and thanks a lot for having me. So let me just pull up the slides. Can you just, if you don't mind, confirm that you see them so that we are all good to go. Yeah, oh great, thanks Charles. Thanks a lot. So I'm really happy to launch that new season of the webinar series, especially on a topic that is discussing law and ethics in digital environment. And I'm hoping that as part of this talk you will be able to grab and see why cybersecurity kind of relates to probably both aspects, because indeed lawyers do cybersecurity, and cybersecurity has in itself, let's say, some form of ethical aspect that we might be discussing today. Before starting and getting to the heads and the nitty-gritty of the talk, I think it's just very important to remind ourselves that, as you mentioned, who really information and communication technologies and their really fast development are really fascinating and really are offering a wide range of new potential applications, and certainly in the area like the one that you described, so in digital environment, those developments on the ICT side can really be seen as enablers offering new possibilities. So before we jump into really all about cybersecurity, I just want to play a short video that hopefully will play nicely, but that is just providing some background on those possibilities and why cyber, let's say, is so critical in the society. So let's just give that a try.
So hopefully you have grasped some of that, and it's really about the great work that Rachel is doing as a meteorologist, but you can really see that apparently for her to do her job properly, ICT and technology play an integral part, and really my purpose for today is to try to answer that question, which is: so is EU cybersecurity the missing piece to a sustainable environment? And to do that, I think we need probably to go through a couple of elements to try to help getting an answer to that question.
What I'm suggesting is to go through some iterations and also to go through a set of, of course, biased or truncated assumptions. The iterations are the following. If we want to answer the question properly, I think we should do probably four things, which is one, help everyone to understand what is cyber security, what it exactly covers. Then the second important aspect is what are the key cyber challenges raised by a digital environment, so the application we just saw with that meteorologist, but more broadly; going then to looking at the EU cyber security frameworks and, of course, probably even more importantly, trying to see if those existing sets of both prescriptive legal rules that are applicable and guidelines made available by EU agencies are adequately addressing those challenges. As I said, I will be using as well a set of very truncated assumptions. The first one is probably not so disputable and goes around the fact that cyber security should be seen as a foundation principle, allowing the trust of the technology, because you can probably quickly determine and agree that absent cyber security, and depending on the vulnerabilities that might affect all of the technology, you might really get to have an outcome that really impedes, let's say, trust. So if you really want to have trust with users in the community, you really need to have cyber security as a foundation principle. The second assumption, which of course, a couple of months following Brexit, might be a bit more of a biased one, is to say that for our purposes today, we will say that the EU is the world, or at least that the EU framework, as it is, is the gold plate, let's say, for the legislative framework.
I should say that, of course, that can probably be disputed, but the good thing to some extent is that on the UK side, you have left the EU not so long ago, so most of the EU rules that we have known are already implemented on the UK side, so even if it's a biased assumption, there is some value attached to it. So let me start with the first piece, which is trying to see what is EU cyber security. As you probably know, lawyers have that tendency to try to have everything fitting in little boxes and definitions, so we'll just give that a try very quickly to see what we are talking about. I'm fortunate to have an eight-year-old son, so I can already or still avoid a kind of dose and discussion here, and probably the bad thing for my son at least is that he will have a father who is doing cybersecurity, so hopefully I will be able to tell him something that he might eventually not know, but that's, I think, still a relevant element, which is we are surrounded by digital natives, our kids are probably more versed than we will ever be in that environment, and they probably realize as we do that the security aspect of it is key and important. But if we move to some real definition, let's say, so to speak, we can find a definition of cybersecurity back in the 2013 EU cybersecurity strategy, and what the contemplated definition is, it's basically saying that cybersecurity refers to safeguards and actions that can be used to protect the cyber domain. Interestingly, it's quoting both civilian and military fields, and it protects those against threats that are associated with or may harm the interdependent networks and information infrastructure. Cybersecurity strives to preserve the availability and integrity of the network and the confidentiality of the information contained therein, so I think that's a very nice and broad definition that very easily helps to understand what is the overall objective of cybersecurity.
It's really about protecting all of those measures, protecting the availability and confidentiality of the digital infrastructure. We have a more narrow definition provided by the EU cybersecurity agency ENISA, which is really down to the core of it, so which is the protection of information, information system infrastructure and the applications that run on top of those against the threats that are associated with a global and connected environment. And that's frankly a definition that is also relevant to consider because we can really see that we are living in a more and more connected world, and associated with that or next to that, that means also an increased amount of potential vulnerabilities. Cybersecurity, it's an area that also comes with a national level definition. You can hardly read anything about the that might fit in the slide, but that's not really the most important piece. What is important to realize based on that is that each and every member state has its own definition of cybersecurity, which frankly is not always helpful to try to have a harmonized view as to what we are speaking about. And conscious of that, the JRC, which is a research service for the Commission, tried to come out back in December 2019 with what was called an EU-level cybersecurity taxonomy. So really to try to define what we are speaking about. And out of the 15 points that they identified as relevant in the taxonomy, legal risk slash issues is only one of them. I would say the good thing is that it's already one of them. So that probably gives me a valid reason to speak to you today about the topic. So that was really setting the scene as to what is cybersecurity from a legal point of view. Then I think it's important to move on and try to see what are the key cyber challenges associated to the digital environment or more broadly in the supply chain. When we speak about digital environment, as Boku mentioned, we have a number of different things that are coming into play.
It ranges from the satellite that we saw for meteorological use, but very often it's down to a little sensor. And of course, you can directly see two things with that example. One is that you have a very broad supply chain that really spans across networks and the various sets of hardware and applications. And also that depending on the tools you are using, you will be able to apply a very different technique to protect those assets, because you might be able to introduce protection against vulnerabilities on a satellite, but on a really little teeny sensor, it's very complicated to protect that sensor against vulnerabilities. And that's really one of the first challenges associated with the world we are in now, is that supply chain management and trying to preserve and protect the security of the supply chain is really complex, simply because the chain itself, let's say, is complex. A second challenge that needs to be addressed is the vulnerability of those little elements. As I just mentioned, you can try to attack a satellite, but you can also try to hack a little sensor, and both things are doable and are happening in real life. And it's not only just about cyber criminals or criminal activities, it's also linked to the nature of the piece of hardware you are using. If you have a sensor, it's very hard, for example, to patch or update the sensor, so you know that the lifespan of that sensor is certainly not infinite, and that will affect, at one point or another, the reliability of the information that you will get through that sensor. So that is also a kind of key challenge that you need to keep in mind because, as I said in the introduction, if you don't meet those challenges properly, the outcome that you will get eventually out of the piece of research you will do using technology will be impacted.
A third very important challenge that we need to flag is liabilities, because when something goes wrong, and something goes wrong, you have different potential for failure, let's say, whether it's a wrong result being displayed or whether some of the data that you are gathering are just compromised because the system is compromised, or if you are using a sensor and it's not providing the right level of information, when something goes wrong, it always comes along with liabilities, and that's really the third key component that should be addressed and kept in mind. So that was the kind of second iteration we saw. What is cyber? Second, what are the key challenges? Then moving on to the next two pieces, which is what are the EU frameworks to try to address those challenges, and are those rules that we have properly addressing those challenges? What we are going to do here is really focusing on the digital environment piece and really trying to see if the framework we have is fit for the purposes of a digital environment type of application. That one is probably also quite uneasy to go through, but if you manage to look at some of the picture on the slide, I think it's done pretty nicely. It's a document published by the European Commission, who is trying to help citizens to understand why and how EU cybersecurity frameworks apply in their day-to-day life. Of course, our purpose today is a bit different than that, so I will not go to that in detail, but I think it's a nice way of realizing, let's say, that there are various pieces of legislation that are dealing with the issue. If we take for one minute, let's say, an institutional kind of hat, and we look at what it is to regulate in cybersecurity space on the EU side, we should remind ourselves that all of what is related to national security still is in the responsibility of the member states, and that typically the EU is lacking an express legal competence in relation to cybersecurity.
There are some proposals to change that to see how best we will react to cyber attack at EU level and the likes, but that's generally the context. However, with that context, everyone realized that there is a need to develop a coordinated approach, and what people have been really good at is trying to see within the toolbox that we have what kind of legal basis can be used to issue either prescriptive rules or issue guidelines or kind of soft law that will have an impact on governing cybersecurity. On identify other legal basis, the most used so far have been around the internal market or around common foreign policy and common security and defense policy, and I will briefly touch on two instruments that we have or that the EU has been developing around those areas. So just to give you an example. So let's go to those prescriptive rules and let's focus first on the framework around NIS, so the network and information system directive. What is NIS? So it's kind of an old piece of legislation. It was adopted back in July 2016 and entered into force also in August 2016 with the obligation and requirements to have those laws the directive implemented in member states' laws by May 2018. Why is NIS so important and relevant? Because it's the first piece of EU legislation on cybersecurity providing for a minimum level of harmonization. So really setting the minimum standards that member states should implement locally, leaving to member states the right and the possibility to have stricter rules in their domestic law. What is it all about? So it provides a set of rules or measures to boost the overall level of cybersecurity in the EU, and it's taking one fundamental assumption, which is that if you want to have cybersecurity right, you need to look at major actors in critical sectors. One thing that you should note, even if that will be less relevant for the UK, is that NIS is currently being revised with some change in approach, but I'll come to that in a second.
So what NIS is trying to do is basically three things, or it had three components. One is making sure that EU member states realize what is EU cybersecurity and build up capacity to understand and be able to help, let's say, in the area. It also established some cross-border collaboration at EU level, primarily between member state representatives, but what is more relevant for us is that it requires a national supervision of what is called the NIS, the sets of critical sectors. And if you look at the list of critical sectors, you can see that you have energy, transport, water distribution, health and finance, and you don't see there anything related to environment. You have, next to those critical sectors, another category aiming at what is called digital service providers, but there as well you will hardly, let's say, find anything which is very relevant for the purposes. What are the measures that NIS is contemplating? It's really sets of requirements around governance, protection and defense, and resilience against cyber attack. So all of those things that would be probably very relevant in our context but that, as I mentioned, wouldn't really apply simply because the sectors that are under the scope of NIS are unrelated to our area. So what are we left with? So if we don't have a set of prescriptive rules and requirements that apply or that may be called upon, you need to go and find something else, and something else according to G20 will be sets of guidelines or eventually some certification standards. The good news is that on the EU front we have progressed quite extensively, let's say, in developing a common framework of certification regime, and that has been really the basis for what is called the Cybersecurity Act, and I'll just briefly explain and describe what the act is all about. So the Cybersecurity Act is a regulation, so a piece of primary EU law that is applicable by itself, let's say, across all of the EU member states, that was adopted back in March 2019.
It's doing two things: one is giving more power to the European agency for cyber security, ENISA, and secondly it's creating for the first time an EU-wide cyber security framework for ICT services, products and processes. So really the idea is to build and develop using existing standards and schemes, so like ISO and a couple of others, and trying to build up certification schemes that will be applicable throughout the European Union. Most of them are voluntary, so it's schemes that will be proposed by the EU, when manufacturers or users of ICT products, services or processes will be able to apply, let's say, unless those are made mandatory by EU or national law. One of the benefits, as I said, is that it's an EU-wide scheme, so they will be valid across all of the European Union, and they are based on existing standards or technical specifications. Is that good for us or for the purpose of today? It's almost good, because if you look at what the agency has currently been working on, we have schemes developed for SOGIS, so that's a kind of procurement law for public authorities, so it's not really helpful for us. We have a scheme that is being developed for cloud providers, which of course is an important piece of the infrastructure but not really targeted specifically to the environment, and we just have, since earlier on this year, sorry, a call for a scheme targeting a 5G network and application. We will have soon a rolling program adopted by the EU that will list those topics and elements that the EU are identifying as the next important topics for the upcoming certification. There is no sign that anything related to climate change or our environment will find its way there.
So we need to keep going, and the last set of prescriptive rules that we have is much more on the kind of defense side, and it's what is called the EU Council decision and regulation on restrictive measures against cyber attackers. So what I'll try to see here is, if we don't have prescriptive rules allowing us to impose a high threshold for the application that we are contemplating for our purposes, at least will we be able to punish those that will target attacks on things like digital environment applications, that's really it. So what is RMAC, so the acronym, so it's also a tool, so part of the tool, but the tool box, sorry, adopted back in May 2019, and it's aiming at imposing targeted restrictive measures on those that are really constituting external threats to the EU or the member states, and are within the scope, let's say, cyber attacks against member states, against the wide EU, or even against a third state or international organization that are relevant or partner of the EU. We can sanction under those regimes those who are responsible for a cyber attack or attempted cyber attack, those that provide financial or technical or material support to the attack, or anyone that is involved in another way. The kind of measures that you will have against those people are kind of very export control or trade-sanction type measures, so it's around asset freeze or banning people from traveling, which in COVID time probably doesn't mean anything because we cannot travel anyway, but most importantly it's unlikely, and at least we haven't yet seen any application of those measures in the context that we are discussing today. So you see some measures and sanctions for hackers against hospitals, you don't see yet sanctions being decided for people attacking satellites or sensors, so that's still something that is not 100% for purposes.
Next to those hard laws we then need to see whether we have at least soft law or recommendations or guidelines that might be useful, and there, as I said, since the adoption of NIS the key agency to look at on the EU front is ENISA. They have done a great job in publishing a number of recommendations and guidelines in the IoT context, but nothing that is really specific to a digital environment, and around the different guidelines, and of course I will not discuss all of them in any great detail, but what is important, and I really encourage and recommend the reading of some of those publications, it's really set the scene as to what people should be doing to try to protect their infrastructure against some of the vulnerabilities we discussed earlier, so either against a lack of security by design to some extent, so simply because you don't patch your hardware or you are just using hardware that by design is not secure enough, or against really criminal activities and hacking and the like, but for our purposes it's not, let's say, fully satisfactory. So if we get back to the question I raised initially, which is, is EU cybersecurity the missing piece of a sustainable digital environment, I hope that by now you have some of the elements to provide some answers to that. I reserve my answer but I'm happy to share my views, but I really encourage, you know, everyone to step in and ask any question you have or provide your own answer to that question. Thank you very much.
Thanks very much, it was a very interesting and insightful talk. I would like to open a Q&A session for this, and perhaps I could start with, if I may, my question. When you mentioned that, you know, the EU's role in this area and kind of the EU is ruling the world in the cyberspace and it's not addressing environment on its own as one of the key policies, I was wondering whether you would like to elaborate on these issues further.
So on that front, so really I think what is important to realize
and keep in mind is that the EU has for a long time decided, let's say, to be a frontrunner in imposing prescriptive rules in the cyber context. That's the approach the EU has been taking, and it had started, let's say, a bit narrowly, so as I quickly mentioned, it used a number of critical sectors that are probably those that are, at least in the eyes of the regulators, those that are the most at risk if subject to an attack, okay, or those where the consequences, let's say, are directly the most adverse to a wider population. That's the approach, and really I think what we are seeing now is further development of that framework to go for a wider scope of application and even more, let's say, or more importantly, actual sanctions or higher penalties for non-compliance, and that I think is something that is very, very relevant. It's not yet down to, let's say, the scope of application that we discussed today, but I think gently it's really widening, and I hope, let's say, that at one point someone will knock on the EU door and say, okay, this is a sector that is as critical as energy, water supplies and a couple of others, and we need to have on board high threshold requirements and prescriptive rules to make sure that everyone that is dealing with those issues is dealing with them diligently.
The next question concerns kind of ethical considerations: what of the role of ethical considerations with respect to environmental applications, citizens and impacts of climate change, for example, and how might cyber security measures address this?
That's an interesting question. Of course it's supposed that we have a common understanding of what those ethical issues could be, and I'm not sure I have the answers to that, but at least, let's say, one side of the answer is that if you consider and you accept my assumption around the fact that cyber security is really an essential building block for trust in the digital environment, but let's say in the digital world more broadly, I think that if
you accept that assumption, of course, you really take that as a building block and foundation principle, and even if it's low it's almost kind of really linked to ethics, because you need them to build up a system that will be able to quote and address the applications that are being developed, so to have a sustainable and robust system is probably a very key and important foundation, because I would say so. So it's an imperfect answer, but I think that would be my initial comments on that.
Thanks very much, and it was noted that it was an interesting point that sensors are both vulnerable and that the law is undeveloped in this area, for example protection of data, and this must be an area being rapidly addressed now with the growth of IoT, Internet of Things. Would you like to give some perspectives on that?
Yes, so you would really be surprised to see how easy it is to hack sensors, and of course I'm not a hacker, I'm just a lawyer, but we are attending some of the ENISA conferences and events as legal expert, which means that you have the benefit and privilege of meeting those white hackers and ethical hackers and the like, and you will be fascinated to see how easy it is to hack sensors. And as I said initially, those sensors are critical for the application you are contemplating, but they are probably the most vulnerable piece simply because of their nature. So a sensor is just a sensor, and of course one of its primary goals is not to be the size of a football pitch, so you really need to have a small little piece of hardware, meaning that it's very complicated to protect that adequately against those attacks, but also against just the vulnerability by the lapse of time, because it's very complicated to patch those sensors. And it's not directly related to an environment, but if you take some of the sensor applications on the digital data or health data kind of things, it has been demonstrated that hackers
can easily hack, for example, an insulin pump and just make that pump function completely randomly, eventually killing a patient. You can imagine to have exactly the same around, I don't know, a sensor that is looking at some of the evolution of temperatures, for example: if you manage to hack the sensors and provide or feed data that are completely irrelevant, you just truncated all of the foundation since the very heart of it. So that's, I think, something that people should realize, that the technology offers great opportunities but in itself, let's say, is bringing a linearity.
I think you are on mute.
The vote, sorry, yeah, I think it's very interesting, your, we want that, and in the EU maybe there might be more effective mechanisms because of the nature of the union, but when we, you know, think about the international context, are there any effective mechanisms in dealing with this kind of attacks, or do you think it's possible to, you know, implement this kind of mechanisms?
Yeah, and you can really see that gently and slowly here as well you start having what looks like a consensus about the fact that, first, it's an issue, which is good, everyone realizes that it's an issue, and also, second, that there is a need for some form of harmonization of the actual response. What that will be actually looking like, I think it will not be for tomorrow or after tomorrow that we will be able to have a wide range of internationally recognized prescriptive rules that will apply all across, but what I think hopefully we should be able to develop in relatively short slash medium term is a set of guiding principles that at least set the scene, let's say, an expectation on what it is to have a resilient and robust digital network or environment, and that I think is something that we could hope or dream for. And certainly if you take two big blocks of the world, so if you take North America and the European Union, and of course perfectly conscious
that that is only, it's two big blocks but it's only a piece of the world, but if you take those two blocks, we are sharing already a kind of similar foundation, because even if the approach on the US side is far less prescriptive than the one we have on the EU side, they are also let's the guiding principle that, if you look at NIST for example, they are really developing things that look very similar to some of the EU approach. So I think we will be seeing hopefully a kind of international or almost international agreement on what those key foundation principles should be, then how those will be enforced and whether or not it's possible by just issuing principles to have things changed, that, yeah, that's of course we're busy right now.
Thanks very much, and we have, sorry Burkus, one participant has raised their hand, and so just unmute the Nicholas if you'd like to ask their question to Charles. Nicholas?
Thank you very much, thank you. Yes, thank you very much for your presentation. I just heard what you said about regulations and progress towards maybe more initiatives, but I'm French, teaching energy policy in Scotland, and I was interested in maybe having your opinion on potential steps that would either push towards more sectoral regulations from the EU on cyber security, like for energy, for critical infrastructures, and I'm of course thinking about the health sector as well. Your soft law suggestions are also very interesting, so do you see any progress on specific sectors coming from the EU because of the need to be precisely more and more industry specific?
Yeah, thanks Nicholas, and that's a very, very important and valid point that you make. Really I think on the EU side it's fair to say that the approach is exactly a step by step approach, we probably couldn't find a better word, and you can really see the evolution and almost the kind of direction of travel. So if you take the NIS directive at its inception, as I said, it covered only
major actors in a relatively limited number of sectors. Those were the ones that were directly subject to the prescriptive rules and requirements. Of course, by contract and by the very nature of the interdependencies, those requirements were pushed down the supply chain, and you had a kind of a good spreading effect, with, if you have, I don't know, a nuclear plant that is supposed to adopt a very high threshold, that will of course apply to their suppliers, the providers, etc., etc., but really that was kind of phase one of EU frameworks, identifying major actors in a limited number of sectors. If you look at what the EU is currently working on, if you look at the prospect of NIS 2, NIS 2, at least in its current shape, let's say, is trying to do two things: it's broadening the sectors that it will be applicable to, with some of the public authorities, for example, being subject to the rules as well, and it's broadening the base, with not only those major actors identified by member states being caught by the rules, but applying that almost to everyone within that sector. So you can really see that you are already kind of one step further, and then, and I'm not sure that it's a positive sign, but you can probably see that as a way of doing to promote efficiency, you have more and more really almost instrument-specific cyber requirements, and if you take another upcoming regulation in the financial sector, which is called DORA, it seeks as well there to impose strict resilience requirements in the entire financial sector, so really going even broader than the initial scope of NIS. So I think that's really the direction of travel on the EU side, and whether or not that will prove to be effective remains to be seen, and whether or not imposing sanctions for non-compliance is the way to go also remains to be seen, but at least that's the intention and that's how the EU is trying to raise the bar there.
Thank you very much.
Thank you. Perhaps maybe one or two questions we can take
before we close the session. It would be interesting to ask how legal frameworks keep in step with technological developments in the area of cyber security, is one of our attendees' comment, on for example blockchain approach offer promise for ensuring data integrity from sensors, or does the law and technology align in time?
Yeah, so I think there it's fair to say that law is always behind but we try to catch up, and frankly it's just a kind of very normal statement because it's difficult for that to be different. So you can probably only start regulating by the time you realize some of the good or the bad things that technological development is getting to you, and in the cyber security space it's even worse, frankly, to some extent, because the bad guys are always ahead of the good guys. So if you try to quote and build a resilient network, you will always do that by reaction to attacks that you have already been receiving, and it's no different than in many other contexts, but here it's just the way it goes, and the fact that those attacks are really getting more and more severe, more and more global, and all of those bad consequences that you're hearing, are just at one point triggering on the political side the need to come up with new rules, new requirements to try to improve and increase resilience, knowing that it's a kind of lost cause in any event, because as we know it's not really a question of if you can protect absolutely against an attack, it's much more as how you will react by the time you will be attacked. So that's the way it is.
Yeah, thanks Charles, and one of the questions relates to the cost element: cyber security can be expensive, I wonder whether you could comment on the trade-off or measuring more or measuring better and protecting better the few measurements we have.
Yeah, and frankly that's something that you really
have to fight, let's say, constantly, at least in private practice, to try to indeed strike the balance between the cost of cyber security versus the benefit, and it's a bit of the same like in the data world: you have start-ups who are really willing to develop great technologies and who are running to develop the better product, like forgetting a bit about the fact that they need to be conscious about what data they gathered and how it's going to work later on, and really cyber security is a bit the kind of same thing. So by the time engineers have great ideas about new applications, they don't really care so much about whether or not it will be hackable, not hackable, the kind of resilience tool that needs to be built into the technology, and that's why, let's say, at least some of the new initiatives should be commended, because by the time you impose to have kind of cyber security by design to some extent, so if you really need to show and demonstrate that you have taken steps for that little piece of software to be built the most resilient way possible, at least you have achieved something. But it's true, it's a cost, and I suspect that more and more it will be a kind of cost of doing business, so if you don't take the cost you will be out of business.
Thanks very much for this very interesting and enjoyable talk, and before we close, would you like to answer your own question, the question you raised: is EU cyber security the missing piece of a sustainable digital environment?
Yeah, thanks. So I think that my answer to that, and probably no surprise, is that I think it's a key foundation block and it really needs to address the challenge, and frankly I would really be advocating for a digital environment application to voice even more if they're concerned, let's say they are, to make sure that it's recognized as critical, let's say, as water, energy, health or a couple of
others, so that would be my expectation and an answer to that question.
Thanks very much, and it was a great privilege and pleasure for us to launch our series Law and Ethics in Digital Environment with your talk today, and thanks very much for joining us today, and thanks very much everyone for their contributions and questions, and we hope to see everyone again for our next seminar on the 18th of March, and we will welcome Professor Abib Brown from the University of Aberdeen, who will speak to us on balancing the rights and regimes relevant to the digital environment. So I think this is the end of this session, thanks very much for joining us.
Yeah, thank you very much Charles, that's a really great talk.