Cybersecurity in the Perspective of the EU Upcoming Internet Security Strategy

29 May 2012 Author: EIFonline

The first speaker at the EIF Breakfast Debate on 16 May was Andrea Servida (Deputy Head of Unit, Internet, Network & Information Security at the DG Information Society & Media, European Commission).

Servida pointed out that while we are all part of one ecosystem (referring to the networked dimension), at present we are stuck in a finger-pointing mode. Blaming others won't improve anything; we are all affected and we all have to take up our responsibilities. Accordingly, the Commission is working on a unified EU strategy for cybersecurity, due to be published in September of this year. Servida enumerated the aims which the Commission hopes to achieve in promulgating this strategy. First of all, it is necessary to establish a common set of definitions. Building on that, the roles and responsibilities of CERTs, defense intelligence, prosecutors, industry, and so forth need to be clarified. Servida asked rhetorically why there isn't an insurance sector growing up around cyberdefense and data breaches. Precisely, he said, because there is a lack of baseline information. The Commission hopes to address this by establishing baseline requirements for risk management and introducing new information-sharing mechanisms (public-private and between member states).

Next up was Andrea Rigoni (Director General at Global Cyber Security Center). Rigoni applauded the notion of a common EU strategy, pointing out how much confusion his organization sees among the member states. In the case of Italy (Rigoni's example), about 90% of industry consists of SMEs. In these businesses you typically don't have one person focused on information security but rather a CEO who is also the CIO, CSO, CFO, HR, and maybe also the one locking the door each night. It's very difficult for the government to have visibility into the data protection posture of such small firms.

Rigoni pointed out that while we as a species have had millennia to sort out our strategies for responding to threats in physical space, we don't have that luxury of time in developing our defense strategies in cyberspace. The pace of technological advancement is simply too rapid. There aren't clear boundaries as in physical space, and it's difficult to establish clear attribution in case of a cyberattack. Cyber, he said, is much more complex than physical.

Rigoni then went in depth on the notion of digital identity. He highlighted the distinction between identity (who you are) and identifiers (credit card numbers, email addresses, etc.). According to GCSEC's research, between 84% and 88% of internet users are reusing the same password all over the place. Rigoni said that quite often smaller online providers aren't even doing the basics to protect their users' identifiers (for example, storing passwords in encrypted formats). It would be helpful if the EU strategy could address this problem as part of defining a baseline behavioral norm for online firms.

Rigoni asked his listeners to imagine the Italian government trying to impose some data protection requirements on one of the big players like Google, Facebook, or Amazon. (Not, he was quick to point out, that these firms are careless with user data - on the contrary, they do a much better job than average.) But just imagine, for the sake of discussion, this David and Goliath scenario of the Italian state trying to tell Apple how to store user passwords. This clearly shows the need for Europe to speak with a unified voice on these issues.

In closing, Rigoni gave examples from other industries such as the electrical grid operators, telecoms, and transport where international cooperation mechanisms are in place. He suggested that we needn't reinvent the wheel, that there are clearly elements we can usefully transpose from these other industrial domains to address the problems of internet security.

Closing out the evening's talks was John Suffolk (Global Cyber Security Officer at Huawei). Suffolk described Huawei as an international company which happened to be Chinese and thereby for various reasons subject to more intense scrutiny by some governments. He gave a bit of personal history, how his career took him from working for the UK government to an executive position within a major Chinese company.

Suffolk asked the audience, "What is the most secure internet browser? Do you know? Do you care?" A big part of the problem, he said, is that we give almost no advice to consumers; even the basic default security settings on our software and devices can be switched off, and there isn't any penalty for that. Our networks weren't designed to be defended, security is still an afterthought, and we have to get out of this finger-pointing mode or else, "we'll be sitting in this room ten years from now and the situation will be much worse."

Suffolk spoke to the supply chain problem, pointing out that a significant proportion of components installed in Huawei devices are of non-Chinese origin. In the end, no one really knows what's inside all these chips or what code is running on all the components in a system and, he said, "people in America can be bribed, too." Suffolk said, "We have already heard the language of war in this room tonight. I'm more interested in how we stop a war from happening." The answer, he said, is international collaboration. We see national governments purchasing zero-day exploits on the black market right now. If this sort of behaviour is legitimized, he asked, who can be surprised when others do the same?

Huawei does business in about 150 countries. Many of these countries, Suffolk said, take their cues from Europe. That's one reason why getting the EU strategy right is so important - it will likely form the basis for legal norms even quite far from Europe's sphere.

Suffolk went on to point out that we've all got to do basic hygiene, such as patching our systems, keeping our antivirus up-to-date, and so forth. If we don't start doing the basics we'll never get there.

He then spoke to the question of IP theft. He noted that employees had stolen from employers and governments had spied on other governments throughout recorded human history. This, he said, is not going to change. But, he asked, if IP is factored as a financial asset, why is it that companies can claim IP was stolen without being forced to take a commensurate write-down on their books? After all, if value was lost, the investors should understand that the value of a company has fundamentally changed. Suffolk proposed that the role of financial auditors needs to evolve in order to address these types of IP issues.

Suffolk said Huawei is a Chinese company by act of fate and as such is subject to more intense scrutiny. "We accept and embrace that," he said, "that scrutiny helps us." In closing, Suffolk declared that Huawei would be "delighted" to work with the EU and its member states to resolve any issues.


