Mikko Hyppönen among speakers at virtual event to reflect on the continent’s cyber strengths and shortcomings
Europe needs to play a greater role in shaping international rules on cybersecurity and data protection, industry leaders from across the continent have warned.
Speaking at an online seminar hosted by the European Cyber Security Organisation (ECSO) yesterday (September 9), security experts said the continent must also do more to develop its own cybersecurity resources.
Speakers pointed out that Europe risks being squeezed on two fronts: by growing threats, and a failure to create industry-leading firms in cybersecurity.
Underinvestment in cybersecurity is leaving Europeans vulnerable to exploits from a range of threats, from ransomware and security vulnerabilities in IoT devices, to the abuse of emerging technologies like machine learning and cyber-attacks on critical national infrastructure.
According to Mikko Hyppönen, chief research officer at Finland-based cybersecurity firm F-Secure, Europe’s cybersecurity spending is particularly meagre when compared to the US or China.
However, he added that technological advances in security over the last few years offered reasons for hope.
“When we look at the security situation it is all too easy to get depressed,” Hyppönen admitted. “We constantly hear about leaks or data breaches or hacks.
“We must not forget the fact that we are actually making great developments. If you look at how far we have gone over the last 10, 15, or 20 years, the situation is really night and day.
“That is easy to forget, as we keep finding new vulnerabilities in the systems we build. But if you look at the operating systems we run on our phones today, they are clearly superior in their operating system model to anything we were running on our computers – or even are today.”
However, cybercriminals have in parallel also become more sophisticated, warned Hyppönen. “If we had the technology of today to fight the enemy of five years ago, we would be in great shape. But we are fighting the enemy of today.”
Europe faces growing threats from ransomware, which Hyppönen said is only now beginning to make good on its rich promise as a cybercrime tool, and from the IoT.
The IoT threat comes less from truly smart devices, and more from cheap or “stupid” devices where the manufacturer adds connectivity – possibly over 5G – to gather data without the user’s knowledge or consent, he added.
Mikko Hyppönen delivering the keynote at Black Hat Asia 2019
Malicious machine learning
Hackers are also turning their attention to machine learning systems.
Hyppönen said that cybercrime groups are already trying to “poison data” to disrupt F-Secure’s own machine learning technology. And as this technology falls in cost, hackers could use machine learning algorithms to create smart malware that reconfigures itself to make attacks more effective and harder to detect and mitigate.
Europe is behind its rivals in the race to counter these emerging threats, too. Fragmented markets and multiple languages, as well as a lack of venture capital support, are holding back the development of European cybersecurity firms.
“We tend to lose the crown jewels. When we have the occasional success story they [are] early on sold to [the] US, or maybe today to Chinese companies that are all too eager to buy them.”
Despite Hyppönen’s concerns, there are opportunities for Europe to play a leading role in cybersecurity, according to Rayna Stamboliyska, vice president for governance and public affairs at bug bounty platform Yes We Hack.
GDPR, she said, is a “clear embodiment of European values” that can serve the continent well in protecting its businesses and citizens.
Growing businesses to exploit European expertise is difficult, however. “We need to break through the glass ceiling,” she said.
“In Europe, we are good at putting forward innovative products and companies, but we can only grow them up to a point. Then they are swallowed by the non-European players,” she said, echoing one of Hyppönen’s worries.
Stamboliyska recommended that Europe’s government agencies and cybersecurity industry be more proactive in sharing intelligence on security vulnerabilities, and use data more profitably and securely.
With non-European countries emulating the GDPR model, there is an opportunity to develop international norms around the European view of security and privacy. This, in turn, could help European businesses, said Stamboliyska.
Csaba Virág, head of competence building at blockchain security software vendor Guardtime, went further.
Data is the new uranium, he suggested: powerful but in need of careful handling. “Do we know what to do with it?” he asked.
“We have GDPR and individual rights, but what happens when you try to delete data?” European countries need to roll out more cybersecurity awareness training for everyone using IT resources – not just those working in cybersecurity but critical workers like nurses and police officers too.
As ransomware and other cyber-attacks increasingly pose a risk to daily life, this training should also be mandatory in schools, universities, and workplaces, added Virág.
Europeans must also scan the horizon for emerging threats, according to Luigi Rebuffi, ECSO’s secretary general.
“Technology is evolving and it is impossible to say what future digital security will look like,” he said.
“The security consequences [of technology development] are hard to anticipate. We need the strength to see how it will evolve and how to strengthen our resilience to counter the threats.”
ECSO is the European Commission’s private sector, non-profit partner responsible for implementing the EU’s public-private partnership on cybersecurity.