Prepare for the unexpected, through pseudonimization and crypto agility
Cybersecurity and privacy are major challenges Kristof Verslype takes at heart since many years. As a cryptographer and researcher at Smals he continues to innovate, develop and publish. He helps public institutions in Belgium to exchange information in safe and future-proof ways. He was shortlisted by the Cybersecurity Coalition as Privacy professional of the Year 2024. So what answers can we give today to tomorrow’s cyber challenges?
What are the most pressing cybersecurity threats today?
While most organizations, including Smals, are ramping up their cybersecurity efforts to comply with the new NIS2 regulations, we also need to look further ahead. As an association of public institutions in social security services, healthcare and other domains, Smals offers shared ICT services to its members. We treat highly sensitive data, including Belgian citizens’ medical records, so we need to properly protect them.
Given the long retention period of medical data and their particularly sensitive nature, we need to introduce additional layers of protection. There’s the emerging threat of really powerful Quantum computers making the current generation of cryptographic protection obsolete at some point in the future. We don’t know when, yet we can’t just wait and see. We need to be proactive now and become crypto agile to facilitate future cryptographic migrations.
Regarding more common threats like hacking and data leaks we need to protect personal information even better. Advanced cryptographic techniques have the potential to play a crucial role in this.
What cybersecurity trends are shaping the industry?
At Smals, we recognize the importance of pseudonymization as a key technique for protecting sensitive data. By replacing personal identifiers with pseudonyms, currently for specific eHealth applications, we ensure privacy and compliance with regulations like GDPR through layered security.
I’ve been pioneering to introduce advanced cryptographic pseudonymization as an additional protection layer in new eHealth applications. Hence, if medical records are leaked, the identity of the patient would still be protected. The eHealth-platform’s ‘blinded’ pseudonymization service is currently live. We are also introducing format-preserving pseudonymisation as well as a novel, distributed protocol to join and pseudonymize data originating from different sources.
These techniques allow to improve data security at rest, in transit and in use, for primary purposes – such as in medical applications, allowing better patient treatment – and also for so called secondary purposes, for example evidence based medical research.
How does your organization address cybersecurity challenges and opportunities?
Smals is always looking for practical ways to improve the security and reliability of e-government applications. Regarding the challenge to switch to post-Quantum cryptography we take a pragmatic and generic approach. We advise organizations to make an inventory of all cryptography currently in use across their application portfolio.
A second step is to evaluate the effort it would take to migrate current generation of cryptography to something else. Probably more than once. The first Post-Quantum crypto standards were already published by NIST last year. Yet this is only the beginning of a long story.
Being able to identify and change your current crypto standards is what we call crypto agility. I’ll share some more details in two presentations at Cybersec Europe on Wednesday May 21st.
Why is Cybersec Europe an essential industry event?
Cybersec Europe is a meeting place. Academia meets the professional world – both commercial players and non-commercial end-user organizations like Smals. We’re also open to meet job seekers, as we’re hiring over 200 new colleagues every year.
The event also marks the position of Belgium at the crossroads of ICT and cybersecurity expertise in Europe. In our e-government ecosystem everyone benefits from sharing expertise and best practices. At Cybersec Europe we find a similar mindset: open to share and learn from others.
Kristof Verslype, cryptographer, Smals Research: “Evaluate the effort it would take to migrate current generation of cryptography to something else. Probably more than once.”
