The head of Luxembourg’s new private sector cyber-risk protection agency has defended the grand duchy’s approach against suggestions that it’s too fragmented and that it’s difficult to know who’s in charge. On the contrary, Luxembourg’s decentralised approach is finding a following elsewhere in Europe, starting with France. “It’s a heterogeneous way of working. It is by design.”
Pascal Steichen, CEO of the Luxembourg House of Cybersecurity that was launched earlier this month, told Investment Officer that Luxembourg specifically avoided setting up a single, centralised approach to cybersecurity. He said the country chose to set up “not too many” entities “that would concentrate on specific aspects, areas and audiences, and then build the coordination around it.”
Earlier, some cybersecurity specialists had suggested that Luxembourg’s approach lacked horizontal integration that is needed to successfully stave off cyber attacks. This view was expressed during an interview on Luxembourg’s cybersecurity response by PwC Luxembourg’s Koen Maris. Maris, a partner at PwC Luxembourg, said about Luxembourg’s cybersecurity response: “They are doing what they can, … the landscape is very fragmented, for some people it’s even impossible to understand who’s doing what within the government.”
Different approach
Steichen took issue with this characterisation. “I would not say it’s fragmentation, it’s more of a heterogeneous way of working,” he said. “And this is by design.”
Maris, speaking prior to the creation of the cybersecurity house, had pointed to what he saw as a proliferation of initiatives and organisations in Luxembourg. “There is no central point addressing all of these issues,” he said. “That would definitely help from a country or a governmental perspective to provide some centralisation in order that everybody could know where to go.”
Steichen explained that on the public side, coordination between the public entities is “working quite well” and an international strategy has been defined. But he conceded, “still I understand that to the outside, it might still look a bit complicated.”
Three years ago, he explained, the national cybersecurity brand Cybersecurity Luxembourg was created with the idea of setting up a single website: cybersecurity.lu. Here “everything can be found”. Behind this website, there are various players, various aspects, he explained “but still there is one entry point.”
He said that the creation of the cybersecurity house is the next step towards giving a clear sense of who to go to. “The idea is to make it easier, to make it more straightforward.”
French admiration
Steichen said he’s confident that this approach is working, adding that other countries are following the same approach. He pointed to France, whom he said is “looking into pushing more heterogeneity in their way of working”, noting that France traditionally follows a “very centralised” way of working.
Steichen said the French have expressed admiration for the private sector protection focus of the Luxembourg House of Cybersecurity. He said the French Agence Nationale de la Sécurité des Systèmes d’Information cyber-defence organisation told him it could not protect small companies and the private sector even if they doubled their capacity.
“It’s interesting to have this responsibility put into different entities so that you can have a more global protection,” said Steichen. “So that’s why it’s by design. It has its advantages. It has also its disadvantages in that it needs more, more communication, more ecosystem work, as we like to call it.”
‘Many challenges’ for investment firms
Steichen explained that the renaming cybersecurity.lu was done to raise awareness, “to make sure that this quite complex topic of cybersecurity gets better understood,” he said. He added that this is also hoped to raise the visibility, “so that more people know that such a public service exists and what are the services that are available,” he said.
Steichen is glad to see that awareness of cyber risks is improving, especially at the highest level of companies. But he is quick to add that he sees “many challenges” when it comes to smaller companies, by which he specifically included many investment firms. “Even if awareness is there, they lack capacity, they often don’t know where to start, what to do.” He described helping such firms as the core of house’s activity.
Despite the high profile nature of the summer attack by a Russia-linked ransomware group BlackCat ALPHV on energy firm Encevo, “everything is in place to make sure that such cases are dealt with quickly, efficiently and in a timely fashion.” He pointed out that Luxembourg records about 800-900 such cases per year, and the level has been stable. He pointed out that, “It is clear that it cannot be 100% prevented.”
Work is being done on the EU level to identify the critical sectors and entities, he said, and “really be in close contact with them all day all year long, so that when there is an attack, the reaction can be fast because the entities know each other, the people know each other and everybody knows what to do in such a situation.”
Meanwhile the steady drumbeat of global cyber-crime continues, with the latest headline-grabbing incident involving Australia’s largest private health insurer, Medibank, where hackers had access to the personal data of nearly four million customers. Significant amounts of health information was also compromised according to news reports.