Reporter: What is your opinion on cyber security in Romania?
Ionel Niţu: First of all, we are in luck - if we are allowed to use that word, because what it actually means is that Romania is far behind in its development - that we do not have a high level of interconnection of databases and of network coverage (for example, in the rural areas).
We are doing well when it comes to specialists and also when it comes to the layer called national security. We are even security providers on a regional level (I am referring to the project for Ukraine's cybersecurity).
We are not doing as well when we look at things more closely. We are doing pretty badly when it comes to data security in some institutions and companies, especially in the state owned ones (which the state is a shareholder in). We are not doing well at all when it comes to SMEs, and that is caused by the low level of interest and knowledge of cyberthreats.
We are doing very badly when it comes to teenagers. Parents need to understand the fact that their role isn't just to buy them tablets and smartphones, but to also teach them the minimal security rules. The Y Generation has been born with such technologies in the home, but they install all kinds of garbage when it comes to mobile applications, they keep their wireless and GPS always on, unaware that in doing so, they become vulnerable, sometimes even targets for all kinds of ill-intentioned individuals. Furthermore, they are also making their home systems vulnerable, wireless networks or laptops and, implicitly the parents who don't understand that in the future their children can be the victims of abuse coming predominantly from the virtual environment.
Reporter: How can we protect ourselves from cybernetic attacks?
Ionel Niţu: Aside from the standard measures such as updating licenses, antiviruses and firewalls, security policies and standards, it takes a higher degree of education. I don't know how many managers understand the fact that investing in the security of their own company, of their business, of the employees, especially in protective measures is just as important as investing in computers, headquarters and cars.
You will find plenty of specialized books concerning protective measures.
But most often, we are carried away by the day-to-day emergencies, by deliverables and deadlines and we forget to pay just as much attention to security.
We are all error-prone, we are the victims of the vulnerabilities of cybernetic systems, and if we also get unlucky enough to infect our networks with a virus or with spyware, then our business is in danger.
Not having 100% functional IT systems nowadays amounts to not having access to the basic services: water, heating, electricity, sewer. Today's world simply can't function without computers and the internet.
For most managers, cyber seems like a very remote thing, something that is in the realm of science-fiction, even though they, their companies, their partners, are bombarded daily by malicious applications, and the biggest threat is that their systems have already been penetrated/compromised, and they don't even know that. They just suddenly find that confidential information pops up online or that they lose customers or calls for tenders and they don't know how that happened.
Most often, the vulnerabilities are unknown and the risk of information leaks is not acknowledged until it is too late. Most of the time, customers I've worked with have come to me when it was already too late.
Reporter: How would you describe the legislation in the field compared to that in other countries? What about the EU legislation in the field?
Ionel Niţu: Romania's legislation is first of all incomplete and second of all controversial. I won't comment on why the draft law was declared unconstitutional, but the feeling of collective intrusive surveillance, the feeling of privacy invasion is increasingly present among the public.
It is no less true that we give away our personal information with an incredible degree of naiveté (for example to Google, Facebook, Yahoo or to at the very least shady mobile applications), but we do not agree to offer it to the Romanian state, which has the mission to protect us. National security is a concept that includes companies' and citizens' security.
We need a legislative framework which ensures protection first of all, because that is where we are the most lagging. Our personal, intellectual and commercial life - and I am referring here to over 10 million internet users in Romania - is moving online. Since the Internet is increasingly becoming a private space, operating rules and protection rules are needed.
On a European level, the recent debates concern the creation of a unified digital market and less a unified framework for cybernetic security. Like in every other debate in a European community format, the issue of security tends to be left more up to the nations, rather than being assumed by the EU (of course there will be recommendations, there are cooperation forums, but not necessarily a clear regulatory framework).
Reporter: How do you view the collaboration between the public authorities and the business sector in the field of cybernetic security?
Ionel Niţu: Even though it is mentioned in every conference, the Public-Private partnership remains more of a wish.
Institutions in the field of national security need to open up more and to do outsourcing, because specialists in the field are massively migrating towards the private field, where they are better paid.
In Romania - unlike in the US - government institutions do not invest in innovation and technology and they have to exceed the paradigm of self- sufficiency and the temptation of internalizing new responsibilities.
Just like the Internet itself, Quantum computer is an innovative project financially backed by American government institutions. In-Q-Tel is a non-profit investment fund of the American intelligence services that invests in innovation, because that grants the US a strategic advantage.
What strategic advantages does Romania have?
In Romania there is an imbalance, an obvious asymmetry between capabilities (human resources, propensity for promotion) and results, and the Romanian government should take on the initiative and overcome its barriers, routines, the complacency and organizational customs and become the moral sponsor of innovation in IT&C and implicitly in cybersecurity.
Out of the 3-4 major areas in which Romania can become a regional pole for growth, a hub, a veritable regional supplier (security, energy, agriculture, IT&C), the latter is the one in which the gap between potential and reality is the biggest.
Reporter: We are increasingly dependent on computerized devices, connected to the internet, which leads to the appearance of risks pertaining to the cybernetic environment. What is your opinion on this reliance in terms of information security?
Ionel Niţu: We are and we will continue to be increasingly dependent. Prevention must become the keyword in when it comes to risk management, and prioritizing the areas/objectives that had to be protected must have a logic in terms of the potential impact of the attacks. Cyberwar will precede, accompany or even replace a standard war (military, commercial etc.). Thus, we must first protect the rescuers, and then the strategic areas and institutions, critical infrastructures. The problem is that there are no more resources left for us citizens, entrepreneurs, ONGs etc. Or sometimes, for me, trade secrets are just as important as state secrets. In order to better protect ourselves, we need to associate ourselves, to share information and best practices, to resort to professional services like CERT and private SOC.
That is the trend in the US, and in Europe.
You can't handle cybernetic threats alone.
Reporter: Cybernetic attacks are increasingly frequent in Romania. It seems that Romanian authorities are successful in annihilating them. How do you think that cybernetic attacks will evolve, in the context of several threats, including the Russia-Ukraine conflict and the ISIS terrorist faction?
Ionel Niţu: They will be on the rise, increasingly diversified, longer lasting, and subtle.
That is is precisely the problem, when it comes to security: any weapon has a counter-weapon, but the delay in making the counter-weapon is essential. Since there is a new virus every second and five years ago the first cybernetic weapon (Stuxnet) appeared, investments in security have to match the threat.
Counter-weapons and security specialists have to change their inertial logic, response, reactive logic and have to be one step ahead of the enemy, to be increasingly pro-active.
For now, Romania is doing well, but things will have to change as cybernetic specialists leave or decide to work for foreign companies, which pay them a lot better, databases will become increasingly interconnected, and Romania might become a potential target, due to its international and NATO/EU commitments.
The secret in security is not to become a target. When you start becoming one, then you need to start investing in protective Security systems, thoroughly and in an organized manner. I hope the political agreement for increasing the defense allocations to 2% of the GDP will cover the cybernetic sector as well, if not for the fact that in the US, cybersecurity is already considered a new area of defense, together with the classical weapons (aerial, terrestrial, naval).
Reporter: Romania will be kind of a "cyber-leader" for NATO in the conflict with Russia and Ukraine. What are the complex threats in the cybernetic sector?
Ionel Niţu: It is a very good context for Romania and I hope it will be exploited, including by creating an excellence center in the cyber sector (on both sides: cybersecurity and cybercrime), the growth of the local industry and the tapping of the excellent human resources.
Unfortunately, I think that currently, we are more of insecurity exporters, (due to our hackers, that are already notorious all over the world). And in that regard it's again the Romanian government that needs to create that normative, financial and commercial framework, that would allow a conversion from black hat to white hat.
The biggest challenges today come from the technological area, and that is another interesting chapter to discuss (perhaps another time) about how Romania, which is currently an importer and captive user of foreign technology, should change its strategic approach. It is unimaginable, in the medium and long term, how a competitive country that is an important regional player becoming dependent on technology controlled by someone else pushing the buttons.
We need to learn to make the transition from smart/safe nation to competitive nation, from smart/safe city to competitive city.
The virtual space has to become a space of competition, not just confrontation.
Reporter: Thank you!