European Security Forum: AI Threats & Opportunities and Post Quantum Cryptography
After a morning dedicated to “data security: everyone’s business” and “the new era of zero trust”, Artificial Intelligence and Post Quantum Cryptography were at the heart of the discussions of the afternoon session of ICT Spring’s European Security Forum, on September 15th.
The title of the first speaker’s intervention, “If you can’t measure it, you can’t improve it”, is a good summary of the speech by Chris Nickerson, CEO of LARES. Accumulating data is not a solution. “The analytics that we have today are almost large scale useless”, stated Nickerson. You need good-quality data to measure the effectiveness of your cybersecurity. While defence changes constantly with new or updated compliance requirements, attackers always follow the same methodology. Cybersecurity is a performance engineering concept, and you have to measure the quality of your response to attacks instead of measuring the number of attacks. “Data is a tool to empower our ability to be effective.”
The organizers then welcomed Alain Hirtzig, Head of CyberLabs, Cyberforce, POST Luxembourg, who shared a presentation entitled “Privacy preserving AI”. The quantity and quality of data are among the most important factors in building advanced and powerful machine learning and AI applications. To this end, you need data sharing, but this process raises two main issues: privacy and data abuse.
To comply with GDPR requirements, you can fully anonymize the data, but that makes the data useless. Another technique is pseudo-anonymization, which consists in partially anonymizing the data, “not the ultimate balance between data effectiveness and data privacy”. So, the engineer presented the four main technologies used today to perform secure computing: Homomorphic encryption (HE), Multiparty computing (MPC), Federated learning (FL) and Trusted execution environment (TEE).
David Cox, Director of Mastercard’s European Cyber Resilience Centre (ECRC), then took the stage virtually to share his thoughts on “Cyber Resilience and Public Private Partnerships”. He insisted on the cost and lost revenue from cyber-attacks around the world (estimated to reach 5.2 trillion in the next five years) to emphasize the importance of cyber resilience. While technology can be a response to these threats, it can also increase the risks. For instance, AI is used for cybersecurity defence but also by cyber criminals to program attacks. “We have to maintain human oversighted processes.”
To address threats faced by the European payments ecosystem, including financial institutions and fintechs, Mastercard created the Mastercard European Cyber Resilience Centre in Waterloo, Belgium, at its European Headquarters. The centre works together with central banks, industry groups, law enforcement agencies and key national cyber intelligence centres to answer the top concerns of governments, policymakers, regulators and customers. “It is a way to accelerate intelligence sharing, bringing all the competencies together under one roof. The security is in unity”, stated Cox.
Live from Japan, Mihoko Matsubara, Chief Cybersecurity Strategist, NTT Corporation, highlighted the “Cybersecurity lessons learned from Tokyo 2020 & COVID-19”. The pandemic increased vulnerabilities: people spend more time online, which expanded the attack surface. For instance, remote workers are a prime target due to low awareness. The healthcare sector was especially at risk because cybersecurity hasn’t been its priority, with very low IT budgets. Matsubara highlighted some attack scenarios such as fake invites to online meetings, phishing or recruiting via LinkedIn, and ransomware. She explained why a ransom shouldn’t be paid: “Only 8% of victims were able to recover all the data after they paid, 80% suffer a ransomware attack again after they paid, with 50% believing that the 2nd attack came from the same hacker group.” So, cybersecurity needs responses from global leaders. Matsubara called for the creation of a cyber threat landscape, information sharing and closer Japan-Europe cooperation.
Eric Singer, Regional Chief Information Security Officer - EMEA, Schneider Electric, and Lucas Colet, Cybersecurity Manager, INCERT GIE, then participated in a CISO talk. They agreed that in the last 20 years, “ransomware was a turning point” in raising awareness of the importance of cybersecurity. Singer mentioned 2016-2017 and the Petya ransomware. “It really opened eyes because for the first time, the business stopped”, Colet explained. Cybersecurity is no longer only about protection; it is about giving value to the new digitalized business, and it has become central. This is reflected in the organization of companies: the Information Security Manager has moved up to the C-level to become Chief Information Security Officer, reporting directly to the board. Colet: “Now the CISO has head-to-head conversations with the CEO.”
David Cox, CEO, Brainframe, joined the stage for a startup pitch. Brainframe provides an information security management system (ISMS) for security and compliance professionals, helping to collect information, document compliance, manage work and distribute it to staff. According to Cox, Brainframe responds to a necessity. With the lack of competencies and the shortage of specialists, cybersecurity is moving to a consulting basis for small companies and startups. “The career path of CISOs started from being strictly in IT to work closer to the management”, stated Cox.
The afternoon session continued with Sokratis K. Katsikas, Director of Norwegian Center for Cybersecurity in Critical Sectors (NORCICS), Pascal Steichen, CEO, SECURITYMADEIN.LU, and Edvardas Šileris, Head of European Cybercrime Centre (EC3), EUROPOL, who participated in a round table about “Cybersecurity sovereignty for Europe”. The European Parliament defines digital sovereignty as the ability of the EU to act independently in the digital world. “So, cybersecurity within digital sovereignty means act independently while protecting cyber space”, Katsikas highlighted. However, all the participants noted that Europe is technologically dependent on other parts of the world, in particular the United States, the cloud being a good example. “Europe is trying to create a dynamic to develop technologies to reach sovereignty”, Steichen said, mentioning Gaia-X or the European Chips Act. In the end, reaching cybersecurity sovereignty is essential to preserve fundamental rights and common European values within the digital world. In order to do so, Europe has to choose between a protectionist approach and an open approach in which Europeans accept to see the digital world as a global and interdependent one.
The last session of the European Security Forum was dedicated to “Post Quantum Cryptography”. André Meyer, Security Practice Lead Luxembourg, Accenture, concluded the Forum with an intervention titled “Quantum Supremacy - Understanding the future of cryptography”.
Even if you stay on the surface of things, it's hard not to mention some technical considerations: qubits are the performance indicators in quantum computing. The first quantum computer was created in 1998 with a power of 2 qubits. Google wants to create a 1000-qubit quantum computer by 2029. “But you have other institutions, even states, working on quantum computing without making any announcement”, Meyer informed. Quantum computing and its consequences are still unknown. “We have 10 years to get prepared because when it will hit, it will hit like a truck”, Meyer warned.
Quantum computing will totally change cryptography: “A future 1000 qubits computer will decrypt any cryptography that are 500 bits or less within seconds”, meaning any currently encrypted data will be decrypted. To tackle this challenge, you need a whole new cryptography, with algorithms that cannot be broken by the way quantum computers work.
Article by Nicolas Klein