The Cybersecurity Union: Notes from ENISA's Cybersecurity Conference
The stage was set in Brussels.
I had a crowd of the highest political authorities in the EU: heads of government, secretaries of state, and leaders of the cybersecurity strategy for entire countries. And I won’t lie: I was nervous, shaking even. But this was an unbeatable opportunity.
My goal was to speak on behalf of the whole Ethical Hacking community. To explain what’s needed, from our point of view, to strengthen the EU’s security posture. I was asked to deliver a keynote speech.
This is what I’ve talked about:
Weak security can break democracy
Cybersecurity is a sovereign concern. It’s not exclusive to private companies, and much less to individuals. States need to put this at the top of their priorities.
Because weak security can lead to attacks that expose information for entire countries, take Ireland’s Health Service Executive attack. Or the recent attack on Estonia’s Apotheka, which exposed data from half of the country's population.
And this is only the beginning in my opinion. Cyberattacks can disrupt elections. They can break the integrity of our institutions. And that leads to the slow collapse of society as we know it. Trust in institutions will erode, citizen's data will be exposed, and criminals will be able to break through the security of institutions we thought were unbreakable.
If we want to uphold European values, we need to defend them - on all fronts.
The Continent must move faster
Security is about speed and agility. The root cause of attacks is always vulnerabilities, and their exploitation is becoming faster. Recent estimates point out that 80% of exploits are public before CVE disclosure and 15 minutes is the average between a CVE being published and mass criminal exploration with automation.
We can’t wait days or even weeks to patch CVEs. Much less to know they’re there. Time to Detection and Time to Mitigation must be drastically reduced.
Strong, but simple, regulation
As much as regulation has helped Europeans in the past, this is something that is hindering innovation in the private sector. Because every technology company must decide where to allocate resources, and obviously they’ll first choose to be compliant. The more expensive it is to be compliant, the more investment we divert from technology and innovation.
I believe in the positive impact of regulation in cybersecurity. But it’s often too much - the end result is good but at the expense of sapping away resources. We need to find middle ground.
Beyond Problems: What can we do to do better?
Pointing problems out is easy - but now more than ever, we need solutions. And there are solutions we can begin implementing right now to address this.
Build a European public-private cybersecurity cluster
Private companies drive innovation. We can’t allow this innovation to be lost in the randomness of the market. Incentivize them with proper funding and collaboration to secure national and European institutions. This will give them the fuel needed to refine their technology so they’re ahead of criminals.
Shift focus to prevention
If we want to prevent attacks - especially the most devastating -- we must anticipate their moves. And that means mitigating vulnerabilities. We need speedy detection and teams ready to patch vulnerabilities. The goal is clear: if attackers do it in 15 minutes, we need to do it in 14. We need automated solutions capable of identifying vulnerabilities at a massive scale, and fast. Which leads me to the next point.
Implement Automated Pentesting to critical systems across Europe
Along with the previous point, we need to get all critical systems in Europe secured with Automated Pentesting. They’ll be protected 24/7, with new vulnerabilities being tested soon after disclosure. This will lower the Time to Detection, which will help in the goal of lowering the Time to Mitigation - and in turn, improve our security posture.
Recognize Ethical Hackers
They’re the backbone. They work on CVEs and find the most critical vulnerabilities. Their work has a net positive impact for millions of Europeans - and they must be properly rewarded for the work.
What started with Belgium making the work of Ethical Hackers legal got expanded with NIS2 – but it’s still not enough. NIS2 is still unclear on many aspects of its reach. We need to assure Ethical Hackers that they won’t face consequences as a result of their work. We need to work together with them and give them the right incentives - which go way beyond money.
Act as a Union
And lastly, we need to act as a proper Union. A Union that collaborates on matters of security and prevention, which realizes that an attack on a member is an attack on all. All European countries are connected, and research, sharing, and joint work will benefit us all.
It’s time to act
I’ll be completely honest: even though these solutions are available right now, this won’t be an easy task.
We’re talking about protecting hundreds of thousands of assets across dozens of countries. It’s a huge endeavor and it’ll require a lot of coordination.
But there’s no other choice. Because the costs of inaction are far more dangerous than what we can possibly imagine. Inaction is not an option.
Let's make Europe Cyber Resilient.
Let's secure technological progress.
See the full keynote
Interested in watching the full keynote? Play it here or save it for later: