Article for Lëtzebuerger Gemengen
At a time when organized crime has found a goldmine in cyber-attacks, generating profits faster than drugs, and when heads of state intent on endangering our democracy are funding cyber-crime, defense no longer holds water, and leaders are repeating their mistakes, according to Carlo Harpes, head of itrust consulting and a dedicated insider since 1992.
Is now the right time to sell cybersecurity enhancements?
Many companies sell monitoring, detection and insurance tools, which decision-makers buy to ease their conscience rather than to control the situation. This often increases complexity and dependence on the cloud and external players, who are better armed, but also more exposed to large-scale breakdowns. So we need to reduce these dependencies and strengthen local skills and means of action.
Can you illustrate these dependencies?
Ukraine got cheap communication terminals from Starlink before realizing that they depend on one person, Elon Musk, who has the power to decide whether or not to shut down the majority of military communications. Many companies create subcontracts with no exit plan and no idea of the cost of a divorce.
Wind turbines in Europe were at a standstill at the start of the war over Ukraine following a cyber attack on communications equipment in the Viasat satellite used by over 5,000 wind turbines.
The EU has passed a directive on cybersecurity, NIS2. Will it be effective?
At the NISDUC user conference organized by ILR in Luxembourg in May, the experts all agreed: NIS2 simply makes mandatory what every organization should have done long ago. NIS2 does not prescribe technical solutions, but rather risk management, i.e. adequate documentation of risks and countermeasures, assumption of responsibility by management, which can be disavowed if necessary, orientation towards standards, and mandatory security in certain areas, such as asset management.
What's the situation in Luxembourg?
Sad, which brings me to my first nightmare: the HCPN and Parliament have failed to transpose the directive within the 2-year timeframe. At the beginning of May, the Minister Delegate expressed the hope that this would be done by the end of 2025, i.e. more than a year late. Where are Luxembourg’s ambitions for leadership in digitalization? The legislator received 10 well-founded formal objections, and 7 months later, no correction is available. That’s why several potential customers have told me they’d rather wait for the law and an ILR order than prepare now.
For security managers, this stagnation is a nightmare – not to mention the real nightmares experienced by CISOs after a cyber attack. Those who were once seen as troublemakers are seen, after an incident, as the big losers.
Why aren't our decision-makers vigilant in the face of these risks?
For convenience, I use tools like the iPhone, ChatGPT, Windows or Google, and my data just flies out the window. Open source alternatives offer much greater control, but at the cost of skills, time and often qualified staff, either in-house or via a service provider, a choice that is well justified. Security, too, costs time, money and loss of comfort. The trade-off between convenience and risk is hard to find. According to NIS, it’s risk analysis that should guide us, but as this reduces the autonomy of the decision-maker by obliging them to document an analysis, this mechanism is often unwelcome.
What “open source”, i.e. free, tools do you make available to support risk analysis?
OpenTRICK is compatible with ILR requirements: it already contains gap analysis forms, comparative graphs between different analyses, and Excel exports/imports to avoid repetitive data entry. OpenTRICK offers standardized objective assessment criteria, unlike the ILR method, which tolerates a subjective assessment of between 0 and 4 for a vulnerability. OpenTRICK expresses risks in terms of expected annual loss, understandable by all managers, whereas ILR recommends an evaluation by a figure which results from a multiplication of estimated figures and bears no relation to economic reality. With OpenTRICK, an organization can carry out a detailed analysis according to its own criteria and nomenclatures, then export in one click via a correspondence table what is required by the regulator.
You've also started a whistleblowing service, WBaaS?
In Luxembourg, the culture of whistleblowing is still lacking. We should take advantage of this to improve. Many companies have not communicated how to anonymously disclose a suspected breach of the law, such as embezzlement by an executive, despite the legal obligation to do so by 2023. itrust consulting has transformed a free SecureDrop tool into a WBaaS service, and offers this service at cost price. In addition to secure, anonymized routing of the alert, our experts can review its quality, suggest clarification or identity protection, then identify the appropriate recipient of the problem in the target company, and if desired, moderate, but without taking a position. As an alternative to this hosted and moderated service, we also deploy the solution without intermediaries to a customer.
And does artificial intelligence (AI) also bring you challenges?
Yes, and radical changes. Today, large language models give the most plausible answers, with a fairly high error rate.
In our state-supported CyFORT research project, we have been developing AI including reasoning engines to detect threats to systems and networks since 2023 with itrust Abstractions Lab. We have published SATRAP (in alpha) and IDPS-ESCAPE integrating the open tools TypeDB, Wazuh and Suricata around this AI, entirely designed in Luxembourg. We’re training it on our internal network and looking for other IT managers to pilot test it with or without our help. Our tools have been developed with C5-DEC, our secure development tool, with which we propose to accompany other developers towards secure development.
What do you see as the biggest projects to come?
Conducting risk analyses is difficult; drafting governance, policies and procedures is tedious but indispensable; convincing and raising awareness of their usefulness is the key to success, and then integrating our cutting-edge techniques such as SATRAP-DL, IDPS-ESCAPE and C5-DEC is the most motivating.