Good evening. Thanks a lot for that kind introduction. So coordinator, actually I am of Cybersec for Europe, which is one of the four prototypes for the cybersecurity competence that we're, and going to see actually that we're going and to see at the same time at Frankfurt University at a professorship for mobile business and multi-let security, which means that the nature of this talk has to be somehow ordered, otherwise I'll have a problem. And this is basically the the agenda that we like to get through. I like to get Soons the next 17 and a half minutes.
It's a bit about these EC initiatives and then especially about CYBERSEC for Europe. The reason is that cybersec for Europe being one of these four pilots, it is designed according to the original idea of the European Commission as in for blueprint of this European cybersecurity competence centers.
As there was a long list of things that and we should bid for when we were bidding for this project. And that is pretty much reflected in the regulation for the ECC or an wise worser. And so I'm going to introduce a bit of that and that should maybe give you an idea on what may happen in future.
Even though of course nobody of us knows what's going to happen in future, that in the end I'll have a summary outlook with some personal comments because if I don't have a summary in an outlook as a German professor, I'll lose my pension. And if you would've looked into the web of the European Commission some years ago, you would've seen this slide. That was basically when the European Commission made this proposal for the center. That was back in 2018. And that was shortly after the bidding process for the bidding process for these pilot projects was closing.
So May, 2018, the pilot projects bidding process closed and the idea was that the pilots would start working end of 2018 and would then possibly and would then possibly get their work done and and select it sometime in October. Meanwhile, the commission was starting this proposal already, which is interesting because the pilots he would see later he should work on the governance of this new things.
So in principle we were supposed to influence this kind of regulation and before it was coming out from the commission reason for that as as rumors say, was that there was fear that the next European parliament, so the ones that we have elected a few years and a few years later would actually have so many populous parties in it at a European center would never be possible And that's why they wanted to start a bit earlier. So that's why they started earlier.
This is rather now and what is starting earlier meant for us and we will see what you see from this picture is that easy webpage of this in ECC and you see that something has happened. You see that it's in Booker arrest which already and was mentioned here while quite a few other places were bidding. And at this moment in time you may wonder actually why is A U E C and when there is already ZA as a European networking information for UT agency. And that was a question that many people asked and some people said, well maybe Iza is a bit too far away from the center of the European Commission.
It is in Greece, it is some parts even in Queen. Maybe the next one will be in, this one will be in Brus, Luxembourg on Paris. But some were, some were closer in the end the member states decided to have it to Romania because they decide about that.
And some people say that since, since some of the enthusiasm of S hold and exercise has a bit gone away. But meanwhile easy center is there, it has met and forced time now with its governing boards at other member states, representatives.
And when you click further on the website, you will not see very much further activity except that there wasn't bit for the, a bit closing for the executive director and that was closed in September. And you may want to guess when you, when the bid is closing in September, 2022 when you things in new and executive director will be in place as an optimistic guess 1st of January, 2020. Sue who would bid for that 1st of March, 1st of May, 1st of July, 1st of September, 1st of November, 2020 3, 20 24. Okay.
Either you don't want to make a bit or you are really more pessimistic than the people in and people in the commission or somewhere around they say that September 23, originally I understood 23, September 23 at 21st of sep, 23rd of September or something.
But then I didn't know that the bit was going out again.
Anyway, what we have as a situation is we have this board and we have this board, we have the center and we have a few things on the website. We don't have very much on activity yet. And and that comes now to the point where maybe useful and maybe your crash has invited this talk and said well maybe you can tell us about the plans that were happening. And the plans were imper to all of this activity to have pilot projects to try things out.
Actually four of them and sometimes altogether called cyber competence network like Echo, Concordia, Sparta and then Cybersec for Europe, which is the one that we in f are coordinating. And the whole idea, let's say official statement was to say, okay everything in in cybersecurity in Europe as well as are fragmented and it should be better synchronized and better harmonized.
And that's of course is a good reason for the European Union to issue money. And that's why it was planned to be to be like that.
And of course what we do see is we see that in European cybersecurity innovation research but also implementation is relatively fragmented and when it comes to investing big money, then very often big investors from other parts of the world are coming in and catching the, and promising and catching the promising entities. So that is the, let's say that is the official plan, let's do something else here and that as you see it's a slide from my chair that I thought I bring in and let's see where we are and where we could and would need to be.
So you see three questions that from time to time we have been, we have been asked like is cybersecurity understood as a core of transformation and as the European systems secure and do we need to improve on cyber security?
And of course you with yes and no, you can make some really easy answers and and then you can maybe create a major press and press echo or something like that by claiming nothing is working. So this is more the the list of what to do. Like when you're asking a professor, you never get the yes or no but you get homework. So the homework list is what you have here.
So and and that's something also that we try to fulfill with Cybersec for Europe. So obviously we need to beef up on cybersecurity on quite a few things, but we need to make sure that cybersecurity doesn't eat us all and that's why and classic, classic and European civilization values are important. That means we shouldn't like collect everything just because we need it for cybersecurity Also then are we actually sec are we, do we have an a secure scenario in the current reality?
Well probably there's always something insecure but what we definitely think we need, we need to better understand what's going on. So that was another idea that you will see in Cyber six for Europe then and more European collaboration. Okay and do we need to improve?
Yes, but how, and one thing indeed was get a better transfer from knowledge to action or more consistent regulation. None of that is an official statement or anything like that. But I saw that may be useful as my personal comment to integrate it here. So what is CYBERSEC for Europe? It's one of these projects a bit larger than usual like all of these four pilots about 40, 40 plus partners in 22 European countries.
The idea was to indeed all of the and all of the European Union as much as possible at least and work together, SMEs, larger organizations and universities, all kind of different and all kind of different organizations.
And this is a project architecture with four pillars that you've seen in the agenda. And the idea now is to go through that a bit and to check where we actually check where we are with regard to this.
So these four pillars are supposed to supposed and to solve some of the issues and deal with with work and they are actually pretty much taken out of the original call from the commission. So reflecting what the commission said, we would like this ECC to do so and governance and design and pilot. So basically the question is how do you organize such a thing? It's European-wide, it should have some national branches, it should be inclusive. We'll see later what it what it means research from research and innovation to industry. Obviously we want to get this innovation cycle faster and better.
So that's why you have that pillar education certification and standardization was coming in with a lot of capacity building here, especially education certification was mentioned and we will see something on it even though it was not necessarily meant to be the first line of things.
Because while all of this was announced, you may remember Inza was in reform also and was said Inza is going to be the certification agency in future.
So some certification but maybe not so much for the other new new entity and then communication and community building because indeed it was understood that this needs to be something that people need to do jointly together. And that translates into some of these work packages and basically each of these boxes and a work package, if you know how European union projects work and then they're doing something and so let's ghost with these pillars and see what we've done and what we're recommending.
And the first thing is in this governance design and pilot, which translates for us into a work package two. And now wherever you find something with a deed that isn't deliverable on this to be and downloaded from the cyber sector for your websites because a indeed we have produced quite a few of them and I think most of them, if not all of them are actually quite interesting to read.
So what we've been doing in this one is, and if you're still interested, you're welcome to talk to our colleagues from Trent University, try to find viewpoints from people, interview them, get stakeholder involved. Big discussion was is this a top down or a bottom up activity or how can be actually and combined and how could such a governance structure in Europe work to make sure that was our idea to have candid reports on what is really happening to reach decision makers.
Because what let's say what you could pretty easily see is you see very often is people saying, well we know something is wrong here but if we tell we get punished basically for what we're going to report and we're going to say so we will never say that in the open. Maybe you want to say that. And of course governance structure that is not overcoming this kind of problem is not a proper governance structure.
And what turned out is that in many regions of Europe there are local communities that are working nicely. Not all of them are recognized by the specific centers in the, in the country.
Germany is a federated state. There are the regions are actually well fully strong but in many other parts of Europe you see that that isn't really happening.
And so it turns out that let's say the pilot idea on how to organize something bottom up was actually around this so-called community hub of expertise and cybersecurity knowledge, this kind of check and the an implementation of that we tried in a few things, especially inter lose because obviously in France decentralization is still quite a bit of a task but also other in parties and and people who were involved with that and learning on recommendation out of that is the following.
If you want to get that synergy from top down and bottom up, it turns pretty soon us and up to us that the bottom as the bottom and top down is somehow going to work because all of administrations are prepared to do top down.
But enabling the bottom up will be the important issue and two key elements we had of feeling are important for that and that you find with key elements of trust into an organization and that is secure participation.
That means basically when there are boards, advisory groups or whatever they should be not just be invited, I'd ho for once meeting and if somebody tells the truth in the meeting is that doesn't fit to whatever policies they can ever get invited again, you need to have some consistency and constants in the boards so that people can indeed follow up on discussions even if they report something which is maybe not a nice message and organizational transparency that comes down to this point of I'm going to report something. Maybe I'm telling about my own weaknesses.
Do I understand who's going to learn about that and how do I make sure that the truth that I'm going to tell that maybe weakening myself is not going too far out and and getting me into trouble that because that is the only way how you can get people to something, something candid.
So next place, and again where we fast on these ones and this kind of innovation cycle for that innovation cycle we said we should have three work packages working together and saying usually of course you have security research, great, that's nice and but very often it is not applied.
You've seen many of these examples. So we thought maybe we should have these three work pictures was one was doing research, one doing applications and that is an application areas, the blue ones that you actually see here and who may or may not have very much experience in in cyber security. And we should have the application areas collect their requirements and their experiences and confront that with the research results and either overviews on new developments and wise versa also.
And then two results can come out there may be matches and matches are nice because let's say low hanging food and you can build some demonstrators and be and show how they, how they look or there may be non matches and they should actually go into a research strategy to make sure that in future these areas are actually being addressed.
And that's how we did it. So you have these seven blue blue areas and no, don't worry, I'm not going to tell you about all of these variations, but you see some software assets around these blue areas.
So these were things that were matching and if you're interested, I'll come later on that one you can see some of the prototypes on the website and also also elsewhere. That's an issue in solving some of the issues in these seven application areas, starting from open banking and going as far as medical data exchange with smart cities somewhere and in between The other next thing is what was not a match or what was where was something left over and that we actually did together with the other pilots.
That's why you see this now in green and we brought some things in and this is let's say the statement of the pilots on what should be actually a future research do and should consider things.
And you see that and shaped into something like disruptive and emerging developments which need to be taken care of starting from quantum go to AI and personalized privacy protection, seeing a kind of architecture idea that people had in terms of trustworthy ecosystems of systems because that is important ecosystems of systems and trust building blocks like elements that need to be made secure that they can be used to other elements and there is further research maybe to harvest it from that.
And on the left side then all of the governance and capacity building things that we and that we see here. So that was basically something that we delivered as pilots delivered into the first meetings of the governance board of the ECCs that meanwhile was coming at some kind of shaping the and first working groups that they have eventually I think some of them will be published.
So so much for this and for this cycle again we can come back but I see I have already found and four minutes of 45 minutes. Yes. So next one and skills capability, capability building and tools.
So there was, let's take first the education educational things.
One thing was take stock of where do we stand with education And the other thing was try our innovative ways, how to get things done and and for the innovative ways there are a number of flagship exercises that we've tried out and the typical thing here is these flagship exercises that you may have seen elsewhere were not necessarily so technically driven as existing ones, but there were more or application oriented or finished partners who were organizing that were very much into try to get this closer to people and that people talk and see how they learn about it.
So there could be some interesting experiences from that. And when it came to the assessment of existing education, there was basically let's say structures that were produced for example, like which areas and knowledge areas exist and how do they actually, how does education as it is actually is going to fit into job profiles and does all of that fit with what we have as academic programs or as in schooling programs? And that's what you see here.
And you can see that academia, top three education areas and industries, top three education areas or training areas are actually not fully, not fully matching. Those of them consider data security to be some kind of important. But when you see in a, you will see much more in system and connection security. While in industry you see more societal security and software security. What interestingly you don't see an I let's say of the favorite things is an human security in terms of including social engineering.
We've talked the whole day if people were talking about click weights and social engineering and so on, still nobody considered that to be a major skill in in thing. So from that point of view, that is an interesting outcome. And few other ones, again, if you like to see an overview of what programs exist, you find that also if you see an analysis in a, in a nutshell, typical classic crypto education exists. Meanwhile application oriented education for specific sectors like for example the seven areas that we have that where we often doesn't exist except for few, let's say privileged sectors.
Next thing was to say to have tools, sandbox and sandbox creators have been developed, especially by our colleagues in Bruno. So to try out new things in the sandbox for testing that has, that has happened and is implemented. And some of that is in Gito just as an idea.
Another thing we've been talking about certification and validation and what turned out to be a major issue.
And so we were trying to address that is transparency about certificates because there's so many entities that are issuing certificates for this and that and for quite a few other things and how can you try to get some order and this and sectors example may show you something, something about that. And what you see is you see as sources for certificates, you see the NVD vulnerability database from this. You see common criteria with the certificates, you see this FIP for crypto modules.
All of that is creating a certificate landscape that some people or many people actually have difficulties to try to, to understand what's going on. So the idea of this thing is actually to get us all together and have some kind of integrated view on all of these certificates.
And that turns out to be interesting because you may remember that have a certified products like the an IHAs card and Austria that an was working with a chip and that was already at the same time used in the E I D and it was a certified chip and nobody knew about that until the eing came came up.
Now the idea of this one is if you see a certificate and if you can combine that and have that in a, at least see semiautomatic way combined with and combined with reports on vulnerabilities that should help you. And this is actually the one for this EID thing and it's not the worst one here you see more of them.
So, and standardization basically keep up with most European, European standard and and advance that we have there. That gets us to outreach and community building. A number of events have been happening and I should mention this one because it is the summit conference of cyber for Europe first and 2nd of December in Brussels online.
And you need to register but you don't need to need to pay if you, if you like. And we have a number of people also to discuss of some of the ECC people like for example zeki or and QAR pogon yak dealing with these kind of of messages.
So some weird outlook I would say is as a project I think we have done quite a few things. We have beyond the work plan also implemented principles and practice in terms of let's say use digital ity and open songs in terms how you, how you do your, your conference and and work program and execution and how do you communicate. So we had a GDPR compliant, EU hosted open source web conferencing activity going on there, which was not in any work plan but which was happened to be important then when we worked.
And so that's nice where we are with regard to this, I would say, say we have contributed in all of these areas. Something that was beyond, let's say our abilities to lose and something we can also maybe use as an organized European Union regulation, E I D wallet regulation is important. Trying to strengthen devices, chat control regulation is trying to weaken devices, put in break crypto, reduce crypto break and defenses of smartphones and that kind of thing still needs to be sorted out. That is something that was beyond what we could and do as a pilot. Thanks a lot.
And I think there is time for questions and comments.
Yeah. Well that brings us more or less to time, but if there is a burning question in the audience, is there anyone wanting to, to ask Professor Berg a question? Yes. No.
Well, while you think about that, the one thing that I wanted to ask you is that you have now an audience of cybersecurity leaders. What's your call to action to them besides joining the conference, you know, what would you like them to, to take away today and how would you like them to get involved and participate in this whole process?
Well, one thing is I think this whole digital ity thing is not convenient, but I think it's a core element for cybersecurity and it can mean, and from that point of view that greening is an example. It is not convenient. So most convenient way to organize your IT infrastructure. For example, for web influencing, you can do it with three clicks. All you can do is we're setting up a strategy and say we want to look for, provide for providers that are small and not bigger than ourselves and and organize it yourself and doing things yourself.
And in let's say doing this extra work is an essential, is an essential investment, but it can pay and can pay off. And the other thing of course as well, seeing cybersecurity while you're digitalizing this interaction between cybersecurity people and application people prove to be very helpful.
Okay, there's your homework from the professor, off you go.