Trust and Cybersecurity
Paul Timmers does a lot of thinking about our digital future. Many are worried about their future and the future of their children. Are they going to be squeezed in a world dominated by big money digital platforms and by geopolitical conflicts of the great powers, the USA and China? Or do we keep trust in keeping a say about our future, in democracy, society, and economy? Our digital future is all about our strategic autonomy and sovereignty. Paul is a former EU policymaker, an academic, and an entrepreneur.
EU and Cybersecurity
Paul: “Historically in the European Commission, topics like cybersecurity were more technical topics in the sense that European policy was about investing in research and innovation and then developing new technologies. But that kind of technical view has really shifted to a very, very political view. And the reason for that is I think that digital is now pervasive in society and economy and democracy everywhere. And that is also what comes with it, some of the threats, like cybersecurity-related or data protection, have become very political. They touch the foundations of our economy, society, and democracy. And so you see that trust and cybersecurity have risen to the top of the agenda as the Germans would say it’s a “Chefsache”.”
And you have to be aware that you’re starting to do this in an ever more complex environment. So we go to 5G. What they call the attack surface is increasing massively because with 5G, you can connect everything and the network will be managed by partners that are less experienced in security. So you are expanding your vulnerability landscape and therefore Zero Trust is not a one-off type of thing. I also need to say ultimately in Zero Trust, there are still elements that you do need to trust. So let’s take again the SolarWinds example. The NSA has recommended that after that, the only way to ultimately deal with the supply chain attacks is if you use hardware security modules and these are trusted pieces of hardware. And there it’s kind of you have to trust your supplier. So the ones that are building the hardware security modules, you better know really very well which companies these are, because these are the ones that you need to trust, perhaps without you being able to inspect everything. So Zero Trust, great principle, very important because it’s an approach for security by design. Be aware it also has its challenges and its cost.
Paul: “There is a volunteers organization in the Netherlands called the DIVD, and they found a weakness in software from a company called Kaseya. And while they were finding this and sorting out what the vulnerability was, there was in the meantime, there were hackers that started to attack. So they were actually very careful, these people of DIVD not to start shouting, crying wolf too soon. But in the meantime, the hacker started to attack. So your information sharing is absolutely essential. But the real world goes very fast, and to make it a bit sharper, some of the attacks we can only follow with the help of artificial intelligence because they go so fast that we need artificial intelligence to follow the pattern of attacks and how they are shifting. And so we will have artificial intelligence talking to artificial intelligence somewhere else, telling, you know, it looks like there is an attack going on here. So we are starting to put our autonomy in the hands of artificial intelligence.”
“So you need to think about how do you deal with getting your bits and pieces from all across the world? And basically, I study this topic a lot, there are basically three approaches to that. You can kind of do your best. It’s a risk management approach. You muddle through and you keep your fingers crossed that it goes well. And this is actually probably 90 percent of the time what we do. Then you can say I only work with those parties that really trust my like-minded parties, and you could build coalitions in that, and that’s increasingly popular. And then you could say, Well, but perhaps this problem of these attacks is such a problem that we need to collectively, at a global scale, deal with it, take the stability of the core of the internet. The internet is of everybody. Perhaps we have to jointly manage the domain name system as we do internationally. We do that and Icann. So that is a core issue of trust, and we did find some way with all its pitfalls, but it works to manage the stability of the internet as a global system, as really in a global collaboration with the private and public sector. So we need to think about the approach that you follow, risk management, strategic partnerships, or doing it as a global common good and you need to also think about it where would you then do that?”
In the interview, famous cyberattacks are discussed, like SolarWinds and ransomware WannaCry.
Other subjects covered in the interview: cyberattacks on SolarWinds, Kaseya, and ransomware WannaCry, about the Digital Markets Act, 5G, Zero Trust, DVID, the Dutch Institute for Vulnerability Disclosure, Debunking Strategic Autonomy, and a lot more.
For the full podcast, listen on the TrustTalk podcast channel or go to your favorite podcast platform, like All podcasts are being audio-edited by Job Dijk of Steigerstudios in Veenendaal, The Netherlands