The state of cybersecurity is better than ever, even if it may not seem so. In fact, the level of digital security has increased immensely in recent years, but that does not mean that we are safe. The threat is increasingly coming from other sources, and Europe is not prepared for it.

“When I look at where we are today, it’s clear. Security is in a better state than ever before.” Mikko Hyppönen (pictured above), CRO of WithSecurity, paints a positive picture of the cybersecurity world during the Sphere conference in Helsinki.

The Finn is known for always carrying a floppy disk to remind himself where we came from, but during the conference he goes even further to the source. “In the meantime, I’ll take punch cards with me so I can make arrangements better.”

Chilled past

A broader look at the current state of cybersecurity, taking the past into account, immediately shows why Hyppönen is optimistic. “See where we were ten years ago? Then we talked about Flash exploits. We were surfing the Internet with a browser that simply executed code directly from the web. Flash was still mainstream in 2014 and you could get infected just by browsing an infected website. Google didn’t get rid of Flash until 2015.”

“I see a night and day difference between now and ten years ago,” says Hyppönen. “Today we no longer see malware simply getting onto our computers from the Internet.”

Nowadays, we no longer experience malware that simply gets onto our computers from the Internet.

Mikko Hyppönen, CRO WithSecurity

Hyppönen sees several reasons for this shift. On the one hand, security has simply improved, and on the other hand, we work with very different devices. “A Windows PC and a Mac are actually legacy devices from another time. They are real computers for which you can write code and then run the code.”

Fewer rights, but more security

“These days, most people access the Internet via a smartphone or tablet. These things look like a computer, but they aren’t. They are closed systems and they are more secure. It’s a question of rights: we give away rights and get security in return.”

“We are really in better shape than ever,” concludes Hyppönen. “But I’m not saying we’ll win. The attackers aren’t standing still.”

From gangs to regimes

We also hear this more pessimistic tone from Toomas Hendrik Ilves, President of Estonia between 2006 and 2016. In 2007, Estonia was the victim of a large-scale DDoS attack that brought the country’s digital infrastructure to its knees. Since this wake-up call, Estonia has had a well-thought-out digital policy and Ilves has been fighting for better digital European cooperation.

“Commercial solutions today protect us well against acute threats,” says Ilves. “Such protection protects organizations from individual criminals or even gangs. However, things become more complex when governments intervene.”

Ilves sees more and more threats coming from nation states. According to him, countries such as Russia, Iran, China and North Korea have sophisticated departments that deal with the digital world both defensively and offensively.

Hardly any cooperation

“We in Europe lack the interdisciplinary cooperation that is necessary to adequately protect ourselves against this threat. An attack like NotPetya affects companies and governments in all countries simultaneously, but the EU and NATO do not communicate sufficiently with the victims.” The importance of cooperation was also discussed during Cybersec in Belgium, around the same time as Ilves’ keynote.

“We have national silos,” he complains. “Almost no national authority shares security information with another. NATO has only recently recognized the importance of the digital domain, but in reality has no clout whatsoever.”

The situation has improved somewhat, the former president admits. “When we discovered a worm in our military network in 2011 and informed NATO, the response was: ‘Ah, you too.'”

Nevertheless, Ilves notes that Europe and the West in general lack any operational capacity in the area of ​​cybersecurity. “ENISA exists, but it lacks the weight, capacity and personnel to respond adequately.”

bean counter

“In addition, EU regulations completely lack a security dimension,” he believes. “European politicians are bean-counters and do not understand the digital world. They still regulate with a 20th century mindset and do not realise how geopolitical technology is today. Cybersecurity experts need a broader role.”

There is a complete lack of a security dimension in EU regulation.

Toomas Hendrik Ilves, former President of Estonia

In this way, Ilves nuances Hyppönen’s optimistic vision. Where the business world has caught up in security, an important geopolitical cyber dimension has emerged. Security companies like WithSecure have made it their mission to protect clients large and small from rampant threats. But in reality, a coordinated European response capacity is also needed.

“We are in bigger trouble than we think,” Ilves concludes. Only when we realise that we have to do something can we do something.” The expertise is already there in the Sphere room, but unfortunately we have not met many politicians.