Luc Feller and Xavier Bettel present the government's new cybersecurity strategy to journalists on 8 May 2018
Photo: Ministry of State
The Luxembourg government recently published its new cybersecurity strategy, the third version, updated to reflect the increasingly digitalised world. The new strategy is the fruit of the work of a task force led by the high commissioner for national protection, Luc Feller, who revealed it to the public along with the DP prime minister, Xavier Bettel, on 8 May 2018.
Cybersecurity and data protection are the hot topics of the moment (almost right up there with Brexit), especially in the light of affairs like the Facebook/Cambridge Analytica scandal and the imminent implementation of GDPR (general data protection rules), set for 25 May 2018. Delano (online, print and Delano Live) has covered the topic of GDPR in some detail (although, like Brexit, there will be more), so in a series of articles this week we will take a look at the broader issue of cybersecurity. And it is a broad issue, vast even.
In this first article on the theme, we take a look at the government’s recently published cybersecurity strategy. We will also take some time to look at definitions, as it is important to understand what is meant by cybersecurity and get an idea of how much it touches the lives of individuals and businesses alike.
Luxembourg’s cybersecurity strategy has been designed to reflect the objectives of the recently published European Commission package on a national level and has been developed by a task force led by the high commissioner for national protection. In line with the “Digital Lëtzebuerg” initiative, the strategy seeks to bolster public confidence in the digital environment, as well as enhance the security of information systems by improving the ability to identify cyber-attacks, protect digital infrastructures and raise stakeholders’ awareness of resilience.
The strategy begins by defining cybersecurity as,
“The collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment, its organisation and its users’ assets.”
It states that users’ assets include connected computing devices, personnel, infrastructure, applications, services, telecommunication systems and the “totality of transmitted and/or stored information in the cyber environment.”
“Cybersecurity,” it is explained, “strives to ensure the attainment and maintenance of the security properties of the organisation and user’s assets against relevant risks in the cyber environment.”
The strategy contains three guiding ideas, “Building public trust in the digital environment; protecting digital infrastructure and promoting the economy.” Within each of the guidelines there are clear objectives as follows:
Building trust in the digital environment: knowledge sharing between all stakeholders; dissemination of information on risks; raising awareness of all the parties concerned; responsible disclosure and combating cybercrime.
Protecting the digital infrastructure: a census of critical and digital infrastructure; security policies; crisis management; standardisation; strengthening international cooperation; cyber defence; strengthening the resilience of the state’s digital infrastructure.
Promotion of the economy: creation of new products and services; pooling security infrastructures; benchmarks on widely operated systems; the Cybersecurity Competence Centre; risk management and informed governance; training; collaboration between parties involved in information security; collaboration between experts in incident response; priority for research startups; code disassembly and identifying vulnerabilities.
Throughout the course of this week, Delano will come back to some of these guidelines in greater detail and, with the assistance of cybersecurity professionals, provide more context and practical advice.