The UK ambassador to Spain and Andorra participated in the UK-Spain 2023 Cybersecurity Conference

Hugh Elliott: "In the wrong hands, technology can be used to undermine democracies"


The Nebrija University hosted the third edition of the UK-Spain Cybersecurity Conference, under the auspices of the British Embassy in Madrid and in collaboration with the Spanish Department of Homeland Security (DHS). Diplomats and experts noted the strategic relevance of cyberspace and the challenges that need to be addressed: the increasing number and danger of cyber-attacks, the illicit and malicious use of cyberspace, technological dependency and growing geopolitical tension.

In his welcoming remarks to the international conference, the UK Ambassador to Spain and Andorra, Hugh Elliott, said that "in the wrong hands, technology can be used by malicious actors to disable critical infrastructure and services and to undermine democracies". He said governments, industry and civil society "must work together to build collective defences". Elliott expressed his thanks for the organisation of this type of meeting and "especially the Department of Homeland Security for its close collaboration over the past few years".

The ambassador explained that, in this area, the UK's strategies are aimed at "strengthening our capabilities in all key technologies and limiting our dependence on suppliers and technologies developed under states that do not share our values".

On the war in Ukraine, the ambassador reiterated that the UK government remains committed to the support programme with the Ukrainian government. "What Putin has managed to create is a fantastic unity of allies, although we must never get used to war," he said.

Along these lines, General Miguel Ángel Ballesteros, Director of the Department of National Security (DSN), affirmed that Spain "is with the allies in this illegal and unjust war that moves on three levels: military, economic and technological". On this last level, cybersecurity appears as a "key" element that requires more professionals. "In Europe over the next five years," he said, "more than 30,000 cybersecurity specialists will be needed; the shortage is such that companies are stealing these experts and the Administration loses out because it is the worst paid."

"A national security concern"

Cybersecurity, "a concern for national security and for guaranteeing the proper functioning of democratic institutions", translates into data such as those compiled by the National Cryptologic Centre. In Spain in 2022, more than 55,000 cyber-attacks against public administrations were recorded, which represents a decrease compared to last year, but an increase in the severity of these attacks. 74 cyber-incidents were classified as critical, of which 9 were directed at the state administration, 24 at regional administrations and 41 at local administrations. The DSN reveals that the severity of attacks will increase in 2023 and that the Russian invasion will continue to condition the mobilisation of activists and criminals associated with states.

"Silent" cyberespionage, in which networks with important information are intruded into for months at a time and these accesses are then sold to criminal groups that encrypt files and obtain financial gain, is another of the growing trends pointed out by Ballesteros. In the current international panorama, the control of data "is a more important aspect than the control of oil, because by controlling data you can control the activity of a country". 

Furthermore, the DSN director contextualised the fact that in 2023 "we have two elections coming up, which is an opportunity for cybersecurity and interference".

Expert debates 

After remarks by the rector, José Muñiz, who said that the holding of this conference on cybersecurity and the establishment of an "ad hoc" degree and postgraduate course confirmed that Nebrija University is "very sensitive" to this issue, the conference featured two debates on the latest trends in cyber-attacks, the defence priorities of the British and Spanish governments and the digital security opportunities associated with new technological advances. Jordi Regi, director of the Master's Degree in Access to the Legal Profession (distance learning) and coordinator of International and EU Law at Nebrija University, and Luis García, director of the Master's Degree in Data Protection and Security at Nebrija University, moderated the panels.

According to the 2021 Annual National Security Report, in Spain ransomware (data kidnapping) continues to be the greatest threat to systems and information, while crimes related to computer fraud are increasing significantly and steadily. In addition, administrations must make progress in the use of artificial intelligence to improve prevention, detection, defence and investigation mechanisms. Spain ranks fourth in the Global Cybersecurity Index published by the International Telecommunications Union, behind only the US, the UK, Saudi Arabia and Estonia, and on a par with South Korea and Singapore. 

European regulations and resilience 

At the first round table, Carla Redondo, Secretary General of the National Institute of Cybersecurity (INCIBE), recalled that "digital invades our lives". In order to guarantee cybersecurity in the face of increasing risks and to generate public confidence, it is "essential" to adopt European regulations such as Directive 2022/2555, known as NIS2, or the Digital Operations Resilience Act (DORA). Redondo listed the essential points of the cybersecurity strategy in Spain: promoting the security and resilience of essential communication and information systems, creating a secure and reliable environment and use of cyberspace, protecting the business and social ecosystem, strengthening the Spanish cybersecurity industry and converging in cybersecurity at the international level.

INCIBE, which will release its 2022 data in the coming days, responded to more than 110,000 incidents in 2021, of which 90,000 affected citizens and companies. Among the organisation's lines of action, Carla Redondo mentioned the "Protect your company" programme, the Internet Security Office (OSI) and the Safer Internet Center Spain project to raise awareness among children, parents, teachers and other professionals. INCIBE also wants the experience of the 017 free cybersecurity helpline to be extended to the whole of Europe.

For his part, Álvaro de Lossada, head of the Cybersecurity Coordination Office (OCC), said that cybersecurity strategies must take into account disruptive technologies such as artificial intelligence and 5G, which "multiply the vulnerability" of systems. In this regard, the OCC works in three interrelated areas: the fight against attacks on the heart of national security, the secure use of the internet and technical coordination between the State Security Forces and Corps, the State Prosecutor's Office and the cybersecurity centres of reference.

According to OCC data, cybercrime has quadrupled from 2016 to 2022, accounting for 16% of the volume of crimes in 2022. 90% of this cybercrime revolves around fraud, which is proof of the "high" level of cyberactivism.

The UK case 

According to data from the UK's National Cyber Security Centre, the UK has the third highest number of cyber attacks, behind only the US and Ukraine. Ransomware remains the most serious threat facing UK businesses and organisations. Official figures revealed that there were 2.7 million cyber frauds between March 2021 and March 2022.

The most profound change in the cyber security landscape in the last 12 months came with Russia's invasion of Ukraine. The UK is seeking to ensure that UK organisations, critical infrastructure and society as a whole are as resilient as possible. Nick Bridal, head of the department for cyber-attacks from Russia at the UK's Foreign, Commonwealth & Development Office (FCDO), set domestic resilience as "key" to deterring cyber-attacks. Since the 2017 attack on the National Health Service (NHS), the approach to repelling cyber-attacks, in his view, must be geared towards the long term. "In these five years we have made progress; the intelligence services and the policy community are collaborating with our international partners," he said.

Although the threats are "less clear and the attribution of threats is increasingly diffuse, we want Russia and other states to know that if they attack the UK or other allied countries we have the tools and capabilities to respond".

Bridal, in the face of this uncertain outlook, also wanted to give "good news". The Russian operations "have not had the intended effect because the consequences have been mitigated and the people of Ukraine have been resilient to these attacks because we have mobilised support to repel the cyber-attacks". 

Awareness of cyber attacks 

During the second panel, Emily Alexander, Head of Technology Threats at the UK's FCDO, urged citizens and schools to understand and prepare for threats in the virtual world: "The UK is trying to mitigate these threats by coordinating national and international teams at a time when we are increasingly aware of the threats and risks".

Her Spanish counterpart, Carlos Abad, head of the Warning Systems and Incident Management Area of the National Cryptologic Centre (CCN), linked the threat to the evolution of digital transformation, which "makes no sense without cybersecurity".

Mónica Mateos, head of technology at the Joint Cyberspace Command (MCCE), emphasised the cyber-defence nature of her organisation in an "increasingly complex environment with ever more disruptive emerging technologies". Stressing the importance of human capital, Mateos recalled that the MCCE has recently created the Military School of Cyber Operations.

Alfonso López de la Osa, Dean of the Faculty of Law and International Relations, closed the UK-Spain 2023 Cybersecurity Conference with an explanatory speech and a summary of the general lines presented at the conference.