Mr. David Hickton, Founding Director of the Institute for Cyber Law, Policy, and Security at the University of Pittsburgh, delivered a keynote during this Coalition event, which brought together an eclectic mix of stakeholders. Joining him in a panel discussion were Mrs. Catherine Van de Heyning, public prosecutor, Mrs. Caroline Frère (FCCU), litigation lawyer Mr. Thomas Declerck (A&O Shearman LLP) and assistant professor and researcher Mrs. Laura Drechsler (CITIP KU Leuven). This article wraps up the key takeaways from the panel discussion.
An ever-growing range of threats
Risks and attacks increase every year. In Belgium, corporate IT security audits reveal that 98% of companies report facing risks, 66% have suffered an attack in the last two years and, of these, 87% have suffered financial damage or loss of reputation due to cyberattacks. All this has consequences for both public and private companies.
There are even fears that a massive cyberattack could trigger a major global crisis on a scale comparable to the COVID pandemic, with devastating consequences, and we are not prepared for such an attack. What makes the situation even more challenging is that more and more objects are connected via the Internet of Things, which multiplies the risk of exposure to attack. Also on the rise is the number of criminals with new strategies and technologies: for example, AI now allows voice recordings and images to be generated to create fake videos.
The means to fight: institutions, laws, tools
In the event of such an attack affecting the internet and our systems, responsible governance in both private companies and public institutions means ensuring data integrity, service continuity and confidentiality.
Prevention remains the best defence, starting with the detection of vulnerabilities in systems. But it also means breaking down barriers: opening up a dialogue between public authorities and the business world. The Centre for Cybersecurity Belgium is the national authority responsible for supervising, coordinating and implementing solutions. But, in addition to national initiatives, we need European cooperation, which could take the form of a cyber defence agency.
This is especially true when it comes to AI and quantum, because existing laws do not cover the use or consequences of these types of technologies. Above all, technologies evolve rapidly, and much faster than legislation. We need to anticipate, where possible, future technological developments so that an act identified as criminal today will also be criminal in the future.
Proportionate responses to the threat
The perpetrators of cybercrime, whatever form it takes, should go to prison for the damage caused. A theft, whether committed via the internet or in a physical shop, remains a theft and should be punishable. Therefore, it is necessary to gather a lot of evidence to accuse someone of criminal activity and it is important for companies to be able to report threats to authorities on an international level.
This includes ransomware cases. As a rule, companies should not pay the ransom. But if a company chooses to pay, the attack should still be reported. Its contacts must also be informed. This allows the company’s business circle to be on guard.
It is worth noting that while we are seeing more and more attacks, cybercriminal networks are also being dismantled more often. That is certainly because there is no shortage of tools to fight or punish cybercriminals or non-cooperating countries.
Do too many laws kill business?
The question is whether the law stands in the way of economic progress. Companies must now consider a range of legislation. Behind every piece of legislation, there are issues to understand. The purpose is to find the right balance between an overabundance of laws and entrepreneurial freedom. At the same time, the business environment (customers, suppliers…) demands more security. Laws are therefore a necessary evil.
Faced with cybercrime that knows no borders, the authorities are fighting it without always having an appropriate and legal response that takes into account the borders and the right to sovereignty of each country.
Furthermore, in an era where companies become more powerful than governments, there is a way to enhance public-private cooperation. Yet there remains reluctance on the part of the private sector to be transparent about cyberattacks.
In conclusion
There is no shortage of legal avenues in the fight against cybercrime; the question is how best to navigate them. Clearly, there is currently a lack of resources to effectively investigate and combat all threats and attacks. There is also a challenge in terms of implementing effective prevention in a democracy so that individual rights, such as privacy, are also safeguarded.