Mary-Jo de Leeuw: The term 'cybersecurity' needs to be redefined
It should not apply solely to the connection between your laptop and the internet anymore
Valentina Spiridonova
I do not think we would ever be able to say we are safe. There are still a lot of breaches, still a lot of vulnerabilities, and at the same time the world is getting more and more digital. For example, there are new things floating into the world, such as the Internet of Things or the Internet of Toys, and they are in an even worse state, when it comes to security, than websites, says Mary-Jo De Leeuw, award-winning cybersecurity expert and co-founder of the Women in Cyber Security Foundation, in an interview with Europost.
Ms De Leeuw, given the dispersed nature and the long duration of the upcoming European Parliament elections, EU officials are worried that the election process will present a tempting target for malicious actors. Are these concerns justified?
I believe that the European elections would be more about trying to manipulate people into voting for something instead of trying to breach or deface websites, databases or the election process itself with cyberattacks. I think it would be more about manipulating general opinions, or coming up with fake news, or profiling and reaching people's emails.
So, in your opinion, the main threat is actually the spread of dis- and misinformation?
Yes, as well as the number of internet trolls, fake accounts on Twitter and LinkedIn, and automatic chatbots.
Who would be most interested in compromising the entirety of the electoral process? Could you name a particular country that would benefit the most from the outcome of the elections?
It really depends. If I have to look at the situation in my country, the Netherlands, during the last elections some of the politicians themselves were already doing everything they could to get elected. So, as it happened in the US with Trump versus Clinton in 2016, we also had a political party which was spreading fake news about the other contenders. They also tried buying voters' data and manipulating stuff. So it really depends on who wants to be elected the most. I do not think that threat actors outside the EU, such as Russia, would play a significant role this time in clearing the path for a certain party to win.
But besides Russia, European officials are paying specific attention to China's efforts to interfere in the elections as well. Do you think it would risk meddling in the elections?
If China uses all its resources to breach the European elections, then people would be even more worried and scared and it would make European officials finger-point at China, telling the world: “This is China, we now have a lot more reasons not to get, for example, Huawei into the 5G network.” So I think such concerns are coming more from the Huawei competitors and are not justified.
Despite introducing centralised planning, such as the Cybersecurity Act, the EU Member States are still not cyber resilient enough and data breaches are on the rise. Why is that?
A lot of people still relate cybersecurity to the security of the internet connections that they use through their laptops and PCs, while a smartphone can also be breached. The reason is that people still do not have the so-called 'cyber hygiene' - they do not use automatic updates, they do not do any mobile patching. For example, in the Netherlands there was a survey last year in which 75% of the people openly stated that they do not even lock their phones. So introducing such centralised cybersecurity regulation or a set of rules does almost nothing to mitigate possible cyberattacks. It is just paper; it does not offer a concrete set of rules for the people or a specific piece of software. The entire framework is just paper, and as such it looks great and trustworthy, but I have not actually seen anybody roll up their sleeves and turn this plan into actions.
Why is that? When in April 2018, for example, Facebook CEO Mark Zuckerberg testified before members of the US Congress regarding the Cambridge Analytica data breach scandal, lawmakers asked him questions that were highly uninformed, showing a lack of even basic cybersecurity knowledge. Do you think this is the case in the EU as well and is part of the reasons behind the lack of good decisions and working practices in the field?
Absolutely, yes. They do not know what cybersecurity actually is, how it works, how to handle it, and some of the people do not even find it relevant. At the same time, we cannot blame politicians for not being cybersecurity aware because it is like blaming them for not being able to perform a heart surgery. But they need to turn to experts in the cybersecurity field.
Yet, the cybersecurity jobs gap is widening and has grown to three million, which some people describe as a true emergency. Do you believe that the introduction of an EU-wide open source responsible disclosure policy might actually be the solution that would give hackers and pentesters more confidence to join the sector, and would strengthen the bloc's cyber defence?
Positively, yes, because you will take it out of the blacksome. Now, for example, I hear a lot of people calling hackers criminals, but without hackers it would be impossible to secure systems, since to secure them you have to be able to dive in and see where all the breaches are. If you don't have responsible disclosure in Bulgaria, there is no way to tell the manufacturer where these breaches are, because you would get arrested and maybe even thrown in jail. Moreover, responsible disclosure is needed so you can create a Bug Bounty - invite hackers and pentesters to have a look at your system.
Actually, many experts believe that the EU institutions would be far more resilient to attacks if such a Bug Bounty programme, covering all of the EU websites, were established. Would it work?
That would be great. In the Netherlands they had a kind of Bug Bounty, introduced by the intelligence services, which was aimed at solving specific problems. Afterwards, the people who were able to find the solutions were also offered a job. So having the freedom to breach something, to dive deep into a system or a website, could make people enthusiastic about the organisation or the job opportunity, or just about the field of cybersecurity in general. Yes, others would however accuse you of trying to drive a riot by allowing people to deliberately penetrate websites. Still, I see it the other way around, because when you ask people to have a look at the website and they find the hidden vulnerabilities, you are able to patch it in a safe way. And I believe that anybody would rather have that than see their whole system taken down.
So, considering all of the aforementioned, how do you see the current state of European cybersecurity? Is it possible to say we are safe now?
I do not think we would ever be able to say we are safe. There are still a lot of breaches, still a lot of vulnerabilities, and at the same time the world is getting more and more digital. For example, there are new things floating into the world, such as the Internet of Things or the Internet of Toys, and they are in an even worse state, when it comes to security, than websites. It will not be getting better, since now your refrigerator is operated by an app, your vacuum cleaner is running on an app, everything is connected, and therefore I believe that the word 'cybersecurity' should be tossed in the bin, because it only says it applies to the internet environment, when now it is more about information security and IT-related problems. For example, industrial control systems, such as water treatment systems, are now also a target. It is no longer just your computer that is at stake, but the entire world instead.
What measures would you then, as an expert, recommend for the sake of security of critical infrastructure?
One of the main solutions is to make sure you pentest it on a regular basis. And I have seen some waterworks that have never been tested. Sometimes it is also good to just say out loud: “OK, maybe we have an old system that needs to be renewed.” Back in the day, you had one standalone system that controlled a specific area, and it evolved through the years. Now this standalone system, built in the 80s or 90s, is part of a bigger internet structure, and it involves waterworks, but also bridges and traffic lights.
How could this be achieved then? Could we say that there is first of all a need for people to learn to differentiate between cybersecurity, cyber resilience and cyber defence?
Yes, absolutely. They are mixed up all the way. We need to define and redefine them as well. Because if you are talking about cybersecurity, people would often be like 'yeah, yeah, I know, but I have never been hacked' and forget that cybersecurity also concerns their electronic doorbell or their biometric authentication, or even their car keys, whose signal could easily become the target of a 'relay attack'. It is not only about the connection between your laptop and the internet; it is now everywhere. Thus it is definitely in need of redefining.
What else would you like to see in the cybersecurity sector in the future?
Professionals! But I think it all starts with creating one problem owner. And with politicians who would not only make a great one-liner out of it, because of election campaigns, but will also deliver what they said prior to the ballot. It should not be like a one-trick pony, where they promise to make cybersecurity top priority and then forget about it. We need politicians who will roll up their sleeves and deliver not only promises, but also actions.
Born in the Netherlands, Mary-Jo de Leeuw is founder and president of the Platform Internet of Toys, an international community that consults on the security implications of connected toys. She is also co-founder and vice-president of the Women in Cyber Security Foundation and co-creator of the Dutch initiative Cyber Workplace. De Leeuw is a winner of the Cybersecurity Excellence Awards 2018 for Europe, was ranked #10 by IFSEC as a global cybersecurity influencer, and has won the global Iconic Women 2017, Creating a Better World for All award.