CyCSO Ex.Director: Building cybersecurity culture equally beneficial to technical countermeasures against cyberthreats

The human factor and the cybersecurity culture are perhaps more important than the technical countermeasures taken, and informed citizens and workers remain the best protection shield, CyCSO (Cyprus Cybersecurity Organization) Executive Director Constantinos Tsiourtos has told the Cyprus News Agency.

In an interview with CNA, Tsiourtos points out, once again, the need for citizens to be aware and well-informed.

Tsiourtos spoke to our agency about the recent adoption by the European Parliament of the new European Cybersecurity Act, which aims at further enhancing cybersecurity across Europe.

The first question that came up concerned the growing debate on the need for all citizens to be continuously informed and educated on the subject, as a supporting measure alongside the implementation of the new EU directive, which provides for ENISA, the European Union Agency for Network and Information Security, to take on a more advanced role.

He described the issue of educating the public and turning them into informed and aware citizens as a difficult task.

“I think it is our Achilles heel really. The human factor and the cyber security culture are just as important and perhaps even more important than the technical countermeasures. Our best shield is to have informed citizens. Personally, I cannot but express my disappointment at the incomplete and inadequate information given by the competent institutions to the citizens. There is a plan within the framework of the National Cyber Security Strategy that was designed years ago and which could be effective, if implemented. Unfortunately, this was not the case and when it was implemented, it was only partially. We need to review this strategy as a whole,” he said.

According to Tsiourtos, who cites data on cybercrime in Cyprus, many victims could have been saved if they had had adequate information on how to avoid dangers online. “Suffice to say that the recent tragic crime that shocked the country was made possible by the use of the internet,” he notes.

The CyCSO Executive Director also talked about the recent incidents affecting governmental organizations’ systems in many countries, Cyprus among them.

According to press reports, the internet domains of entire countries were hijacked. The DNS hijacking campaign hit 40 different organizations, including ministries of foreign affairs, intelligence agencies, military targets and energy-related groups, all based in the Middle East and North Africa.

“We do not know much about this incident and the extent of the breach. But we do know it has not been denied. If indeed the state machine’s network and sensitive services were breached, as these reports claim, we should be alarmed about the real level of security of the government,” he said.

Tsiourtos recalled that this is the second such incident: only a few months earlier there were reports of breaches of the EU’s diplomatic communication network. Those reports suggested that the breach was made possible by a phishing campaign aimed at diplomats in Cyprus.

“The offenders seemed to have breached the system from the Cyprus network. So this should ring a bell and should urge the Cyprus authorities to act as promptly as possible, to invest in cybersecurity so as to avoid or mitigate the risk of this happening in the future,” Tsiourtos underlined.

The new EU cybersecurity act and its provisions

The new Cyber Security Directive provides for a change in the mandate and responsibilities of ENISA, which was set up with a view to contributing to the enhancement of online security and to supporting the EU in its determination to create a digital economy and society that citizens and businesses can fully trust.

Tsiourtos stresses that cyberattacks are growing, that economies and societies are therefore vulnerable to cyberthreats and cyberattacks, and that they need a stronger defence system.

“Under these circumstances, and in line with ENISA’s developing role as a point of reference for advice and expertise and in facilitating cooperation and capacity building, it is necessary to strengthen its mandate, to define its role in the changing ecosystem to safeguard its effective contribution in tackling these challenges,” he explains.

According to Tsiourtos, the new mandate given to ENISA is considered a real challenge for the agency, and its role is now an even more demanding one as it is becoming the central hub of policy and coordination between the member states and the Union’s institutions on a range of cybersecurity issues.

The new Directive also addresses the need for a common approach to the certification of products and services by establishing a common framework.

The CyCSO Executive Director tells CNA that a common market, in the physical or the digital space, requires common approaches and common standards. Just as the European Union has set safety standards for a range of products such as food, toys and cars, he points out, it is now setting standards for the digital space.

For example, products such as computers, mobile phones and smart TVs will be certified as having built-in cybersecurity technology before they are put on the market.

“In addition to the need to effectively address the lack of confidence by consumers and businesses with regard to the safety of cyber products and services, we also need to address the issue of protecting citizens themselves from the dangers of cybercrime. Products or services with inadequate security make cybercrime easier and at the same time make prevention even harder,” he added.

Tsiourtos underlines that confidence should be further enhanced by providing transparent information on the level of security of various products, services and technologies, especially those connected to the Internet of Things, adding that certification at EU level, which provides common cybersecurity requirements and rating criteria for all national markets and sectors, will increase that confidence.

“In cooperation with the competent authorities, ENISA will be able to disseminate information on the level of cybersecurity of ICT (information and communications technology) products, services and procedures and to issue warnings aimed at manufacturers or providers of such products, services and procedures which will require them to improve the security of all of the above, including cybersecurity,” he says.

Tsiourtos explains that European certification will help avoid conflicting or overlapping national cybersecurity certification systems and will therefore reduce costs for businesses.

“The European CyberSecurity Strategy aims at making the EU a global model of policy, institutional and technical capacity and a leading market in the sector. The EU does not want to be dependent on other players for its cybersecurity. In addition, it will be able to embrace the European digital economy with the protection and confidence it requires to develop and compete with other global economic powers,” Tsiourtos tells CNA.

As regards what needs to be done at national level, he says that, first, all the competent national authorities should be involved in the bodies set up by the European certification scheme. At the same time, a period of preparation is needed so that these authorities get familiar with the changes. The details will be known after the summer period because, as Tsiourtos said, the implementation plan for the regulation still needs to be further processed.

As regards cyberattacks, the new regulation focuses on prevention and awareness.

“In order to increase the Union’s readiness to respond to incidents, ENISA will, for the first time, acquire operational responsibilities. It will regularly organize cyber security exercises at EU level and will coordinate the member states and the Union’s institutions, bodies, offices and agencies in organizing them. Every two years, large-scale general exercises should be organized, including technical, operational and strategic elements. In addition, ENISA will regularly organize less extensive exercises with the same objective, namely to increase the EU’s readiness,” the CyCSO Executive Director tells CNA.

He pointed out that ENISA, in fulfilling its task of supporting operational cooperation within the network of CSIRTs, will provide support to member states at their request. It will, for example, be able to advise them on how to improve their capabilities to prevent, detect and deal with cybersecurity incidents. It will also facilitate the technical management of incidents that have a significant or substantial impact, in particular by supporting the voluntary exchange of technical solutions between member states or by compiling the technical information, such as technical solutions, that they exchange on a voluntary basis.

Tsiourtos also points out that an EU recommendation provides that member states should cooperate in good faith and exchange with each other and with ENISA, without unnecessary delay, any information on large-scale incidents and cybersecurity crises.

He explained that, in implementing the new directive, Cyprus as a member state is not required to set up any new institutions but only to create certain procedures. This, however, requires active participation in the new framework of cooperation, the allocation of resources and a willingness to exchange information.

Artificial Intelligence and Cyber Security

On the wider debate about artificial intelligence (AI), Tsiourtos points out that the next generation of cybersecurity products will increasingly incorporate Artificial Intelligence (AI) and Machine Learning (ML) technologies.

According to Tsiourtos, by training AI software on large sets of network security data and even physical information, providers seek to detect and block abnormal behaviour even when it has no known signature or pattern.

“Experts predict that over time, companies will integrate ML into each class of cybersecurity products. Cybersecurity solutions used by AI and ML can significantly reduce the time required to detect threats and deal with incidents, often warning the analyst of abnormal behavior in real time. These technologies help reduce and prioritize traditional security warnings, by increasing the efficiency of existing investments and human analysts,” he says.

However, he points out that cyber criminals also use AI and ML to better understand their targets and launch attacks.

Tsiourtos says that experience has shown us that human ingenuity exceeds artificial intelligence.

“If AI reaches a level that can effectively halt human hackers, then I dare say that this will be the day when artificial intelligence will become unpredictable. AI is not a panacea. It can be effective by engaging a human analyst. If AI manages to imitate a human analyst, then this will open a whole new debate on how to ensure that artificial intelligence software for cybersecurity is safely performing towards humans,” he notes.

Source: Cyprus News Agency