2023: ACTIVITY REPORT OF THE CYBER SECURITY COALITION

Ellen Stassart became Head of Belgian’s National Cybersecurity Coordination Centre (NCC-BE) in 2022. She is the representative for Belgium in the Governing Board of the European Cybersecurity Competence Centre (ECCC). “To comply with European regulations, each Member State had to establish an NCC. In some countries, this body falls under federal services, such as economy or justice. In Belgium, the NCC is a transversal, national body under the Chancellery of the Prime Minister as part of the CCB,” Ellen explains the position of the NCC-BE. 

The main task of the NCC-BE is to coordinate all cybersecurity investments for Flanders, Wallonia and Brussels, for the purposes of two major programmes. “This is about investments in the broad sense – money, manpower, time, training and so on – that fit into the framework of the Horizon Europe programme for research and innovation, and the Digital Europe programme. We help to make these actions concrete. In addition, it is also the NCC-BE's duty to support the ECCC in strategic tasks.” 

European support 

The European Commission directed the Member States governments to have a project proposal ready by 2023. “50% of the investment for this project is paid by the country itself, 50% is supported by the European Commission. By doing so, Europe is showing that it supports each country to set up more actions to enhance cybersecurity,” Ellen Stassart states. Although this assignment was not a competition, countries were ranked on their proposal. “Belgium made a strong commitment to invest in the NCC-BE, because this is a 50% Grant. Its preparation and submission were an administrative and bureaucratic adventure!  Our proposal scored well, and we hope it will provide good support to beneficiaries in Belgium of future national and European funding.” 

Our country can continue to count on another type of European support, as well. “Europe usually transfers funding directly to companies or agencies that submit a project. Something new is the extra funding that will be transferred directly to the NCCs, and that the NCC will distribute further on a national level. This is called the Financial Support for Third Parties and will amount to 240,000 euros for the four projects in 2025. The intention is to make this project budget much bigger in the future, because we believe in the premise that, as our country's national hub, we know much better where the priorities lie.”   

Mutual reinforcement 

The ECCC is only as strong as the group that is part of it. “This is why we choose to be a very active player in the Coalition Focus Groups. Belgium hosted a meeting mid-December to draw up a concrete and implementable action plan based on all the priorities. By taking an active role, we can ensure that priorities for our own strategic plan are incorporated as much as possible into the action plan.” 

In order to know what the Belgian economy needs, as well as to create more awareness, the NCC-BE is gathering input from the field and the existing (cybersecurity) associations. We have to ensure we don’t reinvent the wheel; Ellen warns. “By creating an overview of the existing awareness initiatives, both in Belgium and in Europe, we can work together to reach each target group, in a dedicated way. We want to reinforce each other, but also create more synergies between regions and different groups.” 

“The NCC strives to bring together all research, innovation, awareness and training initiatives, , and coordinate all this to make Belgium one of the least vulnerable European countries. We keep our finger on the pulse so that we know where to invest.,” Ellen Stassart concludes. 

These are undoubtedly turbulent times. The wars in Ukraine and the Middle East, for example, are often the breeding ground for cyberattacks targeting utilities, public infrastructure… and the financial sector. “Every day, hackers attempt to penetrate our systems. Especially when certain software systems need an update, we see the number of cyberattacks increase noticeably,” says Simon De Schoenmaeker of KBC. 

Red, blue & purple teaming 

Simon has been working for KBC since 2011, initially as Systems Engineer Telecom and today as Information Risk Officer. He has seen first-hand the increasing sophistication of cyberattacks. “With my team, we are trying to find appropriate answers to this. We believe that we can optimise our security by regularly testing our security systems and protocols. We do this, among other things, through ‘red teaming’: where we give ethical hackers free rein to break into our systems. We then examine whether our protective systems are efficient enough, and whether we can respond sufficiently quickly to repel the attack.” 

While the exercises are particularly educational for KBC, this remains a one-sided approach. That is why for several years the company has also been using so-called ‘purple teaming’, where the red and blue teams join forces. Simon: “Both methods complement each other impeccably. Red teaming will always be useful, because it is the perfect way to put our procedures and processes to the test. However, these exercises are secret and the blue team is only informed at the end, when it is faced with essentially a fait accompli.”  

“If you have a sufficiently mature organisation, purple teaming can lead to new insights more quickly. Involving the blue team from the start gives you more interaction, allowing you to share knowledge more quickly and provide direct feedback.” 

AI: friend or enemy?  

But a company needs sufficient manpower to carry out these types of exercises. “That poses a problem with the current labour shortage,” Simon continues. “And it is precisely why we regularly organise training courses to make our staff aware of existing security risks. We look at emerging technologies that can help us automate the exercises, as well.” 

“AI will certainly play a role in this automation. At the same time, we must keep aware that hackers will also use technology to achieve their goals. The key is to continue to put cybersecurity high on the agenda, in order to be as prepared as possible”, KBC’s Information Risk Officer concludes. 

Bug bounty programmes give ethical hackers the opportunity to detect vulnerabilities; and in the event of a successful detection, they will then be reimbursed. The model has become increasingly established in recent years. “When we started our company about eight years ago, we always had to explain and defend the model. It was difficult to convince people to pay hackers. Today, even the average person knows the principle,” says CEO Stijn Jans of Intigriti, a Belgian company that has become a European leader in the field of ethical hacking. 

The increasing success is mainly linked to the changes that the business world and society have undergone in recent years. Since the global COVID pandemic, for example, more and more companies and sectors have become highly dependent on online applications, and are therefore potential victims of cyberattacks. “Just think of sectors such as fintech and e-commerce, which are increasingly prominent in our world,” Jans states. 

Social impact 

“Our growth path is of course great for us as a company, but is especially valuable for the community connected to it,” Jans continues. “Intigriti is crowdsourced. We work with an international community of hackers, spread across more than 150 countries. So we can avoid situations where certain systems are always tested by the same people; this approach prevents tunnel vision from developing. In addition, it ensures our hackers' creative ideas are optimally utilised. So it is an opportunistic model.” 

Intigriti prides itself on its social impact. “We also work with hackers from countries where economic conditions are more difficult. The compensation they receive can significantly impact their quality of life. The social added value is therefore not only limited to the security aspect. That is precisely why we strongly believe in the added value of our project,” Jans continues. 

Whistleblower Act  

The Cyber Security Coalition strongly believes in the project and uses the community to better secure their business. In addition, bug bounties also received a big push from the Belgian legislature this year. Since the Belgian Whistleblower Act came into force in February 2023, everyone in our country can legally test companies' security. If a vulnerability is detected, it is then up to the company itself to deal with it and provide an appropriate response. In this way, the government wants to encourage the business community to work on sound security architecture and clear recovery plans in the event of a cyberattack.  

“It comes down to the legal anchoring of our model,” says Stijn Jans. “The groundbreaking initiative is primarily the work of the Centre for Cybersecurity Belgium (CBB), which deserves a lot of credit. Belgium is putting itself in the spotlight as a pioneer and can now also pull this bandwagon at European level. Throughout the EU, more and more people are interested in this way of working.” 

Supported by the change in law, Intigriti is looking to the future with enthusiasm. “Our model should become even more mainstream, while the quality of our community will continue to increase. Not only through numerical growth, but also the steadily improving technological tools we have available. The ethical hacker community will certainly continue to embrace AI. However, because our model is clearly focused on the creative inspiration and out-of-the-box thinking of our hackers, we do not believe that AI will replace our activities.”