[PIO] Address by the Deputy Minister of Research, Innovation and Digital Policy Dr Nicodemus Damianou at the World Cybersecurity Summit, in Nicosia

Good morning everyone. First of all, I would like to convey the greetings of the President of the Republic, Mr. Nikos Christodoulides, who, due to other commitments, was unable to attend today's Conference. Cybersecurity is a top priority for the Government. It is a necessary and critical component of the plans for the digital modernization of the state, the economy and the society of the country, and part of the Government's Policy for Completing and Strengthening the Digital Ecosystem of our country.

It is, therefore, a great pleasure to be with you today, but also a challenge. In addition to the fact that many experts in a very specialized field have gathered here today, we also have Genetic AI, with ChatGPT - which is both a blessing and a curse, as it turns out in some cases. Whatever one says or writes today, it must be original enough to 'beat' ChatGPT. Otherwise, the recipients who read or listen to what you have to say can easily say that you are attributing a text lifted from ChatGPT or any similar tool - lest I be accused of promoting a particular company.

Anyway, speaking of Open AI, it exceeded even the expectations of many experts the speed with which the company announced about a month ago the new platform or better AI Model, Soros, that creates not just photos but photo-realistic video from simple text.

So in this environment of advanced deepfakes, fake or synthetic photos and videos, the incredible evolution in the capabilities of AI and in particular machine learning that can analyze and extract conclusions and directions from very large volumes of even unstructured data, we are called to consider an area more topical and more important than ever, cyber security and resilience. A parameter essential if businesses are to derive maximum benefit from digital evolution and states are to build a resilient and competitive digital economy. In other words, cybersecurity is a prerequisite for our digital policy and we see it as such.

We are therefore living in an era where technology and its potential often outstrip our ability to plan and develop our business plans. Businesses and organizations often end up not looking at technology solutions to meet their challenges and execute their strategy, but looking at the applications of cutting-edge technologies and how others are leveraging them to determine the products, direction and strategy to pursue. These rapid technological developments and our dependence on technology make the need to protect our data, systems and digital infrastructure urgent and pressing.

As the digital footprint of organisations, states and citizens increases, so does the risk and need to implement measures to protect against cyber-attacks. Whichever source of statistical data one follows, one will find a significant increase in the number of cyber-attacks, with a large proportion of these directed against government infrastructure - the European Union Agency for Cybersecurity (ENISA) records a figure of 19% of incidents against governments and public infrastructure.

A similar escalation of threats was observed at the national level where, according to a Digital Security Authority survey conducted between October and December 2023, one in two businesses in Cyprus (49%) had suffered some kind of attack in the previous 12 months, with an average of one attack per week and an increase from around 3 attacks per month compared to the previous year. A similar percentage of citizens - namely 53% - were attacked during the period in question.

I should note that, I am one of those who believe that it is not ethical or wise to talk in detail about what we are doing as a government and where we are in the area of Cybersecurity. This is not to diminish its importance but rather to emphasise how seriously we take and treat this issue. Cybersecurity has become a matter of national security for States, a matter of State sovereignty, and we treat it as such, both we and Europe.

In cooperation with the Digital Security Authority, we are developing a cross-cutting programme that includes both shielding the state's critical infrastructure through an integrated plan to identify, assess and respond to cybersecurity threats and incidents, as well as pushing to strengthen cybersecurity in private organisations and to raise awareness and protect society more broadly. With regard to the cybersecurity compliance and management framework in our country, a number of actions have already been implemented, including, inter alia:

1. the establishment of the National CSIRT, the immediate response body to cybersecurity incidents which now operates on a 24/7 basis, and
2. the formulation of the framework of minimum network and information security measures for harmonization with the European NIS Directive
3. the establishment of the National Cybersecurity Coordination Centre, whose mission is to provide knowledge and facilitate access to expertise on industrial, technological and research cybersecurity issues
4. the establishment of the National Cybersecurity Certification Authority, and
5. the installation of sensors in critical infrastructure, as a level of prevention and response to the phenomenon of cyber-attacks.

Security is also a key parameter in terms of the design and implementation of the technological projects implemented by the Ministry of State within the framework of the digital transformation of the state machine, where we are starting to apply a security by design approach. At the same time, we attach particular importance to the development of business continuity structures and processes that ensure, to the maximum extent possible, the uninterrupted, reliable and efficient provision of services to the citizens and businesses of the country. I urge every business to invest and evaluate the cybersecurity issue and take immediate measures to protect against malicious attacks, while taking advantage of the funding opportunities available at both the European and national level. Just recently the Digital Security Authority, in cooperation with the Research and Innovation Foundation, had offered funding to enhance the level of security and ensure optimal protection of the infrastructure, systems and information of Cypriot SMEs. Such programmes will be examined below.

A big bet, of course, is to strengthen specialisation in the field of cybersecurity, where, admittedly, both in our country and in Europe in general, there is a great shortage of professionals. To this end, and within the framework of the National Action Plan for Digital Skills and Employment, further actions have already been implemented and are under consideration, aimed at training public and private sector workers in this specialised field.

Friends,

Before I close, I would like to return to the relationship between artificial intelligence and cybersecurity, which is the main topic of today's debate. It is a technology with capabilities that further increase the complexity of cyber-attacks and make them particularly difficult to detect and respond to. When malware can evolve/adapt to attack an infrastructure in a technology-specific manner, identifying patterns and mechanisms that defence systems apply to dynamically bypass them - then things get really complex.

At the same time, of course, the use of artificial intelligence in cyber defence systems and tools is the other side of the coin, and - as has been the case since I was at university studying systems security - it becomes a race between good and evil in terms of the application of the technology. And there are cyber defence tools today that incorporate artificial intelligence. It is for this reason that at the end of the day, it becomes more important that we are able to monitor, recognize and respond to cyber attack incidents, keeping the level of education and awareness of our people as high as possible.

As a final point, I want to touch on the fact that AI makes the distinction between Cybersecurity and Digital Trust less distinct.

- Consider those cases where the use of AI with its existing weaknesses and risks, such as for example the risk of algorithm bias (AI Bias) or AI hallucinations, leads to wrong conclusions, actions and decisions. What if this concerns critical applications or systems of an organisation.

- Consider those attacks that detect an organization's use of AI applications, and take care to influence the database from which the organization's AI systems and models derive information to lead the models to incorrect, misleading decisions about the organization.

Where does this category of events fall? Can it lead to cyber attacks? And how do we manage them? This is where the importance of the Artificial Intelligence Act (AI Act), passed by the European Parliament on 13 March 2024, lies, and is the first comprehensive piece of global legislation that attempts to regulate the ethical, human-centric and trustworthy development and use of AI. At the end of the day, it also raises the question of how AI itself can be harnessed to address them? And this is what brings us back to the race of good and evil.

I close with these thoughts - I would like to thank everyone for being here and extend my warmest congratulations to the organizers of the conference. Such initiatives are an important opportunity to exchange views and expertise on a subject so critical to the evolution and progress of the economy and society.

I wish you an interesting, reflective day.

Thank you.

(MK)

Contents of this article including associated images are owned by PIO
Views & opinions expressed are those of the author and/or PIO
Source