ECSO: “The digital market is an open competition on a global scale”

Cybersecurity has emerged as a hot topic in the MICE industry since the pandemic, with many of these events migrating to the digital space raising questions about intellectual property, data protection and cybercrime. It is at this point unsurprising to recognise that the development of a comprehensive cybersecurity system will be dependent on the ongoing digital transformation as they are symbiotic.

The European Cyber Security Organisation (ECSO) is today the only European public-private organisation that focuses on cyber security and accounts for a wide range of projects where the priorities are to connect, support and act on the European landscape, offering a cross-cutting vision on the rapidly evolving digital environment. We sat down with Luigi Rebuffi (on the photo below), Secretary General and founder of ECSO, to talk about investments, cooperation with the European Commission and the implementation of a Public-Private Partnership for cybersecurity.
 

Drawing on your experience and expertise, where do we stand on the discussion and public resolution of a unitary cybersecurity network?

There is not one because cybersecurity is still managed at national level. It is an internal security issue for each member state, so countries are entitled to that legal sovereignty, challenging sometimes EU common regulations. National laws correspond to each country’s legacy and political interests, which explains the different speeds and approaches to the same objectives. However, there are no major differences at European parliamentary level between the different political parties. We are working on it with high expectations since we created ECSO in 2016, and when we look back things are moving forward. We have produced a lot of legislation that has been passed in the last few years, like the NS2 regulation, and soon with the cyber resilience act and the digital operational resilience act on the financial side. This was structured from a legislative point of view from the European Commission’s (EC) ongoing strategy which has undergone several evolutions since its inception in 2013. The EC really recognises that the sector is evolving rapidly, hence these frequent updates to the ongoing strategy.
 

What is really missing to bring all these member states together around a unitary consensus on cybersecurity?

A political commitment always follows a political understanding of needs. The fact is that we are still relatively far from a public and private commitment to investment. We have good technologies, good skills, but the broad understanding of the need to protect digital transformation is still a long way off. If we don’t invest in cybersecurity, we will always be dependent on third countries. It’s not just about what the EC calls capacity building or hardware, it’s also about skills. One of the tasks of our Cybersecurity contractual Public Private Partnership (cPPP) from the beginning was to suggest to the EC priorities for investment in research. We have soon recognised that it is not only about research, but also about investment in building solutions, in providing critical infrastructure with good protection, in supporting start-ups with investment funds, etc. Now, one of the most relevant topics is how to support the growth of digital skills in cyberspace. Unfortunately, investment in education and training in this area remains low.
 

"We will have a completely different perception of what privacy is in a digital world (...) and those born into the digital age will probably have both a more appropriate perception and response to what we now consider privacy."
 

How far are we to reach the milestone of a European Digital Single Market and what are we missing to get there?

For me a European Digital Single Market is a constantly moving target, just like IT or cyberspace. It is something that has to be cyclically adjusted as it is very difficult to set a 10-year bar with continuous innovations and market swings. The targets also change intrinsically with each country's definitions, market rules, the global environment, and at breakneck speed. The European Digital Single Market is made up of legislation, policies, skills and capabilities that are dynamic rather than static concepts. This market is growing but towards something that is unpredictable to outline. What we can say is that this space has to rely on the right investment of strategists, global citizen action and well-trained professionals.
 

What is the key priority for building a European public-private programme on cybersecurity?

The concept of sovereignty is quite difficult to express in this context, strategic autonomy is much better because it matches certain views closer to the capacity of the private sector. It is basically about reducing dependence on non-European solutions. If China, for example, blocks chip exports to Europe we are in a world of trouble. This means that there has to be an industrial renewal in Europe for the production of digital materials, such as chips or semi-electric conductors. We should look at cybersecurity as we look at planning for the sixth generation of the mobile telecommunications system, avoiding the problems we had with 5G. Anticipating the next phase of cloud storage, for example. We have to target what is strategic and see what can be done in Europe, and in cooperation with our allies. The digital market is open to competition on a global scale. A competition that plays its own political game that is increasingly relevant in economic terms. Europe has to take its stand, we cannot wait only for external solutions.

What are the real threats in today’s cybersecurity landscape?

Certain threats like ransomware or DDoS are very active today. However, I would say that one of the biggest threats is also fake news. Maybe in certain countries this is on the borderline of cybersecurity, but it accounts for several internal security issues and is heavily played at the political level. It can compromise a country's security network and therefore it is a de facto IT-linked security issue. It's something you can see every day from all sides weaponising the public discourse. The European Parliament here is particularly sensitive when it comes to elections but it is much broader than that, it greatly influences the reading of reality and public discourse across populations. Even when we talk about quantum computing or the metaverse − are they really safe? Or clouds that can evolve into edge cloud by connecting to a centralised cloud system. There will always be new technologies on our doorstep and we have to know how to react from a security perspective.
 

"For me a European Digital Single Market is a constantly moving target."

With all these threats where do we stand when it comes to privacy? Is it a dying concept?

We will have a completely different perception of what privacy is in a digital world. Today, younger generations have a completely different notion than older fringes of the population. And those born into the digital age will probably have both a more appropriate perception and response to what we now consider privacy.
 

How crucial would it be to create a financial mechanism to help European cybersecurity companies grow and gain traction in the market?

Certain countries need to strengthen investment in various sectors, taking advantage of European funds. The public sector in general needs a lot of investment to strengthen its equipment and security programmes to cope with digitalisation. The private sector clearly needs to invest in manufacturing and critical infrastructure, but the understanding of where to invest also diverges. Take, for example, the EC's Digital Europe Programme, which has allocated large amounts of money in this area, including cybersecurity, intending to drive public but also private sector investment. How do these needs match up? These are the efforts we make to converge the common interest and achieve objectives that are also common.

Are they matching? We are working on that.

Why would a hacker be interested in an event?

Why are the hackers doing this? They're not going for ransom. They do it for fun just for distraction, or they do it for political reasons because they don't like what this conference is about. The part about information and data theft at an associative conference is not so threatening. These types of conferences are normally open events with information available to the public and no major secrets. You may have certain specific cases within the conference with the Board of Directors or a members-only meeting to disclose confidential market information, competitive or strategic guidance, but outside of that I'm not seeing many breaches for cyber attacks. If we talk about European Parliament or Council meetings, the issue might be more sensitive for political reasons. In this case we must always ask what is the financial or political interest of this event?
 

"A single European cybersecurity is still very far from being a reality."
 

Since the framework is changing for everyone and digitalization is through the roof, shouldn't the way we communicate about cybersecurity and educate about data protection also be changing and improving? Do you think that, like other scientific and technological disciplines, we should be adapting communication for the general public in a more logical and intelligible way?

This is a long journey and strictly linked, as you said, to education. On one hand, we have an initiative called Youth4Cyber aimed at children and young people in a primary learning phase who can progress to a potential career in cybersecurity. At the same time, we should train the citizens of the future so that in 10/20 years they will be more ready and more literate when it comes to privacy, data ownership and the challenges that are coming to the digital society. For older populations it will take longer. I was just reading today that in Italy the government is trying to recruit 2600 students aged 18-28 to teach senior people how to deal with cyber security and IT. These people are increasingly forced to go digital when interacting with friends of the same age, subscribing to news, exploring the possibilities of social media, etc. This is probably a path we should follow. We are really moving forward but we cannot just stick to the concept of vision, we have to move into the concrete reality of people's lives.
 

What main campaigns and activities do you have scheduled for the remaining of the year?

The EC is developing for a (cybersecurity) centre of competence in Bucharest and we will contribute to the creation of that community. We are developing a marketplace especially targeted at European SMEs to leverage their products, services and capabilities. We are also working on the development of the CISO network, and will organise an event in Brussels at the end of October dedicated to the European CISO. On the other hand, we continue our mentorship for women with the Women4Cyber foundation, designed on two platforms: one in academia and one for the labour market. We have another initiative called Youth4Cyber aimed at children and youngsters who could progress to a potential career in cybersecurity. In terms of certification standards, we continue to cooperate with the European Agency for Cyber Security (ENISA) to define cyber certification approaches. As for investment, we await the results of a study by the European Investment Bank to analyse the construction of a fund dedicated to start-up and scale-up companies; we’re also supporting the development of the DIGITAL Europe programme between the EC and member countries and as regions. In education, we can also highlight another project with ENISA on different profiles that will come out in September. Lastly, we are starting a deeper discussion on space with the European Space Agency that will be revealed soon.

Do you think we have fair and proportionate criminal enforcement and legislation to the risks we face with cyber crime today?

This is a sensitive issue. Sensitive in the sense that we also have some forensic experts on our team, and for me, before cybersecurity there is, of course, cybercrime. However, many tend to forget about this trigger and the natural order of things. Cybersecurity is not seen as a potential response to cybercrime, and greater awareness is needed at this level. In Italy, for example, you have the Postal and Communications Police that is managing this cyber crime department, working in parallel with other ministries and institutions that help coordinate the country's Intelligence. In Europe, we have Europol, which also goes after cybercrime on a European scale, but looking a little more into cybersecurity you have ENISA. Let's say that in the private sector this confluence of cybercrime and security remains more disconnected and has much more room for improvement.