Recent Posts

Securing Tomorrow: The Pivotal Role of Quantum Computing in Cybersecurity

This simple yet powerful statement highlights the immense potential of quantum computing to revolutionize the cybersecurity landscape. While still in its early stages of development, quantum computers possess the game-changing ability to perform calculations that are impossible for even the most powerful classical computers. This 

Beyond Employment: How AI Will Transform the Economy and Society for better or worse.

“Any sufficiently advanced technology is indistinguishable from magic” was a poignant observation by Arthur C. Clarke in 1973. I find this quote befitting our reality where the pace of change brought about by technology is unparalleled. It implies that we often have unrealistic expectations about 

Coordinated Vulnerability Disclosure – Europe Has Some Work to Do

In 2021, the OECD Working Party on Security in the Digital Economy published a report for policy makers on encouraging vulnerability treatment. Among other things, the report provides information on digital vulnerabilities and how they tie into product security, and issues recommendations not only for the establishment of coordinated vulnerability disclosure (CVD) programs, but also for how to create a constructive environment where ethical hackers can search for, report, and help remediate software security bugs without fear of legal retaliation – civil or criminal.

This is a big deal; the OECD already recognized the need for better secure-by-design principles in parallel reports mentioned in the paper [1] [2]. In the meantime, the European Union’s Cyber Resilience Act (CRA) places major requirements on software publishers, importers, and distributors for enhancing the security of digital products – both during the design and aftermarket phase. See my quick and dirty overview of this law here. Together with increased cybersecurity and resilience requirements such as the significant supply chain risk management requirements placed on critical economic sectors by the NIS 2 directive and other recent rules, the EU has signaled a major growth in attention to, and understanding of, digital security and the need to protect society and the economy by making software more robust.

Policies to protect ethical hackers, and thus ensure timely information about new security vulnerabilities before the bad guys can find and abuse them, have also seen a slow shift towards more pragmatic legislation. The Good Faith Cybersecurity Researchers Coalition (GFCRC), a not-for-profit industry initiative supported by CyAN with the objective of coordinating industry action and education for better shielding of ethical hackers, has been tracking numerous moves by governments around the world in this direction.

Legal protections, from both criminal (arrest, prosecution) and civil (harassment, lawsuits)¹ jeopardy, go hand in hand with constructive resources and guidance for ethical researchers. These consist primarily of two major elements:

  1. Bug bounty platforms and other formal CVD mechanisms
  2. Officially sanctioned, actionable, and clear guidance and resources from public sector entities such as national security centres, national CERTs, law enforcement agencies, responsible ministries, and other bodies that are empowered to represent legal policy

A wealth of material and services in both categories exist around the world, as Nick Kelly and I point out in our 2023 article “Protecting Responsible Cybersecurity Vulnerability Research” for the European Cybersecurity Journal on this topic (ECJ Volume 9 (2023) Issue 1). However, there are some significant gaps.

Specifically, the European Union Agency for Cybersecurity (ENISA) could, and should, play a key role in informing EU policy that influences both Europe-wide legislation and national laws, to be more accommodating towards good faith vulnerability research.

ENISA has two great strengths that build on its good reputation in the industry – it has a strong track record in issuing good practices guidance (my favorite example of this is the excellent ISAC in a Box toolkit), and it is the best placed organization in Europe to coordinate and encourage public-private cooperation to help secure European digital society and institutions. It also provides occasional original vulnerability research. The agency has a reasonable track record of supporting and working with private sector work such as the EU ISACs, but like many EU institutions (speaking as a committed Europhile), it could do more to strengthen and share proven techniques and initiatives.

CVD tools and materials are a great example of where I believe ENISA should and could provide much more active leadership, as well as maturing and disseminating good practices. There are some materials that provide a decent start to this, but all are in need of updates.

The Good Practice Guide on Vulnerability Disclosure dates all the way back to 2015 – especially given ENISA’s recently announced and highly welcome closer cooperation with CISA, it would make sense to revisit this guide and ensure it’s up to date. The State of Vulnerabilities report dates from 2018/19, and while the methodologies and recommendations described in the paper remain valid, it does not take into account the massive spate of supply chain vulnerabilities and attacks experienced globally in 2020/21, such as SolarWinds, Accellion, the four zero-day CVEs that lay at the root of the 2021 Microsoft Exchange Server breaches, and others. The overview of Coordinated Vulnerability Disclosure Policies in the EU is reasonably complete and up to date, as of April 2022. However, it does not mention e.g. the Belgian cybersecurity legal reform of February 2023, a major milestone for EU member countries.

None of these papers mention the OECD digital economy working party’s recommendations; this is a major gap, considering three key EU member countries plus the EU itself are members of the G-20. Furthermore, given the need for ethical researchers and firms alike to have access to up-to-date information about what laws apply to them right now, it would make sense for an entity like ENISA to provide more current guidance on national laws, similar to Global Legal Group’s list of national cybersecurity laws.

In my view, the biggest issue is the lack of a direct, easily accessible path to the correct vulnerability disclosure policy or process. Security bug hunting is a highly technical process, requiring a great deal of skill, time, and dedication. ENISA, like so many other organizations providing (mostly) correct and thorough information, falls into the trap of “all the information is there”. Yes, it is. However, like many national cybersecurity agencies’ good practices offerings for small businesses, there has to be more of a balance between correctness/thoroughness and usability/accessibility – especially for non-subject matter experts, people less experienced or familiar with process documentation, or non-native English speakers.

ENISA is not an operational body, meaning that even though it conducts some original technical research, it does not perform incident response or vulnerability management functions. Even though it is closely connected to CERT-EU with whom it collaborates on the publication of some cyber-threats and -vulnerabilities, the scope of that body itself is limited to EU institutions and agencies. As a result, it is unfair to expect ENISA to provide a Europe-wide CVD process…or is it?

In my anecdotal experience, there are significant cybersecurity gaps among European institutions between the admittedly excellent guidance that agencies like ENISA provide, and the often lackluster operational capabilities of member states and national agencies. I am fully aware of the challenges of European multistakeholder politics, and the need to strictly respect boundaries established by European rules, such as the European Cybersecurity Act. However, given the fast-moving nature of cybersecurity attacks, and the ongoing risks from critical vulnerabilities, bureaucratic niceties should not limit industry and society’s ability to quickly respond to evolving threats.

The inflexible nature of this rules-based, formal approach to collaborative cybersecurity was perfectly illustrated in an industry working group discussion of mandatory incident notification under the NIS2 Directive, chaired by ENISA representatives a few years ago. The EU approach to critical incident reporting is very tidy, incorporating national competent authorities and some to-be-defined central repository. Nobody was able to satisfactorily answer questions about what would actually be done with such incident reports (e.g. used to create playbooks for TIBER-EU or exercise scenarios so others can learn from them?) or how they would be securely stored.

Especially given the lack of CVD policies or ethical hacking-friendly laws in many countries (see again the Coordinated Vulnerability Disclosure Policies paper mentioned earlier), it would make enormous sense for the agency to

a) provide an easy way for a researcher to find and navigate to the correct way to report a new, critical flaw, and

b) if such a channel does not exist (for example due to lack of a national capability), to provide it, and to funnel the information to the right place.

Furthermore, ENISA already chairs the EU CSIRTs network. Unlike FIRST.org, this group pointedly excludes all but “official” CSIRTs and CERTs appointed by member states, and CERT-EU. Absent many national CVD reporting mechanisms and rules, it would be beneficial for ENISA to take a more flexible approach to non-member state CERTs/CSIRTs and other trusted operational cybersecurity entities. There is already precedent for this, in the form of ENISA’s engagement with the EU ISACs community, even though its rules about whether or not a member ISAC must be “European” are somewhat confusing. In this way, the agency would have even more reach to communicate reported vulnerability information to the correct body.

EU institutions move slowly, and unless multiple critical industry actors (such as large firms in the many economic sectors defined by the NIS2 Directive) collectively exert pressure via ENISA-chaired working groups or via their national authorities, the situation is unlikely to change soon. We can only hope that, while more and more governments adopt legal reform to protect ethical hackers, and cybersecurity agencies develop and implement CVD policies and processes, European industry itself can work together to ensure fast, unbureaucratic access to emerging cybersecurity vulnerability information, so we can fix bugs as quickly as possible.

¹ For a discussion of the oft-overlooked civil legal aspect of risks that vulnerability researchers face, see the interview with US legal expert Riana Pfefferkorn on the GFCRC’s YouTube channel.

Navigating the Future of AI: Australia’s Path to Safe, Responsible, and Secure AI

Introduction: The integration of Artificial Intelligence (AI) in our digital world has profound implications, especially for professionals in cybersecurity, privacy, and data security. The Australian Government’s “Safe and Responsible AI in Australia consultation” interim response offers pivotal guidance in this realm. This article explores these 

New Video/Podcasts – The State of (Cyber) War

Join James Briscoe and John Salomon for our new conversation series on “cyber warfare” and all it entails. In our new playlist, part of CyAN’s Secure-in-Mind media series, we address many of the challenging and fascinating issues surrounding disinformation, national and regional cyberdefence policy, threat 

Cybersecurity Year in Review 2023: Key Events, Learnings, and Takeaways

As 2023 comes to a close, it’s essential to look back at the major cybersecurity events of the year and extract crucial learnings and takeaways. This year has been marked by significant incidents that have reshaped our understanding of digital security, privacy, and cyber resilience.

Major Cybersecurity Incidents of 2023

Some statistics for reference:

Number of incidents in 2023: 1,404*

Number of breached records in 2023: 5,951,612,884*

(*) as of this writing.

  1. Global Ransomware Surge

   The year saw a dramatic increase in ransomware attacks targeting both private and public sector organisations. Notable among them was the attack on MGM Resorts, which resulted in substantial financial losses and highlighted the need for better ransomware preparedness and response strategies.

  2. Data Breaches and Privacy Concerns

   Numerous data breaches occurred, exposing the personal information of millions. The 23andMe breach was particularly alarming due to the sensitivity of the data involved. This event underscored the ongoing challenges in protecting personal information in the digital age.

  3. State-Sponsored Cyber Attacks

   Geopolitical tensions led to an uptick in state-sponsored cyber activities. Kyivstar, Ukraine’s largest mobile network operator, suffered a cyber-attack, one of the highest-impact disruptive cyber-attacks on Ukrainian networks since the start of Russia’s full-scale invasion. The cyber-attack also reportedly disrupted air raid sirens, some banks, ATMs, and point-of-sale terminals, signalling a new era of digital warfare.

  4. AI and Deepfake Misuse

   The misuse of AI technologies, especially deepfakes, posed new threats. The relative ease of using deepfakes as a social engineering tool raises concerns about the potential use of AI for misinformation and manipulation, especially in the run-up to the US Presidential Election in 2024.

Learnings and Takeaways

Enhancing Cyber Resilience

   The events of 2023 have shown that cyber resilience is not just about preventing attacks but also about having robust recovery and response plans. Organizations need to invest in both preventive measures and recovery strategies.

The Importance of Cyber Hygiene

   Basic cyber hygiene practices, like regular software updates, strong passwords, and multi-factor authentication, remain vital. Many of the year’s breaches could have been mitigated or avoided with better hygiene practices.

Need for Greater Collaboration

   Cybersecurity is no longer a solitary endeavour. The year highlighted the importance of collaboration between private companies, government agencies, and international bodies to combat cyber threats effectively.

AI and Cybersecurity

   With the rise of AI-powered threats, there’s an urgent need for AI-centric security solutions. Organizations must understand and prepare for the unique challenges posed by AI in the cybersecurity domain.

Privacy and Data Protection Laws

   The data breaches of 2023 have prompted calls for stronger privacy and data protection laws. There is a growing need for legislation that keeps pace with the evolving digital landscape.

Focusing on Human Factors

   Human error continues to be a significant factor in cybersecurity incidents. Training and awareness programs are crucial in mitigating this risk.

Looking Ahead

As we move into 2024, the lessons learned in 2023 will undoubtedly shape our approach to cybersecurity. The key is to adapt and evolve continuously in the face of emerging threats and challenges. Building a cyber-resilient future requires vigilance, innovation, and collective effort.

Striking a Balance between Values and Laws, Innovation and Regulation – Artificial Intelligence

The blog “The Tale of Two Approaches to Artificial Intelligence – EU AI Act & U.S. Executive Order on Safe, Secure, and Trustworthy AI” was a balanced look at the similarities and differences in approaches to AI. The divergence of approach is a manifestation of 

The Power of Fully Homomorphic Encryption in the Fight Against Ransomware

A repost of an article one of our members wrote for a client of his, regarding the use case of fully homomorphic encryption as a safeguard against ransomware-borne data exfiltration and various forms of extortion.

CyAN Mentorship Pilot Wrap-Up

CyAN’s mentorship programme, launched in April 2023, has just completed.

As part of CyAN’s mission to support maturity and trust in the global cybersecurity ecosystem, the board of directors decided in spring 2023 to leverage our members’ experience, knowledge, and networks to help promising academics improve their ties to the industry.

Our 6 initial candidates, supported by 5 member mentors, have national origins and academic backgrounds from around the world, focusing on a wide variety of topics. All participants were asked to provide a final contribution as part of the programme, such as a podcast/video interview, blog post, article, or other work relevant to their research and information security-related interests:

Candidate | Affiliation | Role | Final Output | Mentor
--- | --- | --- | --- | ---
Nils Eiling | FAU Erlangen-Nürnberg (DE) | MSc Candidate / Graduate | CyAN Mentorship Programme Report | Boris Taratine
Florian Hantke | CISPA Helmholtz (DE) | PhD Candidate / Graduate | Florian Hantke – pen tester, vulnerability researcher, cybersecurity doctoral candidate | John Salomon
Étienne Bryan Botog | École High-Tech (MA) | Master’s Candidate / Graduate | Explorons les Tendances Actuelles des Menaces Cybernétiques et Comment s’en Protéger | Pierre Noel
Jillian Kwong | Cybersecurity at MIT Sloan (CAMS) (US) | Research Scientist | Jillian Kwong – Cybersecurity Challenges in Small to Medium Enterprises (SME) | John Salomon
Aliasgar Erinpurwala | EM Lyon Business School (FR) | MSc Candidate / Graduate | The Growing Threat of Quantum Supremacy in The Era Of Digital Civilization | Matthieu Camus
Hugo Tarrida | King’s College London (UK) | MA Candidate / Graduate | Hugo Tarrida on Cyberdefence and Information Warfare | Ricardo Gonçalves

All participants will be automatically inducted into the CyAN community, with membership fees waived for the coming year.

While logistically challenging, the mentorship pilot was a strong and rewarding success for all participants, paving the way for the deployment of a standing programme with the help of CyAN members and our friends throughout the industry. All mentors were highly impressed by the calibre and enthusiasm of the scholars they worked with.

We sincerely hope that we can inspire other organisations – whether commercial firms, NGOs, or public-private partnerships – to look into starting talent development programmes of their own, and to support existing initiatives. Cybersecurity is a tough field to enter, despite frequent reports of a supposed vast number of unfilled vacancies. Society and industry can only flourish with a steady pipeline of talented, motivated, and smart new experts; these do not come from nowhere. Please consider mentoring career aspirants, thus helping us ensure that there will always be both professional opportunities and good people to fill them.

Exploring Current Cyber Threat Trends and How to Protect Against Them (Explorons les Tendances Actuelles des Menaces Cybernétiques et Comment s’en Protéger)

Étienne Bryan Botog, a candidate in CyAN’s mentoring programme, presents his article on the most current and significant cyber threats, and how to protect against them.