
2021: ACTIVITY REPORT OF THE CYBER SECURITY COALITION

Prepare for future challenges

"We need a fundamental debate on privacy"

In the past year, the handling of the corona pandemic raised many questions about Belgium's privacy policy and governance around big data. Although these questions voice legitimate concerns, little attention was paid to them in Flanders. Privacy expert Paul De Hert: “A lot of institutions are doing courageous work but this hardly reaches the general public and they often lack the necessary support. We need a fundamental debate on privacy.”

Paul De Hert

Professor at Vrije Universiteit Brussel (VUB)

Cyber security law is slowly becoming more mature. For instance, the legal structures that enable the enforcement of privacy rules are being developed. "We have reached the point where we will finally be able to evaluate if the structures that have been created are effective", opens Paul De Hert, professor of criminal law and privacy expert at the VUB. "Think of the Bruvax scandal in Brussels, where data on vaccination could easily be retrieved. It remains to be seen whether a court will effectively punish this privacy leak."

These evolutions in data protection and cyber security law are the result of the implementation of GDPR and the so-called NIS Directive in the past years. "Before those regulations were put in place, cyber security was a matter of cashflows, not legal structures. Since 2018 this has changed and security has also become legally enforceable."

Who should take decisions on data?

An indirect consequence is that privacy has become a topic in the public debate. The best-known example is the case of top civil servant Frank Robben, who created large data systems on health, on behalf of the government. These are inherently very privacy-sensitive issues. But at the same time mister Robben also takes part in the Knowledge Centre of the Data Protection Authority. He has become a symbol of the so-called ‘pragmatic’ approach to privacy protection, which critics say is potentially very dangerous.

"This case illustrates that we need a much more fundamental debate about what kind of big data and AI governance our society wants", De Hert explains. "Frank Robben represents an expert model, which assembles a lot of data, that in a next step is accessible for a limited club of experts to use. For opponents, including myself, this is the wrong approach. Decisions about these data should only be taken by parliament or by a structure that guarantees a democratic debate and participation."

"Debating both models is essential for our democracy. In the Netherlands, the existence of an expert model, which tends to be much more closed, even led to the so-called ‘benefits scandal’ that brought down the government. But I notice that this discussion is not an issue for Flemish media. Unlike in Wallonia and Brussels, the privacy discussion is caricatured in Flanders", says De Hert. "The Flemish press is apparently not interested in privacy. 2021 was the year in which the privacy discussion was conducted asymmetrically."

The need for better cooperation

Partly because of limited media reporting, a number of praiseworthy initiatives to increase the protection of privacy did not get enough attention. De Hert: "During the discussion about the difficult choice between privacy and healthcare, for example, the Data Protection Authority took a very courageous stance. But it did not receive the support that I expected from the government. This illustrates that the Belgian privacy policy and the structures to support it need to be strengthened. The Data Protection Authority should be consulted more and play a bigger role."

The need for an organisational reform was included in the evaluation report led by the Secretary of State for Data Protection Mathieu Michel on the occasion of the GDPR's three-year anniversary. "Today our country has five different authorities for personal data. They need to cooperate better", says Paul De Hert. "Moreover, there is a tendency for the establishment of regional authorities with the same competency. But those in favour of such regionalisation should ask themselves if a regional authority will be able to operate independently."

New Focus Group bridges the gap between IT and OT

How can we better protect our critical infrastructure against cyber attacks? Over the past year, this topic was discussed extensively in the Cyber Security Coalition's new OT/ICS Focus Group, which gathers IT and OT professionals from both public and private sectors. Driving forces Wim Van Langenhove and Dirk Daems shed light on the challenges that critical infrastructures are facing, and how the Focus Group can contribute to better protection.

Wim Van Langenhove

Head of Cybersecurity Advisory Services at Orange Cyberdefense Belgium

In 2019, the NIS legislation came into force in Belgium, prompting many companies to increase their cyber security efforts. "There have been clear steps in the right direction. Where the focus used to be mainly on the IT environment, we now also see attention on the security of industrial equipment and critical infrastructure. This is necessary, as many companies have made the switch to Industry 4.0, making them easier prey for hackers", states Wim Van Langenhove, Head of Cybersecurity Advisory Services at Orange Cyberdefense Belgium.

More and more systems and processes are interconnected; as a consequence, more people have access to sensitive company information. "Once a hacker gets hold of that data, he can manipulate equipment, and cause a lot of damage to a company. Look at what happened at Picanol, for example. Fortunately, we can learn from such attacks. The importance of creating extra barriers and segmenting company networks becomes clear," adds Dirk Daems, Senior ICS Security Consultant at Toreon.

Raising awareness

Nevertheless, the human factor remains decisive. 80% of successful cyber attacks can be attributed to human error. "That is why we need to create more awareness, especially among people on the shop floor. Every company should have a structured, overarching approach that maps out all cyber risks and involves multiple actors, including suppliers", Wim continues.

However, getting everyone on board is not so easy. The OT/ICS Focus Group acts as a lever to put cyber security on the agenda. "During our sessions, we try to reconcile IT and OT professionals. The group is very diverse, which creates a nice dynamic. Our members can implement the ideas from the sessions within their own organisations."

Taking a leading role

The Focus Group has already addressed five themes: Anticipate, Identify, Detect, Respond and Recover. Wim Van Langenhove explains: "We have based our approach on the NIST Cyber Security Framework. Each pillar is treated separately, and we dive deep with keynotes. For example, how to set up a cyber security structure within an organisation. We also strive to inspire each other with practical examples. We keep the sessions as interactive as possible, so that everyone can learn from them."

"At the same time, we also try to respond to current events, and pay particular attention to new technologies", adds Dirk Daems. "After all, the cyber world evolves continuously. Thanks to the Coalition, we are in the front row. By uniting forces, we progressively gain insights that help to reconcile the IT and OT professionals and set the tone for a strong cyber security approach in Belgium."

EU Cybersecurity Act: the time to prepare is now!

In order to increase trust and security in connected devices and digital services, the European Union has adopted the Cybersecurity Act, which will gradually introduce a certification framework for products, services and processes. For companies this should lead to one certification process, recognised across the EU. “It certainly is an important initiative, but implementation will be complex as every member state works to translate the certification schemes into national regulation”, states Bill Chard, Products Director at Eurofins Digital Testing.

Bill Chard

Products Director at Eurofins Digital Testing

Eurofins Digital Testing is a global group headquartered in Belgium specialised in product testing and laboratory services. It provides a broad range of digital testing tools and services and also helps companies in dealing with cyber security threats. Bill Chard: “We cover infrastructure, cloud systems and devices and offer pen-testing, consultancy and training on cyber. My main area of focus is connected devices and for that domain the EU Cybersecurity Act could have a big impact.”

The Act was voted in 2019. This certification framework will provide rules, standards and procedures to evaluate the security properties of a specific product or service. But the process of implementation takes time. “The first scheme that is being developed is EUCC for ICT systems, soon to be followed by a scheme for cloud systems. Both are due to come into effect in 2022, and then manufacturers and developers of affected systems will have to become compliant by mid-2024. Other schemes for IoT or industrial automation & control are probably still a couple of years away.”

A good reason to join the Coalition

Legislation is already in progress in EU states including the Netherlands, and in the UK (not directly linked with the CSA, as the UK is no longer an EU member state). Belgium is at an earlier stage in this process. “For us this was a good reason to join the Cyber Security Coalition. It is an important stakeholder in how these schemes will be implemented and we hope to have a voice in this. And in the Focus Groups we can exchange with other companies and institutions on the evolutions and the impact of the Cybersecurity Act”, explains Bill.

Eurofins Digital Testing has a large capability in testing and assessment. “Our group already acts as certification body for many standards in different industries. We will be aiming to offer services and certification for the EU Cybersecurity Act too. We are preparing for it and recommend that our customers do so voluntarily. Taking into account that the certification schemes will be gradually rolled out over the next two to three years, companies will need another couple of years to comply with these rules and standards.”

Bill Chard is convinced that certification under the EU cyber security schemes will be recognised in other parts of the world. “Certification of cyber security properties will become mandatory. As Europe is a frontrunner, this can offer competitive advantages. Having a label or certification will reassure end users. So manufacturers that succeed in being the first to have it, even in an environment where it is not yet mandatory, will get the most benefit from it.”