Kick Off Meeting
In the wake of the official launch of all four Cybersecurity Competence Network pilots on 26 February, representatives of the 43 CyberSec4Europe partners came to Brussels for a two-day kick-off meeting on 28 February / 1 March. Over the course of the meeting, each of the project’s ten work packages was given a two-hour slot to introduce itself and to start planning for the 42-month project.
Kai Rannenberg, project lead from Goethe University Frankfurt, addressing project partners and guests.
The panel gets underway! See below for a summary of the discussion.
Evening Panel Discussion
On the evening of the first day, over a hundred guests were invited to listen and then question a panel that was asked to discuss the question, “What do stakeholders expect from the Cybersecurity Competence Network pilot projects?”
Julia Reda is an MEP and rapporteur for the Cybersecurity Competence Network Centre Regulation. She said it is critical that the infrastructure on which applications run be secure. Training is also important, as is the need to ensure diversity. This is a male-dominated field, and we should capitalize on the power of diversity, perhaps using consumer organizations’ applications as the entry point for cybersecurity, since most people are not affiliated with academic institutions. From the European Parliament’s perspective, it is important to stress the strategic role of Europe and the trustworthiness of the IT infrastructure, using security and privacy by design. Julia also mentioned participating in a hackers’ group to see the state of cybersecurity from the ‘other side’. She is also chair of the Horizontal Cybersecurity Working Party, which takes a different approach based on citizens’ use of digital services. The activity of the network should be based on the activities of the pilots.
Daniel Ioniță, representing the Romanian EU Presidency, agreed that we should be taking citizens into account. The initial plan was for a centrally-led network managed by the Member States, but the network is now conceived as self-sufficient and led by the pilots.
Jean-François Junger is Deputy Head of Unit at DG CNECT’s Cybersecurity Technology and Capacity Building, and said that cybersecurity is everybody’s business, to be tackled together. A well-managed certification scheme is a critical instrument to assure people that the network infrastructure is secure; strong industry support for projects brings different communities together to work with one another. Trust and confidence are the key elements to achieving success.
He also observed that this project, along with the other three pilots, is different from all other H2020 projects and that we need to help the Commission ensure the viability of the proposed future Competence Network. The Cybersecurity Act will reinforce the role of ENISA and create the certification scheme that enables industry to obtain assurance on critical hardware and software. The EU has allocated EUR 2 billion for cybersecurity through both Member State and industry investments. Once the law is approved, the EU will want the pilots to prepare for its execution and for the roll-out of the network of competence networks. The four pilots should work as one project and strive to bring the various communities together.
Roberto Cascella, Senior Policy Manager, ECSO Secretariat, started long ago with NIS and then moved to ECSO, where he continues to pursue ECSO’s original direction: to address certification, the Cybersecurity Act, industry and citizens in a collaborative manner.
Jean-Pierre Quémard, Chair of the CEN-CENELEC Focus Group on Cybersecurity, reflected that the main objective of the competence centre project is to develop competence in Europe. In France there are 750 security companies, of which 82.5 % have fewer than 15 employees. In the US, companies in the same sector are 50 to 100 times bigger. There is a lot of duplicated effort, with people working on the same engineering topics.
There is a need to make the European community more resistant to cybersecurity threats. With more collaboration and harmonization from the R&D point of view, we will retain competitiveness and get more results, such as:
- exchanging information on vulnerabilities among countries
- increasing awareness and training of ordinary citizens to make them aware of risks
- recruiting and adding people (because they do the same things)
- supporting European regulation
- completing standardization work started by R&D projects that don't have the budget to complete the standard
- promoting the eIDAS regulation which was lost in the GDPR noise
There are too many companies delivering the same product, for example in support of eIDAS-based trust services. The concern is that the competence centres should continue the work that CyberSec4Europe and others have started, for example the promotion of Common Criteria and (self-)certification for IoT devices through security and privacy by design. Commercial identity management services are also important: we should not rely solely on Google and Facebook. Competition is good, but now the projects must collaborate.
Wojciech Wiewiorowski, Assistant EDPS (European Data Protection Supervisor), recalled that the first personal data law in the world came from the State of Hessen.
What does privacy by design mean in practice? Buzzwords are proliferating without contributing to the store of knowledge, and their meaning is lost on regulators. It is important to go beyond buzzwords to practical projects that answer what privacy by design actually is. Privacy needs security and security needs privacy in order to arrive at practical solutions that become state-of-the-art technology. The GDPR requires solutions to be state of the art, yet different platforms and entities each create their own environment.
For example, the authorities spent five years trying to regulate smart metering solutions because they appeared interesting. But they were not state of the art and, due to inept marketing, never took off – altogether a waste of time. It is important to consider not only prevention, but also how to help people who have been victimised to recover.
With the GDPR and the certification scheme, there is a clear overlap between security and privacy: should that be so, and should each product be certified separately under different schemes at the same time? According to a recent Symantec report, innovation produces the biggest growth in intelligence.
Frederico Oliveira Da Silva representing the European Consumer Organisation (BEUC) said that there was no definition for security by design or what the regulation means by it.
Too many products have vulnerabilities, and it is not possible to recall an insecure product from the market: the laws in most countries simply don't support it. Three years ago, testing started on "My Friend Cayla", an interactive doll that connects to an app on a mobile phone or tablet over Bluetooth, and on other similar dolls, to evaluate their vulnerabilities. Several Member States were contacted about the results, but two years later the doll is still on the market. Only in Germany, which has strict privacy laws protecting against surveillance, did the authorities act, instructing parents to destroy the spying doll, but without refunding their money. If it were voluntary, manufacturers would have no incentive. Consumer products really are the weakest link. However, consumer organizations have been testing products for some time and are now starting to test connected products as well.
In 2017, SIM cards in child-location devices were tested again for vulnerabilities. 17 consumer devices were tested by ethical hackers and, despite most of them being hacked, the majority are still on the market, with just two vendors having fixed their bugs. Certification schemes do not cover all aspects, and that is where the gaps and vulnerabilities lie. However, it should be possible to enforce a legislative approach through data protection (GDPR).
The panellists were asked to identify their most important cybersecurity issues:
- Julia: an open source certification program. Having espoused the use of open source, the OpenSSL vulnerabilities "were an eye opener"
- Daniel: "Hackers use no antivirus or security software to slow down their machines but they use the full power to attack, not protect"
- Roberto: certification is no silver bullet. There should be processes in place to address zero days and provide fixes
- Jean-Pierre: consider risk analysis – there should be a checklist for the general public and training
- Frederico: how do you make cheap routers (RRP 20 EUR) cyber secure?
The panellists were then invited to identify in two words the top threats:
- Julia: cyber security issues created by legislation through unintended consequences.
- Daniel: human factors – not respecting the rules, training and education, lack of skills, new technologies
- Jean-François: trust and skills and awareness (everyone needs to know)
- Roberto: trust and reliable supply chains
- Jean-Pierre: Identity management
- Wojciech: dual-use technology, and how to make secure technology without feeding the criminal market; what to do when data is stolen in order to recover to the situation before the incident
- Frederico: Vulnerabilities of interconnected products and the lack of legal basis to remove old products from the market
There followed a discussion on how the odds are stacked against SMEs getting involved in H2020 projects, despite the EU’s commitment to supporting SMEs generally. An interesting debate ensued on the difficulties involved in getting ethical hackers involved. It was observed that when lawyers don't know how to answer, they say it is an ethical issue, whereas business people say it is a matter of trust.
The lively two-hour debate was moderated by David Goodman, Senior Consultant, Trust in Digital Life Association, and was followed by a networking reception, hosted by the Representation of the State of Hessen to the EU.