Belgium’s Top Cybersecurity Authority on How To Make the Internet a Safer Place
In 2017, Belgian cybersecurity officials launched a campaign aimed at one the country’s most pervasive digital threats: phishing attacks. Citizens were taught how to spot potentially malicious emails and were instructed to forward them to an address administered by the Centre for Cyber Security Belgium, the country’s central authority for cybersecurity.
At first only a trickle of emails came in, said CCB Managing Director Miguel De Bruycker. But the campaign continued and expanded over the last three years—by the end of 2020, about 10,000 suspicious emails a day were forwarded to the address, double the amount from a year prior.
“That’s a lot from such a small country,” said De Bruycker, who previously served as the head of cyberdefense for Belgium’s military. “And this gives us great visibility into new phishing campaigns—we see it in a matter of minutes instead of days.”
As the head of the CCB, which manages Belgium’s Computer Emergency Response Team (CERT) and is under the authority of the country’s Prime Minister, De Bruycker has his sights on more ambitious projects aimed at making the internet more secure. He talked to The Record recently about the future of digital identity and how governments must gain trust to implement strong cybersecurity policies. The conversation below has been lightly edited for space and clarity.
The Record: What does it take to defend a country from cyberattacks?
Miguel De Bruycker: Well, there is no silver bullet—there’s not one big solution that solves it all. There are different elements that are all quite important. And to start with one of these, I think you need a strong central authority, to be honest. It’s like driving a car: You need one person that’s holding the steering wheel. If you want to have a strong cybersecurity posture, you need one central entity in your country with official authority and trust.
Now, it’s important that the central authority has the necessary means to coordinate a national strategy with all the other entities involved. One of the biggest issues with cybersecurity is that it’s everywhere. You have the police, justice officials, foreign affairs, internal affairs, intelligence agencies, security agencies… everybody is involved. So I think it’s important to have one clear authority that is guiding the whole strategy throughout your government with respect and trust from all the others. But they need to make sure that decisions are in fact being made and being respected. The authority must also be trusted by the population and enterprises—that’s a really important element. In this domain, you need a government that’s trusted, trustworthy, and competent.
Cybersecurity in a lot of ways is owned by the private sector… there’s very little public space in cyberspace. Right now I’m in a car and the road is public space, which means security is being managed by the government. An enterprise has its own private network that is being connected to an internet service or internet access provider, which itself is a private company. That means there’s nothing like a public space, and it also means that if you’re a government that wants to make a difference in cybersecurity, you must be trusted.
The Record: How strong should this central authority be? When it comes to something like information sharing, should they encourage it or compel companies to share information about breaches and other threats?
De Bruycker: I think all of what you’re saying has to be done. But not all of it has to be done by one entity. There must be orchestration. For each of those elements, it must be clear who is in charge, who is responsible, and how it is coordinated. If you can do it from one central orchestration point, that’s great. In our country, we are trying to play that role, and it’s not something you can get just by laws. You need a lot of trust, a lot of competence, and you need to coordinate a lot. So it’s something that also takes time, it can’t be forced easily and just by law.
Also, it’s a give-and-take. It’s clear you need all those elements but you don’t necessarily have to pull them to that one central point. I think it’s important to have central orchestration of all your different capabilities and services you deliver. If you collect information, it must be clear who is collecting what kinds of information and how do you bring it together to make sure it’s actionable.
The Record: How do you use policy to accomplish these goals?
De Bruycker: We have different legal frameworks—we have the national implementation of the EU directive that is written into Belgian law. It assigns the national authority on cybersecurity but also gives the ability to identify cyberthreats to the country, to investigate, analyze, and notify users and owners of those systems.
The Record: Are there any cybersecurity policies that you think can do more harm than good?
De Bruycker: That’s more in the domain of the intelligence services rather than the real cybersecurity authorities.
The Record: What about new policies—can you think of a law, policy, treaty, or proposal, either domestic or international, that would help keep your country secure?
De Bruycker: The answer first of all is yes. Just to give an example, if we get information that a specific IP address in Belgium is under attack, if we want to notify the owner of that system by law, we need the Justice Department to intervene. If you have thousands of these kinds of notifications a day, you can’t write thousands of court orders every day and send them out. It’s simply not feasible.
I think one of the elements we could add to laws, and this is just an idea that we need to discuss… Every IP address is assigned to an autonomous system, and I think by law it would be interesting if we obliged each owner of an IP range under a specific autonomous system number to notify owners of specific vulnerabilities when they are made aware of it. I’m not talking about identifying the owners. If the government gets information that a specific IP address is infected with malware at a specific point in time, it’s not important that I know who the owner of that system is. The important thing for me is that they’re being notified and are capable of handling the infection or vulnerability. So if we could have a legal framework that says if you’re an owner of an ASN and you’re notified by a national authority of a cybersecurity issue with a specific IP address within your ASN range, then I think you should notify the owner.
Another element is that I think we should build additional security layers on top of the internet. For instance, digital identity in the future will play a key role in cybersecurity. I think we should still be able to use all the wonderful features and possibilities of working openly and anonymously in a free internet—that’s very important. But I think it will be as important to be able to send messages to someone and the receiver knows there’s a known digital identity linked to that message, and that I can see the difference between a message that is sent with and without a digital identity attached to it. The technology is available to do so, but those mechanisms aren’t very easy to use and are not really being used at the moment.
In Belgium we have a system called “itsme.” If you want to log onto a government website or service, you can do that with this centralized system linked to your digital identity card and is interfaced with a smartphone app. If I want to log onto a portal for paying my taxes, I click on the itsme icon, I confirm that I am who I say I am with my phone camera, and I log onto that portal. Imagine if you can log onto your email with itsme, and in the EU there are multiple countries that have similar apps, and in your inbox you can immediately see the difference between a signed and unsigned message. The technologies do exist right now, but they’re not easy to use.
Another idea is to work with organization or extended validation certificates on websites. If you connect to a website in your browser, you’ll see the lock—it means there’s a certificate on the website and the communication is encrypted. The highest level is extended validation certificate. To get that is not cheap, and it takes a lot of phone calls, paperwork, and emails to get it and maintain it. Underneath that is organization validation certificates, and underneath that is domain signed etc. If you have the higher-level certificates, you’re more or less sure about the legal entity that’s responsible for that website. For criminals it’s not difficult to get a certificate—there are so many providers that have them for free, and only require an email address. To get an extended validation certificate as a criminal is very difficult, because you need an identity that is known. So why shouldn’t we as a government for all entities that are registered in our national database, why shouldn’t we deliver the extended validation certificates? We know who is behind that organization, we know it’s a company or non-profit organization, and we know who asked for it because you have to use your digital identity to get into that database. So why shouldn’t we deliver the extended validation certificates for those domains? And we can do this not just in the country but on the EU level.
If you combine these two ideas, phishing emails will get a bit more difficult—you get a phishing email that’s not signed, when more than 90% of your messages are signed, and you’ll already be more careful. And then the link to the website has no extended validation while the government gives those out for free, so you don’t click on it. The technology is there.
The Record: Why doesn’t the EU do this already? Are there any proposals?
De Bruycker: I’m trying to propose it! It sounds easy, but to be honest it’s not always that easy. It means government will have to intervene in that process of an open and free internet. If you’re talking about digital identities, those are delivered by government. That’s why I keep mentioning why you need a government that is trusted and trustworthy and competent. That’s very, very important—otherwise these projects have no chance of success.
The Record: It sounds like what Estonia has done, where citizens can use a digital identity to vote and perform a wide range of government services online.
De Bruycker: I think honestly that digital identity will be a very important element in the future of cybersecurity. As long as the basis is an open and free internet where you have no identity and no idea who is sending you a message, it’s very difficult to defend in cyberspace…
And you have a lot of mechanisms you can build on that to solve problems. It’s not like the Holy Grail, but still, if you’re a hacker and you need an extended validation certificate and need to sign your messages, good luck. It will take away like 99% of current cyberthreats. These are the kinds of things that we should at least try to do as a government.
About two years ago we created the mail address [email protected] and had an awareness campaign warning the population about phishing emails, describing how to recognize suspicious emails, and what to do if you receive one. We decided to ask them to forward them to us, and we would handle it. In the beginning we didn’t get much, but for a few years we repeated that message and we have three partners that handle about 10,000 emails we receive each day. That’s a lot from such a small country. And this gives us great visibility into new phishing campaigns—we see it in a matter of minutes instead of days. We have outreach to Google and Microsoft and ask them to block about 2,000 URLs a day and identify more or less 50 rogue domains per day and identify unknown malware.
It signals we’re in this fight together and that we can trust you and you can trust us.
The Record: About your background in cybersecurity—your previous role was as head of cyberdefense for the Belgian military. What have been the biggest differences?
De Bruycker: I won’t talk from the point of the position I was in six years ago, when I was in military intelligence, but I can talk from the position I’m in now. I think governments should be careful developing offensive cyber capabilities, in the sense that there is a high risk that they will be misused by somebody else, potentially against your own economy, government, or population. We have a few examples of that, and I don’t have to name them. If you develop those capabilities—it can be technical, organizational, conceptual, or even human—it’s quite challenging to maintain control. If you develop a fighter airplane, you own it and nobody can use it just like that. If you maintain a non-disclosed vulnerability in specific systems or develop malicious code, you are never sure… It can quite easily be used by somebody else. Knowledge about a vulnerability can be lost, sold, or discovered by someone else. My experience is that you must be really aware of what you’re doing and how to protect that capability when you develop it.
If you have counterparts that do develop these capabilities, the question becomes don’t you want to have the tools to retaliate in that domain? I think you must be very careful.
The Record: I’ve been thinking about that a lot with the SolarWinds incident—what should retaliation look like? Is it using similar tools and technology, or should it be diplomatic?
De Bruycker: If I want to respond from my position and responsibilities, I would have to say that luckily it’s not up to me to decide or determine. It’s more of a political decision, and they have to go through a lot of options. From my perspective, the moment you leave the defensive side and go over to retaliation and response, you hand it off to other agencies and departments.
The Record: In your current role, what are some initiatives that you’re particularly proud of?
De Bruycker: The anti-phishing shield that we are building that started with [email protected] is a big one. The fact that we’ve been able to build up trust in our country between all the different security and intelligence services is another. We’ve developed platforms for collaboration and cooperation. Next week we will sit together with all the intelligence and security services and then the day after with all the sectorial authorities—we’ll be talking about energy, transport, the medical sector. And we coordinate that and try bit by bit to implement the national strategy to make sure there’s clear policies. Step by step we’re getting there.
The Record: What are some of the biggest challenges?
De Bruycker: Making sure that we remain credible in what we’re saying and what we’re doing. I think the cyberthreat has been going up very fast for the last few years. It’s very difficult to measure it and show it. So my main challenge is making sure that the investments we’re doing in cybersecurity is following that evolution of the threat. If we shout too loud that’s going it up and we’re facing a cyber Armageddon, I may lose that credibility. In times of coronavirus, where we have enormous health and economic challenges, it can be difficult trying to convince others that there is a need for more cybersecurity. The main threats to cyberspace I think are the facts that cyber incidents and cybercrime might go up so strongly that people lose trust in the environment.
Security is often more of a perception than a fact. In 2016, we had the terrorist attacks. Before that, people felt quite secure because nothing ever really happened. After that, we had all sorts of security measures go up dramatically, and people felt less secure. They see military in the train stations, police in the streets, concrete blockades in front of government buildings. That security is much more visible, and it strangely enough gives more perception of the threat even though you’re more secure. My fear is that as it gets more and more visible, people start losing trust in the environment.
The Record: What other cybersecurity lessons can be learned from the terrorist attacks?
De Bruycker: If you look at the terrorist attacks and the COVID-19 pandemic, it’s the Black Swan theory, you shouldn’t be blind to the threats that you don’t see. You must always be prepared to respond to the unexpected, and that’s also true in cyberspace.
We have an internet service provider think tank with the five most important internet service providers in the country to help think of these events. It’s starting up. These are the things we should do—thinking about what can go wrong, are we capable of responding, in what way, how fast, and who will do it.
The Record: What can you tell me about the think tank?
De Bruycker: Not much! But we’re meeting regularly. We set it up a few years ago and are setting up some interesting projects that I can’t really talk about because the think tank is a closed community built on trust. Again, it’s all about trust.
The Record: What’s the secret for establishing trust?
De Bruycker: Being competent, showing that you’re trustworthy, and time. It takes time to build trust. And if you don’t manage the risks well, you will lose the trust because things will go wrong. Connecting people is also really important, and that’s a pity with the COVID-19 pandemic—we meet through online tools but you can’t meet face-to-face and have coffee breaks or lunch. All those international meetings, the fact that all those people are meeting and getting to know each other I think is sometimes more important than the projects themselves.