative approach to reach the goal of having a common level of security. Yet, the issue is harmonization in Europe, therefore, we are trying to establish communities”, started Sheila Becker. She also discussed the need to share information about threats and incidents, but also preventive information and measures as well as best practices. Gabriele Lenzini also insisted on the need to harmonize and collaborate, even in the field of research. Currently three pilot projects are taking place in Luxembourg, with the participation of several actors. He added: “the value extracted out of information sharing is evident and will be beneficial for all. We are sharing our research with the private sector and are even developing programs together, around the awareness of cybersecurity. It is key to have interdisciplinary projects”. According to Konstantinos Moulinos, “all member states see the NIS Directive as a step forward and have a national cybersecurity strategy. The compliance phase is over and they are now moving to implementation”. He also focused on the collaboration with the private sector, but also on the coexistence with other legal regulatory frameworks such as PSD2 and GDPR. He concluded: “We need to create a strong cybersecurity industry in Europe, and even encourage companies that are not concerned with the NIS Directive, to finally create European cybersecurity products”.
After the break, the organizers welcomed Stéphane Duguin (Chief Executive Officer at CyberPeace Institute) for a keynote speech entitled "Bits and peaces: looking ahead". He started by describing the current context: “complicated challenges and many topics: cyber place, cyber criminals, cyber this, cyber that. All those words do not even have a real definition. The real challenge is to use innovation to tackle and address this magnitude of challenges”. He also insisted on the convergence of disruptive technologies, all growing exponentially, creating new challenges and new threats, as well as on the fragmentation of law. “In this complex situation, we wish we could have a framework and a methodology to achieve peace in the cyberspace. Our mission is to put Humans back at the center of the conversation. Start with Humans and design professional responses, keeping the interest of Humans first,” he added. Stéphane Duguin then shared several examples, notably the one of an NGO active in Afghanistan which removes mines, but also discussed the impact of cyberattacks perpetrated on hospitals. He concluded: “If people are at the center and we invest in tech capacities to gather evidence that is transparent and efficient, we could have a totally different approach. Cyberpeace exists when human security, dignity and equity are ensured in digital ecosystems”.
"Digital Continuum and European Cybersecurity Autonomy" was the name of the presentation given by Luigi Rebuffi (Secretary General at European Cyber Security Organisation (ECSO)). “In the last 6 months, the number of cyberattacks was multiplied by 4. The acceleration of digital also means the need for more cybersecurity,” started the expert. According to him, most sectors and citizens were not ready for such a change, and cyber hygiene was generally missing. People were teleworking for the first time with no training on how to work in a secure way. “How can we be prepared when we do not know where we are going? Risk management helps to identify threats and remedies, but the strongest solution remains resilience. We need to increase the level of preparedness for the challenges we know and the level of resilience for the challenges we will face tomorrow,” he added. According to him, most people are almost digitally illiterate: the level of digital maturity is increasing but it is not yet enough. He ended his presentation by describing the 5 pillars to face the current and future situations: having a comprehensive vision for cybersecurity and resilience by design, focusing on education and skills, advocating for an increased digital sovereignty for Europe, improving trust in the supply chain, and also continuous public-private collaboration.
Cédric Mauny (Cybersecurity lead at Telindus) also took the stage and focused on "2021: On which strategic areas Security and Risk leaders should focus on to remain vigilant". The expert first focused on the beginning of the year, with cybersecurity professionals having to fix several vulnerabilities, notably on VPN networks. “At that time they did not know that their actions were going to be very important because from March, attackers began to leverage the trend of the coronavirus”. He added: “2020 will be remembered as the year when every company tested their Business Continuity Plans and Disaster Recovery Plans. Also, Covid-19 actually led the digital transformation of companies. Staff was no longer working from the secure perimeter”. In the current situation, when working from home with everything going through the internet, Cédric Mauny said “trust no one to ensure the security of the corporate data”. According to him, companies should invest in the zero trust paradigm. “People are very important in the cybersecurity chain because they are known as the human firewall, strong and weak at the same time. Securing the new normal will be the next step for companies”, he highlighted. He also explained that one strategy could be efficient to protect the business and to protect the business of customers and partners: prevent, detect, respond, predict, share and practice. As a conclusion, he shared his predictions for 2021: ransom will still be on the rise, increase of critical vulnerabilities on exposed systems, advent of ecosystems, top management will be the sponsor of a major shift in the security mindset, compliance will get closer to security, etc.
A round table discussion entitled "Unlocking the public debate on encryption by bringing an innovative approach", moderated by Jean-Christophe Le Toquin (Coordinator, Encryption Europe), and with the participation of Annette Cassar (Seconded National Expert, European Commission), Lucien Castex (Secretary-General of Internet Society France) and Pierre Van Wambeke (CEO, Seezam), then took place. According to Jean-Christophe Le Toquin, encryption is not a new topic but is still very sensitive: it recently became more prevalent and recommended for all types of users, due to an intense digitalization. Annette Cassar then focused on encryption and the fight against online child abuse. “The Commission reviewed its measures and adopted a strategy to set out a framework for developing a strong and comprehensive response to such crimes,” she added. It is also working on identifying and assessing possible technologies, along with private companies, to fight against child sexual abuse in encrypted environments: “the industry has a huge role to play. Encryption is more available and even criminals are using it. We are working on new mechanisms of investigation”. Lucien Castex explained that the pandemic transformed the way we work and communicate and that it shed light on a number of challenges and risks related to security, privacy and fundamental rights. “The Internet Society believes that strong encryption is more important than ever. It is a key tool to fight cybercrime and protect vulnerable people, but also the communication of law enforcement, military, emergency response, etc. It is crucial to support the economy and growth of the internet, as well as protecting the fundamental rights of its users”, he underlined. Pierre Van Wambeke added: “I see secrecy as the result of encryption as a defense tool, not as an offensive weapon. Encryption is needed to protect essential rights, medical secrets, the sources of journalists, information about ongoing investigations, etc. Having secrets is important and there is no taboo: when voting, our vote remains secret. Encryption allows it”.
Aline Moyret (Practice Lead Governance, Risk and Compliance, EBRC) shared a presentation entitled "Cyber-Resilience: a need for a common business continuity and information security approach". According to the expert, information security and business continuity were approached in parallel back in the day, and therefore, there was limited interaction between the different actors. “We have now moved to cyber-resilience. It refers to an entity’s ability to continuously deliver the intended outcome, despite adverse cyber events. It also consists in aligning continuity and information security strategies, with a strong understanding of business needs and of the ecosystem”, added Aline Moyret. The expert then shared the EBRC approach, which starts with a gap assessment to understand the current posture, then consists in understanding business needs through a business impact analysis and a risk assessment. “It is also necessary to opt for a combined approach for an optimized Integrated Management System and it is critical to test and exercise”.
Craig Jones, Cybercrime Director at INTERPOL, then focused on how to "build a global law enforcement response to cybercrime". As explained by the expert, crimes are increasingly international and connected, and criminals are taking these “opportunities” to make a profit with no regard to victims – individuals, institutions or companies. “Interpol is a global law enforcement organization and has three global programs: organized and emerging crime, counter-terrorism and cybercrime. The aim of our program is to support and coordinate countries’ efforts to combat cybercrime. Our goal is to reduce the global impact of cybercrime and to protect communities for a safer world,” he highlighted. The expert then discussed the cybercrimes which happened during Covid-19: malicious domains, disruptive malware, online scams and phishing, vulnerability of the remote workforce and misinformation. As a response to such threats, Interpol established a global malicious domain taskforce, published purple notices as well as cyber activity reports shared with member countries, offered direct support and launched a global awareness campaign, #WashYourCyberHands. “Our activities are built on three pillars: technology, resources available and infrastructures. We are also part of a global ecosystem of cybersecurity, along with the private industry, national CERTs, law enforcement, NGOs, international organizations and online groups.” After describing some of the ongoing projects – the production of a cybercrime threat assessment tool, projects around cyber norms, laws and policies – he concluded: “we are here to help police meet the challenge of fighting international crime in a complex environment that keeps on evolving”.
"Building Sustainable IoT using the Seven Properties of Highly Secure Devices" was the name of the keynote speech given by Diana Kelley, Co-Founder and CTO, SecurityCurve. As explained by the expert, security needs to be built into the device when it comes to securing the IoT world. “There are many downsides to not thinking about it, because by 2025, there will be more than 41.6 billion things – including cars, televisions, fridges, all things connected. These objects also communicate with each other by sharing data: by 2025, they will share 79.4 ZB of data, in what will be a 5 billion dollar market. These things therefore need to be resilient and protected”. She added: “as data accumulates, exposure issues will increase”. The expert then discussed the 7 properties of highly secure devices, developed by 3 researchers at Microsoft, that will help create a more sustainable IoT, good for organizations and for the entire society. Those seven properties are: hardware-based root of trust, small trusted computing base, defense in depth, compartmentalization, certificate-based authentication, renewable security and failure reporting. In addition to those 7 properties and as a conclusion, she shared the IoT Security Maturity Model (SMM) with the audience.
"GDPR: lessons learned about its weaponization and the importance of encryption" was the name of the presentation given by Dr. Greg Dzsinich, Executive strategist and attorney-at-law and Board Member of CyAN. “When GDPR arrived, people finally saw light at the end of the road. They also thought that they were ready to take on all those challenges, but we all faced important problems on the first day of GDPR”, he started. He then shared the 3-legged chair example: “if one of the legs is broken we fall down. GDPR in motion requires three main aspects: policies and documentation, security, operation”. “We need to train people to understand it, monitor, and keep KPIs open and correct if needed. Trust is the most important part of that chair”. Dr. Greg Dzsinich then underlined that the main failure was the single person show effect: “the person responsible for data protection is often the sole actor. It is the wrong strategy because it should be the mission of a multidisciplinary team. The whole company actually needs to understand it and be able to report problems and generate corrective measures”. He then discussed the risk factors – outside and inside – and shared several cases such as the weaponization of GDPR. He concluded: “we should drive GDPR compliance as an attitude of workplace and client care excellence”.
The day ended with a round table discussion entitled "Luxembourg Think Tank CISO" and moderated by Cédric Mauny (VP, Leader Think-Tank CISO, CLUSIL), with the participation of Myriam Djerouni (CISO, LUXITH), Laurent Hourlier (Director IT Security & ITIL Processes, CHAMP Cargosystems), Arnaud Simonin (CISO, Dennenmeyer) and Lars Weber (ISO, BCEE). According to Myriam Djerouni, “the CISO has a central position as he needs to collaborate with the different functions of the company. His purpose is to act as an orchestrator, and ensure that security topics are involved and followed in all those areas. Moreover, he must lead discussions and be able to speak different languages, whether it is IT or non-IT”. She highlighted that the CISO must also have the support of the CEO and ensure that business is running in a secure way. She added: “IT supports the business, but business must be performed in a secure way, therefore security must be taken into account right from the start”. Laurent Hourlier then explained that the goal of security is to protect business, with security requirements being driven by the business. “Security is transversal and brings new challenges people cannot focus on. Therefore, companies need to have an expert to tackle those challenges: the CISO. He must clearly understand the business and must be experienced enough in several domains, from IT and project management to service delivery, etc.” Arnaud Simonin stated that the CISO obviously has to have a certain security expertise but he must also be the security translator. “In a company, people all talk about security in different ways. The CISO must advise but also translate the expectation of business lines in a language understood by others. He holds a central position and must be able to be the interface between all players. Therefore, soft skills are important: he must be willing to learn, communicate with people, share information, anticipate, etc. Finally, security is a never-ending story”.
Finally, Lars Weber explained that the CISO needs to tackle different challenges, from security to risk management and figure out a way to build one single approach. “He needs to follow all the trends and put the strings together in order to deliver the correct approach and strategy. The CISO needs to federate all those different energies”, he added.
Photos: Dominique Gaul
Published on 7 October 2020