European Cyber Strategy: “Luxembourg Has A Card To Play”

Pictured, Pascal Steichen, CEO of the Luxembourg House of Cybersecurity (Photo © Silicon Luxembourg)

For Pascal Steichen, CEO of SECURITYMADEIN.LU, Luxembourg’s example of openness to the outside world could serve as a model for the construction of an autonomous and strong European cyber security ecosystem.

On June 23, 2022, the board of the European Cyber Security Competence Center (ECCC) met for the first time in Bucharest since its launch in 2021.  

Headquartered in Romania’s capital, the ECCC’s main mission includes funding and coordinating cybersecurity research projects. More broadly, the center aims to support the cybersecurity community in Europe.

In February 2022, Pascal Steichen, CEO of SECURITYMADEIN.LU, was appointed Chairman of the ECCC’s Board of Directors. For the occasion, Pascal Steichen talks about his goals for the centre, as well as his vision of an autonomous and strong European cybersecurity ecosystem.

Pascal Steichen, what will be the concrete objectives of the European Cybersecurity Competence Centre?

The objectives and missions of the ECCC are to coordinate all European funding in the field of cybersecurity – in research and innovation, in infrastructure – and to consolidate it to give it coherence. In a way, it is the arm of European funding for cybersecurity. It complements ENISA, which is the operational arm in terms of threats, attacks and vulnerabilities. 

The Centre provides subsidies for projects and solutions. Another important mission is to map all the expertise, services, skills and technologies that exist in Europe, in order to mobilize them and involve them in the European cyber strategy. It also aims to identify the champions of tomorrow.

The idea is to provide a list of all the European players competent in cyber domains, and to match them with companies. The ECCC is therefore more market, research, innovation, technology transfer and economic development oriented.

Luxembourg has already mapped its own ecosystem. This is an example that we can apply at the European level, and that I will bring to Bucharest as the new Chairman.

“The European strategy of cyber technological autonomy […] requires openness, exchanges and interactions between European countries.”

Pascal Steichen, CEO of SECURITYMADEIN.LU

You were present at the last International Cybersecurity Forum (ICF): what were the highlights of these meetings for you?

There was a very good balance between public players – administrations, territories, European institutions – and private players (from large groups to startups), not forgetting research organizations.

It was also an opportunity to discuss with national and regional agencies from other countries, which are developing projects and activities that can inspire us. In addition to the official program, meetings and small events were organized to exchange ideas and best practices among peers.

This is one of the few forums where you can find concrete, pragmatic information that can be put into practice immediately. Within the framework of the future ECCC, it was also an opportunity to exchange and answer many questions on its missions, and to clarify its functioning and activities.

How does Luxembourg contribute to the establishment of an autonomous and strong European cyber ecosystem?

Luxembourg remains a small country with an international outlook. Its model of openness to the outside world is sought after by other countries, when it comes to achieving a united and aligned Europe, especially in terms of cyber security. 

For example, the European strategy of cyber technological autonomy with respect to large groups, including Americans, requires openness, exchanges and interactions between European countries.

In this field, Luxembourg has a card to play: we are certainly a small territory and a small area, but we can really share our experience, and show how a model like ours could be deployed and work at the European level.

The cybersecurity of European institutions was also discussed at the FIC. What about Luxembourg-based organizations?

ENISA, as the European Commission’s operational arm for cybersecurity, supports the European institutions in their cybersecurity efforts, in terms of prevention, protection and policy. A second actor is the Cyber Emergency Response Community (CERT) EU, which acts, like all national CERTs, as a firefighter for the European institutions.

In Luxembourg, as in the rest of the EU, daily interactions are carried out, and a system of mutual aid between these CERTs exists. But the first level of cyber response is managed by the institutions themselves, which can then ask national cyber organizations for help and resources in case of alert or attack.

“[…] in terms of protection, regardless of the size of the company, the first step is prevention”

Pascal Steichen, CEO of SECURITYMADEIN.LU

Beyond phishing and ransomware intrusions, espionage is one of the main motivations of cybercriminals. What is the situation in Luxembourg?

60-80% of attacks are motivated by money, whether they are ransomware, Distributed-Denial-of-Service (DDoS), phishing, etc. From one year to the next, this number does not change much, both in Luxembourg and in the rest of the world. The vast majority remain small cases; the largest intrusions are less numerous.

The remaining 20-40% are acts of espionage, where the motivation is rather industrial or geopolitical, private (from a company to another company), or state (from a state to a company or another state). In this respect, the Grand Duchy, its government and its companies can also be targeted. This is quite conceivable.

Against DDoS, we have set up a protection structure, a scrubbing center, a sort of centralized data cleaning station, which analyzes the traffic. So, in the event of a massive DDoS attack on a major organization, this national center steps in and redirects the attack to a black hole, where a machine will analyze, clean up the traffic and send it back to the attacked entity. 

NIS 2 was widely covered during the show. How are you preparing the Luxembourg ecosystem for its implementation, and where does the country stand in this area?

While NIS 2 includes changes and involves new sectors and actors, it does not bring any major novelties. Luxembourg transposed NIS 1 rather late, and we are not as far along in the process as France, which already has a national law on the subject. 

But the processes and systems are in place. Our objective is not to focus on the sanctioning aspect, but to also work on guidance, so that the players reach a certain level of maturity.

Today, there is still too much homogeneity between players: some are very mature, such as the financial sector; others are not yet mature. Acquiring maturity means integrating cybersecurity into the governance of the company. If cybersecurity is part of the company’s governance, then the company can be considered mature enough and therefore ready for a cyber incident.

These are the types of gaps that NIS 1 and 2 want to address. It is indeed in the interest of every company to protect itself and to invest more to protect its capabilities and assets. However, such an investment requires a vision of the company and its activities. The NIS directives therefore force companies to invest in cybersecurity and to gain maturity.

Once this maturity is acquired, companies realize that this investment is ultimately beneficial for their competitiveness and that they can even generate a return on investment. Therefore, SECURITYMADEIN.LU supports them and helps them understand their needs, identify the most direct and important impact of their investment, and develop a cyber protection plan. Once this is in place, we step back and let the market experts do the implementation.

What is your specific advice to startups in this area?

Cybersecurity concerns them. Especially in Luxembourg, where many startups (fintech, spacetech, biotech…) are primarily specialized in technology and few in cybersecurity. We have therefore developed a dedicated support program, delivered by experts who know the world of startups and who can advise them specifically on cybersecurity.

More generally, in terms of protection, regardless of the size of the company, the first step is prevention: among other things, by making teams aware of cyber risks and good practices. This is an absolutely necessary investment, which is not very costly, although it is time consuming.

In addition, there is a whole series of basic technologies, such as antivirus and firewalls, which protect workstations, networks and infrastructures, and prevent any propagation. Next comes a risk-oriented approach: this involves looking at the company’s context, mapping its assets and identifying the associated risks, and especially its major risks. This mapping will be used to prioritize the main assets and sensitive infrastructures that need to be protected, to better budget the investment in cyber protection.

The next step will be to prepare for possible incidents. In this aspect of reactivity, we advise companies to set up incident management mechanisms, either with a dedicated internal team, or via an external service provider who has a Security Operation Center (SOC), managed services, and who will intervene in case of an incident. These are three basic, common-sense cybersecurity approaches that we can recommend to any company, especially startups, and that individuals can also implement for their own assets.
