  • 2 days ago
Cyber Resilience Building Secure Societies

Category

🤖
Technology
Transcript
00:30 A lecturer at the School of Economic Warfare and an expert on all things cyber. And in this first discussion, he's going to be interviewing Andres Sutt, who's the current MP and former Minister of Entrepreneurship and IT in Estonia. And the topic will be Cyber Resilience, Building Secure Societies. Let's give them a warm welcome.

01:17 Good afternoon, Andres, and good afternoon, VIA Tech.

01:21 Good afternoon.

01:22 Delighted to be here together to speak actually about quite an important subject, which is the possibility to build cyber resilience. And we do mention it's an important topic in the backdrop of some terrible events still happening today at the far eastern part of our continent, in Europe and Ukraine. And again, delighted to have you here. So to get directly into the topic, which is cyber crime resilience and how we can build better, secure societies: you come from a small but very tough and determined country, Estonia, which somehow has always been tested by quite the same aggressive neighbor as the one in front of Ukraine right now. So as a historical backdrop to all that, can you tell us a bit about some past and perhaps recent Russian tests of your cyber resilience and how Estonia reacted? And that could be actually a great introduction to this important topic.

02:29 Thank you very much, Guy Philippe. And hello, everybody. So I'm not a tech guy. I'm just one of a few billion users, but I have learned some things on the way. So as you rightly said, we were really tested heavily. But not only us. It was the entire world. You see an enormous amount of DDoS attacks, phishing, ransomware, and so on. But perhaps just to give you a bit of context of the magnitude, how much things did change. You may know that in 2007, Estonia was the first country that was taken by a serious cyber attack coming from Russia. And back at the time, we really struggled. We had to use some very kind of tough ways to basically close our cyberspace. This year, or actually 2022, the magnitude of attacks was more than a hundredfold of what we faced in 2007. When we in the parliament passed the declaration declaring the Russian regime a terrorist regime, we got traffic to the website of the parliament in one single day equivalent to normal traffic to our website in seven and a half years. So it just sort of gives you an impression that... and we are not the sort of lowest-tech country. We are actually pretty tech. So it's not that nobody visits the parliament's website, but this is how it really played out. For most people and users, and it was banks, government offices, the president's office, everybody across the world, in most cases users didn't really feel it, because we were able to invest in additional layers of sophisticated but commercially available software to divert away the DDoS attacks. Last year was really the year of DDoS.

04:53 Quite stunning, this example of a hundred times more than things that you already experienced, and quite a statement indeed that Estonia managed to withstand that shock. So we talked a lot about, and you just mentioned that, the ability to find new components, new software and so forth, but when we discussed and prepared, we also mentioned a lot the element of the people component, which is, I believe, you tell me, quite an important one with regards to building resilience. So can you tell us a little more about how this has been developed in Estonia and how the threat awareness has actually been developed and educated all through the different layers of Estonian society?

05:37 I had a very steep learning curve when I became a minister. I thought cyber is taken care of by the IT guys, and then you discover that it actually is the top of the organization that has to understand it. And that, I think, is the most important leadership skill or focus that you have to develop, because we spoke earlier also a little bit about AI, which we are not going to go into here, but the fact remains that we globally will be increasingly dependent on technology, and technology does many good things for as long as it is safely handled. And if you take it from a corporate perspective, you want to invest in solutions which generate the revenue, but cyber is an expense line, so that is something that you can always kind of kick the can down the road until you really hit the wall. So that was something that we pushed at the level of government agencies and also for all critical infrastructure providers: that it has to be a topic discussed regularly at the C level. So what's the resilience of our organization in terms of cyber? If you can't get there, then you will certainly fail. And then, obviously, it goes down to each individual, because it's not the computer who clicks on the wrong link. It's always a human. And these awareness campaigns, I think, are equally important. So C level, but also the employees; it's a whole-of-nation effort to some extent. And it was actually quite positive to see that there was a survey made that back in 2019, it was about 60, I think, 3 or 4% of people, which I guess is not too low, who were using, for example, passwords not at a minimally required level, but a step or a few higher. This percentage by 2022 had increased to 72, which, I mean, it's still not 100, and it, I guess, never gets to 100, but at least you see a steady progress. And we had many campaigns specifically dedicated to educating people to understand that they need to check what is the email address of a mail that comes in, or they need to not use... all these, like, basic hygiene things: how you create a password, how you separate your private and professional stuff. Basic things, but these basic things actually make a massive difference at the end.

08:38 And reaching out to 72%, right? That's pretty, pretty, pretty good. That begets actually another question, because, okay, we understand you must invest in campaigns, for example, for the human component element, but then in the larger scheme of things, how much should nations invest in cyber resilience, and do you have any ideas of how we can break that down, this way to invest in cyber resilience?

09:03 And this was also something that I discovered, that we actually don't have that good a commonly agreed methodology and also benchmarking, because my background is also from financial regulation. So you regulate the banks, they take certain risks, you say, okay, fine, you can take the risk, but you need to allocate a certain amount of capital if things go wrong. So in my mind it was kind of a similar approach, that if you invest, if you have an IT budget, then a certain percentage of it needs to be allocated to cyber. But it's not only money, software, but equally it's for people, because you need to have your own, depending on the size of the organization, but you need to have your internal capabilities, and this is what you need to develop. So I think the human side is really important, but that goes back to the C-level thing. If a C-level says that, look, cyber is irrelevant, I mean, nobody at the level below is going to push for it. Perhaps the IT, the pure IT guy, but that alone doesn't help.

10:15 So maybe we have discussed perhaps 10% of the IT budget.

10:19 10% of the IT budget, at minimum, could be something that is a good benchmark. You can always do more, but then I think there is also a fair point to assess that you shouldn't overinvest either. You shouldn't build something huge if you are not facing that big risks.

10:36 Okay, I stress the 10% because after that we'll talk about cyber figures, so at least we have one first figure here. So we talked a lot about the people component. There are also elements of additional redundant capabilities when things go down, how you can have other capabilities that can still work. And there's actually one fascinating example in Estonia with the development of what is called the digital embassy. And I know this is a program which also had different iterations, so we're very interested if you could tell us a bit about why this digital embassy, what's the purpose, and how this program has evolved over time.

11:19 We are still probably the only country that has a digital embassy in another country, and the other country in our case is Luxembourg. But the idea basically came very much out of the cyber attacks we had in 2007, but also the history we have with our neighbor in the east, and it's not only a neighbor for us, but also for many other countries, a close neighbor. But in terms of the world, it's a neighbor for everybody. So, and that was the idea, that we should always be able to restore the most recent information about the business register, the people's registry, the real estate registry, your health records, because we have also the health system digitalized, so that nobody can really damage it if something happens in Estonia. It could also be a natural disaster, but I think with a natural disaster the risk is a bit different, but we all know what has happened in Ukraine, what Russia has done, and that I think is a very good argument to really think, and maybe you could put it sort of in a more conventional way: what do I do to ensure my business continuity as a sovereign? Because in the corporate world, it's pretty straightforward stuff, I mean, you need to set up your backup sites, test them, run different scenarios, but it's not obvious for a sovereign to have a similar sort of mindset, that if we cannot run it from our own country, can we still be able to do it from somewhere else, and then you could also think being further out, or in the cloud, or, I mean, there are different solutions, and we also now develop this concept forward, but I think the sovereign needs to think in the same terms as a corporation: what do I do in order to ensure my business continuity.

13:35 Right, and vice versa also, right, like so many companies still also need to think about that, and perhaps take an example from what Estonia has done with the Digital Embassy, and develop their backups, and make sure that the backups are actually always on, and cannot be poisoned, and all those elements.

13:52 Yeah, absolutely, absolutely, but also at the individual's level, I mean, at the end, your own personal files, photos, whatever you have, I mean, you don't want these things to just disappear because, well, sorry, I forgot to make a backup.

14:10 Okay, so the people component, the backups, because we're still in resilience: we have a shock, and it's not that we're going to protect ourselves against the shock, but we're going to rebound, and, you know, survive a shock. Now, something that only nations can do, I don't know about companies, but a critical element we discussed when we were thinking about this exchange is developing reserves, and that actually brings us back to the element of the human factor. So, again, in what shapes and forms has Estonia thought about developing reserves, developing reserves for the cyber domain, and what are the different ways it can be done, and perhaps also for companies?

14:57 It seems that size matters, and as we are small, we can't always afford big numbers, or at least in terms of headcount, so we need to be creative in discovering how we can pull different resources together. And what we did last year, or initiated last year: as in every advanced country, you have your CERT, is it CERT-EE, like in our case, or CERT-FR in France here, but what happens if there is a major cyber incident, and you just lack people in the CERT? So is there a way how you can pull in somebody else who is available, but actually employed in another sector? So because we have all the public services also digitalized, we have five, six IT houses, which basically run the government systems, so that was the second, like, layer of reserve: if CERT is not capable, then they can pull in the people from government IT houses, in order to manage the incident, and recovery, and all that is needed. And if it then turns out that it's still too big to handle for these two layers of people, then we have also something that is like a paramilitary cyber unit in the Defense League, which is also trained on the subject, and then they could also be pulled in. So it's basically a very simple exercise of pooling your resources, which you do because of a necessity that you just don't have enough people to man or to staff sufficiently, or for any case any organization. But as probably everybody here also well knows, there is a very stiff competition for cyber talent anyway, so you probably would be dreaming out and wide if you think that the government is the most attractive and best employer so that you can build up a huge team. So teaming up, this is, I think, very important, and then, and that's sort of my own thought at the moment, one could also think of the private sector operators, because you have telcos, you have banks, and these are also trained, but then obviously making the teams work together, having joint exercises, is very important.

17:41 If I just want to focus a little bit on this issue of reserves, because reserves are critical for resilience, for what you said, not to have the ability to be overwhelmed by the situation: compared to the people who are actually doing the job day to day, how many more people do we need? To have a sense of how many people should be in... what is... we're still looking at figures now.

18:11 The size comes again into play. With all these three layers we have about 100 people. Then some of you could say, look, 100 people is nothing, you can't do anything with it. But now, I have to be honest, I can't tell you. I think at best maybe 30 of it; I need to double-check it, because otherwise this is a wild speculation. But it's certainly a very leveraged structure if we can pull other people in. So, as with leverage in finance, it works if you do it the right way.

18:51 Okay, well, so things for thought, but I will drop you a line on that so that you can... yeah, exactly. That goes back actually to another element you just mentioned when you were talking about exercise: the element of training. So how do you train people? How do you actually train the people in the field, perhaps people in reserves, perhaps people for awareness? What are all the different elements of training which are important, because otherwise there is no... this element of resilience.

19:24 Cyber battles are really, in my opinion, one of the best ways to train, and also in the State Information System Authority, which is in charge of cyber security, or ensuring the cyber security, they also do red teaming tests on a continuous basis, all these kinds of... I don't think we do anything rocket science in Estonia, but it turns out that we do at least most of the things in the right way, and most of the right things in the right way. You may do wrong things in the right way, and that doesn't really help you. But these war games or cyber battles I have found very useful, and also there have been a number of events, including international ones, which have been made for youth, but that I think is also very important, that you make young enthusiastic people compete against each other in the cyber field, and these young kids are really amazing, how they work and deliver. So that I think is also an important element.

20:43 Fantastic. We're about finished, but do you have any final thoughts? I mean, we've been quite exhaustive, I believe, for laying out the foundations of resilience. Any final comments?

20:55 It's all about people and leadership.

20:56 Now we have it. Thanks a lot. Thank you, Andres.

21:00 Thank you. Thanks a lot. Thank you.

21:03 And do stay here, because right now, I think in a couple of minutes from now, we'll have another great fireside chat on cyber figures and the situation in cyber today. Thank you.