From Christina Rupp's initial talk, we have seen that Germany's governmental cybersecurity architecture is a complex ecosystem. In this panel session, we will discuss the challenges and requirements of European institutional cybersecurity architectures and how such architectures should be equipped to address current and future threats.
And then to my right we have, last but not least, Professor Rannenberg. He holds the chair of Mobile Business and Multilateral Security at Goethe University in Frankfurt. He was a member of ENISA's advisory group for many years and is currently coordinating CyberSec4Europe, which is a pilot for the European Cybersecurity Competence Network that the EU is establishing and that we have also seen on the map just previously. So in this panel we have 30 minutes for a conversation among the four of us. And then I would like to open the last 10 minutes for questions from the audience, but also from those of you who are joining us virtually, so that we can hopefully also have an interactive session. And I would like to start by asking all three of you an opening question. This is linked to the title of this panel: we have the challenges, now we have the stakeholders. So I would like to know, and it would be interesting to hear from your point of view and sector, what does the threat situation currently look like, and what do you consider the greatest challenges at the moment for governments in addressing cybersecurity? And maybe I would start with you, to share your thoughts a little bit on that issue.
Yes, sure. Thank you, Christina. And hello to everyone. Discussing the current situation from a national point of view, I think the general lack of, I would say, broad political acceptance of what I call required actions is an interesting discussion. I was in a meeting with the National Cybersecurity Council a few days ago, and the public sector members are already discussing budget restraints versus improved security. So I think that discussion is not done yet, even though we saw that this morning. Also, I believe that we still have a very big gap in broader skills among users in general terms: they simply are not aware of what the risks are. And then there is the lack of skilled people in the industry. I think the challenge we are facing in Europe, that we do not educate enough people to really work with security in software development, is definitely also a large challenge. And lastly, I was happy that you just mentioned sharing of knowledge; I've many times said: no sharing, no knowledge. I think we need to crack that nut, figuring out how we can move information about incidents, best practices, et cetera among all the friendly organizations that work together. How can we literally learn the lessons of breaches, et cetera?
Thank you. Bakka, maybe you would like to join in. Do you share his assessment, or are there any other aspects that you would like to add?
Well, yeah, for a large part I can concur with you. In the Netherlands specifically, where I come from, I can see that there is a big dichotomy between the public and the private sector, the public sector being very bureaucratic and slow and maybe less aware of the instant day-to-day problems. And the best cybersecurity people tend to want to work not in the public sector but in the private sector, because they pay better salaries, they give education, they let you go to conferences like this. Maybe it happens in the public sector as well, but there is also, not written fact but a feeling from the private sector, when you look at banks, where I worked for the past 20 years: they look at the public sector and the government as those guys who can't do it, and there are a lot of failures, not even in security but in general, and a lot of big budgets. And yeah, I think awareness and expertise, content awareness, is not seen as a very important part of the job. And I have experienced a job application, just for fun, going to the Dutch government and applying for the job of head of identity for the whole
Everything. And I was one of the three candidates, just to see how they thought about it. The number seven requirement on the list of requirements was: preferably some knowledge about identity management. Being the head of the Dutch everything, passport, digital identity logon, anything with government identity: preferably some expertise in identity management, and a lot of political skills. I think this pretty well paints the picture. That's exactly what we all thought from the private sector looking at the government.
So yeah, that's a problem.
So I could subscribe to what colleagues have reported from our neighboring countries, but I'd still like to bring up viewpoints that I consider important, both from a German perspective and also from the European initiatives that we are looking at. I think number one is obviously, in a way, the changed situation after the invasion of Ukraine, because that has definitely raised awareness for many, many people, but has also changed many things from a theoretical into a very practical approach. But I think that is something that people are actually aware of. The second thing is that digitization efforts need to actually be underpinned with security. That's already something where, I think, only some parts of the governments actually understand that. We see an interesting discussion at the moment with the German Federal Office of IT Security, which is supposed to be the core of secure digitalization in Germany.
And at the same time it is stuck in a very funny situation where the government is not implementing its own coalition contract at the moment, where it says to implement something there. Okay, they're busy with Ukraine and other things, we shouldn't blame them too much for that, but definitely that needs to happen. But number three is maybe, from my point of view, one of the most important things, and that's actually the whole issue of digital sovereignty and the play-out of digital sovereignty against convenience. Because digital sovereignty, I think you hear that on the lips of every politician every Sunday, but what it means of course is sometimes giving up on convenience, easy-to-sign-up, easy-to-do solutions, and the understanding that sovereignty means getting your act together and doing more work and living with certain inconveniences. That is actually something that I think is important but not fully understood.
I have the feeling... let me give you an example coming from Covid. We had a kind of unification of society, and all of these Zoom and digital conference platforms were coming up, and suddenly most people said yes, we take the easiest solutions that you can start with: Zoom offers this and that, and you go into that service that is most convenient, that easily works with my own laptop, smartphone and so on, and those are basically the ones from the big hyperscalers. At the same time, all of the information from all these quite serious meetings is happening somewhere, and it's actually not digital sovereignty. The digitally sovereign path would be to say: hey, we have locally hosted things, we have things like BigBlueButton which we can host locally, which we can understand, which can work out; we can ask the newest IT provider to set up something for us.
All of that is less convenient because it's a bit more than a few clicks. It requires a strategy and requires doing something. And in CyberSec4Europe we didn't have that in the work plan, but after Covid we decided to do something; we're happy that we actually had some brilliant people who said "we have this, shouldn't we make this a strategy?", and we said yes, we should make this a strategy, we should eat our own dog food. And I think eating your own dog food in terms of sovereignty is something which is not happening enough, and we need more of that, and that's why I like to highlight that very much, especially in the area of conference services and communication, because that's what we're doing here. So
Yeah, thank you very much. Very interesting. We have now mentioned some of the areas, awareness, sovereignty, but it would also be interesting, as we have seen these many actors on the screen right now and you have mentioned many challenges that we are facing: what stakeholders do you think are most important in actually addressing or working on the challenges that you have touched upon? Which actor do you see in charge? Or maybe you can also share experience from your country of best practice, how it is handled there, or what you would like to see more of. Maybe you can start and then we go round the other way.
Let me start by saying I'm absolutely impressed by this landscape that you have raised there, and I know that, for example, the people who are trying to set up the German National Competence Center for it, if they haven't seen it already (probably they have), will be very happy that this exists, because it's really difficult to say who's not responsible. And again, bringing in a result from CyberSec4Europe, we have a feeling that a lot of things have to actually come bottom-up, because that is where people understand what is happening. You can have wonderful strategies from the top, and you need support from the top, but let's say candid reactions on what is really going wrong and how one could do something better need to come bottom-up. And from that point of view, I'm not sure that I would say that any of these entities that you have on your list should take the leadership.
Some of them of course should take coordination; that means the Federal Office for IT Security should take coordination of the federal states as much as they can. But I fully subscribe to the situation that even a smaller country or federal state would say: hey, certain things we need to manage on our own, because it's part of our sovereignty. So I think all of the entities that you have... and I usually give chocolates to people who come up with things that are missing in your map and are important.
Okay. Yeah. From your experience, maybe also: how does the cybersecurity architecture look in Denmark, and how does it relate to the challenges that you've previously raised?
I think it's crucial that we are able to... I'm just thinking about this very, very complex structure that you're mentioning, and I've sometimes tried to explain, also in council meetings and in other cases, that this is like, you know, these enormous US highway junctions with roads going and bridges in all directions. There are so many initiatives going on right now, which at some point is of course great, but it's also a challenge. I think we are facing something where we need to figure out a way to have a combined management that can structure what is happening and put the priorities right, and in the same way also keep up the independence of the various branches of government. We saw that around Germany; we have the same discussion going on in Denmark. You have the sectors, you have the ministries, but at the same time you might also need a minister, and how do you organize that?
I think what we are facing with cybersecurity generally is that we have a tradition of seeing this as an IT problem, but today I think it's a matter of how we put our society together. It has moved, and that might not have sunk in completely in the different organizations. I think we need to figure out a way to work with that. That's why I talk about political leadership. We have one party in the Danish parliament that is proactively trying to propose something or other; well, okay, we don't want the Russians to do something bad, and we are aware of that, and there are of course the military organizations etc. But it's just not sunk in yet. One comment I had is that if you look at food safety and how big the public organizations are that work with food safety, you know, I think in Denmark we have probably 2000 people in that governmental body, and I don't know how many work with cybersecurity. That's definitely not the same number of people. So yes,
Coba, would you like to tell? I wish I had the same type of map that you prepared for Germany, one level up. No,
This was not what I expected.
I'm not sure if it's that full and complex in the Netherlands, because I think the operational stuff is mostly done by the public sector and they work together. And for the past five or six years I've been helping one of the banks that I worked for, for the three big banks in the Netherlands, to set up a fraud detection center jointly, and also a center to do the know-your-customer due diligence: you have to identify every person and do background checks. It takes 5,000 people per bank per year doing this full-time, just identifying and re-identifying customers. It's against money laundering and terrorism financing; that's not really cybercrime, but in these areas that are closely related, they are working together in the private sector quite well, because they really feel the pain, and they do it because they have had fines due to the legislation.
So legislation could have a good impact, but I think it's quite scattered and there is really a difference. The government and the private sector don't work together, and, as I said, they look at each other from different angles. I think if that bridge could be built, because the power is with the government (they have legislative power, power for policies, enforcement), but the private sector has the people, the knowledge, the skills. Maybe not the time, but they have the operations. And if that could be repaired, it's always better to have one big net to catch cybercrime than each one their own and not knowing where, for instance, to disclose your vulnerabilities. If you make that better, I think that could help a lot.
Yeah. Yeah. I think it's interesting that you've also already mentioned public-private cooperation, but I think Yca wanted to join in on your comments.
Just a small comment on the collaboration for the security part, because what the Danish government managed to do more than 10 years ago, actually 15 years ago, was to get the finance sector and the governmental sector to work together on one shared national eID service. I think that's something that... obviously I will speak about it tomorrow also, in my session, so just a small advertisement for that; you'll find it in the program. But the point is that I think one of the reasons why it has been adopted that well in Denmark is that the finance sector obviously had a huge interest in securing the access to the bank environment. I think it is obvious for everyone. And the government sector was struggling with: okay, how can we automate and make access to public services more efficient?
Obviously self-service and all the stuff that you can do, but they've somehow managed to do that. I don't know, I was not in that room 15 years ago when that decision was made, but they've been able to do it, and redo it, and continue to do it, and actually the banks are working together on the same eID service also. So they share that among the banks in some shared companies. I think that's a critical understanding that can be well used in other European countries, figuring out what could be the political path that makes it happen.
In the Netherlands, they tried from the private sector, but the government was not interested, so no, it didn't work yet. Yeah, let's hope for the eID wallets; then they have to work together in a way that cooperation didn't work
Out. Let's go back and try again, but I don't know.
Yeah, much remains to be done. Maybe it would also be interesting to hear: okay, you are coordinating CyberSec4Europe, as I've mentioned. I think it also includes many partners and associates. Maybe you can share a little bit of your learnings, how it has been assembling this whole thing, and your learnings on how this can be applicable, maybe how we can approach cybersecurity issues at the European level.
And the idea in principle is that we are supposed to be one of the pilots, to be the blueprint or an element of the blueprint for the European Cybersecurity Competence Centre. I think the first learning is a positive learning: European-wide collaboration can work, even under the conditions of Covid. So I am happy to praise the contributions, for example from our partners, which were essential for example in this BigBlueButton strategy; my understanding was they were embedded in a nice scenario in the Netherlands, but pretty aware people were doing something. And we could see that there is, let's say, a good understanding from our French partners, who come from Toulouse and not from Paris. So they know this idea that you very often have, that decisions are made somewhere in the center of the metropolis, and what happens elsewhere is maybe considered, but only if you're very lucky.
And so they were very helpful in shaping our thinking, say: if you want to do something real, we need to cover all the edges, and that means anything that happens in a place like Toulouse needs to work out. So these are good learnings. Another good learning was indeed, I think, this kind of open source usage strategy, not just an open source praising strategy. A challenge that we of course had was that it's never easy to have application people talk to security people. But I mean, that was a challenge that we set for ourselves, and we are still working on it. We have some nice low-hanging fruit in certain applications, in medical transfer, in smart cities, where security is now, from the pilot, from the demonstration project that we have, better than before.
So that was working out. I would say the biggest challenge was that communication, in the way you expected it to be, person-to-person communication, was suddenly interrupted, and we needed to deal with this Covid scenario, which to some degree I think we succeeded with. But on the other side, only now, afterwards, are we seeing what we missed to some degree, especially in terms of, you're talking about associates: we had a wonderful associate project and programs set up, budgeted for that, everything, and then nobody was allowed to travel. Now we're trying to catch up with it, but the project is a funded project, the funding is ending at the end of the year, so we can only do so many things. I think the biggest challenge is probably that the funders have not understood that this is a long-term activity.
I mean, we shouldn't complain, it was almost four years, but especially in these days, to achieve something one needs to work longer. But you also see that with the ECCC itself. By the way, the ECCC was started by a commission proposal in 2018 already; relatively fast, at the end of 2020, there was an agreement among the three pillars of Europe to get something going, and in 2021 they started. But still there is no executive director, as for a number of European things. Still, some of the funding programs in Horizon Europe are not made in a way that the NCCs can actually fund small projects for small companies. They can do something in the Digital Europe programme, where you need to co-fund 50%, which is then a killer for quite a few of the small enterprises. And so what we see is that you need to really have a very long-term perspective to get something going, and you should actually make sure that initiatives last at least as long as one innovation cycle.
Thank you. Thank you. I see that we're almost running out of time. So I think one last question before we open up for questions from the audience. Since we're already at the European level, I think it's worthwhile to mention that there are many changes in directives probably coming up, which is the NIS directive and the Cyber Resilience Act. And when we look at combining it with the actors, the national cybersecurity architectures that we have seen, it would probably also have many, many implications for national cybersecurity architecture. So maybe each of you could use two minutes of your time to think about how you assess the current state, maybe also with certification and the Cyber Resilience Act, or Coba, because the banking sector is kind of covered by the NIS directive: what do you assess as practical implications of the NIS directive and the Cyber Resilience Act? Maybe two minutes each, and then we open up for questions from the audience. Would you like to start? Yeah, yeah,
Yeah, sure. I think the Cyber Resilience Act is something we definitely need. It's too easy and too simple to put a product on the market and tell people that this is secure, and there is no verification, there is nothing. You can just put a sticker on it. It simply needs to change, and it needs to be worked out in a way. I know Germany is working with the BSI approval, and certification might be too heavy from my point of view, because it takes all this re-certification. But I believe that you can in some way work with a self-declaration process, and then the government has a body that can pinpoint products for a kind of sample control, and therefore you can work with that in a similar way to how you work with food safety, as one example. But I think the general thing is that government and the private sector also work together on the kind of preamble to legislation, or to a rule set, or standardization. We've seen a few times that a large governmental project is being decided within the government, and then when it comes out there's a lot of discussion; maybe universities have an opinion, maybe private sector members have an opinion, and then you end up in a mess. So putting things into a more structured process is definitely an advantage, from my point of view.
If you talk about the banking sector, they're already heavily regulated, of course, and there are a lot of pieces of legislation already looking at this, not specifically for cybersecurity. But being the head of identity for one of the larger banks in the Netherlands, globally, I had four audits per year: the European Central Bank, and they would dive into the systems looking at what's really there and whether it worked, the effect of the security; then the national bank in the Netherlands, then the internal auditor and the external auditor, and also our own department. That would be very costly and time-consuming, just to answer to the requirements for cybersecurity risk management. So I suppose that banks won't have a lot of impact, because they're already heavily regulated; they lose their money if they don't, they potentially lose their banking license. But I'm now working with hospitals in healthcare, and they don't even have an identity management system or don't really know what access control is. And within one week, interviewing five people, I found really large gaps and no understanding. So especially looking at healthcare, and looking at pharmaceutical machinery and software, that could be a large improvement. I think in the weaker sectors the impacts will be larger.
Well, two points I'd like to make. Many of these regulations that you were referring to actually refer to certification, and that's an interesting move, given that, for example, when ENISA was designed about 15 to 20 years ago, depending on how you count, there was an idea by some people in the commission to say we should do some certification to improve security in the European field. And basically that was all negotiated out, some people say lobbied out, by the interested industry parties who said this can only be done by the market itself, we don't need this. Now, 15 years later, people in the commission have said, well, it didn't really work out with the market, so we are going again for certification, and we're going in stronger, with a stronger stance. But all of these things that you mentioned are at the moment drafts, and it will be very interesting to watch and to see how much of the certification and enforcement activities, as they are at the moment written into the documents, will stay after they run through the typical EU machinery, and how much is left.
That will be interesting. I know there is lots of lobbying going on from many parties, for good reasons too, to reduce the effort there. So it's interesting to watch that one. The second one is: you were asking for leadership, and now you bring me to an example where I think leadership is maybe needed within the European commission. And that's two examples. One example I want to bring is two pieces of legislation that are coming in parallel, and it's so absurd in a way. We have the eID version two regulation, which goes towards digital wallets, which I think is a nice regulation in terms of making an offer to the citizen, but it's a quite big demand both on the technology sphere and on the member states to get their act properly together. Probably much of that will be smart-card based, but quite a bit will end up with some smartphone solutions, which is actually an interesting challenge in itself because of the inherent insecurity of smartphones.
But something may happen there. Now, at the same time, and I think many of the cybersecurity people don't really see this, we have a legislative initiative coming from the commission, officially going for child protection. And basically what it does, it says we want to do child protection against porn and against any kind of whatever is happening in this really terrible business. But basically the easy measures that are put into the draft are to either forbid encryption by service providers like social networks, or break encryption, so ask to have broken encryption in the smartphone, or to have some kind of so-called client-side scanning software in the smartphone that would check the software for any kind of illegitimate or whatever pictures. Now, if you look at this from the perspective of an IT security specialist, you would say all three of them are basically attacking exactly those mechanisms that we are trying to implement to get better security.
We're trying to get smartphones hardened against attacks, we're trying to get security and encryption established, and we are trying to make sure that our service providers are doing a proper job with encryption. And this thing comes and basically, in all of these areas, says we want to do something different. I mean, officially it says we want to set up an entity that is later going to make some recommendations and some enforcement. But practically, when it comes down to it, in all of the preparation it came down to weakening the security of IT infrastructures, and that's where we want to go for digitalization. So somebody in the commission needs to take leadership and say: hey, we never had any success in helping vulnerable groups by weakening infrastructure. And again, that's my leadership conclusion here.
I also see in some of the policies and proposals that there is a tendency to understand that pieces of legislation are impacting each other and are complementing each other, and that they should be harmonized horizontally across domains and industries, but also topics. And I hope this will help to repair this, but on the other hand it's a classic: usability, security and privacy are the triangle that are always impacting each other. So I don't think this will ever be fully helped.
Yeah, I feel like we could probably continue the discussion forever on this panel, but I think there are already questions from the audience. I think we might also have a question from our virtual audience. Do we not have
one from the virtual audience? Okay. Then I would like to give you the floor, and please maybe state your name, and also to whom the question is addressed.
Yeah, thanks. Mike Leer, I'm the C from the Germany organization, so I have a maybe provocative question for you as well. When I first stumbled over this cybersecurity architecture paper document, I found 100 pages, and now my question is: is it more a symptom, or is it already a cure for the problem which we started with? Is it a sign, or is it a signal? This is the first. A second statement is: we have a very well-working ecosystem on data and connectivity and communication, et cetera, which is the ICT industry. Why is there so little learning from that one, or so little spillover into IT thinking from that domain? That would be my two questions. Thanks.
Okay. Yeah. Then we keep the second question, so that we also leave room for our panelists to answer other questions. Yeah,
I know. Sorry. Yeah, sorry. My name is Mark Troy, I work for LastPass. I manage the solutions consulting team. I live in the Netherlands as well. I lived the first half of my life in the US and the second half in the Netherlands. And one of the things that I was amazed by when I first moved there was the fact that there was this notion of temporary one-time passwords with all the banks, where consumers, I think, understood how this mechanism worked. This goes back to just after the millennium, and I was pretty impressed by that. And as of late, and we were talking about this earlier, about DigiD, it's really simple as a citizen for basic services. If I look back at my relatives in the US, there's no commonality in any of this stuff. It's all over the board, and no one particularly understands it. So my question really is, I saw some of your network having to do with communication, I was completely mesmerized: is it just simply easier in a smaller country like the Netherlands or Denmark, with populations under 20 million, to solve these issues?
Well, our country is smaller, meaning we don't have the federal states and the federations and all those layers; politically we have one government. But of course DigiD is done by the interior ministry, and they tried to make a sort of wallet which was more generic, or a federation model, but it took them at least 15 years to get to the current DigiD. It works. The banks are really working together on anything with cybercrime. I noted the big CISOs of the large banks have their monthly meeting discussing what's going on in the world, just like the CISO council here in Kaar call, sharing. I even know that Rabobank, ABN AMRO and ING have a hotline for sharing vulnerability data. And for the banks specifically, they have very good detective controls. After you log in, everything looks fine, but there is a very big fraud engine behind the screens, so they can even see if someone else logs in for you. So they can make the login easier, because the detective controls are stronger.
I just have to interrupt, maybe to answer the questions from the room very briefly. That would be great, because we have to close down, but I'm looking forward to the answers to those questions.
And maybe we have another question here, but otherwise I can maybe also just answer the question of whether the architecture that we have seen is symptom or cure. I think, as we have seen, it is different in Germany in that we have the many entities, and I think it's not necessarily, I think it's a symptom actually, because it is a crosscutting issue. So I think it's not necessarily a bad thing that we have many actors involved, and we see that we have many new actors that have been established and also many actors that have already existed that have kind of taken up the issue of cybersecurity. But I think that makes it even more necessary. It is not the cure to have a system like that, but what I think the cure is, what we need is somehow strong coordination between the actors; I think maintaining that is necessary. And let me just take one quick question and then
I'm not fully sure that I understood the spillover question. Was it from the ICT industry to the IT industry? Was that what you meant? Okay. So my understanding is that that hasn't happened to the degree that it could, because the telco ICT industry was not able to develop a coolness factor. Banks are cool because they're dealing with money. Clothing companies are cool because they deal with fashion. And the big money in the ICT industry was made by Apple, Huawei, putting out devices; let's say making even bigger money with switches is something that isn't coming to the public beyond the experts. And that's why nobody understands the power of that industry and that's why they're not as influential. Again, that's just my personal view.
Okay, one quick question, one quick answer, and then I would like you to continue that discussion outside. I think that is a really interesting topic and it should be continued. So, but quick question
At the moment we're coming towards a recession, money's limited. You talked about certifications; there's an international lack of skills. So how are we going to certify easily without creating a big difference between the haves and the have-nots? And especially when money is limited and with all the structure that you talked about, you need a strategic approach to that, because if all your money is going on that structure, you're not spending it on the real cybersecurity issues you want to spend it on. So how would you strategically look at it? I don't mind who answers it
And maybe on certification you would like to answer it.
Well, one element, I think, of course, is if you would make certification results and evaluation results more available, also to the have-nots, and not just keep them within the evaluation labs and the state funders that say, okay, we're going to do the evaluation, but we're not going to give the evaluation report even fully to the manufacturer who's doing the things, and we are definitely not giving it out to the public. And that of course is something that should not happen. We should have more public evaluation results available, and then more people can profit from it. And that would reduce, I suppose, the price of the whole exercise already by at least 60%.
Okay. Christina, do you mind some final words?
Yeah, maybe like somehow you would like final words? Yeah, yeah. One minute max.
Well, my final words would be: you cannot, you can estimate risk and it'll change every minute, but you cannot measure security. And I think that's one big problem that should be stated, because that is what all the policy makers and executions and certifications will never be able to solve.
Okay. Bak, now you have the last words for this panel.
No, I think, as I said, we need to move cybersecurity to a broader perspective. You see, from a political point of view, it's a foundation of a modern society, it's a foundation of a democracy, and those things need to be seen as they should be seen and not as something that needs to be fixed in an engine room.
Great. All right. Thank you very much, and thereby we close this panel for today. But I'm sure, like somehow, as has been mentioned, it is a topic that can be continued outside, and I hope, like somehow, over the course of the conference. So I thank Yakka, Yaba, and Kai for this interesting conversation; it has been very fruitful, with many new insights.
Thanks to you, Christina, that was a great panel.