Less than 20 years ago, the “I Love You” virus caused havoc around the world. For 10 days, this malware spread across all networks, infecting more than 50 million machines and causing between $5.5 and $8.7 billion of damage. “10% of all computers connected to the Internet were affected,” explained Pascal Steichen, CEO of Securitymadein.lu, the national cybersecurity platform. He opened the event “Cybersecurity for successful innovation: Challenges and tools” organised by Luxinnovation on 17 October as part of Cybersecurity Week.
“I Love You” was the trigger for a major reflection that led to the publication of OECD’s guidelines on IT security in 2002. A year later, Luxembourg launched its first initiative in this field with the creation of Cases.lu, Cyberworld Awareness and Security Enhancement Services.
“The period 2008-2012 was pivotal for the ecosystem”, recalled Mr Steichen, referring to the successive creations of the Computer Incident Response Centre Luxembourg (Circl) in 2008, the Bee Secure initiative (the result of a partnership between the ministries of the Economy, of National Education and of Family) in 2009 and Securitymadein.lu in 2010, bringing together the Cases and Circl platforms. All this resulted in the first national strategy implemented from 2012 onwards.
Finally, in 2018, Securitymadein.lu added a third string to its bow with the creation of the Cybersecurity Competence Center, while the issue of cybersecurity is becoming increasingly important. “Being permanently connected via different devices obviously helps us on a daily basis, but it also increases potential risks and the exposure to threats,” said Mr Steichen.
A well-proven ecosystem
This public organisation has considerably contributed to the development of a substantial private ecosystem in Luxembourg, as described in the mapping presented at the opening of the Cybersecurity Week.
It lists 304 companies that are totally or partially active in this field, 74 of which (employing about a thousand people) have cybersecurity as their main activity. 22% of the 304 companies are start-ups, more than a third of which have cybersecurity as their main activity.
“The solutions proposed by these companies include governance, risk management and compliance, access management and data security,” summarised Mr Steichen, who was able to highlight a very positive development over the past two decades.
“Building such a security culture takes time. Pragmatism and perseverance are essential and it is important to have a strategy, starting small but evolving quickly.”
He also welcomed the fact that the government was involved from the outset, in order to give the necessary impetus. “However, it is important that the framework for its intervention be well defined, in order to encourage and not hinder competition in the market.”
Increasingly sophisticated threats
In this market, some major players have built up a worldwide reputation, such as Kaspersky, an international group specialising in information systems security (antivirus, anti-spyware, anti-spam, etc.) founded 22 years ago.
Timur Biyachuev, VP Threat Research at Kaspersky Lab, recalled that while in 1994, one virus was created every hour worldwide on average, there are now 360,000 new cases per… day.
“Today’s most sophisticated threats are highly targeted,” Mr Biyachuev said. “No security provider has full visibility of all existing attacks and threats.” In the first half of 2019 alone, 105 million attacks from 276,000 unique IP addresses were detected by Kaspersky.
The exponential deployment of connected objects statistically increases the occurrence of attacks. “40% of so-called smart buildings were attacked in the first half of the year,” he said. “’Simple’ infrastructure protection is no longer sufficient. In the future, the risks of damage are increasingly significant for citizens, as all systems are increasingly interconnected, including in-between cities. We must all ask ourselves if we are ready for the future.
Luxembourg, the right place
The examples cited below by Dr. -Ing. Marcus Völp, Research Scientist CritiX at the Interdisciplinary Centre for Security, Reliability and Trust (SnT) of the University of Luxembourg, perfectly illustrated this point: taking control of connected vehicles from a simple laptop; hacking into health equipment; accessing billions of medical data from private patients… “In recent years, we have seen a greater sophistication of attacks while, at the same time, the level of knowledge required to develop such attacks has decreased,” noted Mr Völp. “It is very easy to acquire tools and software on the Darknet.”
In the face of this increase in threats, the usual “best practices” are no longer sufficient.
“Being able to go beyond these ‘best practices’ is a strong argument. Luxembourg is the right place for this, at the right time: the country is sufficiently agile and flexible and has strong support for academic research and technology transfer.”
Integrating the human being
It must be said that the subject matter is particularly rich in terms of how to approach it, as evidenced by some data presented by Jurgen De Wever, Strategy Manager at Siemens Digital Industries Belux. “90% of successful attacks were based on vulnerabilities for which a patch had already been released. And 34% of companies with automation and process control systems have been attacked more than twice in 12 months.” He also indicates that 44% of the companies attacked are unable to identify the source of the incident. In 2015, the average time taken by a company to identify an attack was 205 days. “Clearly enough time to go bankrupt,” Mr De Wever ironically said.
While the trend of increased digitisation is developing, industry is still partially spared by the phenomenon, as many processes are still manual. “But the challenge is clearly to be able to integrate all aspects of the issue, including both the requirements of IT security and those of operational technology security.”
The other challenge is to adopt the right approach: “The greatest risk comes not from the outside, but from the inside,” says Mr De Wever. “This aspect must clearly be kept in mind regardless of the approach: the way in which these new technologies are used also influences the cybersecurity strategy to be pursued.”
A competitive advantage
This “human” dimension was also highlighted during two small round tables that completed the programme of this morning, which was rich in information and exchanges.
“The interest of such a cross-sectoral event is indeed to show that this topic is not only reserved for technology specialists, but directly concerns all levels of company management,” explains Jean-Paul Hengen, manager of the Luxembourg ICT Cluster. “Building cybersecurity infrastructures should not be seen as a cost, but as a competitive advantage. That is how the Luxembourg government sees cybersecurity.”
Pictures : Luxinnovation / Marie De Decker
