Euro-View: Rasmus Theede on information security
BRUSSELS – When I joined my first corporate IT-security department two decades ago (at that time called Electronic Data Processing Safety Department), I was presented with a memo between the department and the CEO. The memo highlighted the rather new phenomenon called the “Internet”, suggesting that we should indeed investigate the business possibilities further but also wondering if this Internet posed any security concerns. At that time, the Internet included only a few hundred thousand connected computers.
Today, with nearly 200 billion internet-connected devices, most of us cannot imagine a life without the possibilities the Digital Age brings. Whether you are an EU citizen, corporation or governmental institution, digitalisation has completely changed the way we live and interact.
However, along with these remarkable possibilities, global citizens and corporations alike have increasingly become vulnerable to new serious cyber threats that few can understand or predict. And in the EU, where many have become masters of digitalisation, we are especially vulnerable.
In recent months, destructive cyber-attacks have once again hit global enterprises, bringing even large organisations to their knees. In the EU, the largest container line in the world, Danish Maersk Line, had global operations severely interrupted for weeks. Other critical parts of European infrastructure such as hospitals or retail and energy companies were also severely impacted.
Personally, I wish I were surprised by the impact of the recent attacks. Being in charge of corporate security in numerous large enterprises over the years, I can testify that citizens, corporations and public sectors around the EU are combating thousands of serious cyber-attacks every day. Most of these attacks never reach the media, and even more are never discovered.
Even though the media’s interest in cyber security has shot up in recent years, we do not see many types of cyber-attacks today that we haven’t seen before. But the complexity and volume of attacks have increased significantly. As our valuables have moved from physical to digital form, so have the criminals. And on today’s internet there is significant money to be stolen, with very little risk.
Further, government defence departments have definitely discovered the value of the internet for cyber warfare and espionage, meaning large investment in both defensive and offensive cyber capabilities both outside and inside the EU. As a result, we suffer collateral damage against private citizens and corporations – casualties that few seem to notice in cyberspace.
I firmly believe that the increased intensity of criminal cyber activities must not be allowed to hinder digitalisation nor innovation. However, as a truly connected society, we cannot ignore or underestimate the digital threats originating from organised criminals, state-sponsored entities and mere opportunists who seek to explore and exploit new malicious digital possibilities. With society becoming more and more dependent on digitalisation, if the emerging threats are not handled with due care, the consequences could be devastating. Further, the trust of citizens and corporations is crucial to reap the benefits of digitalisation – trust that is currently in danger of being degraded.
In the EU, we have many new initiatives on the table that in the long run will assist in countering the new digital security threats. To name a few, the new General Data Protection Action (GDPR) will bring new requirements for protection of EU citizens’ personal data, for example. Elsewhere, Privacy Shield will help protect data transfer between the EU and the US, while the EU’s Network and Information Systems Directive (NIS) will assist in protecting critical European infrastructure.
These are all good and necessary initiatives that undoubtedly will have a positive impact on EU Member countries’ data protection capabilities and cyber resilience over the coming years. And yet with all the great political initiatives, why are we hit with increasingly advanced cyber-attacks that cause corporations and citizens alike to feel helpless when it comes to protecting their personal or intellectual data?
In my daily work I have repeatedly experienced just how hard it is for corporations and law enforcement authorities to investigate digital crimes across borders, how easy it is for cyber criminals to hide, and how ill-prepared many citizens, corporations and public-sector entities are to face the new digital threats.
Close cooperation between Euro countries, including knowledge sharing and coordination of the handling of global cyber-attacks, is crucial for the future success of effective cyber defences. As there are few borders in cyberspace, the traditional silo approach when it comes to security must be abandoned.
Further, the perception gap between legislators and daily practitioners must be narrowed by stepping up concrete advice and levels of awareness. While larger corporations usually have the scale to hire and acquire the best security resources and technology, others – especially small and medium-sized enterprises (SMEs) – struggle with the term “right IT-security”.
As a result, we very often see that even basic and well-known security controls are not implemented in SMEs. As they represent 99 per cent of all businesses in the EU, assisting SMEs in setting up correct cyber-security measures is of immense importance for the EU’s economy. Strong support programs targeted specifically at these enterprises should be of the highest priority.
The Digital Age has arrived with a tempo few had predicted, bringing new threats and leaving many behind in terms of digital security awareness and behaviour. Digital security cannot be obtained through legislation alone, but requires intense and continuous involvement by the entire digital value chain from citizens and digital suppliers to corporations, law enforcement agencies and governments. And here, we are unfortunately still lagging behind.
We are still too scattered and too uncoordinated while building too many silos and implementing too many different local flavours. And for all those reasons, cyber-criminals are prospering.