An interview with the European Union Agency for Cybersecurity

Why do we go to work? A simple question at face value, yet one that is particularly thought provoking in today’s world due to the diverse array of possible responses.

Employment is no longer just a necessity or a means to an end. For many, the purpose of work has evolved, expanded and mutated into a whole lot more. Be it personal progression, the development of human relationships, mental stimulation or the pursuit of success (however that may be perceived), careers provide a major source of satisfaction for billions of people around the world.

“Why did I get involved in cybersecurity?” – I asked Apostolos Malatras this very same question. 

“For me, it’s a lively, vibrant, dynamic field where you see things happening every day,” he responds. “It’s always changing and there’s a visible tangible impact in the work that you do. Cybersecurity helps to protect people, build trust, build resilience, systems and products. 

“It’s a profession with real influence and real usefulness.”

For Malatras, the love of work stems from a drive to make a difference, a pursuit that has seen him become a Network and Information Security Expert at the European Union Agency for Cybersecurity (ENISA). In this role, he helps support improvements in the digital landscape through positive contributions in the sphere of security.

“It is a landscape that is fluid, always changing,” Malatras states.

“In the past five to 10 years alone, we have seen the advent of many new technologies such as the internet of things and artificial intelligence, which have created much looser lines between the cyber world and the physical world.

“There were far fewer ways of accessing the internet 10 years ago. But today, advancements in devices such as smartphones and infrastructure with 3G, 4G and now 5G mean people’s entire lives have become connected, resulting in the rapid expansion of the global digital ecosystem.

“With this has come an increase in the complexity and scalability of cybersecurity, and there are threats in areas we’d never even thought about before.”

Case study: automotive security

The automotive industry is one such area that has gained a new wave of security-centric consciousness.

In the past, vehicles were purely physical assets, but owing to an influx of innovations, spanning everything from infotainment connectivity to remote software updates, they have become highly connected devices faced with potential exposure to hackers and intruders.

“A car is no longer just a car. A car is now the internet of things on wheels,” explains Malatras.

“Today’s vehicles come with hundreds of millions of lines of code, yet when ENISA first engaged with the sector in 2017 we identified a distinct lack of maturity from a security mindset. Why? Because 20 years ago, people would never even think that a car would need or could need protecting in a digital sense.”

Three years on, and this mindset has shifted, not least because of the efforts of ENISA through the release of its Good Practices for Security of Smart Cars in November 2019. 

And that shift has been necessary. Technologically savvy automakers have already successfully developed and implemented Level 2 automated driving on our roads with assisted steering, braking and acceleration support, and it won’t be too long before Level 4 or 5 cars capable of driving themselves take to the road.

“These even more advanced vehicles will probably be one of the first applications of artificial intelligence that we will see in terms of decisions being made completely autonomously by algorithms,” Malatras explains. “Of course, given the ability of cars to cause road accidents and harm there are ethical concerns about how they will work. But as long as the appropriate attention, consideration, measures and integration are paid to security, there is every reason to trust that even fully autonomous vehicles will be secure upon rollout.

“It’s like any other technology. How do I know that my mobile phone charger will charge my phone without an issue? If it’s been designed properly and tested rigorously, it will work as intended.”

Collaboration is critical

Talk of the future turns attention to ENISA’s own role in the cybersecurity ecosystem, whose development the organisation assists in multiple ways.

In the public sector it supports the implementation of legislation via the Network and Information Security (NIS) directive, part of the EU Cybersecurity Strategy. Here, critical sectors are identified and security roadmaps created in line with industry progress.

And in the private sector, the organisation plays a similarly important role.

ENISA Threat Landscape and Good Practices for Security of Smart Cars are just two of numerous reports it has published – studies built on engagement with industry stakeholders, creating a collaborative ecosystem comprising all entities.

“We pull together manufacturers, tier one and tier two suppliers, cloud providers, telecommunications specialists, and other entities that have a role to play in the connectivity ecosystem,” Malatras comments. “In doing so we’re able to provide the platform from which any consensus and/or agreement may be formulated looking at what security needs to look like, automotive or otherwise. 

“It creates stakeholder alignment in the view of what needs to be done moving forward.”

Indeed, maintaining an advisory role in this evolving landscape is not without its challenges. Yet ENISA will continue to take a proactive approach, ensuring it moves in sync with the markets that it assists in order to stay ahead of the curve.

“When we work on a specific project, it is important that we leverage the knowhow and expertise in each sector and gain an understanding from them as to why they are making certain decisions,” the Network and Information Security Expert states. 

“In doing so, we gain foresight into potential developments and can analyse any associated security risks.

“To bring it back to the automotive, it’s not just about the vehicle anymore. It’s about how the vehicle interacts with connectivity, with smart cities, with infrastructure. In other industries and sectors the same message resonates – that we ultimately need to start looking at cybersecurity together from a broader perspective.”