20 April 2023

Europe, Cyber and the Cloud: A View from the International Cybersecurity Forum

Dan Lohrmann

How is the cybersecurity industry — including government activity — different in Europe than in the U.S.?

More specifically:

What are the top cyber defense priorities for C-suite executives in France?

How do European Union (EU) companies and governments think differently about security in the cloud?

What is France’s view of American “tech giants” as the world faces more threats in cyberspace?

Why do many global experts prefer to interact and engage on a range of cyber and tech topics in Europe rather than come to the upcoming RSA Conference in San Francisco at the end of this month?

How are the war in Ukraine, NATO military cooperation on cyber, and a long list of U.S./EU tech topics changing the global cyber defense landscape?

What can be done to enable more nation-state cooperation on defeating cybercrime, fighting online predators and strengthening global partnerships with criminal justice agencies?

Where do cybersecurity and technology pros in Europe go for inspiration, learning and career growth?

Is there hope that the “good guys” can work together worldwide on cyber issues and be more effective given the fact “bad actors” still seem to be one step ahead on a range of topics?

These were just some of the questions that I was hoping to answer as I headed to the International Cybersecurity Forum (FIC), which was held in Lille, France, from April 5-7. I will cover many of these topics in this “open trip report” from my pleasant and memorable week in France.

But before I dive into specific details, I want to begin by offering perhaps my top lesson learned: There is tremendous benefit to engaging in and discussing cybersecurity topics with people and teams from different countries, cultures, career circumstances, backgrounds, government laws and regulations, economic situations, languages and more.

I think this is especially true for Americans who think that the tech world largely revolves around us. But we have many blind spots. Assumptions and even cyber solutions that may have worked pre-COVID or pre-Ukraine war, or even last year, may be invalid moving forward. Also, our cyber attack surface and global threats are changing fast, as AI developments, ChatGPT, leaks of classified military information and other top stories have shown us in the past few months. Of course, these conversations include people, process and technology solutions.

I came to realize that all these questions and answers are much more complex and nuanced than I had originally thought. At the same time, I also learned that the FIC offers a unique and helpful event to build upon for this evolving international dialog.

Just as cloud computing adoption scales and changes (including the number and nature of cyber attacks), technology constantly evolves, our cyber threat landscape shifts, constant monitoring with advanced tools is essential in cyberspace, and our workforce changes, so our cross-cultural industry communication must also grow to be effective.

Bottom line, the people side of cybersecurity coordination must keep up with the dizzying level of technology advancement if we ever hope to make lasting progress against global bad actors as cyber defenders cutting across nation-states.

For those of you who are interested in helping in these efforts, one bit of good news is that this International Cybersecurity Forum is coming to Canada this October and Texas next year. (More on the U.S. conference in a later blog after the Canada conference in Montreal.)

FIRST IMPRESSIONS

Earlier this year, I was invited to participate as a plenary (keynote) session panelist at FIC in France on the topic “Is Cloud Security Pie in the Sky?” I had never heard of the FIC conference before, but after doing some research I learned that over 19,000 people were registered from 60 countries, and the interest and participation have grown steadily over 15 years in Europe.

The theme of this year’s event was “In the Cloud We Trust?” Our session abstract details can be found here. The participants came from a variety of international backgrounds, such as:

Adeline VILLETTE - Head of Security Advice Office, DECATHLON
Adrien LAUGIER-WERTH - Co-founder, BRYAN & TAILOR
Yegor Aushev - Co-founder, Cyberunit
Jean-Claude LAROCHE - President, CIGREF
Jean-Philippe POIRAULT - CEO Big Data & Security, EVIDEN
Vincent STRUBEL - Director, ANSSI
Julia SIEGER - Moderator, FRANCE 24
Victor GEVERS - Dutch hacker, GDI Foundation
Dan Lohrmann - Field CISO at Presidio and Senior Fellow at CDG*

You can watch the keynote panel session here:

Note: Although much of this video is in French, the panel session on cloud security was entirely in English beginning at the 1:22 mark.

MORE CONFERENCE LESSONS LEARNED

On the first question, it is clear that cybersecurity is a top priority for government and private organizations throughout Europe and the other 60 countries in attendance. Many of the cyber topics that are hot in France are the same as in the U.S., from ransomware attacks to phishing training to cloud security themes we covered in our session.

And yet, there are noticeable differences that I saw. I think some of these differences are described well in this article by Janna Brancolini for the Center for European Policy Analysis:

“The EU’s emphasis on privacy in its mission to advance cybersecurity could drive a wedge between public and private partners.

“Europe approaches cybersecurity differently than the US, which sees it primarily as a national security issue. In the European Union, the emphasis is on protecting privacy and warding off economic danger, says Sandra Joyce, head of global intelligence at Mandiant, a cybersecurity leader. Cybercrime costs Europe an estimated €5.5 trillion ($5.9 trillion) per year, according to the European Commission.

“In 2021, the European Commission proposed an update called NIS 2. It expanded the scope of critical infrastructure to include space, express delivery, food, waste management, public administration, telecommunications, and digital services such as social networks and data centers.

“Under both NIS 1 and 2, national authorities issue certificates confirming that a product has passed security tests commensurate with the product’s risk level: basic, substantial, or high. All EU countries are obliged to recognize the certificate, easing trade across borders and saving businesses time and money on multiple certifications, according to the European Commission.

“The goal of strengthening national security is never mentioned.”

The one caveat that I would add to this analysis is that the war in Ukraine has altered that cybersecurity landscape and brought our global cyber war into a clearer view in European capitals. I heard a lot about public- and private-sector cyber attacks against NATO countries over the past 12 months at FIC, and there was a common theme about partnerships that transcend traditional barriers.

At the same time, there seemed to be a love-hate relationship with U.S. dominance on most technology fronts, with a special emphasis placed on cloud security partners like Amazon Web Services (AWS), Microsoft and Google. While there is clearly a huge dependence on these companies (and other U.S. firms), there were also many speeches and panel discussions around growing their own alternative cloud providers, while insisting that European data stay in Europe. (Some call this the balkanization of the Internet and/or Internet “walled gardens.”)

For more, read this article, which is in French but easily translated into English with Google Translate, with the English headline: “France must become a great cybersecurity nation.”

At the same time, there were powerful panel discussions at the conference highlighting global best practices and partnerships in areas like fighting cyber crime from the U.K. to South Korea to France to the U.S. For example, online child protection, along with illegal trafficking of humans in different contexts, was described and discussed in detail in one of the tracks.

Experts from all over the world were clearly working together on a personal and team basis, and I was impressed with the tracks and detailed program covering numerous cyber-related issues.

For example, I learned a lot at the “Trust and Safety Forum” with global speakers such as:
Sophie MORTIMER - Revenge Porn Helpline Manager, SWGFL (U.K.)
Soyoung PARK - International Cooperation Lead to combat image-based abuse, NCII KOREA COMMUNICATIONS STANDARDS COMMISSION
Sigurdur RAGNARSSON - CEO, VIDENTIFIER
Jean-Christophe LE TOQUIN - Co-founder, Trust & Safety Forum
Jan Ellermann - Senior Data Protection Specialist, Europol

The expertise, global cooperation and sharing of best practices were simply incredible. I had helpful and thought-provoking conversations with Soyoung Park from South Korea, who manages their digital sex crime content bureau and coordinates international cooperation.

Overall, the in-depth discussions taking place offered a refreshing gathering place for the world to dig deeper into many complex cybersecurity topics, including people, process and technology issues, which I have not seen on such a global scale with diverse perspectives.

The reception for speakers and international visitors provided another unique moment to meet individuals and teams from around the world who had gathered in Lille. The picture below shows the venue for this evening cocktail social.


EU CYBER HISTORY AND COMPARISONS

Before I attended the conference in France, I did some homework to learn more about cybersecurity in Europe and the EU policies, regulations, procedures and key organizations. For those interested in digging deeper into these topics, I found these articles helpful:

European Council and Council of the EU - Cybersecurity: how the EU tackles cyber threats

FINAL THOUGHTS

The recent intelligence data leaks at the U.S. Department of Defense have reminded us (again) about our interdependencies and the international nature of everything that we are doing in technology and cybersecurity.

And yet, even with my seven years of living in the U.K. in the 1990s, I had to relearn the importance of international diplomacy during my recent trip to France. My eyes were opened anew to the critical nature of global conversations on a range of hot cybersecurity topics.

There are numerous takeaways, but I urge interested readers to become more engaged in the international dialog that is raging on all topics related to cybersecurity. Ensure your law enforcement and intelligence operations in cybersecurity are engaged with international partners — either directly or indirectly.

And thinking about pragmatic steps you can take, consider attending and/or speaking at the next FIC event in Montreal in October 2023. Or, if you can’t travel to Canada this fall, get ready for a new edition in Texas in mid-2024 (more details to come).

I am planning to become more involved with this excellent international cybersecurity forum.

*The Center for Digital Government is part of e.Republic, Government Technology’s parent company.
