“This week, there is not only Cybersecurity Week, but also the European Consumer Protection Week and the African Microfinance Week,” said Pascal Steichen, CEO of Securitymadein.lu, on Monday, as the week dedicated to cybersecurity issues officially starts, with some 40 events planned.
“At the beginning of the year, in partnership with the University of Luxembourg and two companies, we formed a consortium to develop an African cybersecurity resource centre, which started its operations a few months ago in Senegal. It will launch its activities in Rwanda this week, where Microfinance Week is taking place,” he said.
What has brought cybersecurity into all the conversations? Covid and the numerous attacks?
Pascal Steichen: We noticed this trend three or four years ago. At the time, we would proactively inform companies that one of their machines was involved in an attack or that an international network had informed us that the company was targeted by an attack. Today, we have received many more requests for help on the subject. The other big issue is the digitalisation effort in many sectors. Covid has reinforced this movement because society has understood that we are dependent.
As for Thales-Google, we have to make sure that this is a technological transfer and not a 'hidden service', otherwise we would no longer be in the framework of the privacy shield.
In view of the data losses and attacks, is there growing concern in Luxembourg?
There is a lot of discussion. The different regulations and, above all, today, the applications of these different regulations, with regard to the Schrems and Schrems II rulings, etc., are a source of concern. We are aware of the application to be made with the GDPR and there is all the discussion about migration to the cloud. There is a big push from technology providers. At the European level, the discussions revolve around Gaia-X, or how this migration will be compatible with European rules. These discussions will require a lot of structural adjustments in companies.
Why? Because cloud solutions are provided by American players?
This is very clearly part of the problem. According to Schrems II, if you go through an American or Chinese or Indian or African player, you cannot input the same data...
Is the Thales-Google agreement on a "sovereign" cloud in a French company controlled mainly by the French the beginning of a solution?
This seems to be the beginning of a solution. Of course, we will have to make sure that it is a technological transfer and not a 'hidden service', otherwise we would no longer be in the framework of the privacy shield. Perhaps there will be a new privacy shield, that's another question, but ideas along these lines could become the solution today. Besides that, there are a lot of efforts being made to strengthen existing European clouds or to create European infrastructure or capacity for the cloud.
The American cloud providers remain connected to the American continent. Can we guarantee where the data is?
There is someone who knows exactly where the data is. You have to have operators or system administrators who know where the data is, otherwise it doesn't work. How is the data managed? Via which mechanism? According to which algorithms and which technology? We will distribute the data to ensure good redundancy. The question with Thales and Google is whether it is really a transfer of technology or whether the data is distributed over capacities under Thales’ control. Or is it connected to Google’s global infrastructure?
If we want to solve the problem, should we imagine that the whole infrastructure is disconnected from the American or Chinese or other infrastructure on European soil?
To put it simply, that’s it. Going to the cloud, from a pure operational security point of view, provides many advantages. It’s much better for a small company than trying to do it yourself. But it’s a different issue for data management. The choice of cloud provider is fundamental. You have to look at the operational part and the skills, but also the structural and regulatory issues. It is not at all easy to migrate to a cloud provider.
Today, we still have the choice to avoid falling into a situation of dependence.
Do you think we can believe the giants when they announce that they have come together in the “trusted principles” and say ‘Don’t worry, we have agreed to respect the respective rules of the game for each place’?
It's probably goodwill. But, again, that focuses on the operational security part to make sure the data is in the right place, but it doesn’t at all prevent the US state from asking the provider to have access to the data, no matter where it is on the planet. And in China, in my opinion, it must not be very different.
Is it naive to believe that we can do without American or Chinese technology?
That’s like saying in a general way that we can’t do without technologies anymore. That wouldn’t be true either. There are perhaps many people who have become dependent on a technology, especially when you look at how our children are educated or introduced to technology. Today, we still have the choice to avoid falling into a situation of dependence. In 10 or 15 years’ time, we may be in a situation where we can no longer turn back. And in business, it’s the same.
Open source offers possibilities, doesn’t it?
Yes, there are a lot of technologies that exist, which are not well-known and which do everything. It’s just that they’re not all ready to go and waiting for you to simply sign up. It all depends on how fast you want to go. If you want to go very, very fast, it’s certainly easier to subscribe to ready-made offers. If you want to think about it a bit, there are ways to act without choosing the big names that are easy to find...
The new centre of competence, which is being set up in Bucharest, is there to encourage open source developments. We must consider these solutions to strengthen technological autonomy for the benefit of each individual player.
States and the Luxembourg state have a particular responsibility in the idea of regaining autonomy, don't they?
There are clearly responsibilities. We are also seeing more and more actions in this direction, very much pushed by Europe, where many programmes allow to ensure the sustainability of open source, which is already widely used, and where we try to push for open source development. Like the major IPCEI cloud services project, which wants the technology to be open source so that the whole economy can benefit from it.
Closer to cybersecurity, the new centre of competence, which is being set up in Bucharest, is there to encourage open source developments. We must consider these solutions to strengthen technological autonomy for the benefit of each individual player. They should no longer be obliged to link up with a supplier and find themselves in trouble. This will have to be developed a lot in the future, but it has been put on the agenda of companies and politicians.
This means that teams are being set up to look at open source projects and possibilities. First with what is widely used and useful. Quality mechanisms should be created. Today, we have relied a bit on the community, which has not necessarily helped. On the proprietary software side, the company has an interest in the quality of its software, a choice that is not always easy to make. There are challenges on both sides and different solutions on both sides.
Is this something you recommend to the state?
There are more and more discussions. For three or four years, the Syndicat intercommunal de gestion informatique (SIGI) has been in the process of fully migrating to an open source infrastructure. It’s a multi-year project, but there is a will to do it. I hope that other areas will follow suit. A big step took place two or three years ago when CERN in Geneva decided to go in that direction. It was quite easy for them because they already had a lot of open source technologies. It resonated a lot.
What would be the facilitating elements towards the more widespread adoption of open source?
The discussions around the GDPR, this technological autonomy. Because there is this dependency, I also need this technology to be under my total control. People need to be able to say to themselves that it is in their interest to have a solution that they control, that they master, that they can look at in detail. The challenge is to have the market to support this development. If you have an open source project developed in such and such a language, you have to find the skills to implement it.
Which is difficult in Luxembourg...
Naturally, it is a small country. There are a few less players. This is a subject that needs to be brought up to the European level and this is what is happening.
Among the developments, we are beginning to hear about quantum technology, which could mean that there would be no more secrets...
A consciousness is forming in some people’s minds about this. It’s still hard to say what’s going to happen, but I’ve seen a few start-ups recently that have ideas on the subject and are focusing on it.
Where are we in the protection of our health data? Our critical infrastructure? I mean, after the terrible year of attacks related to the remote switchover of a large part of our companies.
In the update of the national cybersecurity strategy, there is a chapter on this topic, which shows there is a political will. It’s not just on the radar but on the agenda. During covid, there was this action by a group of private players who volunteered to support hospitals at the technological level so that they could focus on health issues. We now need to structure this in a coherent and complete way, and continue to make efforts.
You have been working for several years to structure and federate the world of cybersecurity in Luxembourg. How far have you got?
It is a subject that is constantly changing. There was a big effort during the third version of the national strategy, in 2019, when we published the list of players. Since then, we have worked on the cybersecuriteluxembourg platform to have up-to-date and dynamic content. Today, we want to put things together even more visibly. Very soon, we will publish the new national cybersecurity portal, which will show that the interministerial coordination committee is really moving forward with a common portal and different entities behind it.
We are going to remain on these two pillars: on the one hand, the High Committee for National Protection and GovCert, in charge of protecting the state, public security and critical infrastructures, and, on the other hand, we, in charge of supporting the economy to protect small structures and municipalities. We need to be close to the actors and suppliers.
What is interesting is to see the emergence of this two-pillar strategy at the European level with Enisa, which supports the member states, and the new centre of competence, which is more concerned with market development and innovation. This is a very positive development: our choice was not so bad.
In Germany, a few days ago, a sort of national cybersecurity committee was created, involving four ministries at federal level, with a large agency underneath that will take over the activities of the European centre of excellence. There is no longer a single ministry that centralises everything. I hope that we will also see this in France. Another example from Germany, since I was there at a trade fair last week: we discussed with a Land, which wants to adapt our model.
This story was first published in French on Paperjam. It has been translated and edited for Delano.