Eastern Frontline

Europe Under Cyber Attack: The New Frontline of Security

The Eastern Frontline Group and The Parliament Magazine Season 1 Episode 6


Cyber attacks are happening every day across Europe — often thousands of times per minute. But how serious is the threat? And how prepared is Europe to deal with it?

In this episode of Eastern Frontline, Latvian MEP Reinis Pozņaks and Estonian MEP Jaak Madison are joined by Juhan Lepassaar, Executive Director of the EU Agency for Cybersecurity (ENISA).

They discuss how cyber threats are evolving, why artificial intelligence is making attacks more sophisticated, and why Europe’s digital economy was never designed with security in mind.

The conversation explores the growing role of state-backed cyber actors, the vulnerabilities in global technology supply chains, and the challenge of building resilience across Europe’s critical infrastructure, from energy networks to hospitals.

They also examine what governments, businesses and citizens can do to protect themselves in an era where cyber attacks are no longer exceptional events, but part of everyday geopolitical competition.

SPEAKER_00

So hello everybody. My name is Reinis Pozņaks. I'm the member from European uh for European Parliament from Latvia, and I'm surrounded by two Estonians today. One is also my colleague, Jaak Madison, and uh Juhan Lepassaar, the executive director of ENISA. What is that?

SPEAKER_01

It's the uh EU cybersecurity agency. We've been around for 22 years now, and we're trying to help member states to build their cyber resilience, uh, understand better the threats, uh what the risks are and how to tackle them.

SPEAKER_00

And uh how is the situation with cybersecurity is another thing everybody's talking about. But I assume that uh this is the thing we cannot like observe what's what's really going on. So, how is it?

SPEAKER_01

I I always like to talk at what do we see today and uh what do we see coming potentially, but also talk about uh what's haunting us from the past. So it's looking from this angle. Um what we see today is of course quite worrisome, but that's not something new. Um so we have uh uh ever-increasing amount of cyber attacks, we have ever-increasing sophistication of cyber attacks, and I think what is the new element there is that uh the cyber threats are really enabled by the new technologies as well. So uh the large language models that everybody likes to use, uh please help me, ChatGPT. The threat actors, by the way, use them use them as well. Uh and increasingly they use it very, very in a sophisticated way. So, one of the big uh issues in Europe is of course uh cyber criminals trying to uh um yeah uh blackmail people out of their money, uh sending you messages. Please push this link, please push that link, trying to uh impersonate that they're your bank. Um, and of course, this kind of phishing we call it in cyber. So this kind of phishing gets more and more uh sophisticated because 80% of phishing is AI enabled. It's your neighbor calling you, it's your daughter calling you to get help and please send me your PIN codes. So, I mean, and of course, this happens on the individual level, but it also happened at the structural level. So we see threat actors um like Russia, China employing more AI models to do very sophisticated cyber attacks. We see uh also different threat actors collaborating, cooperating, uh exchanging technologies, procedures, methods, and that's very worrisome. So that today is already very difficult. Tomorrow will be probably even more difficult. And part of it is enabled by the fact that we built this internal market that we have in Europe uh uh across many years, and and and now a lot of products are they have digital components. But guess what? This software that uh they all use is pretty crappy, it's riddled with vulnerabilities. 
And and so the fact that the threat actors can do what they do is partially the fact that, well, internet wasn't built for security, and digital economy wasn't built for security either, and they are now misusing it massively.

SPEAKER_03

Yeah, I'm just always like figure trying to figure out you know that there have been like very many cases in Estonia where especially the elderly people like who are 60 plus have given uh like maybe 30, 40, 50,000 euros. And I'm always figuring out where they are keeping this money, how it's possible. But somehow, of course, the the phone calls are you know that we are calling from the police. Uh, we are trying to help you. There are some uh thieves who are trying to rob your bank account. Now, please give your pin codes, you know. Like we have the system like where you have to put the smart pin codes, pin one, pin two, and then you can have like the bank transfers. Put those uh please put those pin codes on this link, and then we can secure money is uh in safe. And so I think the one side is that yes, there are always like the people has always been who are trying to rob you and uh trying to get your money. But on the other hand, I think there's a huge problem with uh with uh average people who are not very clever and who are just believing and trusting everything on the other side of the phone call. So I've also had several phone calls, uh, mainly in Russian language. And I'm just uh I've said like in Russian language some good words that I'm not repeating that it here and say that uh Kovari Postonsky in Huey and uh and then it's over.

SPEAKER_00

Yeah, true. But but obviously there is like more areas, it's it's like crimes, thieves, trying to get money, but there is also like attacks to critical infrastructure and all that kind of stuff. So you're also working with that, right?

SPEAKER_01

Yes, indeed. And that I think is that's the main mission of the agency to help member states kind of tackle these kind of things. So when we talk about threat actors, yes, they're cyber criminals, but then what we have now is we categorize them, let's say, state actors or state-enabled actors. Uh and the most active ones in Europe are Russia and China. Um, and what they do is cyber espionage, uh, especially when it comes to uh Chinese-related threat actors. Uh, they are trying to get the Europe's intellectual property, get a kind of a bridgehead in our critical infrastructure, um and to be there, observe what is going on. Oftentimes it's not about trying to uh destruct or destroy or disrupt something, it's really kind of a forward positioning, it's called. Uh, when it comes to China, it's it's very much you know economic interest uh-based, uh, at least that's what we see now. When it comes to Russia link threat actors, it's very strongly linked with uh the political narrative of Russia, the political aims of the Russian state. Um and uh that also means that a lot of the uh Russia link uh actors are focusing on public administration, trying to penetrate, uh get the secrets out of the European governments, um, but also uh critical infrastructure, critical sectors which they see as linked with Europe's strong support for Ukraine. So transport, uh, energy, infrastructure. And there the the aim, of course, is not only just to observe what is going on, but oftentimes to hinder, destroy uh, and uh disrupt operations in Europe. Um, there is another part which is more hybrid related, and which is also related to misinformation, disinformation campaigns. Often these lines are pretty blurry. Um what is cyber, what is hybrid? You know, we've seen also, you know, currently cyber attacks using hybrid means. Um so that it's it's not easy. 
We put it all in the same basket, more or less, and say, well, there is one threat actor, they have different toolboxes, they use whatever they can in order to send the same kind of a signal. And sometimes the signal is listen, Europe, your democracy is not working, look what we can do. So this kind of uh undermining our values, undermining our systems, that's also part of their operations. And then the the the third group that we see is, of course, we call them hacktivists. So they're politically motivated private sector actors, sometimes affiliated with state sector actors, sometimes not. Um their means of uh, let's say disturbing us is the classical DDoS uh denial of service attacks. So they just overwhelm, they use botnets which overwhelm our uh you know uh public-facing uh digital infrastructure, oftentimes web pages of critical service providers, like ticketing of uh a railway company, or you know, uh it could be a public broadcaster in Italy, uh, something that they can attack and bring down for a couple of moments, and uh then they claim victory. Um, it is a nuisance in cyber terms because the the disruption is not really visible. Uh most of these types of attacks, uh uh our member states are pretty resilient of handling them. But it depends very much on the sector and the in the infrastructure that we are talking about. And one of the things that we have observed over the past years is that they get also more sophisticated, they get more help from the state actors, the level of intensity and the way that they are pretty agile in you know changing their attack vectors. They still use the same methodology, but they are much more sophisticated in doing it, and of course, that makes it much more complicated for the defenders to do their job.

SPEAKER_00

But basically, we are just to understand we are talking about thousands of attacks on a daily basis. Yes, right? So it's not just time by time, but like constant uh battle every day because we're in Riga airport and they said they have a couple of hundreds day.

SPEAKER_01

Like basically if you look at the European scale, there are we don't know the number because it's and the numbers are so massive that it doesn't say you anything. Uh uh thousands of attacks by minute. Um, you know, it depends what you're looking at. Um what is important is that uh, and I think that's something that also Europe can be quite proud of, that uh despite this massive amount, only very few attacks um are successful. Uh so the amount is super uh super super big, but there are more and more significant attacks as well, where there is a breach. So the success rate is not only about whether we get breached, everybody gets breached sometimes. Security in cybersecurity sphere is never absolute, it's relative. But the issue there is resilience. How resilient we are. Can we, you know, everybody stumbles, but can we get up very quickly? So it doesn't matter. Do we have backup systems? So it doesn't matter if your encrypted data is stolen if you have another trove where you actually have the same data encrypted, but it's segregated from the one that would have been stolen. So of course in the long run it does matter. So better not to get stolen, anything. Uh be resilient. So uh do you have systems in place, uh redundancies? Um, and and when we talk about redundancies, then we talk about investments, money. So that's the thing where always when we say cybersecurity is about time and resources. Time always works against you. And if you want to build redundancies, if you want to build resilience, that's the time that attackers are already using to penetrate your systems, to come to your critical infrastructure to uh to make sure that your healthcare system doesn't work, to make sure that the trains are not running, to make sure that the energy uh company can't send you bills, which means that they can't sell you energy because they don't know anymore, you know, how much they have uh given the energy to these uh customers and not. 
Um so time is one critical factor, and the other one to have the resources to actually do what is necessary. Uh and sometimes the resource means people. Mostly it's about having the people. And in Europe we have a shortage of 300,000 skilled cybersecurity personnel. Uh so one thing, of course, that companies oftentimes do, like when I'm gonna say companies, it's like hospitals, uh railway companies, banks, they use technologies. So they use service providers. Um, I don't have an army of cybersecurity specialists, so let's put a nice little software there. Well, guess what? Sometimes this software is not trusted. And that's also part that Europe can do. It can make sense of what kind of systems, what kind of technology is trustworthy, what kind of technology you can rely upon, what kind of service providers you can rely upon. So that's something that if we put this to the every critical uh entity, I mean, a hospital's main aim is to cure people, not to do cybersecurity. So there needs to be somebody out there who says, listen, hospital, if you put some money there, this is okay. If you put money there, not okay in terms of cybersecurity. The fact that hospitals already think about cybersecurity is a good step forwards because they didn't used to do that. Um but it also goes to it's not only hospitals, it's now utility providers, I mean wastewater, water management. Uh it's it's a lot of it's a lot of, it's it's it's a big part of Europe's economy that needs to be protected uh in terms of cyber. And we are doing an increasingly good job at it, uh, but we are still playing catch up. And why we are playing catch up, we never have enough money and we never have enough time. Can I ask?

SPEAKER_03

Actually, I will ask. Actually, I think you have a pretty good overview about the situation in the different European countries. We know it in Estonia, okay, how we are dealing. But what is your in your opinion like uh uh which European countries are doing the best? Of course, we are like Estonia, Latvia, we know it we are next next to the Russian border. But uh, how is the understanding generally? I mean, like in Malta, Portugal, Spain, Italy, how is the understanding of the risks, how much they are actually investing for the protection? And uh what I mean, like what is the like the general understanding in the on the European level is the first thing. And secondly, uh, like we are in the European Parliament, of course, there are some legal work here, but also in the national parliaments. Do you see any kind of the legal problems when we are protecting ourselves, especially uh against the cyber attacks? Like do we have some kind of lack of the uh lack of the laws? Where uh is there any kind of the problems that actually you have a capacity actually to protect us uh against those attacks, but uh you can't use some tools because of that? I don't know, this private law is saying this, and that's why we can't use uh effectively some things like well are there any kind of legal problems also?

SPEAKER_00

I will just add to this and is there like difference with intensity of those threats in different regions, like it's more in eastern flank or or or it's the same all over the euro.

SPEAKER_01

Yeah. So um I have a management board and every single member state sits there. And I'm sure they are now listening. It's like, okay, what will this guy say? And I don't want to get sacked. So I'm not going to say who are the laggards, who are the but what what we well I can say at the European level, the picture is we actually do measure cybersecurity per member states, but that's not disclosed publicly. And then what we do as well, we look at okay, what is the overall level of cybersecurity in Europe? I mean, I actually I have a number, great, uh 62.65. 0 to 100, Europe is 62.65. Is it good or bad? That's the question. I think it's okay, but we can do better. And my answer to your question, which member states are good, which every member state has strengths. Every single member state has strengths, and every single member state has weaknesses, but they are different.

SPEAKER_03

You're absolutely like very good politically correct.

SPEAKER_01

Thank you. You're welcome. But the point is it what makes Europe stronger in the sense that we have a common vision. And that links, I think, with what your second question is, you know, are we missing something legally? I mean, you can always tinkle around, and I think we can still build a bit our vision so that it's more comprehensive. But uh the parliament has done a good job and put together kind of the main building blocks of cybersecurity, um, which really help to understand, okay, that's the common vision. And why is it so important? Because in cybersecurity, we are in the same boat. And um the problem is that if you are the weakest link, it's not only you who is targeted, through you, it's the others as well. So we are so integrated, our supply chains are so mashed up together that if one of us does not do the homework, all of us will suffer. So, and that's why I think collaboration, coordination, and cooperation in European cybersecurity is super important. And that's why I'm very grateful that I have all the national cybersecurity agencies in my board because we do it daily to see okay, what can we do to help not only the strongest but also the weakest. And the the you know, when I when your question is like, okay, do we see a different differentiation between threat active behavior towards the member states? Yes, we do. And there it's it's pretty simplistic. So cyber criminals who are driven by greed, money, uh, they always attack and tend to uh let's say look more on the markets where there is more money. So if you look uh uh GDP per capita, you know, these countries are always uh on top of the list also of uh of of um uh ransomware attacks, uh cyber criminal attacks, etc. Then if you look at uh, for example, Russia-link threat actors or activists which are motivated by Russian political interests, then obviously the countries in Europe that are very vocal and uh support Ukraine, uh they are on their attack list. 
And there is a very strong correlation um with which we've looked in 2025, also in our threat landscape reports, is whenever there are either uh discussions, political discussions in in a member state that are linked with should we support Ukraine more or less? Always. There is a there is a wave of activist campaigns, but also Russia-linked threat actors targeting this member state on this particular moment. So, yes, definitely the frontline states are very much on the front line in these terms, also in cybersecurity.

SPEAKER_00

Okay. So then I have a question about China. There were some cases, I think, with the buses and and also with the cars that they found out that basically buses and also cars. Like they have like five SIM cards sending no one knows what exactly, no one knows exactly where they send the data, but basically the fact that they are like collecting and sending data. And all those cars and buses have cameras, microphones, and also surveillance cameras, you know, uh in in in all of Europe from China. Do we somehow what's going on with this like electronic field, you know? Because there's people who say that every iron from China is sending data uh somewhere. So do we do something about that or it's just yeah?

SPEAKER_01

Uh so uh thanks for the question. That actually helps me to tackle one of the big issues in in cybersecurity, which is supply chain security. What we see is that that is a main risk. Uh it's an emerging risk, but it's also present risk. Uh, that more and more uh also when we look, when we think about like say I'm a transport company, I want to protect myself from cybersecurity uh threats. What should I do? Okay, protect your perimeter, know your assets, you know, kind of this uh basic stuff. Okay, I'll do that. But then you have a contractor or a subsupplier, um, and the you know they don't do it, so immediately you're exposed still. Uh so it's very important that also the the whole supply chain is is uh uh is securitized. Now in cybersecurity we know that absolute security is impossible, it's very difficult to achieve. So the we we talk about we are we are pretty relativistic about it. So what is the level of risk? Uh so you know I buy a uh Chinese consumer goods, uh uh supposedly, let's say it sends uh data back to uh to China. So what what's the risk? There might be situations where it is a risk, and there might be situations where it isn't a risk. So there I think what what what we have started to do in Europe is really to understand in what kind of situations we we can't allow these kind of potential threats to emerge. And where does it really matter, and where doesn't matter so much and take the appropriate measures then. So it's never about closing totally the market or or but it but it's really looking at the most high-risk areas and understanding there as well: do we have sufficient controls in place, or could one of the controls be that you really need to um uh have a clear overview about your providers, and some of the providers you can only trust if you have full control over it, which is normally in in any kind of a political environment. So the it's the ownership control, it's the fact that your laws apply to them. 
Uh one of the one one of a European service provider once told me, and listen, in the end of the day, it's about whether the American CIOs or CEOs or you know their bosses are willing to go to jail in the States to protect our values. Do you think that they are willing to do that? If you think that they're willing to do that. Then the risk goes down. But if you think that realistically they probably don't care, then you need to do something about it. So the and that's why uh this understanding of what what what elements uh in our our digital market uh are such a high constitute such a high risk that we need to put more controls in place is very very important. And I think we we've only started this debate in Europe. Uh and again I I from my point of view that does not uh constitute everything. So it's impossible that you securitize everything in in in your life. It's you know nobody wants that and and it's not even feasible. Um but but in in in some areas you need to do this.

SPEAKER_00

Because I I think we have one example, it was uh after the Huawei scandal, this uh 5G act or how it's called, basically in communications. But should we do uh the same in in more areas, like energy? Because a lot of energy depends on on China's technologies, and and you can like with with uh we had the cases, you know, the blackouts, which you can basically do with very simple uh manipulations, like uh if if you have control over it. So, do you think we should uh do the same, for example, in energy as we did in communications?

SPEAKER_01

Well, um uh the agency, of course, is a implementer, so we implement whatever you say that uh please do this, and then we say yes, boss, we do it. Uh so 5G is a good example because here we are the implementer or we are part of uh supporting the member states who are actually the implementers there, and it's also important uh to recognize this. But we build the toolbox, the risk assessment. It has it has been there for eight years now, but only a handful of member states have actually implemented it. And you you ask why. And it we go back to the same two things time and money. First is in order to get rid of certain technology and then replace it, it it's a massive investment. And you ask private companies, please, you know, you just invested billions in this technology. Now sorry, get rid of it and um put another uh technology in place, similar, by the way. Um why should I do that? I don't have the money to do that. Uh first and secondly, I don't have the time to do that. So again, you run into the same problem. So I think we we we need to look uh how we can help also the private sector at the European level, um, but also how to help member states to better understand uh the time frames and what is necessary to do now and what can be done in the future. And there I think this kind of common understanding and expertise really helps. Should we do something in energy? I think every single critical sector should have their own risk assessments and say, okay, these are our critical things, these are the things that we need to protect. These are this is the layer that where the risk is very high, and we we really need to do something similar that we did in 5G. So, but I can't say what it should be because that's really uh something that every sector needs to drive itself. And by the way, situations are in member states might be also very different. 
Uh so you know we we talk about railway, railway being now uh in terms of criticality, the criticality of railway sector has risen because it's part of the logistics of the of the let's say the European effort to support uh Ukraine. Yeah. Well, but you know, Malta doesn't have any railways, so probably they're quite out of this.

SPEAKER_03

I was just thinking about the different things. Uh uh Reinis, which car do you have? You are driving with which car? New car? Yeah. Uh not Chinese. BMW, Audi. German, yes. German car. So and and you have probably you have also this uh you know the direct connection to the SOS if something happens. Yes. So technically your car is hackable. Yes, of course. Uh absolutely. So you can listen what you are doing in your car, what you are talking, which uh with which girl you are there, what you are doing with your girl, uh everything. So probably you are also like uh like But it's the same Exactly, exactly. So finally the point is that I feel like the main point is is it the Chinese or North Koreans or Russians? But generally it could be also like some kind of you know the European country uh who will have a new government who's saying that actually it's for our security that we have to know what Reinis Pozņaks is doing in his uh German car at night with his girlfriend, right? Yes. And then for the next elections, uh Reinis, are you voting now in favor of Ukraine still? Or think twice, or you're voting against for this resolution because otherwise, tomorrow in the media there will be some kind of, you know, the nice stories, and your wife will be very happy. So it means that technically it's the I think that the problem with the mentality of the people is that we want to have everything very advanced. We want to have the newest smartphone, we want to have the new social media channels, we will love TikTok because you can have a funny uh cat uh videos there. Uh and then the people are forgetting that uh but shit, actually, you're giving away all your privacy. And when you have a really privacy problem, then the people are screaming, no, I can't use, I don't know, like uh digital euro because it will uh take away my privacy.
Jesus Christ, you have given your privacy away with everything, with your new German car and with your mobile mobile phone, so everything is hackable. So finally, but like I mean, like the point is that where to find a balance and where to tell to the people in the public that forget the dream that you can always advance in the life, you can always have more and more and more uh technical because finally you don't want to have the life where you even your I don't know your laundry machine is uh electronical and controllable uh by the security service uh from China.

SPEAKER_00

So I mean like the final you have to that's true, but I think the thing is I I feel much calmer if Germany company collects my data. No, I mean but it's acquainted anyway.

SPEAKER_02

It's using Wi-Fi, right? It's using Wi-Fi, internet connection, so it means like you have like a good guy who's hacking your uh car and done.

SPEAKER_03

It doesn't matter like which uh uh which uh German car it is. Uh so I like also German cars but I mean like uh of course Germans are fine, but probably like Chinese or Russians are smart enough.

SPEAKER_01

But I would agree, I mean, it's it's it's also about having the appropriate uh uh controls and mitigating measures in place. Uh so most communication in the digital era is encrypted. So even if data is stolen, can you decrypt it? That's that's another question. So uh and that's why ensuring strong encryption is very important. Um also we need to look, okay, what about the post-quantum era where where encryption becomes a bit of a cost? Yes. But there are systems already in place and there are roadmaps and methodologies that you can use in order to um mitigate that risk as well. So uh it is doable, but the important thing there is knowing the risk and also accepting it, that indeed there is a balance out there. And I'm not advocating return to the kind of a pre-digital era. I think nobody wants that. I think that there is a knowledge of the risks. Yes, the knowledge of the risk is important. Exactly. Um commenting on this, but uh, I think I think the the balance there is very important, and that's why we need also politicians to to kind of struck the balance, right? Where where where is it where where should it be?

SPEAKER_03

Um yeah, but I think also the one thing is that we are talking like always, we're talking in Europe about how to protect ourselves. The Russians are hacking, Chinese are doing, but I think we are never talking enough. And of course, this is the thing, like where even if you know it, you can't say it probably uh very honestly. But the main thing is like, how do we realize our capacity and possibilities to uh counterattack? I mean, like I I would be also very very interested to see like which kind of files they have in the defense ministry in Moscow, just for fun. You never know, or uh or what's the deputy minister is doing at night, maybe he's gay, so we can have nice things to you know to provoke them. Hey guys, like you want to or uh probably of course in this case the guy will fall down from the balcony next day. Uh button is that often, you know. I mean, like uh are we investing, okay, uh to ask it politically correct. Are we investing in the European countries enough to also to organize counterattacks just for the protection to protect ourselves? It's like I mean, like, you know, we are pushing them back to their side on the border. Not we are not not we shouldn't talk only about how to protect ourselves and how to be smart enough, but they're still continuing.

SPEAKER_01

So I'm a civilian agency, so my my my baseline is to protect the internal market. And that's where I help the member states as well. Um, offensive capabilities have been member state with sovereign decisions. So uh Europe has not dealt with this, but of course, we can help member states. And of course, there is this saying if you want peace, prepare for war. And in cybersecurity, what you know, if you translate this cybersecurity, then it's like if you want resilience, yeah, know your risks and then tackle them. And that's I think where we can help. We can exercise, and that's what we are doing as well. As in the agency, we organize big cybersecurity exercises, cross-borders, multi-sector exercise. This year in June, we will have the Cyber Europe, uh, which is the biggest uh cybersecurity exercise in Europe, where we have maritime and rail sector. There is a hybrid component. What we are actually essentially doing, it's you know, there is a lot of attacks coming in, some of them are hybrid attacks. Some of the systems that you have you're unable to use because some of the things that you normally use are not existing in digital environments anymore. Uh, the the threat actors have been able to disable them. How do you act? What do you do? Yeah, these kind of things. Uh and why we do that is to build resilience so that you know, first of all, uh damn, I have vulnerabilities there. I should build redundancies there. Uh actually, uh my neighbor has a similar problem, so maybe we can do it together. Uh so and there I think we we uh we we help member states and we help uh sectors to to understand better the risks so that they can be more resilient. The other thing is that we actually do now, uh it's called EU cybersecurity reserve. It started when the when the Russian War of Aggression uh started in Ukraine, is uh there is a fund in place. Uh and uh member states can request ENISA, my agency, to to come and help them in in when when there is a cyber incident.
So we help them uh with that. Or if they don't use it, if you know they have their own capabilities, they can transfer some of this fund to building their resilience. So, for example, for the nine member states that are more on the front line, we've used uh given over a hundred uh service provisions, which is like 60% essentially. We use trusted private sector actors to hey guys go and try to penetrate their systems. So we pay somebody to be a hacker. Um and we then the ones, and of course it's uh only ever done when the beneficiary knows it and they agree with this, and of course the member states need to request it first from us. Uh but why do we do it? Essentially, it's like yeah, it's a real war situation now. Can you defend yourself? Uh so we're not looking really on the offensive part, but we are doing the defensive parts, and um we are doing it increasingly well. Um so I'm very happy. And definitely when I look at sectors, uh so where do member states request us uh to uh provide these kind of services? It's public administration first. Public administration, so obviously they are trying to uh make sure that these uh the data and our governments are secure. Uh it's energy, uh it's health, it's transport.

SPEAKER_00

So these are the critical ones. But are there somehow uh some big attacks predictable? Because you know when you have a military attack, you can see that the collecting personnel and um armored vehicles and then they're gonna attack. Is uh in cyber world, it's like always a big surprise, or you can predict that something is uh going on?

SPEAKER_01

Yeah, the environment is very uh much uh agile and fluctuating. So um what you can predict is um and what we do for the member states as well is to understand better the techniques, the technologies, the procedures and the methodologies uh that uh threat actors are using. So this, you know, if you know what they are doing normally, you can also see okay, if they do that, can I protect myself? Um so this part is predictable. But the way in always changes, uh and why it changes is like what I said in the beginning, we use services, products which are uh software enabled. This software has vulnerabilities. Last year, more than 40,000, 4000 vulnerabilities were registered, new vulnerabilities. 40,000 in the vulnerability registry. And why is it important? Because normally when you have a vulnerability, the first is: is it critical? Uh do I need to do something about it? Because there are a lot of vulnerabilities, but they don't matter. I mean, you have your own garden, this garden is surrounded by a fence. This fence has a hole. Well, but it's a very small hole, nobody can get through. So it doesn't matter. Well, you have a bit of a bigger hole. Okay, a dog can go through. Maybe a dog carries a bomb. Okay, I need to patch it. The same kind of logic applies in cybersecurity. So we need to assess whether these vulnerabilities need to be patched or not patched, quickly or not quickly. And then something needs to be done by the transport sector service providers, by the energy sector service providers that use this software. Um, the problem there is that threat actors are acting increasingly quickly. So it used to be the fact that it took them 30 days to figure out how to exploit this vulnerability. Now it's about one or two days. And when I say, so how long does it take to patch these things? Unfortunately, the metric is months. Months. So it is very much about resilience. 
Assume that you are already attacked, assume that they're already inside your system. Now, what you need to do. I mean, and that's why I say, you know, offensive for what? They're already there. You need resilience, you need redundancies, you need to be able to quickly rise up and move forward. And I think that's the metric in cybersecurity that really matters. Okay. Have some questions?

SPEAKER_03

Uh maybe like just a final question for me myself. I think like as in the traditional military, you know, we are always like telling in the public that be prepared. Always check that you have for seven days you have some water enough and food, and uh, and if you can join with a defense league to go to the military exercises on a free time, you know, prepare all the time for the problems. But as also the cyber world is also one of the parts of the military world, actually. It's just on the other level. And but do we have enough, or like if you will give some kind of advice for the average person who's sitting now on the couch and listening and watching you, and saying, okay, it's a nice thing, but it's very far away somewhere in the other worlds. I don't know how it's working. What's the average person on the couch now? Like what he or she should do, like uh what he or she can do really to be prepared if something happens. Is it like uh what will be the main advice? I mean, because all the protection starts actually from the society, from each person, like uh can give themselves some kind of you know uh things to make it safe for everyone uh in the state or in the whole EU. So what I mean like what you are doing yourself or what you are teaching to your kids, like uh how to be safe in the cyber world.

SPEAKER_01

My daughter is already 17, so I have uh very little influence over the she's literally uh but you're right there that uh cyber awareness is critical. And I think we tend to neglect that. Uh I mean I remember when I went to school um in my first year, there was a class uh where a policeman came in and uh and taught us how to operate safely in the city environment, how to cross the streets and etc. etc. We are in the digital society now, and we need something similar so that people know how to operate safely. There are always risks out there. You don't uh block yourself in your own home and never go out because you know that there are cars and you know dangerous things that might hit you. In the same way, in the digital space, you know you're forced to interact with it. So you know you need to be aware that there are risks there and act appropriately. And that's always the case, that there is no safe space. You exit your home, there are risks. You go to the internet, there are risks. Now that's the first kind of principle, which also means that um trust is something that you should not automatically give in the digital environment. If possible, always use two-factor identification and both as a consumer and as a service provider. That way you protect yourself and you protect your client. It will be harder for the threat actors to just, you know, breach and steal your one password. Well, it doesn't matter if one password is stolen, but there needs to be a two-factor identification, so I'm safer. On the other hand, that also means that whenever somebody tries to make you feel that you are in a crisis and you need to give out information, that's wrong. Whenever you feel a pressure, now is the time to give out your PIN codes. Now is the time that you need to take a picture and send us uh your identity card, that's wrong. Stop. Yeah, and I think this kind of an ability to stop yourself, not to react to stimuli outside. 
It's very much a kind of a Zen approach now, but that's important in the digital space, and that's how you can protect yourself. Think, breathe in thrice, and uh think, can you still do that. And finally, at the end of the day, it's the same thing, you know, build redundancy, have backups. Um, yes, it is. Uh I wouldn't say it's a military thing, it's more a security part. That's uh you need to have redundancy, you need to have backup so that you know that even if something happens with this part of your property or valuables, and in the digital world, this means data oftentimes, uh, you have this other place where you keep either a copy, identical type of information, or better still, some of the stuff you never should put online.

SPEAKER_00

Okay, I think that's a great conclusion. Take care of yourself, don't trust anyone, and make backups. So, okay, thank you very much, and uh yeah, take care of our internet. Thank you.

SPEAKER_01

Thanks for inviting me.