Helmut Fallmann's introduction statement to the Fabasoft Breakout Session #18 "How the lack of IT and network security threatens the European digital economy“ at the European Forum Alpbach 2017
Ladies and gentlemen of the panel and the audience, dear moderator,
My company Fabasoft and I have been a partner of the European Forum Alpbach for several years. One of the main reasons for our partnership is my deep-felt regard for the digital and economic integration of Europe. Based on my experience in the security of today’s dominant ICT cross-sectional technology I am strongly involved in European forums and bodies. My aim is to contribute to the realisation of the digital single market within the European Union to secure the economic future of our continent.
Our participation in the Economic Symposium of the European Forum Alpbach gives me the opportunity to explore the most important topic of today’s European economic development together with the experts gathering at the podium of our “Breakout Session”: Information and network security as a prerequisite to a broad acceptance of the irreversible digital structures of our economy!
Digitisation concerns us all. Over the course of a few years only it has become a decisive factor in all of our value-added processes. The level of mastering the technologies involved determines how our industry as well as our small and medium-sized businesses can seize these market opportunities. The establishment of a universal network society with almost limitless access to knowledge and information as well as a marked increase in the liberalisation of the global economy has dramatically changed the rules applying to a successful market presence. Businesses must be able to grasp the complexity of digital economy if they want to continue having success. All the while, the pressure of transformation is gaining daily with every technological innovation. Economic operators are facing challenges never known before as a result of the speed of development in ICT which forms the basis of most scientific achievements of our post-industrial data economy.
New market potentials can only be realised through an up-to-date implementation of ICT in innovative business models. This approach modifies established business processes and frequently demands an enormous change of business cultures that have been successful for many years. However, ICT is also an indispensable driving force of social participation, the social, democratic and constitutional conception of our community.
ICT, a synonym of cyber security
In today’s Breakout Session, experts will be talking about the many dangers inherent in the global network labyrinth which we will need to ward off if we want to continue benefiting from the triumphs of the net. The digital mega trends from areas such as mobility, social platforms, Cloud Computing, Big Data, Industry 4.0 or the Internet of Things (IoT) can only exercise their economic power to the benefit of sustainable prosperity if we succeed in keeping the manifold and highly professional threat scenarios from the dark net at bay.
Considering the arsenals of cyber crime we need equal opportunities which in turn depend on a highly innovative, European-made information and network security. Today, virtual space knows almost all forms of delinquency which have previously only been an issue in the real world: They range from fraud, extortion, corporate espionage, money laundering or human, drug and weapons trafficking to conspiratorial arrangements on the planning of coups or terrorist attacks.
The global sources of conflict have moved into the net. We lag behind in this ominous development because IT and network security have not yet established themselves as a primary common property of society. In line with the key topic of this year’s European Forum Alpbach we now have to establish a consistent phalanx of science, economy, politics and culture which will have to deal with securing the most important assets of today – information and data. Extensive cooperation of all forward-thinking players is the only way to influence the strategic thrust of future network development and make it a place where an economy based on fair rules can evolve and become a fascinating place for everyone.
Despite this important vision we must not forget that real-life experiences in human communication are also of great significance. The worldwide net offers a sea of opportunities, but it cannot serve as an offline surrogate for real communication. Out of this realisation, civil society must assume responsibility for balancing the virtual and the real world. Activities in the net are particularly successful if they lead to accompanying initiatives and relationships outside the cyber world.
Living and acting by European values in the net
Cyber protection holds all the qualities it takes to make this reconciliation succeed. States, businesses and people who defend European values will also do so in their net landscapes. In this respect, information and network security amount to more than the ability which arises from a concerted technological capacity to protect data, intellectual property and accumulated know-how from unauthorised access.
Cyber security can therefore become the enabler of a unique European culture largely protected against overall harm. This culture will also prove its capacity to battle the socially undesirable in the net.
It is of great importance that information and network security should become a categorical imperative in these dynamic years of striving towards the fulfilment of the digital single market. On the basis of national innovation clusters we must strengthen the cooperation between science & research and the manufacturing industry to achieve software and hardware solutions for data protection and network security, taking start-ups as well as small and medium-sized businesses on board. Training curricula on cyber protection need to be refined and adapted to the latest threats. As IT entrepreneurs we have to build awareness as well as create offers to securely handle digital data and the resulting European technological developments in their entire breadth of today’s challenges in society.
IT baseline protection should already be a reality at every single company. Even though there is no lack of information on how to implement IT security strategies, sensitivity towards the right approach of IT systems on the most basic hazards such as dubious email attachments has not yet prevailed, even less still on the level required today across all components and resources applied by IT. The number of SMEs battling such vulnerabilities as password-protected access to the company network, antivirus protection, data backups, patch management or encryption is still much too high, to say nothing of their implementing fully compliant IT. In the age of Advanced Persistent Threats (APTs), phishing, account hijacking by men-in-the-middle attacks, CEO fraud or ransomware, botnets and DDoS, a firewall alone is not enough in terms of cyber protection. With the advent of BYOD (Bring Your Own Device), a shadow IT has emerged. Over the past few years the resulting insider dangers have led to a considerable increase in the fragility of badly protected company networks. Few of the large corporations have well-conceived concepts for MDM (Mobile Device Management) with structurally defined access rights for documents and company resources that are based on the requirements of the respective job profiles. The emergence of many new appliances resulting from linking IT such as industrial control systems with sensor technology applications with CPS (cyber-physical systems) will lead to a further growth of the dangers in data theft and data misuse. Businesses of any size need to understand that they now have to raise their profile on IT baseline protection quickly and comprehensively unless they want to miss out on the benefits of entering digital economy.
The standards on IT baseline protection issued by the German Federal Office for Information Security (BSI) provide information on the construction of an effective information security management system. They draw upon the IT baseline protection catalogues developed by the Federal Office over the years and allow to set up basic security concepts for typical processes, applications and components in IT. They are divided into five modules according to a layer model:
- Comprehensive aspects of information security, e.g. staff, data storage, outsourcing
- Security of the infrastructure
- Security of the IT systems, e.g. clients, servers, telephones, laptops or mobile phones
- Security in networks, e.g. WiFi, VoIP, network and system management
- Security in appliances, e.g. email, web servers and databases
These descriptions contain an overview of the relevant threat scenarios and the recommended standard safeguards. Broadly speaking, an IT security strategy must be developed by following the individual steps of structural analysis, risk analysis, implementation and consolidation of the evaluated security measures, quality control and certification as well as on top of this the development of an emergency/failure concept (recovery plan).
Many SMEs would probably rather capitulate in view of the complexity of these challenges, put digitisation off for fear of cyber dangers or scrape by on their limited IT security while simply hoping that they will not be attacked. I can reassure them: There is a great number of experienced service providers who can help them with their information and network security. At Fabasoft, for example, we have already implemented the requirements of effective cyber protection into all of our solutions “by default” and “by design”. Our industry has always perceived itself as a custodian of the customer data that has been entrusted with us, and can therefore offer customer solutions comprising all of the required security features based on the tradition of security-oriented software engineering. A business that decides to outsource its data to the safe environment of a high-security Cloud ecosystem is making a good investment into its future.
In the final year before GDPR will come into effect we are particularly focused on mobilising SMEs in terms of cyber protection. On the basis of the NIS Directive, network and information security for the EU’s critical infrastructures has been realised at a very high level which in turn leads to many new accountabilities of data processing services and infrastructure providers.
From our perspective, the obligations arising from Art. 32 and 35 of GDPR are particularly relevant since they deal with the security of processing personal data or rather the mandatory assessment that data protection is ensured at the outset of particular risks. With availability, resilience, reliability and integrity, security of processing aims at the intersection of data protection requirements and information security. The implementation of both legal obligations is based on keeping a production register which needs to provide the name of the procedure, the purpose of processing, the interested parties as well as the responsible party.
By including the interested parties, legislation is addressing the manifold connections in the processing and forwarding of personal data. At Fabasoft, we have always been following this approach in the development of our software systems that are based on a central B2B Content Management. In terms of managing, processing and transmitting the data our customers have entrusted with us we are therefore perfectly prepared for the new legal requirements. Within the framework of GDPR, the rights and freedoms of natural persons always apply to the entire network of the processing parties.
The national implementation of the NIS Directive requires that by next year, all providers of critical infrastructures affected by the regulations (e.g. telecommunications, energy suppliers, etc.) must be named. In view of the fact that new forms of outsourced network functionalities such as SDN (Software Defined Network) or NFV (Network Function Virtualisation) are emerging in the Cloud environment, Fabasoft has been campaigning to include Cloud providers or, on the basis of evaluation, powerful OTT (Over the Top) providers such as platform operators with monopoly-like interfaces, wide coverage and high numbers of customers as critical infrastructures within the meaning of NIS.
I would like to close my statements on the universal significance of continuous and sustainable information and network security with a call I have already made several times this year to the Austrian and European IT security economy: Our country and our continent must consolidate their extraordinary scientific and economic resources and use them on making Europe a global model of cyber security in the years to come. In the spirit of Alpbach, we need a new and deepened cooperation of the brightest minds from computer science and the network industry to make Europe a top player in emerging trends such as quantum physical encryption, keyless data storage through “Secret Sharing“, the use of artificial intelligence and machine learning in big data analyses and the identification of anomalies, or blockchain technology for information and network security as well as a massive development of robust fibre-optic networks at the height of security.