Momentum! featured four keynote speakers representing different external perspectives on cybersecurity:
- Mário Campolargo, Secretary of State for Digitalisation and Administrative Modernisation, Government of Portugal, who previously worked at DG CONNECT
- Oliver Väärtnõu, CEO of Cybernetica AS, an Estonian SME
- Bart Preneel, Head of Computer Security and Industrial Cryptography (COSIC) at KU Leuven
- Ievgen Vladimirov, honorary member of the International Cybersecurity University, and formerly Deputy Minister of Energy of Ukraine for Digital Development, Digital Transformations and Digitalization from 2020 to 2021
Mário Campolargo, Secretary of State for Digitalisation and Administrative Modernisation, Government of Portugal
Mário is working towards the modernisation of the Portuguese government through digitalisation, which requires a new mindset and new ways of working, with people at the centre. New technologies have value for companies to develop intelligent territories. We need to tackle cybersecurity as one of the key points. We also need safe digital services. We would like to have better services and not leave anybody behind – a human-centric and whole-of-society approach. The Portuguese presidency has stressed a fair and digital recovery for Europe.
Issues of trust prevent further adoption. Digital technologies are key for a new society and economy, but we must ensure safe and trustworthy digital technologies, with cybersecurity being one of the components that enables trust. Covid accelerated the migration to cyberspace. It diversified the threat landscape – the current main threats are ransomware and social engineering. Cybersecurity has become a business venture – ransomware as a service or even open-source. Cyber threats accounted for 5.5 trillion EUR. The new political reality is another key aspect that impacts cybersecurity.
The new cybersecurity strategy is important – a safer single digital market. The new Cybersecurity Resilience Act (CRA) shows the direction of development – a critical regulatory instrument to ensure the security of the whole supply chain.
Europe has developed a regulatory framework, but we need to go further. We need to have cybersecurity present in everyday life. Cybersecurity should be seen as an investment, not a cost. CyberSec4Europe relates to these concerns and to the ECCC and the NCCs. The mission of the ECCC is to provide a dedicated approach, using the Digital Europe and Horizon Europe programmes, in order to facilitate strategic cybersecurity projects, achieve quorum among Member States, deepen strategies and ensure coordination inside the EU.
In summary, Mário believes it is important to foster digital skills and people, by endorsing smart solutions in the private and public sectors and bringing digital (automated) public services closer to the citizens. Digitalisation efforts are important from both the personal (user) and the societal perspective. The issue of threat is present in all aspects of digitalisation: digitalised solutions should be both safe and trustworthy. Mário agrees with the most important issues that ENISA has pointed out in their report, which estimates that 10 TB of data are stolen every month. The implementation of cybersecurity has to be met with the same ambition and commitment as the development of promising new technologies, such as 5G, IoT and AI. The new Cybersecurity Resilience Act and the NIS2 directive are good examples of this.
The challenge is to make cybersecurity a part of the everyday lives of people and organisations – how to make it important and relevant to them. The ECCC will help with joint, focused funding and research and with European independence, and of course national governments play a key role through how they implement the regulations. Cybersecurity is important for resilience and recovery.
In Portugal, they have the C-academy for ICT professionals (public and private), with 44 courses spread across the country. The C-academy is an addition to the more generic training that existed before. Scale and distance from the main centre diminish involvement and intensity. For this reason, Portugal also has a C-network – seven centres spread across Portugal’s regions to give local support to the cybersecurity efforts; these are connected to the C-academy and could serve to support the Portuguese NCC. A Cybersecurity Hub was established in Portugal, which has produced best practices and some certification possibilities (a national certification scheme following the EC certification schemes).
As a result of these initiatives, Portugal recently advanced on the global cybersecurity index from 47th to 14th place.
Question from Kai: How does the implementation so far integrate with or translate to the current NCC/ECCC efforts? What do you expect from the NCC/ECCC?
Mário: National strategy work has to be aligned with the goals of the EU. National strategies, work and efforts should form, mould and lead the EU goals and policies. Collaboration in the cybersecurity field and with related fields and disciplines is important and connects the goals of Portugal’s efforts with the ECCC’s goals.
Oliver Väärtnõu, CEO, Cybernetica
Oliver expressed his thanks for being given the opportunity to provide an insight into the industry perspective on cybersecurity.
He started by telling the story of eEstonia and Cybernetica’s place in it: how, over the last 60 years, an organisation has blended research and development with cybersecurity always at its core.
Cybernetica was founded in 1960 as a research institute called the Institute of Cybernetics under the Estonian Academy of Sciences. It was a direct response to Norbert Wiener’s famous book from 1948, which established the discipline of cybernetics, called, as he put it, “Control and Communication in the Animal and the Machine”. The discipline essentially studied how, with the use of technology, one could make societies and systems more efficient. The Institute of Cybernetics was really focused on applied science, on how to develop practical solutions, for example for the mining industry, or on how to improve factory production systems. At its height, the institute had around 700 employees and was servicing not only Soviet Estonia but also the wider Soviet ecosystem.
At the end of the eighties came the independence of Estonia. All links to Russia were cut and our funding and client base collapsed. And that did not only happen to the Institute of Cybernetics, but to all other 15 institutes that existed at that time, plus our universities. The Estonian government faced a serious challenge in how to gear its research and innovation system towards its own national goals – what were the goals, what was the optimal innovation system for our current and future needs? A decision was taken that these institutes were to be merged with the universities, which were to become the main research and development agencies in Estonia, of course with a radical decrease in funding and personnel.
There were a few exceptions however, the Institute of Cybernetics being one of them. It became a company, which played a key role in creating the new governance structure for Estonia. It had struck a relevant balance between understanding computer science, governance (or governance systems) and information security (or cybersecurity, as the discipline is known today). The first two disciplines are evident from the definition, but information security perhaps not. The decision to start developing information security as a discipline was taken in the mid-1990s, after having seen that IT systems would become prevalent in their usage. The security aspect is one of the most fundamental characteristics in order to guarantee their widespread use.
So when Estonia really started to build up its institutions in the mid-1990s (the first years of our independence were really a transition period), it had the guts and the entrepreneurialism to think about what the new form of government could be. Perhaps it was not about building brick houses to service its citizens, but rather something new? Estonia took a plunge, as the Economist noted some years ago.
The politicians, who were in their twenties and thirties, had heard of computers and a thing called the Internet, perhaps even seen them and played the first computer games, programmed a line or two of code. They created the Tiger Leap Program and an organisation called the Innovation Fund to engage the researchers to look into the future, to design something new. A digital government, or the digital society? Some of the issues that needed to be solved had to be designed at the societal level rather than only for governmental purposes.
And so the journey started; funnily enough, it didn’t start by creating technology, applications and architectures. It started by creating a relevant legal framework, the rules and regulations for the government to interact in cyberspace, and to do this securely, and by creating the norms for the technologies that could be used for interacting. Cybernetica had a modest role here in advising the Estonian Parliament on the creation of the Digital Signatures Act and in amending the Public Information Act.
Then came the work on two essential building blocks – the architecture of the eGovernment system and identity in cyberspace. Firstly, what does an eGovernment architecture look like for a small country – is it centralised or decentralised, what kind of security requirements does it stipulate, what standards does it use? One could argue, just as in today’s cloud discussions, that in order to achieve efficiency one should put all data into one big repository and use this as a hub for the provision of governmental services. There was a strong school of thought propagating this so-called efficiency-based solution. The other school of thought, put forward by Cybernetica’s researchers and engineers, held that a democratic society needs a decentralised system: one where organisations interact with each other via peer-to-peer communication, where the data resides with the organisations that are responsible for it, and where the security aspects of the system (such as certificate management and the timestamping of transactions) are given to a relevant responsible government body. This system is today called the X-Road, which is basically the operating system of the Estonian eGovernment. It has over 700 organisations connected to it, with over 2.7 billion transactions made annually, from healthcare to transportation. The decisions based on security assessments made in the mid-2000s have enabled this technology to have zero downtime over the years and enabled it to withstand the first ever major cyber attacks directed against a nation, in 2007. Yes, certain nodes failed, but the system was redundant and stayed operational. Cybernetica is happy to note that, based on the experience learnt from building the Estonian X-Road, it has created a product called the Unified eXchange Platform, which powers around ten eGovernment systems around the world and will be adopted as the base technology for the first ever Japanese Data Bank.
The second building block is identity. In order to provide anybody with services on the Internet, one needs to know with whom one is interacting; that is, a strong identity is needed, both from an enrolment perspective and from the technology tool perspective. Furthermore, imagine the efficiencies for society (and Oliver fully understands that this is not always the case for all countries) if this identity is universal: that is, it is not only used by governments but also by the private and other sectors. After extensive technology and security studies, a PKI-based identity card system was chosen. First a pilot was run, and the cards were enrolled in 2002. It took some years for people to get accustomed to the card and for the private sector to push it, but today there is really no imaginable alternative. Estonians authenticate to all web-based systems (not only government) and sign all documents with their eID tools. Over the years, they have made the infrastructure more resilient, introducing Mobile-ID and then also Smart-ID, a purely software-based eID solution that provides an alternative to a chip-based infrastructure.
There was a slight scare in August 2017 when a security threat was discovered that affected 750,000 ID and e-residency cards issued between 2014 and 2017. It was reported that a code library developed by Infineon, which had been in widespread use in security products such as smartcards, had a flaw (later dubbed the ROCA vulnerability) that allowed private keys to be inferred from public keys. Luckily, they had the capabilities in the country to analyse and design a workaround to the system. Imagine, if we didn’t…
In this context it is important to note that an eID and its technology are things that form the basis of a nation’s sovereignty. From the lessons learned in Estonia, we cannot rely too heavily on one technology in these critical cases, but need multiple options to choose from. To Estonia, this is very relevant today in the EU discussions on the eIDAS2 regulation about the next generation EU digital identity, the EU wallet ecosystem. The proposed solution should not only be under the full control of the user to initiate interactions; the wallets themselves need to be under the full control of the countries that issue them. The dependence on secure hardware components (bearing in mind that no serious smartphone makers are from Europe) is maybe not always advisable, as they are hard to replace or cumbersome to modify. Software-based solutions, with the option to modify and upgrade them quickly, are a must and should definitely be stipulated as one technological alternative, especially where they have proved their security and usefulness.
The creation of these two key cybersecurity solutions has enabled Estonia to secure its foundations, create a culture of security and build quite a sophisticated ecosystem on top of it. Estonians declare their taxes in 30 seconds, do not carry prescriptions, access all of their medical data online, and vote online. In the last elections about 45% of Estonians voted via the web. And that is at the general elections, which no other country in the world is actually doing, mostly because of cybersecurity fears. Since 2005 they’ve been showing the world that the impossible is possible: that the subjective fears that are often spread can be overcome with logical research-based argumentation and proof that the technology works as described and not in any other way. Also, during the 17 years that Estonia has been running this system, there have been no security incidents: yes, there have been misinformation campaigns, but no incidents. In the next local elections, they will try out a mobile Internet voting system…
Oliver believes that for all these innovations to succeed requires three fundamental things: first, understanding the state of the art in technology and research; second, foresight on how these technologies impact society or its users; and third, incremental investment in order to keep them alive. As soon as you stop investing in these technologies and the underlying research, the technology becomes vulnerable and unusable. The technology world is increasingly complex and in constant flux; one needs to invest regularly in order to stay in the game, let alone stay ahead of the game.
So what does the future hold for Cybernetica and Estonia, what are they currently working on?
One aspect that they are keen to understand better is the notion of privacy in the digital world. What are the technologies that enable us to give people more control and more transparency over the usage of their data? Are there any solutions that, when deployed, could give data holders competitiveness in the usage of this data in a way that personal data is not revealed, or only revealed when there is a real cause or need for it? Cybernetica has been working on privacy enhancing technologies (PETs) since early 2010, including being part of the last three DARPA privacy programs. Today, we see that the world is getting ready for technologies like secure multiparty computation or zero-knowledge proofs – more and more service providers, even the likes of Meta, are coming up with practical needs. The Estonian government has initiated a Privacy Enhancing Technologies program, which is in its infancy today but probably has great potential for bringing additional guarantees and trust to the owners of the data, while also unlocking some of the value in confidential data. Imagine the benefits in healthcare or financial services …
Finally, Estonia is far from being an island. It is a small, micro player in a big pond; it is dependent on everyone in the ecosystem, from browser manufacturers to hardware producers to operating system developers. All of these stacks occasionally have a serious vulnerability or flaw diagnosed that has a significant impact on infrastructure, like the ROCA vulnerability diagnosed for ID cards in 2017. In order to be safe, there has to be a good operational picture of what is going on in the world; one needs to build coalitions with governments and relevant institutions to get information on possible threats and vulnerabilities as soon as possible. One needs to have the capability to process this information where relevant and to have a clear understanding of its impacts. The world is interconnected – one vulnerability might have an impact where it is least expected. Some interdependency analysis has been done in Estonia, but there is a lot more to do.
Oliver hoped that his speech gave quite an explicit overview of why they believe that investing in cybersecurity is a must. Without these investments one cannot actually guarantee the credibility of a digital ecosystem. The thought of being left out of a cybersecurity competence centre, as was possible when the eventual evaluation results were announced, was, to put it bluntly, scary. For Cybernetica, being part of the European ecosystem is fundamental, especially in today’s geopolitical context, where they see more and more regionalism.
He was very happy to see that the work done over the last two years on the competence centre pilot program has had real impact, and that all four projects have delivered concrete results in their specific domains, for example looking at the challenges in supply chain security assurance or medical data exchange. He was also glad to learn that all four pilot programs are in the process of formulating a unified research roadmap for the Competence Centre Program. Cybernetica already sees that the network has enabled them to strengthen their existing ties and to form new ones in the European cybersecurity ecosystem – pursue new projects, create new alliances. It is evident that, when collaborating, they are stronger and better prepared for the challenges that lie ahead.
Finally, he noted that they hope the European Cybersecurity Competence Network and Centre will leverage the work done in the four pilots and continue to pursue their goals, including facilitating contacts between different research bodies. At times, looking from Estonia, it is not clear how the new big picture, with activities being pursued by national governmental nodes, will all fit together into a Europe-wide network. But then again, he was sure that, as with any new initiative, time will sort things out.
Bart Preneel, Head of Computer Security and Industrial Cryptography (COSIC), KU Leuven
The last session before the evening event on the first day of Momentum! was a keynote speech by Professor Bart Preneel. The talk showed a common understanding with CyberSec4Europe’s visions in many important areas.
Following the previous talk, Bart agreed on the importance of certification for building secure systems. However, while certification nowadays mainly focuses on limited components like smart cards, complex systems (e.g., smartphones, computers, etc.) are hardly ever certified, increasing the risk of market failures. As a consequence, current certification schemes need to become more efficient and cheaper, and at the same time significant additional research efforts are required to also certify complex real-world systems. This will also require a paradigm shift from detecting security incidents (e.g., with the help of AI) to building secure systems in the first place.
The task of building secure systems directly leads to the challenge of more secure processing of (outsourced) data. While confidential computing using trusted enclaves such as, for example, Intel SGX or ARM TrustZone offers one part of the solution, it still requires trust in chip manufacturers or the like. Another important part of the solution is the use of advanced cryptographic primitives such as secure multi-party computation (MPC) or fully homomorphic encryption (FHE), which protect data while it is being processed. These solutions started with an overhead of up to 10^12 and have now reached sufficient efficiency for certain applications, with an overhead of about 1,000. DARPA is investing money to increase efficiency by an additional factor of up to 100 through hardware support, leading to fully practical solutions there. Unfortunately, while Europe could definitely make a difference here, Bart points out a lack of a clear European strategy and funding in this domain.
Therefore, in order to reach European sovereignty, the European Union may decide to accept, for example, the US as a strategic partner, with all the related implications regarding self-sovereignty. If not, Europe needs to build its own entire ecosystem, going beyond the European Chips Act to also include software, operating systems, network equipment and the like. However, as it might not be feasible to fully rely on EU-only products, a possible way out is the use of end-to-end secure architectures, which could, for example, allow the transfer of sensitive data over potentially insecure network layers (leaving aside the important challenge of metadata). However, this may lead to tensions with, for example, the strategies of law enforcement. Therefore, clear policy decisions need to be taken. Furthermore, open systems will play an important role on the way to European sovereignty.
A last major topic of the keynote speech was the current research landscape. With many important players such as the ECCC and its national coordination centres (NCCs), ENISA, ECSO, Europol, as well as national governments with major investments in cybersecurity, it is hard to generate a common European vision. This leads to the situation that excellent research is performed within the EU, but final decisions – for example, on the selection of post-quantum cryptography – are taken by NIST. What is thus needed is a politically supported, bottom-up strategy to bring the many different views and approaches together. Finally, Europe needs to continue its large-scale investments in research funding, but should critically question the current approach – while sometimes a novel idea can lead to a market-ready product within a year or two, other research activities require a decade or more to reach maturity, as was the case, for example, with MPC or FHE. This should be better respected by the funding models, where currently most projects have roughly the same duration; more flexibility in the funding mechanisms for different research ambitions is required.
Ievgen Vladimirov, International Cybersecurity University, Kyiv
Ievgen introduced his keynote speech, ‘First-of-a-kind global cyber war’, by reminding the audience that life is the most important investment, and that its importance becomes clear to people when it is interrupted. War is the disruptor.
There are five recognised dimensions or domains of warfare: land, sea, air, space and cyber – the latter added in 2016 by NATO. The fifth is important because it has three interrelated layers of cyberspace, and all layers are interconnected. Starlink has helped Ukraine in its cyber defence.
The first cyber war is being fought in Ukraine, and it started in 2014, much earlier than the current aggression that began in February 2022. Ukraine was the most targeted country from July 2020 to June 2021. There is a very clear connection between the cyber attacks and what is happening on the ground in Ukraine right now.
Cyber attacks can hit targets much further away than any rocket can reach, as we can see from the number of countries that have been targeted. We all have one overriding question: if all of the attacks had been military instead, how could we prevent a mistake whose price might be a worldwide war?
How to move forward? This is the first real cyber war, and it has already been ongoing for eight years. We have to research it and draw conclusions for the next generations. We invite you to join us on this journey so that we can create the basis for new legislation. We have to understand the difference between military and non-military cyber attacks.
A number of examples:
- 2014 – a cyber attack on the election system at the time of Ukrainian parliamentary elections
- 2014 and 2015 – cyber attacks on the energy grid
- 2021 – the same attack on US critical infrastructure
Any cyber attack on state military and critical infrastructure which causes the failure of a critical service is equivalent to military aggression. If we consider this, then we could be prepared. But we cannot, or do not, see a cyber attack in the same way as we see attacks on the streets of our cities.
To conclude, we are making a call for collaborative research and European-wide legislation.
Question from the audience: What kind of data do you have?
Answer: All kinds of data which we have been gathering since 2014, collected by government stakeholders, which we are willing to share.