ESF: cybersecurity at the core of business strategy

A redefined edition of European Security Forum – or ESF – took place last September 15th, at the ECCL, in parallel with ICT Spring. This first-ever phygital edition allowed the participation of experts located all around the world, who shared their vision, discussed the latest trends and advocated their best practices.

Master of Ceremony Gregory Wawszyniak Dumont (Public Relations Officer at SECURITYMADEIN.LU) officially opened this phygital edition of European Security Forum.

The conference started with a video of Franz Fayot, Minister of the Economy of Luxembourg, who stated: “the Ministry of the Economy is very actively involved in cybersecurity and has been since 2001, always with a positive and inclusive approach”. He explained that the wake-up call was the “I love you” virus back in 2000, which showed how vulnerable we were to cybercrime. “The impact of cyberattacks can be dramatic and mass outbreaks can be very hard to stop. Everybody can be prepared for cyberattacks”, he highlighted. The Minister also said that the new cybersecurity strategy of the government will be published at the beginning of next year and focuses on a business-friendly and positive approach: cybersecurity concerns all individuals, cybersecurity creates trust among citizens and businesses, cybersecurity is an economic opportunity and, finally, it is a collaborative task involving governments, companies and individuals. “Cybersecurity is, at the end of the day, about empowering people. Attackers often target our human weaknesses, which are triggered easily, especially if we are unconscious of cyber risks and best practices,” highlighted Franz Fayot, who concluded: “Cybersecurity also requires good coordination, inside organizations and among humans. It’s not a product, it’s a process”.

Pascal Steichen (CEO, SECURITYMADEIN.LU) then took the stage. The expert first described the local ecosystem, which he labeled as “reliable, dynamic and open”. He added: “The Ministry of the Economy has been part of it since day 1, back in 2000, in the creation of a robust cybersecurity strategy. In fact, cybersecurity is a factor of economic attractiveness”. Pascal Steichen then listed some of the main initiatives that have been launched in Luxembourg, with the Cybersecurity Competence Center and the national brand for cybersecurity being the latest projects. “In Luxembourg, more than 300 companies are active in the field of cybersecurity, with a diversified solutions portfolio and 68 startups from 4 incubators,” highlighted the CEO of SECURITYMADEIN.LU. He also underlined that the country is open and aims at the democratization of cybersecurity through a collaborative approach coordinated at national level, and by fostering open source communities and a data-driven economy. He ended his presentation by sharing the first lessons of this cybersecurity journey: “building a culture of security takes time, pragmatism and persistence are key, live the concept of co-competition, partner with peers, and share at all levels – governance, operational, sector specific”.

"Social Engineering - The dangers of a friendly face" was the name of the keynote speech given by André Meyer (Security and Cyber Defense lead, Accenture). The expert first defined social engineering: “it is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes”. He then shared an example of a test project which was led within a German bank more than 10 years ago. “In a month, I was able to get a domain admin account, to access the CEO’s emails for the previous 12 months, to take a selfie picture in the CEO office with his PC unlocked and latest board meeting minutes on the screen, etc,” he explained. André Meyer then shared the 6 pillars of how to make people like you: reciprocity, scarcity, authority, liking, commitment and unity. “In the current context, you don’t even have to be the fact that is known by people. There is a new landscape: spoof websites, pretexting, vishing, fake news, SMiShing, phishing, etc,” he added. As a conclusion, he listed the keys to prevent such threats: awareness, trainings, penetration tests and continuous monitoring.

“How is the cyber threat evolving and are we up to the challenge?” was the question asked – and answered – by Dr Jamie Shea (Professor of Strategy and Security at University of Exeter & Former Deputy Assistant Secretary General for Emerging Security Challenges at NATO). “Cyberthreats were new in the early 2000s but now, anyone can be a target. Moreover, there are new vulnerabilities: for instance, with the democratization of space activities, new threats have appeared”, started Jamie Shea. According to the expert, cyber weapons can also sometimes cause more collateral damage, as, for instance, an attack on a state or government could have a disastrous impact on companies. “Moreover, those are weapons with multiple uses: cyber is difficult to track and it is tough to know when it will end. For intelligence gathering to the spread of disinformation or propaganda but also to more conventional criminal activities, cyber can do a lot,” he added. He also explained that we are now moving from conventional attacks to attacks against much broader anti-societal campaigns. He also advocated the sharing of information, in order for Interpol to work on a standardized law on cybercrime, so that attackers are dealt with equally wherever they are. “NATO and the EU are also experimenting a tool box. Also, we need to exploit the expertise and knowledge of the private sector. Cybersecurity is a team sport”, he concluded.

A round table discussion entitled "EU Cybersecurity Act and the implementation of the NIS Directive" brought together Sheila Becker (Head of Network and Information Systems’ Security (NISS), ILR), Dr. Gabriele Lenzini (Senior research scientist in Security of Socio-Technical System at SnT) and Konstantinos Moulinos (Information security expert, EU Agency for Cybersecurity – ENISA). It was moderated by Alexandre Dulaunoy (Security Research, CIRCL). “It’s a lot about collaboration, at ILR we advocate a collaborative approach to reach the goal of having a common level of security. Yet, the issue is harmonization in Europe, therefore, we are trying to establish communities”, started Sheila Becker. She also discussed the need to share information about threats and incidents, but also preventive information and measures as well as best practices. Gabriele Lenzini also insisted on the need to harmonize and collaborate, even in the field of research. Currently three pilot projects are taking place in Luxembourg, with the participation of several actors. He added: “the value extracted out of information sharing is evident and will be beneficial for all. We are sharing our research with the private sector and are even developing programs together, around the awareness of cybersecurity. It is key to have interdisciplinary projects”. According to Konstantinos Moulinos, “all member states see the NIS Directive as a step forward and have a national cybersecurity strategy. The compliance phase is over and they are now moving to implementation”. He also focused on the collaboration with the private sector, but also on the coexistence with other legal regulatory frameworks such as PSD2 and GDPR. He concluded: “We need to create a strong cybersecurity industry in Europe, and even encourage companies that are not concerned with the NIS Directive, to finally create European cybersecurity products”.