Recent Posts

In Defense of eSafety: Upholding Democratic Processes in the Digital Age

As cybersecurity professionals, we at the Cybersecurity Advisors Network (CyAN) are acutely aware of the critical role that technology plays in shaping our society. As our primary focus is on information security, data protection as well as Trust & Safety, we recognise the broader implications

CyAN Video/Podcast – Linux Malware and Security, With Craig Rowland

The latest episode of CyAN’s Secure-in-Mind video and podcast series features Craig Rowland, CEO and founder of New Zealand-based Sandfly Security. “The Internet runs on Linux” – over 90% of the top million websites run on Linux, and it’s a critical part of the global

CyAN part of the CSG Awards 2024, as Advisory Partner – 24 April 2024, Dubai

Cybersecurity Advisors Network (CyAN) is proud to be a part of the CSG Awards 2024, as Advisory Partner. Our strategic member in Middle East – Dubai, Bharat Raigangar, is part of the Jury committee to identify the Best Minds in The Cyber – AI domain.

CSG Awards is an initiative to recognise the cybersecurity leaders and CISOs who have worked hard to immunise their organisations against cyberattacks. This initiative will also offer a networking opportunity for global CISOs, both from the region and from other parts of the world.

This event also recognises select cybersecurity ecosystem partners and stakeholders who enable the industry with best-in-class and unique solutions and initiatives.

CSG Awards is also an opportunity to learn from each other’s experience and showcases vendors and technologies which are unique and futuristic in nature.

This year (2024) CSG Awards is happening in Shangri-La, Dubai under the guidance of the technology and cybersecurity honchos in the region, including Arun Tewary, Digital Acceleration Veteran, Strategy & Technology Adviser, Director & CIO; Dr. Mathew Nicho, Associate Researcher – Associate Professor, Research & Innovation Centers, Rabdan Academy (UAE Ministry of Interior); Bharat Raigangar, Board Advisor, 1CxO, vCISO Cyber Securist & Mentor – Digital Transformation Cyber Resilience – Cyber Insurance-Supply Chain Threat Mang; and Illyas Kooliyankal, Founder and CEO, CyberShelter, the CISO Factory and GCSCP CyberSecurity Career Platform.

Cyber Conflict in the Middle East – Round One

In the latest of our series of discussions on CyAN’s YouTube channel “State of (Cyber)War” playlist about cyber conflict and -capabilities, Hugo Tarrida and John Salomon talk about the background and current state of cyber conflict in the Middle East.

State of (Cyber)War – China’s Cyberwarfare Capabilities

It’s been a while, but we’re pleased to finally bring you the latest episode in our State of (Cyber)War podcast series, part of CyAN’s Secure-in-Mind channel. Hugo Tarrida and John Salomon take a crack at understanding China’s cyberwarfare capabilities – what are the country’s motivations?

How Mistral’s Partnership with Microsoft Secures its Future in the Competitive AI Landscape

AI is causing unprecedented changes that are both creating new opportunities and transforming individuals, businesses, and society. The current AI landscape is characterised by increased competition and dependence on a small number of dominant players. These players have the talent, resources, data, and a willing mindset to reach into their deep pockets to succeed. As each European AI player hopes to have greater control and influence over its own AI destiny, this presents a threat to their nation’s strategic autonomy as well as possibly to the EU as a whole.

The recent announcement of Mistral, a French leader in AI, partnering with the U.S. technology giant Microsoft does not spell an abandonment of the French quest for strategic autonomy. I would argue it is a pragmatic approach to ensuring its survivability, profitability, and leadership in France and Europe.

Google and Microsoft have indeed positioned themselves at the forefront of AI research and development, leveraging their vast resources, extensive data repositories, and cutting-edge computing infrastructure. This dominance is a function of both their financial muscle as well as their strategic foresight in recognising technology’s transformative potential across industries and society.

The landscape of global AI innovation, particularly its concentration in US firms, presents a nuanced challenge and opportunity for Mistral, which seeks to take the lead in championing France’s strategic autonomy ambition. Understandably, it wishes to follow a path that is less reliant on external powers and more reflective of French and possibly European values and interests. Looking out Mistral’s windows in Paris is a battleground and a breeding ground for creativity. The dominance of US companies in AI raises the bar for technological innovation and market penetration. However, it also identifies a clear possibility for differentiation based on values, regulatory compliance, and strategic alignment with French and European autonomy and resilience objectives. The European Union’s emphasis on privacy, ethical standards, and regulatory environment, as shown by the General Data Protection Regulation (GDPR), is a unique proposition that European AI businesses can use to differentiate themselves from their American counterparts.

Achieving strategic autonomy is difficult and non-linear. Is the EU AI Act a unified strategy among EU members? The necessity for significant investment in R&D, as well as the imperative to close the technological gap with global leaders, are formidable challenges. Furthermore, the EU’s approach to AI in defense and security lacks strategic focus and operational readiness, underscoring the challenge of integrating AI technology in a way that improves strategic autonomy. In this scenario, a European AI leader seeking greater strategic autonomy must negotiate a complicated ecosystem, innovate within the EU’s demanding regulatory framework, and bridge the gap between technology and capability while contributing to the EU’s broader strategic objectives. This is a dance that involves not only technological innovation but also strategic alliances in Europe and around the world, all to improve the EU’s position in the AI environment. Mistral’s role is to push the boundaries of AI innovation, comply with French and European principles and legislation, and contribute to the strategic goals of its country and the EU.

It is critical to understand that partnerships between companies from different geopolitical realms are more than just transactions; they are strategic alignments that can serve multiple purposes. Mistral’s partnership with Microsoft could provide access to advanced technologies, larger markets, and significant resources. The difficulty, however, is to use the collaboration to strengthen its strategic autonomy rather than becoming subordinate to Microsoft’s objectives.

The realm of values and regulations serves as a differentiator and a means of keeping some semblance of autonomy. The GDPR embodies European entities’ long-standing commitment to privacy, ethical AI use, and strong data protection regulations. By incorporating these values into the core of its products and services, Mistral can not only differentiate itself in the global market but also appeal to consumers and businesses that are increasingly concerned about privacy and ethical considerations.

Furthermore, focusing on niche areas where Europe has a competitive advantage or on sectors that are underserved by U.S. tech giants could offer another differentiation strategy. Specific artificial intelligence applications specific to French healthcare, agriculture, or environmental sustainability could be part of this strategy and aligned with European societal values and political priorities.

Strategic partnerships within Europe and with other global players could also elevate Mistral’s position. By forming alliances with other European tech firms, and research institutions, and leveraging EU funding mechanisms, it can contribute to and benefit from a collective effort to advance European technological sovereignty.

Mistral’s ability to differentiate itself while partnering with Microsoft is dependent on its ability to strategically leverage the partnership for growth and innovation while adhering to European values and regulatory frameworks, and actively contributing to France and Europe’s strategic autonomy in AI.

How can Mistral’s seemingly sudden change of sentiment be transformed into a strategic advantage, especially as it navigates the complex and competitive AI landscape that is predominantly American?

Its previous position of opposing U.S. big tech can catalyse innovation, driving the company to develop unique AI solutions that address gaps left by U.S. firms. This could involve focusing on niche markets or sectors where French or European companies have a competitive edge or societal values that demand a different approach to AI applications.

Finally, Mistral has a unique vantage point, straddling the technological and regulatory environments of both France and the United States, offering fertile ground for cultivating a distinctive competitive edge. This dual insight, leveraged astutely, can propel it to not only thrive in its local and EU markets but also carve out its share on the global stage.

Securing Tomorrow: The Pivotal Role of Quantum Computing in Cybersecurity

This simple yet powerful statement highlights the immense potential of quantum computing to revolutionize the cybersecurity landscape. While still in its early stages of development, quantum computers possess the game-changing ability to perform calculations that are impossible for even the most powerful classical computers. This 

Beyond Employment: How AI Will Transform the Economy and Society for better or worse.

“Any sufficiently advanced technology is indistinguishable from magic” was a poignant observation by Arthur C. Clarke in 1973. I find this quote befitting our reality where the pace of change brought about by technology is unparalleled. It implies that we often have unrealistic expectations about

Coordinated Vulnerability Disclosure – Europe Has Some Work to Do

In 2021, the OECD Working Party on Security in the Digital Economy published a report for policymakers on encouraging vulnerability treatment. Among other things, the report provides information on digital vulnerabilities and how they tie into product security, and issues recommendations not only for the establishment of coordinated vulnerability disclosure (CVD) programs, but also for how to create a constructive environment where ethical hackers can search for, report, and help remediate software security bugs without fear of legal retaliation – civil or criminal.

This is a big deal; the OECD already recognized the need for better secure-by-design principles in parallel reports mentioned in the paper [1] [2]. In the meantime, the European Union’s Cyber Resilience Act (CRA) places major requirements on software publishers, importers, and distributors for enhancing the security of digital products – both during the design and aftermarket phase. See my quick and dirty overview of this law here. Together with increased cybersecurity and resilience requirements such as the significant supply chain risk management requirements placed on critical economic sectors by the NIS 2 directive and other recent rules, the EU has signaled a major growth in attention to, and understanding of, digital security and the need to protect society and the economy by making software more robust.

Policies to protect ethical hackers and thus ensure timely information about new security vulnerabilities before the bad guys can find and abuse them have also seen a slow shift towards more pragmatic legislation. The Good Faith Cybersecurity Researchers Coalition (GFCRC), a not for profit industry initiative supported by CyAN, with the objective of coordinating industry action and education for better shielding of ethical hackers, has been tracking numerous moves by governments around the world in this direction.

Legal protections, from both criminal (arrest, prosecution) and civil¹ (harassment, lawsuits) jeopardy, go hand in hand with constructive resources and guidance for ethical researchers. These consist primarily of two major elements:

  1. Bug bounty platforms and other formal CVD mechanisms
  2. Officially sanctioned, actionable, and clear guidance and resources from public sector entities such as national security centres, national CERTs, law enforcement agencies, responsible ministries, and other bodies that are empowered to represent legal policy

A wealth of material and services in both categories exist around the world, as Nick Kelly and I point out in our 2023 article “Protecting Responsible Cybersecurity Vulnerability Research” for the European Cybersecurity Journal on this topic (ECJ Volume 9 (2023) Issue 1). However, there are some significant gaps.

Specifically, the European Union Agency for Cybersecurity (ENISA) could, and should play a key role in informing EU policy that influences both Europe-wide legislation and national laws, to be more accommodating towards good faith vulnerability research.

ENISA has two great strengths that build on its good reputation in the industry – it has a strong track record in issuing good practices guidance (my favorite example of this is the excellent ISAC in a Box toolkit), and it is the best placed organization in Europe to coordinate and encourage public-private cooperation to help secure European digital society and institutions. It also provides occasional original vulnerability research. The agency has a reasonable track record of supporting and working with private sector work such as the EU ISACs, but like many EU institutions (speaking as a committed Europhile), it could do more to strengthen and share proven techniques and initiatives.

CVD tools and materials are a great example of where I believe ENISA should and could provide much more active leadership, as well as maturing and disseminating good practices. There are some materials that provide a decent start to this, but all are in need of updates.

The Good Practice Guide on Vulnerability Disclosure dates all the way back to 2015 – especially given ENISA’s recently announced and highly welcome closer cooperation with CISA, it would make sense to revisit this guide and ensure it’s up to date. The State of Vulnerabilities report dates from 2018/19, and while the methodologies and recommendations described in the paper remain valid, it does not take into account the massive spate of supply chain vulnerabilities and attacks experienced globally in 2020/21, such as SolarWinds, Accellion, the four zero-day CVEs that lay at the root of the 2021 Microsoft Exchange server breach, and others. The overview of Coordinated Vulnerability Disclosure Policies in the EU is reasonably complete and up to date, as of April 2022. However, it does not mention e.g. the Belgian cybersecurity legal reform of February 2023, a major milestone for EU member countries.

None of these papers mention the OECD digital economy working party’s recommendations; this is a major gap, considering three key EU member countries plus the EU itself are members of the G-20. Furthermore, given the need for ethical researchers and firms alike to have access to up-to-date information about what laws apply to them right now, it would make sense for an entity like ENISA to provide more up-to-date guidance of national laws, similarly to Global Legal Group’s list of national cybersecurity laws.

In my view, the biggest issue is the lack of a direct, easily accessible path to the correct vulnerability disclosure policy or process. Security bug hunting is a highly technical process, requiring a great deal of skill, time, and dedication. ENISA, like so many other organizations providing (mostly) correct and thorough information, falls into the trap of “all the information is there”. Yes, it is. However, like many national cybersecurity agencies’ good practices offerings for small businesses, there has to be more of a balance between correctness/thoroughness and usability/accessibility – especially for non-subject-matter experts, people less experienced or familiar with process documentation, or non-native English speakers.

ENISA is not an operational body, meaning that even though it conducts some original technical research, it does not perform incident response or vulnerability management functions. Even though it is closely connected to CERT-EU with whom it collaborates on the publication of some cyber-threats and -vulnerabilities, the scope of that body itself is limited to EU institutions and agencies. As a result, it is unfair to expect ENISA to provide a Europe-wide CVD process…or is it?

In my anecdotal experience, there are significant cybersecurity gaps among European institutions between the admittedly excellent guidance that agencies like ENISA provide, and the often lackluster operational capabilities of member states and national agencies. I am fully aware of the challenges of European multistakeholder politics, and the need to strictly respect boundaries established by European rules, such as the European Cybersecurity Act. However, given the fast-moving nature of cybersecurity attacks, and the ongoing risks from critical vulnerabilities, bureaucratic niceties should not limit industry and society’s ability to quickly respond to evolving threats.

The inflexible nature of this rules-based, formal approach to collaborative cybersecurity was perfectly illustrated in an industry working group discussion of mandatory incident notification under the NIS2 Directive, chaired by ENISA representatives a few years ago. The EU approach to critical incident reporting is very tidy, incorporating national competent authorities and some to-be-defined central repository. Nobody was able to satisfactorily answer questions about what would actually be done with such incident reports (e.g. used to create playbooks for TIBER-EU or exercise scenarios so others can learn from them?) or how they would be securely stored.

Especially given the lack of CVD policies or ethical hacking-friendly laws in many countries (see again the Coordinated Vulnerability Disclosure Policies paper mentioned earlier), it would make enormous sense for the agency to

a) provide an easy way for a researcher to find and navigate to the correct way to report a new, critical flaw, and

b) if such a channel does not exist (for example due to lack of a national capability), to provide it, and to funnel the information to the right place.

Furthermore, ENISA already chairs the EU CSIRTs network. Unlike FIRST.org, this group pointedly excludes all but “official” CSIRTs and CERTs appointed by member states, and CERT-EU. Absent many national CVD reporting mechanisms and rules, it would be beneficial for ENISA to take a more flexible approach to non-member state CERTs/CSIRTs and other trusted operational cybersecurity entities. There is already precedent for this, in the form of ENISA’s engagement with the EU ISACs community, even though its rules about whether or not a member ISAC must be “European” are somewhat confusing. In this way, the agency would have even more reach to communicate reported vulnerability information to the correct body.

EU institutions move slowly, and unless multiple critical industry actors (such as large firms in the many economic sectors defined by the NIS2 Directive) collectively exert pressure via ENISA-chaired working groups or via their national authorities, the situation is unlikely to change soon. We can only hope that, while more and more governments adopt legal reform to protect ethical hackers, and cybersecurity agencies develop and implement CVD policies and processes, European industry itself can work together to ensure fast, unbureaucratic access to emerging cybersecurity vulnerability information, so we can fix bugs as quickly as possible.

  1. For a discussion of the oft-overlooked civil legal aspect of risks that vulnerability researchers face, see the interview with US legal expert Riana Pfefferkorn on the GFCRC’s YouTube channel.

Navigating the Future of AI: Australia’s Path to Safe, Responsible, and Secure AI

Introduction: The integration of Artificial Intelligence (AI) in our digital world has profound implications, especially for professionals in cybersecurity, privacy, and data security. The Australian Government’s “Safe and Responsible AI in Australia consultation” interim response offers pivotal guidance in this realm. This article explores these