
Focus: Belgium

It plays host to more cyber policy-making bodies than any other European state, but Belgium still faces infosecurity challenges.

The cluster of cyber security industry bodies headquartered within its borders – and most specifically, in its capital city, Brussels – makes Belgium an epicentre of European cyber crime counteraction agencies. Influential agencies like ENISA, ECSO, the Cyber Security Coalition, and the European Organisation for Security are each based in Brussels, alongside the country’s own state cyber security body, the Centre for Cybersecurity Belgium (CCB); the Leuven Institute of Criminology is located nearby. As the de facto ‘capital’ of the European Union (EU), Brussels also hosts some of the highest profile targets for cyber attackers; they include the Council of the European Union and the European Parliament. Belgium is proving to be the place where much pan-European cyber crime policy is debated into legislation, and the place where intelligence gathered by cyber security agencies in EU member states is pooled and collated.

It comes as somewhat of a surprise, then, that according to some recent comparative studies, Belgium has elsewhere a mixed record when it comes to cyber security readiness and best practice, and has been relatively slow to impose some of the legislative safeguards to ensure that its own economy – and citizens – are as well-protected against the ravages of cyber crimes as they could be. The EC reportedly even threatened to take the federal Government of Belgium (headed since 2014 by Prime Minister Charles Michel) to court for being slow to transpose the Network and Information Systems (NIS) directive into national law.

In common with its European nation-state neighbours, the cyber crime phenomenon has received growing media attention and provoked concern in Belgium over the last five years. To allay these concerns and protect its citizens, businesses, and other organisations, the government established the Centre for Cybersecurity Belgium in 2015, and successive administrations have designated cyber crime counteraction as a top priority in the country’s long-term national security plan, called the ‘Kadernota Integrale Veiligheid [Integrated Security Framework] 2016-2019’. Despite this, as the influential Leuven Institute of Criminology’s 2017 Impact of Cybercrime on Belgian Businesses report notes, to date, ‘little empirical data is available to investigate the experiences of Belgium-based businesses with cyber crime, or the impact cyber crime has had on these businesses’.

As also noted by the report, with cyber crime, one of the main challenges all EU member states have had to deal with is a lack of commonly-agreed definitions that they can base EU-wide legislation around. Whereas the Council of Europe does not define cyber crime in a generic context, the EC has attempted a definition in its 2013 ‘Cybersecurity Strategy of the European Union’, as ‘a broad range of different criminal activities where computers and information systems are involved either as a primary tool or as a primary target’.

‘Cyber crime comprises traditional offences (e.g. fraud, forgery, and identity theft), content-related offences (e.g., online distribution of unlawful pornography or incitement to racial hatred) and offences unique to computers and information systems (e.g., attacks against information systems, denial of service and malware)’. This definition (as well as the whole strategy) is, however, non-binding for the EU Member States. Fifty-three per cent of Belgian respondents to PwC’s Global Economic Crime & Fraud Survey (2018) deemed cyber crime ‘the most common economic crime in Belgium’ and believe that cyber crime will continue to be the most disruptive in the next 12 months, outperforming other types of crime.

The survey also found that the known consequences of cyber crime in Belgium are that 31% of cyber crime attacks caused disruption in business processes; in 28% of those cases, data assets were misappropriated; however, theft of Intellectual Property (IP) was reported by just 2% of respondents. At the same time, 20% of the Belgian respondents to PwC’s poll indicated that they ‘do not know what the exact consequences [of a cyber incident] are’. This means that in many cases, companies might not know if there were (or were not) serious consequences, which, PwC suggests, is all the more alarming because there might have been loss or theft of critical data and/or IP. Another finding of the PwC survey was the low level of uptake of more advanced technologies that could be used in cyber threat defence, protection and counteraction: it found that a large part of the Belgian respondents have still not fully adopted technologies like Artificial Intelligence, data analysis, pattern detection or communications monitoring, as deployed in support of defensive cyber security counteractions.

MIXED PICTURE OF NATIONAL CYBER SECURITY TRENDS

According to a review by the Leuven Institute of Criminology and KU Leuven Centre for IT and IP Law, little empirical data is available to investigate the experiences of Belgium-based businesses with cyber crime. However, selected analysis of available research and studies can provide insights into how that country fares among its continental neighbours in dealing with cyber crime and cyber security challenges.

DLA Piper’s 2019 GDPR Data Breach Survey reveals Belgium occupies a mid-ranking among its European neighbours in terms of number of data breaches per 100,000 people (figures right; graph does not include EU states with fewer breaches-per-100K). Belgium’s DPA reports a ‘remarkable’ increase in the number of data breach notifications, complaints and requests received since GDPR effectuation. (Per capita values here calculated by dividing the number of data breaches reported by the total population of the relevant country multiplied by 100,000.)

Another PwC study, Global Economic Crime & Fraud Survey 2018, revealed that at least 65% of the study’s Belgian respondents experienced economic crime in the previous two years (2017-2018), compared to 45% in 2016. Some 30% of Belgian organisations hit estimated the financial impact sustained to be between €89,550 ($100,000) and €896,740 ($1,000,000), the survey reports. Furthermore, 27% of economic crime is perpetrated by internal actors (i.e., people located within Belgium’s borders). In terms of attack methods, 66% of cyber crime within the country is the result of phishing attacks. The results underline the greater awareness and understanding in Belgium of the types of fraud, perpetrators, the role of technology, and fraud’s potential impacts and costs for a business. “We cannot equate the higher levels of reported crime with higher levels of actual crime,” explains Rudy Hoskens, Forensics Leader & Partner at PwC Belgium.

“What the 2018 survey shows is that [now within Belgium] there is far more understanding of what fraud is and where it is taking place. It is particularly true of cyber crime, where there is a greater understanding of the issues, and greater investment in [defensive] controls and prevention.” The percentage of companies that perform an overall risk assessment is rather low, according to PwC. Its survey indicates, however, that entities in Belgium respond to the increased risk of cyber crime with increased attention for cyber attack responsibility (61%) compared to its global assessment figures (46%).

The three most high-profile cyber incidents to affect Belgium in recent times illustrate the diversity of the attack landscape and of the organisations in the firing line. In December 2018 the New York Times reported that hackers had infiltrated the EU’s diplomatic communications network for some years, and had downloaded thousands of diplomatic cables that revealed EU concerns about the Trump administration, struggles to deal with Russia and China, and the risk that Iran would revive its nuclear program. Belgian multi-metals business Nyrstar was attacked in January 2019. Nyrstar’s Metals Processing and Mining operations were not impacted by the cyber attack, but the company’s administrative operations were affected. Several of Nyrstar’s IT systems, including email correspondence, were shut down to help contain the issue. In March 2016 a teenager based in the US launched a cyber attack on Brussels Airport’s IT systems following Isis suicide bombings that killed more than 30 people. The Belgian federal public prosecutor’s office said the suspect aimed to take down the Brussels Airport Company website and infiltrate its computer systems on the evening of 22 March 2016 following the terrorist attacks, but was not successful. According to media reports, Belgian cyber investigators traced the hack source to Pennsylvania, and passed the information to authorities in the US.


Cyber crime has become the most prevalent type of economic crime in Belgium (53%), which is in second place globally (31%), behind asset misappropriation (45%). Asset misappropriation is rated in second place in Belgium, reportedly experienced by at least 30% of PwC’s Global Economic Crime & Fraud Survey respondents. “A sizable percentage of the ‘external’ perpetrators (and 70% of cases are external for our Belgian respondents) is made up of third-parties with whom companies have regular relationships,” says PwC’s Rudy Hoskens. “[For instance,] Agents, vendors, shared service providers, customers and more. In other words, people and entities with whom one would expect a certain degree of mutual trust, may actually be stealing from the company.” So, how are Belgian firms being attacked? While cyber crime and asset misappropriation remain the top two types of economic crime experienced in Belgium, rates for these crimes decreased compared to the results of PwC’s 2016 Global Economic Crime & Fraud Survey.

Indeed, almost all types of economic crime were seen less over the last two years than in the two years prior. Importantly, 62% of Belgian respondents believe that cyber crime will continue to be ‘the most disruptive economic crime’ over the next 24 months into the 2020s, ‘outperforming’ other crime types. The most common techniques used by cyber criminals on Belgian targets reported here are phishing (66%), malware (56%), and network scanning (16%). The greatest impact of cyber crime was disruption to business processes (31%), closely followed by asset misappropriation (28%). Just 2% of respondents reported IP theft. Still, some 20% of Belgian respondents indicated that they do not know what the exact consequences are, which is concerning, PwC’s analysis suggests, because there might have been theft or loss of sensitive data or intellectual property. Also of concern is that although 66% of Belgian respondents worked on cyber security programmes over the last 24 months, and such programmes were installed by 55% of respondents (up from 37% in 2016), only 35% indicated they carried out an assessment of their plan to find out how well it is working.

PwC’s Hoskens, meanwhile, acknowledges that the broadening definition of ‘cyber crime’ does cause big picture analysis to become skewed, especially if computer-enabled fraud is factored into its scope. “Fraud is the product of a complex mix of conditions and motivations, only some of which can be tackled by machines and technology,” comments Hoskens. “The funds allocated to crime detection and prevention – in terms of both technology and corporate culture – are increasing, and that has a multiplier effect in terms of understanding and detection of fraud.”

In December 2018, the Belgian Data Protection Authority (DPA) issued its first status update since GDPR became applicable. The statistics show a ‘remarkable’ increase in the number of data breach notifications, complaints and requests received, according to market-watcher Lexology. Specifically, since 25 May 2018, 317 data breaches have been notified to the DPA. This is a major increase compared to the previous year (i.e., 2017), when only 13 data breaches were formally reported. This increase is obviously due to the fact that there was no obligation to report prior to 25 May (except for the country’s telecommunications companies or financial services providers). The top Belgian verticals reporting data breaches are healthcare, insurance, public sector and defence, telecoms, and financial services. In addition, the DPA reports having received 148 GDPR-related complaints in the six months that followed GDPR effectuation, which comes down to almost one complaint per day. This number is, however, negligible compared to Belgium’s neighbouring countries. On this point, Belgium’s DPA is running a bit behind its national neighbours, who have already started their first systematic GDPR inspections and have already imposed a large number of warnings and sanctions, and in some cases (Austria, Germany, Portugal, the UK), financial penalties.

ACCREDITATION Words | Edmund Burr Photography | Shutterstock
