Since June 2021, the regulation establishing a new European Cybersecurity Competence Centre (ECCC), as well as a Network of National Coordination Centres (NCC), has entered into force. Together, they form Europe’s new framework for research, technology development, funding, and industrial policy in cybersecurity. While each member state will have a NCC, the ECCC will be based in Bucharest, Romania, following lengthy negotiations over the location between EU Member States.
According to indexes measuring cybersecurity preparedness and capacity, Romania has an above average score of +70 out of 100, positioning it on the 25th place in the National Cyber Security Index by Estonia-based NCSI, and on the 62nd place in the Global Cybersecurity Index 2020 by the International Telecommunication Union (ITU). Scores indicate that the country’s strengths lie in its legal foundation for cybersecurity, data protection, and critical infrastructure, as well as technical capabilities through national and specialized agencies, and cooperation between different stakeholders.
To further analyze the cybersecurity preparedness landscape in Romania, The Recursive talked to Eugen Popescu, Cybersecurity Expert at the Technical University of Cluj-Napoca. He is also Artificial Intelligence Consultant in the Romanian Council for Digital Transformation, and former Cyber Security Manager at the Romanian Civil Aeronautical Authority.
“Romania has a solid history in the field of cybersecurity, which is recognized and validated internationally by European partners and beyond. The local cybersecurity ecosystem enjoys a high quality of talent (and the process of training them), a top cybersecurity industry (e.g. Bitdefender), as well as consistent cyber diplomacy efforts.”
Key local cybersecurity market players
In terms of industry, Romania has a few home-brewed players driving innovation, knowledge, and capacity. Founded by Florin and Mariuca Talpes in 2001, Bitdefender was created as a subsidiary of Softwin, one of the first IT startups in post-communist Romania, to develop on the company’s antivirus solution. By 2007 it became a separate business entity and attracted its first external capital from Axxess Capital Investment Fund. Fast-forwarding 10 years later, British fund Vitruvian also invested in the company, driving the total valuation to more than $600 million. Today, the company counts more than 1,600 employees, customers from more than 170 countries, and is licensed by more than 150 global tech brands.
Another cybersecurity market player, Safetech launched in 2011. To fuel growth, the company led by CEO Victor Gansac carried out a private placement in 2020, through which it attracted ~€500K. Recently, the company became the first cybersecurity issuer on the Bucharest Stock Exchange, debuting on the AeRO market, and currently has a capitalization of €35.6M.
Read more: How to develop a problem-solving mindset with Niki Karali from Mantis Business Innovation
Back in 2017, CyberSwarm, a deep tech Romanian company specializing in tech for AI and cybersecurity applications, attracted $1 million from Tim Draper. CyberSwarm specializes in deception technology, which is meant to create software program imitations that deceive hackers, thus preventing attacks. The company now has a second headquarters in Delaware, Ohio.
The prospects of hosting the EU Cybersecurity Competence Center
What, on the contrary, differentiates the country from top cybersecurity performers, including many other European countries? According to ITU, organizational measures (national cybersecurity strategies and specialized agencies) and capacity development (R&D programs, cyber awareness initiatives) are the areas where more work is needed.
On the plus side, within the agenda of the upcoming ECCC as part of the EU Cybersecurity Strategy, strengthening technology and industrial cybersecurity capacities, as well as boosting research excellence are key priorities. With its newfound responsibilities, it’s also likely opportune for Romania to advance its cybersecurity strategy at a national level.
Cybersecurity expert Eugen Popescu further mentions what opportunities ECCC brings to the country in both the technical and diplomatic dimensions of cybersecurity:
- Accelerating the development of the overall cybersecurity ecosystem, both from the perspective of the technology manufacturing industry and also from the implementation of appropriate protection at the national level;
- Enhancing R&D and international partnerships in this field.
- Increasing Romania’s cyber diplomacy profile, and improving international relations;
- Supporting the regulatory process and facilitating the rapid operationalization of cybersecurity policies at the national level;
- Supporting national efforts to assimilate emerging technologies (and in optimal security conditions).
Freedom of movement and impeccable organization are driving cybercrime success
86% of organizations surveyed in a global study by CyberEdge suffered from a successful cyberattack in 2020. 57% of ransomware victims paid ransomware, but one-quarter of them did not recover their data. The average cost of a breach in 2021 was $4.24 million, the highest in 17 years. Meanwhile, the average time to identify and contain a breach was 280 days.
Behind this increasing threat, there is a simple, yet powerful truth: it is much simpler and more profitable to misuse technology than to use it strictly for the purposes for which it was created, Eugen Popescu says.
“Hackers have no limitation in implementing their thoughts and imagination. They are at risk of being held accountable, but until they are caught, which is an extremely low-probability event due to the difficulty of the cyberattack attribution, they move completely freely.”
And as we’ve seen with ransomware-as-a-service and other scalable cyberattack models, hackers are also very well organized.
On the other end, those who are responsible for the smooth running of society are not aware of these aspects, because they cannot see them with the naked eye. Everything happens in the virtual space. And even when they are aware, people do not know how to appreciate risk properly.
"In general, people's decision-making ability is more strongly influenced by the emotional background than by the rational one. Which makes the orientation of the decisions to be made on the basis of known, palpable, quantifiable aspects. It is difficult to convince a more conservative company manager that a certain risk - which he cannot see for himself - could directly affect his budget, business image, employees, material goods, etc. He will be tempted to make short-term savings much easier than to invest in cybersecurity equipment that would provide a certain level of long-term security."
Vigilance is achieved through extensive knowledge and ongoing training
What would be the first thing any state should do to improve cybersecurity? The answer lies within the human dimension, rather than the technical one, says Popescu.
“Every state needs to ensure that its decision-makers understand the phenomenology of technology and its importance for the future of society. Without the awareness of decision-makers, cybersecurity efforts are made with difficulty and with low yields, if not wasted, or even destroyed,” he explains.
A second mandatory measure is the proper development of education. In Romania, we have a history of technology-oriented education, making IT talent a competitive advantage.
In the past years, various specialization programs in cybersecurity have been developed, attracting students to this field. Nevertheless, these opportunities are not very well promoted.
What students on technical career paths need to grasp is the deep interrelatedness of cybersecurity and technology. Eugen Popescu highlights:
“In essence, technology has two fundamental aspects: functionality and security. We already live in a time when functionality without security cannot exist. So, young people need to understand that cybersecurity is not an ancillary field, but a fundamental part of technology.”
Moreover, students need to know the financial opportunities offered by the field. Demand is growing, not only in Romania but worldwide. And the pay is often higher compared to other established technology areas, Popescu adds.
Finally, the educational system needs to be constantly adapted to the needs of the current society and prepared for the requirements of the future. Popescu further mentions three areas we all need to focus on to prepare for the future:
- To understand the technology, at a practical level, and to use it for personal efficiency;
- To organize and control the macro-societal balance (managing the influences brought by technology on man and nature);
- To explore individual creativity, to make the most of their personal uniqueness and authenticity.
“An attempt of fraud, social engineering, and phishing are relatively easily observable by the watchful eye. But vigilance is created through ongoing training and extensive knowledge of the phenomena around us,” he adds.
In “Dynamics of Cybersecurity”, Eugen Popescu discusses at length the technical aspects of cybersecurity, as well as the influence of technology on man and nature, and the prospects of technology evolution for anyone interested in the topic.
Protecting the endpoint: the new requirement of remote working
As we switch more and more to hybrid and remote working models, cyberattacks also switch focus to endpoint devices, rather than centralized networks. These are often less protected than office workstations. To protect against the associated threat, Popescu further highlights the importance of having:
- Awareness of decision-making on the importance of having and deploying cybersecurity capabilities;
- Organizational policies and technical controls implemented uniformly at all endpoint devices;
- Secure communication lines (e.g. via own VPN) between endpoints and the core network;
- Optimal cybersecurity architecture applied to the core network;
- Awareness of users related to cybersecurity risks and measures.
Finally, achieving this goal also requires adaptation to local / particular needs, and creation of a human-centric cyber policy. No proper climate of cybersecurity can be maintained without ensuring that people behind the endpoints are aware and committed. One trap to be aware of – especially while working from home – is getting into a mental zone of comfort and carelessness, since it can lead to costly mistakes easily exploitable by the hackers.
