As a major banking centre, Luxembourg has spent decades building up expertise in protecting confidential information and creating a climate of trust. Cybersecurity has been high on the government agenda for the past 20 years. The intention is not only to help companies and citizens protect themselves against increasingly sophisticated cyber-crime, but also to strengthen the public’s confidence in the country’s digital environment and turn cybersecurity skills and infrastructure into a real economic asset.
“Multiple players with complementary skills form a mature ecosystem for cybersecurity,” says François Thill, Director of e-Commerce and Information Security at the Ministry of the Economy. The players include around 150 companies as well as specialised government bodies. The Interdisciplinary Centre for Security, Reliability and Trust (SnT) of the University of Luxembourg and other public research centres carry out high-level research in the field.
At the international level, Luxembourg is widely recognised as a centre of excellence in cybersecurity and a trusted data hub. Estonia opened the world’s first digital embassy here in 2018 to store valuable, sensitive government information, and Monaco is in the process of opening the second one. Luxembourg also stands out for its involvement in a series of European pilot projects launched in early 2019 to strengthen cybersecurity research and coordination across the EU. It is the only country to participate in three out of the four projects.
A culture of sharing
Providing companies with hands-on tools that help them increase their level of cybersecurity is a government priority. “Software developed by Luxembourg’s public sector CERTs – Computer Emergency Response Teams – is made available to the national and international community via open source,” says Mr Thill. “We are also actively sharing information about cyber threats.”
Identifying risks and developing strategies to reduce them is extremely important for any company with a digital dimension.
A high number of Luxembourg organisations are connected to the malware information-sharing platform MISP, where 1,000 companies worldwide provide input about threats and attacks. “This is a complete game changer as participating companies are not limited to relying on their own logs to see what is going on, but get an over view of the occurrence and nature of wider malware threats and campaigns. Authorities can also use MISP to identify cybersecurity tendencies and launch awareness-raising activities to improve companies’ resilience to threats.”
Mr Thill is also keen to promote the democratisation of cyber risk management. “Identifying risks and developing strategies to reduce them is extremely important for any company with a digital dimension, and it also represents a big challenge,” he points out. “Most companies, in particular SMEs without specific expertise in the field, have difficulties estimating the risks and their consequences. We support them by bringing together national experts able to come up with a structured risk evaluation as well as a probability and impact assessment of main threats. This information can then be shared within the business community.”
Cyber insurance: a new market
With the increasing awareness around cyber risks, the demand for solutions is growing. “The cybersecurity market in Luxembourg is well established and offers a lot of business opportunities and potential partners,” says Pascal Steichen, CEO of Securitymadein.lu, a public entity helping private companies manage the cybersecurity aspects of their digital transformation.
A new market niche under development is cyber insurance. In addition to insuring organisations against the effects of cybercrime, it also has a positive effect on the general level of cybersecurity. “Companies will obtain an insurance if they fulfil certain security criteria. This means that insurance companies will be able to play the role of an informal regulator of cybersecurity issues, in particular in the SME community. SMEs may count on the emergency support teams of their insurer,” Mr Thill explains.
This new niche also means that insurance companies are becoming interested in investing in cybersecurity firms.
The Ministry of the Economy has been actively involved in shaping insurance companies’ interest in the cybersecurity market, and a first Luxembourg insurance firm is launching a dedicated policy for SMEs this year. “This new niche also means that insurance companies are becoming interested in investing in cybersecurity firms. They need to connect themselves with experts who can help their clients avoid disasters,” Mr Thill adds.
Managing digital identities
Luxembourg was the first to develop a highly reliable system for digital identification, and is also one of the first countries to implement the European regulation on electronic identification and trust services for electronic transactions on the EU’s internal market (eIDAS). The adoption of this regulation makes it possible for citizens from other EU countries offering eIDAS compatible digital identifications to conduct secured internet transactions in Luxembourg with their national ID. An important step for a country with a high number of cross-border commuters.
A new and extremely important field in the data economy, however, is the removal of identifiable information from personal data. “Much of the most precious data for innovation is related to human activities,” Mr Thill points out. However, the storing and use of personal data is subject to very strict rules specified in the EU’s General Data Protection Regulation (GDPR). “Privacy is a basic human right, and I don’t see the GDPR as a hindrance but as a guide for doing things properly and gaining the trust of your customers.”
Privacy is a basic human right.
Companies that have collected valuable data related to their clients can only share it with others if it has been properly anonymised. “There are of course technical solutions for doing this, but the challenge is to make the anonymisation sustainable over time,” says Mr Thill. “When combined with other data series, including new attributes, re-identification of individuals may become possible.”
Determined to create an excellent environment for companies to work with data in a trustworthy manner, Luxembourg is now focusing on the development of a certified service for the pseudonymisation and anonymisation of data that is fully compatible with GDPR. The ambition is to gain the official approval of the National Commission for Data Protection and of the European Data Protection Board.
Secure data lakes
Luxembourg’s intention is to couple the high performance computer (HPC) under development with major data lakes containing valuable raw data. The country is already home to one of the world’s largest data lakes for space data analytics. With support from the Luxembourg Space Agency, leading space-to-cloud analytics company Spire Global has launched an open source data lake that is accessible free of charge to all start-ups, research institutes and public agencies in Luxembourg.
In order to provide an attractive environment where companies can link their own data with accessible data lakes in full GDPR compliance and process it through the HPC, the next step is to create a kind of virtual, secure and controlled laboratory for handling data. “This would allow companies to provide access to their anonymised data for a fee without risk of violating the rights of their clients due to very low and controlled risk of re-identification. We would be able to analyse in advance what data series are to be linked, determine the potential impact on privacy and make sure that there is no exfiltration of data that might be harmful for people or the companies making it available,” says Mr Thill.
Potential for start-ups
There is ample room for new entrants in Luxembourg’s expanding cybersecurity ecosystem. “We are still looking for everything related to the data economy, i.e. companies in the fields of cybersecurity linked to big data lakes, high-capacity communication and so on,” says Mr Thill. “There is also a lot of potential for security operation centres, threat hunting and intrusion protection systems.”
We are still looking for everything related to the data economy.
This expertise can be enhanced by international companies or start-ups. “Our market is mainly service oriented, so start-ups developing new products are welcome,” says Mr Steichen. “There is also a high demand for experts in areas such as artificial intelligence, fintech and HPC.” As in many other countries, the need for specialised human resources exceeds the supply. “Fortunately, our country has many attributes to attract great talent,” concludes Mr Thill.
Photos: Jan Hanrion/Patricia Pitsch / Maison Moderne Publishing SA