Day “0”: 6th of December 2017
Awareness day for teens and adults
One of the founding pillars of our CyberSecurity Trends congresses is to offer the local population a free awareness day, pointing out the main dangers everyone faces on the net and proposing solutions on how to protect oneself against the most common threats.
The morning session was organized as two ninety-minute sessions, attended by over 440 teens and 32 professors (i.e. 18 full College classes, a new national record in Switzerland for the numbers reached!)
The Jura State Police, represented by officer Daniel Affolter, responsible for communication and prevention, and by inspector Sylvie Allemann, responsible for IT&C cases within the Judiciary Police, presented the main problems during a question-and-answer session.
Our special guest, Pierre-Alain Dard, head of the Minors’ Brigade within the Geneva State Police, illustrated all the problems his team faces, insisting on each teen’s rights but also responsibilities when acting on the net, mostly on social media.
Daniela Chrzanovski (Swiss Webacademy) showed the main risks each teen faces on the net and led an interactive quiz inspired by the “Stop. Think. Connect.” concept, ending with gifts for every teen and booklets made by the Swiss Federal Police. The ten “best aware” teens of each session won special prizes offered by UBS.
The special evening for adults and entrepreneurs drew 115 attendees (27 entrepreneurs, 28 IT administrators from the public sector and 60 citizens), a clear sign of deep interest in the topic. The program was:
Pierre-Arnauld Fueg, Lord Mayor of Porrentruy, underlined in his welcome speech the vital importance for any adult citizen of being aware of the dangers of the digital world, in order to build a solid and resilient society. Francisco Arenas, Manager Solution Business Sales within UPC Western Switzerland, discussed a recent “new deal” which will make a clear difference between the various Swiss internet providers, with the customer’s cybersecurity as a core pillar of the contract.
Laurent Chrzanovski explained the latest evolving trends in the threat landscape and some basic yet vital measures to take to prevent most of them. In the second part of his talk, for the benefit of SMEs, he focused on some major incidents which took place in 2017 (causes, effects and lessons to be drawn from them) as well as on a new privilege for Swiss citizens: the possibility of being insured against cyber-risks at a very reasonable price, through insurance contracts which are not available to the citizens of most EU countries.
The congress: welcome speech
The congress was opened by the Lord Mayor of Porrentruy, Mr Pierre-Arnauld Fueg, with the following speech:
“Ladies and gentlemen, dear guests,
As Mayor and in the name of the City of Porrentruy, it is a pleasure and an honor to address you today.
We feel like the myth which gave birth to the 13th-century coat of arms of our city. The wild boar has a legend entirely linked to security.
Here is how the myth goes: «once upon a time, a singular beast, running at full speed, was able to jump over the 10-foot-high city wall as if it was a small worthless fence. This providential wild boar was hence, doubtlessly, the messenger of the Protective Powers of the City, and the Municipal Council decided that the animal would become the emblem of the noble city of Porrentruy».
This episode made the Counselors understand that at certain points the city wall was insufficiently tall to resist an enemy’s assault, and they immediately decided to strengthen the weakest sections of the wall.
Nowadays Counselors and authorities are more than aware that the digital wall of our city, of our administration, of our power grid and of our citizens’ protection has to be beefed up on a regular basis.
We are thirsty to understand better the global trends in the now daily mutating threats, to be able to take the best decisions, to adjust our standards, to enforce the correct measures topic by topic, to become as good in resilience as we have succeeded in being in energy use management.
Therefore, during early May, the Municipality of Porrentruy and the Swiss Webacademy created together the basic file and factsheet needed for a macro-regional dialogue platform on cybersecurity to be held yearly in our city. The 3rd of July, the City Council voted in favor of this initiative and the Municipality became co-organizer of the event, supporting it with human and financial resources.
During summer, taking into account the very short time at our disposal to give birth to the 1st edition, it was nicknamed by all head organizers “edition 0.0”. Today, looking at the speakers around us, with their amazing skills and positions, it is the organizers’ “0.0 brains” which cannot believe this is real.
The City of Porrentruy is extremely honored. As a local authority, we are very grateful to all decision-makers from SMEs and companies from the Jura Canton and from the neighboring French departments who are among the participants in this première.
For helping us, we are deeply grateful to the International Telecommunications Union for granting its aegis, and to the prestigious Italian, French and Swiss institutions for granting their partnership and support to the congress.
We are already starting to work hard to raise next year’s participation level to the high standard set by the guests who accepted to join this very first edition.
For the achievements of this first edition and for the challenges awaiting us for the second one, we would like to thank Mrs Daniela Chrzanovski and all Swiss Webacademy’s staff for their constant involvement, as well as Mrs Jasmine Greppin, restlessly taking up the ungrateful task of local logistics and bookkeeping with Eureca’Venture, who worked side by side with the Municipality’s team constituted by Mrs Magali Voillat and Mrs Anaïs Cuenat.
Last but not least, daily, head organizer Laurent Chrzanovski, with Jean-Jacques Wagner and Luca Tenzi, engaged their amazing know-how and added their impressive networks to ours. The result of their work is impressive: today, Porrentruy hosts VIP speakers from 8 different countries and 7 global organizations, and is a real 360° international platform.
The whole Municipality hopes that the congress and the charms of our city will really blossom through the knowledge, network and personal impressions you will take home after these two days.
Meanwhile, we just want to give you the warmest welcome and, with all our staff remaining at your disposition, to wish you a successful congress and a very pleasant stay in our city.”
Day 1: 7th of December 2017
In the opening presentation “A CEO’s vision: To be agile and capable to change one’s vision when we come to think cybersecurity”, Xavier van NUVEL, CEO and founder of Digital Solutions and OpenOnline (Switzerland), delivered his vision on what innovation should be and, above all, on a company’s resilience thanks to the human factor and its capacity to adapt to an environment and to threats in constant evolution.
With three keywords, COOPERATION-INNOVATION-ANTICIPATION, the speaker highlighted the vectors which depend on rational agility (pedagogy, proactivity, collegial synchronization) and those which depend on emotional agility (empathy, comprehension of the situation, constructive “rebellion”).
In a world which is every day more structured around data (transmitted or exchanged), and no matter the technological tools used, the CEO and the CISO have a duty to help their teams develop their faculties to be agile and to better synchronize their interactions, bringing new useful ideas to the organisation.
The first speaker, Col. Marc-André RYTER (Collaborator for Doctrine within the Swiss Army General Staff), made a precise and crystal-clear dissection of the challenges and threats of the digital transformation any “4.0 army” is undergoing, seen first as a whole and then from Switzerland’s perspective, taking into account the country’s geopolitical and strategic position and the means at its disposal.
The strength of the speech, enhanced by carefully chosen images, clearly showed the difficulties of the very long process, in the hands of any army decision-maker, of choosing any connected device, from a simple soldier’s helmet to a semi-armored vehicle or a drone.
As a matter of fact, the real data available during the preliminary analysis (finances, environment, demography and technology) are those which give birth to the draft masterplan, which includes all the development measures, human as well as technical, allowing the army to decide to buy and adapt all the connected elements to be used within the latest generation of weapons and military equipment. The talk demonstrated perfectly the difficulties of evaluating weapons with a strong connectivity component and the challenge of imagining future threats, often hard to conceive in the present due to the timescales of the decision-making cycles.
The information-rich presentation is supported by the speaker’s research in an outstanding article published in the Military Power Revue of the Swiss Armed Forces (nr 1/2017, pp. 50-62), available for free download [1].
Next, Julien Provenzano (CEO of the start-up Pré-Ka-Ré) presented a next-gen prototype of a connected infantry glove that his company develops to help soldiers give “manual orders addressed through electronic gloves”. After demonstrating the equipment with a SWOT analysis, the speaker explained all the risks and threats should it fall into enemy hands, should it become unusable because of a disruptive attack or, even worse, should an attack lead it to transmit false data and orders.
The public had the chance to see not just the advantages of such a tool, but the complex range of parameters to take into consideration to secure an immense number of details, each of which can become a vulnerability.
Completing the panel “army & cyber”, Alexandre Vautravers (responsible for the Global Security Program at the Global Studies Institute within the University of Geneva and editor-in-chief of the Revue Militaire Suisse) focused on the complexity of the very concept of today’s wars, which take place on the real battlefield and, with their cohort of hybrid conflicts, on the digital battlefield, which is essentially a non-military zone (i.e. strategically speaking we witness the switch from “soft power” to “smart power”).
Today’s wars cover four dimensions:
1 population and economy;
2 CIMIC actions (cooperation between civilians and militaries);
3 tactical operations and, last but not least,
4 all the strategic and operational actions.
The speaker then dissected the Swiss system, demonstrating clearly that today not a single army is able to solve a conflict with its own forces if it does not have the full support of a complex public and private infrastructure covering almost all the fields of “law enforcement”, to which active public-private collaborations must be added, as well as regular workshops with governments and the political world.
Progressively enacted, this multi-stakeholder architecture, which sets the “cyber” dimension as its central focus point, has repercussions on all traditional security forms. It may look very complex at first glance, but it is starting to give proof of viability and usefulness and, above all, for Switzerland it is the only viable solution fitting a neutral and federal country with a traditional vocation of consensus [2].
The speech of Marc German (expert in cyber-crime and corporate diplomacy) made the junction between the military world, secured “by duty”, and the business one, underlining that business intelligence and cybersecurity are, in fact, two actions to be carried out as one, as they constitute the two sides of the same medal: that of the company’s survival.
He urged the adoption of a proactive defensive as well as offensive attitude, as the globalized economic world is an ecosystem where organizations are fighting to strengthen their competitiveness and optimize their costs, and where several companies do not play “by the rules”, or at least not by the same rules. For Marc German, “Competitive intelligence is to hold and exploit the useful information in order to generate lasting value in a company, through different coordinated actions: research, analysis and exploitation of all the information useful to the decision makers. Competitive intelligence is to transform information into intel and to transform raw matter into grey matter”.
Without crossing the limits of the law by ordering “black-ops” against competitors, an attitude which is alas widespread, the speaker insists on the fact that in order to survive, grow and win, a company must be offensive and seek value from any information which can enable it to be one step ahead of the others. At the same time, it must also protect its own data, its methods and its know-how, i.e. its treasure, the target of the darkest wishes of all its competitors [3].
The second session, devoted to the latest technological challenges, opened with a keynote speech delivered by Martin Lee (Head of Security Research within Cisco Talos, U.K.). After summarizing the biggest attacks witnessed in 2017, the speaker identified a common denominator between all of them, i.e. a central point made by the superposition of four phenomena already well known but now blossoming: first, the evolution of ransomware and the peak of its return on investment, reaching 34 billion USD of gains per annum; second, the “democratization of the threats”; third, viruses without a precise target but with a pandemic propagation power (WannaCry, Nyetya…).
The fourth phenomenon is without doubt the most worrying one, as it will take time to evolve: it is the complacency of companies in using permeable tools, poorly programmed, vulnerable and easy to attack and, above all, used for a long time without due care, often without knowing they have already been compromised for months or even years. In his conclusion, Martin Lee insisted on the importance of the companies’ IT architecture, a structure which needs to be examined point by point using a less “techie” version, much easier to understand than the famous “NIST framework”.
Concurring, Roland-Iosif Moraru (Professor and Vice-rector at the University of Petrosani, Romania) pleaded for the acquisition of a real security culture before specializing in the securing of systems, because even if the needs are the same, the priority order is far from identical. As an example, for the business sector the “top 3” is constituted by confidentiality, followed by integrity and availability, while for the industrial world availability comes first and confidentiality last. In order to assure the client of availability and to counter attacks, one must systematically test all the systems, plan the levels of security (segmenting the control system), regularly strengthen each component of the system, and give each employee clear procedures to follow as soon as an intrusion is detected.
Security of humans as well as of machines, constant vigilance, and daily knowledge of incidents or attacks targeting companies of a similar profile are the three basic axioms without which no technology alone will ever counter assaults which become daily more sophisticated, mutating and evolving.
Christophe Réville (Co-founder of the IE2S Summit and specialist in strategic intelligence) discussed the dangers of a hasty introduction, under pressure from vendors, of tools with the new “machine learning” function, without knowing all the security parameters, strengths and weaknesses of each of them. Whilst often presented to decision-makers as the “all-solving” solution in terms of efficiency, cost reduction and error-shrinking performance, these tools can reveal themselves as the ultimate open door for any kind of in-depth attack. To illustrate, Christophe Réville declared that Artificial Intelligence “went from a reasoned and logical functioning, or ‘left brain’, in which it lay dormant for more than thirty years (data mining, linear algorithms, etc.) to a paradigm which integrates a global vision and an intuitive process typical of the ‘right brain’. A chaotic revolution in which behaviors induced by machines draw very improbable fractals…”.
The speaker also illustrated his point with a worrying example, that of a group of connected computers which abandoned English (the communication language used between programmers and machines) to start creating and using a unique language, understandable only by those machines, until they were disconnected. Could this be the beginning of a fight of machines against machines, escaping any human control? The stakes of such a possibility motivated the CEOs of the 116 largest robotics companies to address an open letter to the United Nations (on 20.08.2017) asking the world community to take the necessary measures before the fight between artificial intelligences becomes a real and deadly danger for mankind in the case of armed use.
Christophe Madec (expert in cybersecurity) and Jean-Gabriel Gautraud (BESSÉ Counsellors) explained the difficulties met by risk managers during their work meetings in different companies as soon as the discussion of cybersecurity topics starts.
As a matter of fact, a risk manager is basically not himself an expert in cybersecurity and, even if he has been trained in this field, he often has to deal, within a company, not with a CISO but with a simple IT manager; hence the problem of finding a common vocabulary and a common ground for a constructive discussion. For lack of digital culture, most companies define the risk as a strike targeting their strategic challenges and not their infrastructures. They delegate to the risk manager the tasks of verifying and insuring all that management considers as “critical” [4].
In consequence, the multiple impacts of a modern cyberattack, illustrated by one targeting the production chain as well as the sales and supply channels and generating internal and external damage, remain largely misunderstood by decision-makers. We witness a “cultural clash” where, without duly trained people in charge and secured infrastructures, it becomes impossible to ensure state-of-the-art defences. In France today, while 95% of the top-40 companies listed on the Paris stock exchange (CAC 40) are insured against cyber-attacks, only 3% of mid-size companies and less than 2% of SMEs have insurance.
Opening the session dedicated to new-generation tools and strategies, Bénédict Matthey (Cyber Security Executive within Darktrace), together with Hippolyte Fouque, introduced and illustrated some of the added value which can be brought by tools where Artificial Intelligence is used almost exclusively to improve cyber-security performance. Facing exponentially growing data quantities and employees with more and more diverse tasks, it becomes essential to allow human vigilance and expertise to focus on fundamental and verified information as well as on anomalies, many of them stemming from human behaviors or from systems which run in an abnormal way, all being signs either of a simple dysfunction or, worse, of a state-of-the-art attack targeting the company.
Among the new generation of connected tools are cars, the presentation topic of Yannick Harrel (Head of Strategic Affairs within the German-French Technology & Strategy). As shown in his latest book, Automobiles 3.0 [5], the current on-board vehicle technologies imply numerous security problems caused by native vulnerabilities generated both by the systems and by the communication means, so that today’s cars are not just the work of the constructor (the brand you buy) but also of all the equipment suppliers, mostly giants of the IT&C domain.
Insisting on the fact that breaches are not always due to a lack of care or negligence by producers and suppliers in securing connected components, the speaker underlined that many software backdoors are, in fact, unknown until they are used by hackers to perform a zero-day attack; only then, upon this discovery, are those breaches patched. Two factors combine to create very poor vehicle security due to an abuse of IT tools:
1 the first is the customers’ demand for a whole panoply of functionalities within their car, making it impossible for a brand to limit its technology, such as the impossibility of deactivating the electronic aids meant to stabilize the vehicle in any possible situation;
2 the second is the hackers’ inventiveness, greatly aided by the multiplication of the number of access points within a modern car.
Yannick Harrel’s speech concluded with a call for autonomous or semi-autonomous cars in which each single connected component would be conceived on the basis of the “security by design” methodology, flanked by its cohort of tailor-made data encryption, while still providing the user with sensible commands of the vehicle.
Back on the topic of Artificial Intelligence (AI) and its role in “4.0 cybersecurity”, Battista Cagnoni (Cyber Security Expert, Vectra) explained the reasons for a company to possess a SOC (Security Operations Center) with top-level human resources perfectly mastering the processes as well as the technologies, before applying any AI techniques to security. This is the primary condition for last-generation security applications, associating AI and Machine Learning, to be of real benefit and offer true added value, allowing for example the automation of mundane human actions in the field of data and information selection, to let the SOC focus on data revealing anomalies. These techniques have proved particularly intuitive in anticipating the methods used by criminals, allowing SOC team members to focus on resilience, defense in case of an attack, recovery and restoration of the infected zones and, afterwards, on in-depth forensic analysis and incident investigation.
Above all, the new techniques bring more homogeneity and coherence to team actions, avoiding friction during the crisis management process. But Battista Cagnoni is prudent: in his opinion, many AI-assisted cybersecurity processes are not yet fully up to standard, as they are new on the cyber-market.
One of his most important points was his well-illustrated advice to take care with the two keywords (AI and Machine Learning), as they have become, like many other terms used in the digital world, real “open boxes for everything”.
Opening the debate on new strategies to adopt, Luca Tenzi (Specialist in Convergence) underlined that the simple convergence between the physical and the digital world is still not understood. He recalled a recent quote by Scott Borg, Director of the U.S. Cyber Consequences Unit: “As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one. The convergence of cyber and physical security has already occurred at the technical level. It is long overdue at the organizational level.”
The largest problem of this inadequacy is that it touches the very nature of the generation holding decision-making power today, those who did not grow up during the digital era. Luca Tenzi’s speech highlights how SMEs and mid-size companies face the same battlefield of vulnerabilities and dangers which, until a few years ago, were specific only to very big companies.
Using a picture showing all the vulnerable points of a standard office wifi scanner-printer, the speaker highlighted mistakes or bad practices due to a lack of coherent digital culture (CCTVs, air-conditioning systems, alarms, often linked to servers and supervised only by physical security specialists). He then showed the exponential growth of drone sales (mainly for infrastructure surveillance or small-package delivery), a domain where (almost) only the specific sector of governmental acquisitions has specifications requiring security to be at the core of the drone’s hardware.
Luca Tenzi’s concluding quote was merciless: “The lack of technical knowledge of physical security service providers on IP-based systems and IT platforms provides an ideal opportunity for cyberattacks” (PSIM Video Surveillance Report 2017, v.6).
Artur Lazar (Deputy director of the Cyberint Centre within the Romanian Intelligence Service) brought a global geostrategic point of view complementing Luca Tenzi’s speech. Research [6] on the definition and the role of cyber-power shows that a real state cyber-power must have as its base a homogeneous structure built on the four conventional powers, but this “fifth cyber power” becomes a power in itself, available to hybrid entities as well as to non-governmental ones.
Worse, we witness a total fusion between online and offline worlds, such that soon we will be unable to make any difference between them. This will expose the less resilient ones to attacks coming from everywhere, including domains traditionally considered as belonging exclusively to “physical security”.
With sober optimism, Artur Lazar reaffirmed that today, even if criminal or terrorist groups, anonymous entities and weak States can certainly acquire offensive capacities and create damage, sometimes even huge damage, the real cyber-power remains in the hands of the most powerful States. This is because they have at their disposal all the governmental, economic, military, social and legal bases to make new laws and rules, to innovate, to counter-attack, to reinforce their resilience by optimizing their collaboration with citizens and the private sector and, last but not least, to inject colossal amounts of money when necessary, all of these being out of reach of a non-governmental actor or a rogue nation.
The solution? To have “smart” States, political élites aware of the challenges, listening to experienced technocratic counsellors who understand the risks and possibilities in the short, medium and long term; in this way, a State can invest on a regular basis and create the necessary dialogues to build up a Citizens-Companies-State dialogue as well as international cooperation.
The fourth and last session of the day, on the challenge of information sharing, was held via live stream from the Regional Operations & Intelligence Center (ROIC) of the State of New Jersey: Joe Billy Jr. (former deputy director of the FBI) and Lieutenant Jeremy P. Russ (New Jersey State Police) spoke about the importance of real and efficient collaboration between the private sector and the diverse State institutions specialized in fighting criminality in all its forms.
Thanks to Lt. Russ’s actions, the Private Sector Advisory Group (PSAG) and the Fusion Center, New Jersey now has a “one-stop shop” for companies, which collaborate actively on security (from signaling a single potentially dangerous person in a shop to asking for or providing assistance during an ongoing cyber-attack); in return, the ROIC offers them training, advice, assistance and meeting groups, through which they learn the key challenges for the economic and social ecosystem of the State.
Joe Billy Jr. explained the model built by the US ROICs, of which New Jersey’s is by far the most performant. Placed under the control of the State Police, they bring together agents from most American federal agencies (FBI and Homeland Security), shortening the response time to alerts and the deployment of a ground force according to the type of incident. The financial model of the centers (public-private) involves mutual collaboration, as everyone gives and receives at the same time. The very idea of such a fusion center meets the request made by Luca Tenzi in his prior speech. It is a brand-new concept, as teams work 24/365 on all security cases, from a simple crime to a terrorist attack and from a small data hack to a massive cyberattack, including all kinds of natural or human disasters which may happen in the territory they are in charge of protecting.
Intel sharing on cyber dangers and threats, aiming to protect very sensitive information, was at the heart of the speech by Chems-Eddine Zair (CISO of the International Telecommunications Union, UN/Geneva). He explained the 2014 birth and recent implementation of the STIP (Shared Threat Intelligence Platform) common to all UN agencies, built to create a secured environment and to allow him and his peers in other agencies to work in coordination and to strengthen their global resilience. The capacity to defend against ongoing threats and to anticipate incoming ones has been multiplied, as the platform learns to understand the anatomy of attacks on other agencies and constantly updates the resilience procedures for each organisation, so that they all become immune if any one of them is targeted with the same techniques already used to hit another agency.
Information sharing in the light of its vulnerabilities was shown by Dr. Stephen Foreman (Head of metadata, data management and representation within the World Meteorological Organization, UN/Geneva). When one is responsible for data in such an important organization, one can be the target as well as the collateral victim of an attack. The WMO receives relentless updates from 185 Member States’ specialized agencies and from many different satellites and a multitude of connected maritime or airborne transport means, hence it has to be vigilant not only about the validity of all these information feeds, but also about their implications for third parties.
The challenge is huge, as in a few decades the same reports have passed from 50-baud lines (telex) to short text messages, to binary representation folders or XML documents, now reaching several gigabytes, in which malware can be hidden. In order not to be a “vulnerabilizing information provider”, the WMO had to work closely with many government and military agencies, maritime companies, owners and lenders of cargoes, etc. For example, it was discovered that the meteorological data transmitted by each huge ship through conventional channels was used by pirates to locate and then attack those vessels.
The day ended with Laurent Chrzanovski (Manager of the Congress and Founder of the quarterly magazine Cybersecurity Trends) reviewing the positive and negative consequences of compliance. Permanently in contact with big companies, the speaker remarked, even more so as the GDPR enforcement date approaches, an exponential growth in the number of senior managers and employees assigned to merely administrative tasks, flanked by law and security experts, whose only activity is to draft compliance reports for internal use and for submission to State regulators, while the EU State institutions themselves will be less than 30% truly “compliant” with the GDPR rules. Exactly at the point when everybody is claiming that the ecosystem lacks security specialists, Laurent Chrzanovski considers it dangerous that most company boards treat GDPR as merely a compliance matter, as if “confidential data” could be isolated from the rest of the security framework… For the speaker, this phenomenon is not without parallel to the exponential growth of administrators vs. practitioners in American healthcare structures, where the disparity reached 200 vs. 1 and costs boomed by more than 2300% over the last 40 years…
On the positive side, in countries where the insurance market is blossoming, like Switzerland or Luxemburg, the GDPR has generated the recent birth of a real offer for citizens, who can choose their personal priorities on which data they wish to protect. This makes them, thanks to insurance policies sold at very reasonable prices, among the very few Europeans able to afford starting a legal process in the United States, with costs covered up to one million Swiss Francs [7].
Day 2: 8th of December 2017
Rosheen Awotar-Mauree (International Telecommunications Union, Programme Officer, Europe Bureau) outlined the UN agency’s support for the Porrentruy Congress, and the leadership role this institution has held in the cybersecurity domain since the UN General Assembly decision of 2007. Here, the ITU developed a framework to help member States continuously develop their resilience capacity, with the current situation in each State described on a regular basis in the Global Cybersecurity Index, last published in 2017. This index classifies States according to their resilience capacity and uses a wide range of parameters regarding the digital security of the States, including public-private partnership initiatives, and the various courses, capacity building programs and trainings dedicated to increasing human as well as technical skills.
Christos Tsolkas (Vice-President at Philip Morris International, PMI) provided a case study of a major crisis he had to face, first as acting director of PMI Greece when the economic crisis came, then as acting director of PMI Ukraine when Russia invaded: violence in the city and employees deeply divided on the topic. Showing a number of dramatic global pictures from 2014, he demonstrated that no one is safe and that each major crisis has just one solution: to build outstanding teams, offering each employee the possibility of developing both personal skills and a collective attitude. Nevertheless, to succeed in this operation, one must learn to build one’s purpose inside the company’s business model: a purpose which must become a relatable reason for all, setting the consumer at the epicenter (user-centered design). It is in this paradigm that one can find the best possibility to resist the worst and, even better, to produce results.
The second guest was Costin Raiu (Director of the Global Research and Analysis Team within Kaspersky Lab). The famous researcher went through the major advanced persistent threats (APTs) which blossomed in 2017, as well as the constant mutations and vulnerabilities which enabled last year’s most important breaches.
The most worrying aspect revealed was illustrated by the “Lazarus” case, i.e. a criminal group specialized in advanced cyberespionage techniques, which launched its own “branch”, “Bluenoroff”, dedicated to massive bank fraud and crypto-currency mining. The attacks became increasingly sophisticated, with many forms of camouflage, and increasingly chameleon-like. As such, an attack which seems to be a bank fraud can in fact hide a successful industrial espionage operation or, in another case, a crypto-ransomware attack can mask a real malware tsunami aiming to immobilize entire production or distribution chains. To this, we can now add groups specialized in propaganda and counter-propaganda of a very high level, a factor which motivates the political and media worlds to assert attributions, often to sovereign States. “Intox” as well as “false flags” became a major goal of the best cybercriminal groups, along with the “free” delivery of vulnerabilities and the use of open source programs, both chosen to confuse even the specialists dealing with the origins and intended aims of any given attack. The multiplication of actors, the resources acquired by the most advanced groups, the deliberate use of leaks and of espionage activities aimed at disrupting financial systems are all in full growth, and one has logically to expect a boom of those phenomena in 2018, Costin Raiu concluded.
The last special guest was 5* Army General (ret.) Marc Watin-Augouard (Founder of the Forum international de la Cybersécurité). The General made a real case for the re-birth of a sovereign Europe. To this end, he unveiled a poorly known aspect of the GDPR: it is a real diplomatic and commercial tool, finally in the EU’s hands. As a matter of fact, from May 2018, any third country wishing to trade with countries of the EU will have to harmonize its own laws in order to allow its companies to respect this regulation and to guarantee the rights of their clients and contractors if those are European. If Europe is strong, it can use the GDPR to go much further, for instance to impose the compulsory location, within its borders, of the servers holding any data covered by the regulation. With optimism, the General considers the GDPR the first real tool allowing the EU to negotiate as an equal with the world’s biggest powers.
Mauro Vignati (Head of Cyber, Swiss Federal Intelligence Service) explained his mission. Without providing many details, due to the strict obligations of his function, he pointed out a key argument: with human resources limited in proportion to the country’s size, international cooperation is the only way to fulfill his duty. The same holds for the numerous exchanges his service has on a regular basis with the private sector. His main priority is to defend Switzerland and its strategic interests against the most dangerous persistent threats (APTs and their mutations).
Col. Anton Rog (director of the Cyberint center of the Romanian Intelligence Service) explained the work of the Institution he directs as well as its priorities. Under his leadership, Cyberint took a new dimension, opening itself to numerous partnerships aimed to strengthen not only the national resilience level, but also grow the knowledge of all members of his teams.
The Cyberint center was hence one of the pillars of the Cydex, the first national exercise in cybersecurity, bringing together no less than 60 public and private structures and analyzing their prevention, reaction and collaboration capacities.
The launch of an MSc in collaboration with the Polytechnic University of Bucharest, as well as the organization, with several partners, of the “Romania Cybersecurity Challenge” – where teams from all over Europe came to compete – has also helped. This component is reinforced by the Cyberint center’s active participation (more than 5’000 working hours per year) in NATO’s Cyber Coalition exercise for the 5th consecutive year.
Nicola Sotira (Director of the Global Cybersecurity Center, Rome) framed the digital transformation of private companies, running towards client-friendly mobile platforms. Placed between the hammer and the anvil (i.e. the needs of the Marketing department and the wishes of users to have simple smartphone interfaces), any CISO must be tolerant, adaptive and “extinguish any early fires”, ensuring, at a minimum, that the solutions proposed are the most secure possible, even if used by customers on such a vulnerable platform. Future vendor-client relationships will increasingly be smartphone-oriented, with exponential growth arising from the enforcement of the PSD2 directive liberalizing payment methods.
The competences of the SOCs, CISOs, CSOs will have to evolve quickly as the whole defense and resilience ecosystem will need to keep pace with new vulnerabilities and the weak points of every single smartphone type, a real infinite multiplication of the risks compared to the traditional ones all those teams and professionals know well, on the “easier” battlefield of laptops, PCs, clouds and servers.
Nicola Sotira concludes by raising a question: “Do you trust the figures that appear on your mobile phone’s display as much as you trust the money you have in your wallet?” Will the individual trust only the numbers appearing on his mobile, to abandon cash money and debit cards, and to see all kind of “intruders” coming to him to propose attractive (as well as dangerous) finance methods?
Mika Lauhde (CEO, 65° Security, Finland), member of all relevant European stakeholder groups (ENISA, Europol, EC, etc.), addressed a broader naivety. The NIS Directive, the GDPR and many other rules, whilst steps forward, have issues. Europe has already lost all the technological battles, a reality that raises the question of whether the GDPR alone will be able to enhance the protection of its own citizens.
Drawing a parallel between existing superpowers, he showed that facing the EU’s GDPR stands (at least) one superpower which owns the operating systems for PCs and servers, the standards for smartphone operating systems, its own cybersecurity standards, its own compulsory certifications, its own microprocessor manufacturers, its own smartphone control applications and the control systems of social networks. All these elements are used by every European citizen and are exploitable without any limit by third-party multinationals and governments.
Worse, a significant amount of European research (in encryption, transmissions, specific systems) has been adopted and used by superpowers in the civilian domain up to avant-garde military aeronautics. He concluded that once the “laws and rules making” are passed, the EU will have to master basic technological tools used by everyone if it wants to survive in tomorrow’s world, if it is not to play the role of passive consumer.
Margherita Natali (Legal Support to the Division of Information Technologies, Infrastructure Service Section, International Atomic Energy Agency – IAEA) introduced the interception of the communications of organized criminal groups, exploring the methods, results and legality of such tasks. In the frame of cyberpower, governance is progressively taking the place of sovereignty, and multinational corporations as well as individuals can compete with the old States. In this sense, States, corporations and criminals have their own professional intelligence tools and their own communication means, and can generate either breaches with powerful economic impact or major successes in the fight against criminality. In this frame, nobody should escape the obligation of contributing, each at their own level, to the prevention of criminal actions, thanks to reinforced communication between all actors.
To illustrate her thoughts concretely, Margherita Natali gave as an example the “Internet Relay Chat” (IRC) channels, which are replacing social networks for certain types of conversations. The challenge is that those IRC channels can sometimes turn out to be real traps, and sometimes tools to erase any trace of oneself, whatever the reason for this act – legal or illegal. Among those using the Deep Web (and Tor in particular) we find more and more citizens and powerful economic actors, whose role could be to stop “doubtful communications” and make them public, in order to build, step by step, a more transparent deep web.
Marco Essomba (Founder, iCyberSecurity), in his speech “Full Stack Cybersecurity Defence”, highlighted the necessity of deeply reforming the organizational chart and the working mode of big companies and industries. We witness today a dramatic segmentation of the treatment of security challenges across seven major domains, with few people knowing more than two of them, a reality that makes even companies with the most advanced cybersecurity capacities fall into traps for which they are, ironically, perfectly equipped in human and technological means. Only a holistic leadership, flanked and counselled at all times by a very open-minded security officer, can change the situation. This is based on common, inter-department trainings, vital to face more sophisticated attacks, which target all the procedures of a company, from financial to production tools, and where the human component is by far the most vulnerable point. It is vital, across those “7 levels” of defense, to have teams motivated by a new generation of directors, specifically among the engineers, each mastering the layers – and then explaining them to the other team members – so as to build the needed bridge between specialists and the niche professionals whose only objective is to be the best in the layer they are responsible for.
Olivier Kempf (security expert, member of IRIS and of the Saint-Cyr SOGETI Thalès Chair of Cyberdefense) delivered his vision of two key elements to be handled correctly: cyberdefense, and the exponential acceleration of digital transformation.
Cyberdefense is the protection of networks (cybersecurity). It also deals with other functions (surveillance, influence, sabotage). It is based on mastering the networks, the data and the flows, a task which often comes with reduced and restricted use of all those elements, with digital hygiene and with more secure tools. As such, cybersecurity has a tendency to restrict uses. On the other side, we witness digital transformation. This phenomenon is based on attention to user-friendliness, ultra-mobility, decentralized uses and agile product development methods.
Beyond this ultra-mobility, the underlying challenge is that of the data, which, already enormous, will grow in unexpected proportions, whether through new kinds of uses or through the IoT. Data is the energy of the 21st century, tomorrow’s source of wealth and power. From the cloud to blockchain, from Big Data to Artificial Intelligence, we witness a kind of speed rush which is building a new informatics revolution; it is based on a multiplication of data exchanges and, hence, a liberalization of uses, within private companies as well as within public organizations. Both movements seem contradictory (restriction or liberation?). For Olivier Kempf, the first is a need, the second is unavoidable. We must face them both, head-on.
Pascal Buchner (Head of ITS & CIO, International Air Transport Association – IATA) introduced the audience to a complex ecosystem: civil aviation, which is structured in “silos” and vulnerable on a multitude of points. Even if this sector could have more means to take care of its security, the weakest points are always the human factor and the complexity of decision processes. As an example, Pascal Buchner quoted numbers given by the Aviation SAC, a cybersecurity structure created by Boeing, GE, etc., which disseminates information, vulnerabilities and good practices in real time. Alas, only 46 aviation companies, 20 OEMs and several service providers, airports and supply chains have joined.
IATA’s priority is to build bridges between the huge geostrategic regions and the different sectors which are known for not communicating easily with each other, for multiple reasons. It also strives to end the parallel initiatives created by different regulators, in order to establish common standards allowing the confidential exchange of sensitive data, such as flight data. To help with this, IATA developed a real “war game”, a total crisis simulation lasting around 1h45’, which can be used as a model by any member wishing to do so. Its scenario? The worst possible: a very gifted enemy infiltrates planes, creating an event requiring immediate coordination, exchange and information sharing to mitigate the situation.
The path towards a proactive defense is long, mostly because of reticence towards constant collaboration rather than the complexity of the process itself. The speaker underlined several times that the optimal defensive framework proposed is simple, but requires constant and rigorous implementation. Its founding pillar, which must accompany all employees during their whole professional life, is and will remain continuous capacity building in cybersecurity, an element which must bring together human and technical controls applied in a more regular and systematic way, using the latest available technologies.
Col. Xavier Guimard (deputy director within the STSISI – Service of technologies and information systems of the national security, within the General Staff of the Gendarmerie Nationale) synthesized his research on the strategies to adopt in order to better counter cyber-criminality. Following an analysis carried out over 10 years ago, the STISI succeeded in implementing its own information systems, more than a hundred thousand encrypted mobile phones, as well as an autonomous API and an autonomous IAM, both tailor-made. The advantage of a good strategy is that it succeeds in going beyond the usual frameworks and adopting disruptive concepts aimed at better defense and counter-attack. The key to the system is its architect, whose open-mindedness creates a system that technical staff can easily defend. In this way, there is no need for a CISO, as each officer is a CISO, helping at any moment the CIO, who becomes the head of security.
The speech by Col. Marc-André Ryter (Collaborator for Doctrine within the Swiss Army General Staff) concluded that civilian structures and armies are, today, exposed to the same threats. Both sectors actively collaborate, many identical systems and applications are used in both domains, and several civilian technological novelties find a military use. All this happens amid continual innovation, financial constraints and global competition. Within cyberspace, almost all hostile actions damage the civilian sector as well as the armed forces. In this context, damage to a national system has impacts which can endanger the whole population before causing loss or critical damage within the army ranks.
Disclaimer: © This White Paper has been written by Laurent Chrzanovski and expresses only its author’s point of view.