2022: ACTIVITY REPORT OF THE CYBER SECURITY COALITION

By spring 2023, the CCB should count 120 employees: 60 more than a year ago. Phédra Clouner, Deputy Director, explains “We are fully engaged in the implementation of the European Cybersecurity Act. It introduces a cyber security certification framework for ICT products, services and processes for the whole EU. Each member state must appoint a National Cybersecurity Certification Authority (NCCA) for this purpose. In Belgium, that task has been assigned to the CCB. This move will entail extra work, hence the significant recruitment.” 

A lever for internationalisation 

The certification body has a double mission: firstly, it will represent Belgium and Belgian interests at the European level, including in determining the schemes that will be used for cyber security certification. “The concrete elaboration of the Cybersecurity Act has yet to take shape. We already know that there will be three levels of certification: ‘basic’, ‘substantial’ and ‘high’. As NCCA, we will issue the certificates for the highest level, and will also be responsible for monitoring this European certification in Belgium.” 

According to Clouner, the importance of European cyber security certification cannot be underestimated: “We will finally have a uniform system to compare the cyber security of IT products, services and processes. For companies, it means only going through certification once for the entire EU. This can become an important lever for the internationalisation of Belgian companies. Moreover, our ambition is to become one of the European countries that is least vulnerable to cyber threats. The more we can certify at a high level, the more this will contribute to cyber security.” 

Many regulations in progress 

In addition, the CCB remains the national coordinating body for cyber security. “There are many European regulations coming up or being implemented. To give one example, the NIS2 directive, which aims at enhancing and monitoring the cyber security of critical sectors,” says Clouner. “By 2024, digital service providers and new sectors including the public sector, postal services, chemicals and manufacturing will also have to comply with new requirements. This is a whole new security framework that we are preparing.” 

At the same time, the European Union is increasing investments in research and development, and in innovation in the field of cyber security. The European Cybersecurity Competence Centre (ECCC) was set up for this purpose. “The aim is to pool and better coordinate research, technology and industrial development investments in the field of cyber security in the Union, across the borders of civilian and defence organisations. The ECCC will also manage financial support from, in particular, the Horizon 2020 and the Digital Europe Programme. Our role is to be the national hub and support this competence centre and coordinate investments from the EU programmes in Belgium,” Clouner explains. 

New initiatives for 2023 

In order to offer Belgian projects a greater chance of European financial support, the CCB will set up the Belgian Strategic Advisory Group in 2023. “We will gather representatives from the Belgian cyber ecosystem around the table: representatives of government services, academia, and stakeholder organisations. In this way, we will get a good view of what is happening in the field, and we can better inform the community, through all of the partners, about investments the EU can potentially support.” 

Another priority for 2023 is to further increase the cyber resilience of the Belgian economy. “We will fully focus on raising awareness and cyber resilience among companies, through the portal  'safeonweb@work' and a campaign, which will also run on television. We will develop tools to help companies evaluate their cyber security maturity and identify their vulnerabilities, and direct them to specialised advice, for example. Finally, we are working on a quality label for websites, which will allow users to easily see whether the site they are visiting is sufficiently secured,” concludes Clouner. 

“Looking at 2022 through a legal lens, you can only conclude that this was the year in which major steps were taken in terms of more cyber security and hygiene,” opens Thomas Declerck, Senior Associate at law firm Allen & Overy and specialised in cyber security. “The EU has clearly strengthened its position as a global leader in cyber security this year.” 

The movement towards more European regulation on cyber security has been going on for several years. “For example, the new Network and Information directive NIS2, which was adopted in 2022, builds on the first NIS, adopted in 2016. For a number of sectors, it determines which cyber security measures must be taken and can therefore be legally enforced.” 

NIS2 expands the number of sectors covered by this scheme, while also tightening the obligations. “To give just one example: it has been established that the entire management team of a company - and not just the CISO - needs to be concretely involved in managing the risks and complete additional training on cyber threats. The regulation makes a real effort to build cyber governance reflexes. It should no longer be a mere IT issue,” says Declerck. 

Start of a new cycle 

In addition to the further expansion of existing regulations, the EU also launched many new initiatives in 2022, such as the Cyber Resilience Act (CRA). “This is a proposal of a series of mandatory conditions for digital products, which producers must meet to be granted the right to sell on the European market. Products that meet these cyber security requirements will receive the well-known CE label.” 

Similar initiatives were also taken with the Artificial Intelligence (AI) Act and the AI Liability Act, which should lead to clear rules on the use of AI, a technology that is inextricably linked to cyber security. Unlike the NIS2, which has now entered the phase of implementation at a national level, these are all legislative initiatives that are just getting started. 

“We have clearly started a new cycle of regulation in Europe,” Thomas Declerck adds, also emphasizing that sufficient time should be allowed for the implementation phase. “If you start adding new rules too quickly, it will create too much bureaucratic burden for companies. To some extent this is inevitable, but if rules are perceived as just a bureaucratic obligation, they are de facto missing their purpose.” 

National level remains essential 

However, if the further roll-out and implementation of these rules happen at the right speed, this could turn into a competitive advantage for European companies and organisations. “Many of them already start realising that cyber security can grow to be a USP for many sectors,” Declerck has noticed. 

The implementation of these rules is done at the national level. For Thomas Declerck, this also shows why – despite the obvious Europeanisation of the regulatory framework for cyber security – national actors still have a crucial role. Moreover, he also sees many reasons for optimism: “Belgium has taken important steps in recent years. This is not least to the credit of the Centre for Cyber Security Belgium and organisations such as the Cyber Security Coalition, who create a forum for discussion and knowledge sharing,” he concludes.  

On 13 May 2022, CyberWal (short for ‘Cyber Security for Wallonia’) was officially launched as a strategic initiative of the Walloon Region. Since this day, all actors working on cyber security within Wallonia are assembled under the umbrella of this consortium. CyberWal is the brainchild of Professor Axel Legay (UCLouvain) and should be seen as a real game-changer in the Belgian cyber security landscape, combining education, research, and innovation projects. 

The Galaxia business park in Redu, in the province of Luxembourg, was chosen as the base of operations for this consortium. "Above all, we should welcome this necessary initiative,” says Georges Cottin, Deputy General Manager of the Group IDELUX, the province’s agency for sustainable economic development. "Getting this chance to establish and, above all, develop a fully-fledged ecosystem is an exceptional opportunity for the region and for our country." 

European Cyber Security Centre of Excellence 

The ecosystem also emerged thanks to the federal government's efforts, as it is inextricably linked to the decision to house one of the European Space Agency's (ESA) operational centres in Wallonia. “The ESA is setting up a Cyber Security Operations Centre at its site in Redu, where the European Space Security and Education Centre (ESEC) is located. This illustrates the key role of the ESEC in terms of cyber security in Europe, which was reconfirmed by the 22 Member States of the ESA in November 2022,” Georges Cottin explains.  

These initiatives should eventually lead to the official inauguration of the European Cyber Security Centre of Excellence by the end of 2023. The 3,300 m2 state-of-the-art infrastructure, provided by RHEA Group, an international group in engineering consultancy, will welcome a vast group of cyber security professionals. This concentration of knowledge and actors thus provides the perfect context for the expansion of CyberWal. “All this will eventually lead to a true Belgian space and cyber valley with European ambitions,” Georges Cottin said.  

International visibility 

Georges Cottin also highlights the role of the Walloon government in the development of this site and the accompanying ecosystem around cyber security. “Thanks to funding from the regional economic recovery plan, and the support we received from Minister of Economy and Digitalisation Willy Borsus, today we possess a quantum cyber security demonstration model and a cyber range, which will be used for training and testing. The infrastructure is at the disposal of both our universities, research centres, and companies.”  

This focus on training will become one of the spearheads of this newly established ecosystem in future. In December 2022, for example, a training week on cyber security was organised. This initiative brought together seventy students from Belgium and the Grand Duchy of Luxembourg and will continue over the next two years. “This contributes directly to CyberWal's higher goal of building bridges between the needs of institutions and companies on the one hand and the academic and research world on the other,” Cottin clarifies.  

CyberWal’s clear objective should eventually lead to increased, international visibility of the region, and by extension of Belgium, in the field of cyber security. “The ecosystem allows us to go beyond the borders of our own region. At a time when Europe, in terms of cyber security, is increasingly federalising, this is a crucial development,” concludes professor and CyberWal inspiration Axel Legay.  

The ongoing development of Industry 4.0 is causing a true transformation of business. Sensor technology, Internet of Things, automation, and Machine-to-Machine communication are being implemented in more and more so-called ‘Factories of the Future.’ With booming digitisation and connectivity, new opportunities are being created at a record pace. However, this trend undeniably increases the complexity of technological development and the need for cyber security measures.  

Advanced manufacturing and digital transformation are a focal point for Sirris, the collective centre of the Belgian technological industry. “Our goal is to help companies realise their innovations and reap the benefits of technology. By building bridges between industrial players and technological innovations, we facilitate progress,” explains Tatiana Galibus, Cyber Security Ambassador at Sirris.  

In reality, this support very often comes down to guidance around the development and implementation of cyber security in an OT environment. For example, Sirris organises several masterclasses for companies from all possible sectors and of all scales. These courses are deliberately hands-on and focus on the specific questions presented by the companies themselves.  

“This helps participants to take steps forward quicker,” Galibus notices. Moreover, the results in the field prove that this approach pays off. “For example, one of the companies that we worked with this year discovered during the training programme that they were under attack. It’s hard to imagine a better proof of relevance.”  

Increased maturity  

For Tatiana Galibus, this illustrates the broader movement of increased maturity regarding cyber security in the Belgian industry. “As a result of increased awareness, companies have become smarter in dealing with the threats and resources present, so the trend is clearly positive. I would say that a year ago, it was still very different: you could feel a clear lack of maturity in the field. Thanks to the Cyber Security Coalition, more companies also find the way to Sirris for a masterclass or an innovation project.”  

Contributing to over 1,300 innovation projects a year, Sirris is evolving with its partners in the field of cyber security as well. “By working closely with our industry partners, we better understand how they operate and what their issues are,” Galibus says. “I often work with engineers today, searching ways to further secure their machines and the operational technologies used. This knowledge sharing is very valuable and relevant.” 

Consequently, Sirris expects a further acceleration of cyber security awareness and developments in the field of OT in the coming year. “2022 was the breakthrough year for us. As a result of the increased maturity level in cyber security, companies are looking more for support and are contacting us faster. This helps us to increase the level of cyber security in the industry even more. A clear example of this is the energy sector, with which we have been working closely to facilitate their gigantic transition movement,” Tatiana Galibus concludes. 

“The fact that even the City of Antwerp is anything but infallible shows that safeguards in all layers of the system are crucial,” clarifies privacy expert Bavo Van den Heuvel. He is co-founder of Cranium, an international consultancy firm that provides advice on privacy, data protection and security. 

Van den Heuvel links this reality to the still-palpable fallacies regarding data protection. “It remains too often an afterthought, something people think about after they have built a system. However, we always advocate involving security from the beginning. It is the only way to - hopefully - arrive at an inherently secure system.” 

Lots of promising innovations 

Yet Van den Heuvel stresses that there is also a lot of promising innovation in the pipeline within the privacy field . “Every hacking is actually a learning moment for us as security professionals. So, in practice, hacking is more valuable than any cyber security marketing campaign.” 
One such technology generating high expectations is differential privacy. Simply said, this technology adds noise to the given source data, making identification (especially for players with bad intentions) more complex. 

The use of synthetic data is also gaining importance. “This is data generated specifically to be used during the testing phase of new systems; it is very similar to the real data. Because security in this phase is much lower than in production environments, it is risky business to begin with using all your real data,” Van den Heuvel explains.  

Context calls for greater efforts  

These kinds of innovations are not only necessary in the constant race against hackers, they are also a crucial by-product of the many initiatives being launched - certainly at the European level - to further facilitate the international exchange of data.  

“I am referring, for example, to the European Identity Wallet, which should eventually enable European citizens to identify themselves digitally anywhere in Europe. While it will enable a further opening of the market, in terms of security it is far from straightforward. This is because the regulations surrounding identity cards differ from country to country, and are therefore not exactly the same from a security perspective,” Van den Heuvel clarifies.   

‘Spotify for data’  

Plenty of evolutions can also be noted at the Belgian level. “This can certainly be linked to the efforts of the Cyber Security Coalition, which ensures an open communication culture where everyone can share their concerns.”  
A clear example is the creation of the Flemish Data Utility Company, explains Van den Heuvel. “The idea behind it is that citizens themselves will be able to exchange their data in a secure way with certain authorities or organisations. Think, for example, of an energy provider, to whom you will give access to a specific part of data from your personal data vault, enabling them to work out a personalised proposal for you that takes into account much more data than ever before.”

This kind of evolution can trigger a broader mindshift around data sharing, according to Van den Heuvel. “You get into a logic of buying and selling: a very valuable trend because it makes trying to obtain data illegally much less interesting. It amounts to the creation of a kind of Spotify model for data, and we know that this model has pretty much ruled out illegal music downloading,” he concludes.  

(photo: Iris Walravens)