Day 2, Tuesday
Tuesday began with an early start to get ready. Up at 05:30, taxi booked for 7am, and SO much to do between the two. It’s difficult when separated from one’s full wardrobe for many days and with limited luggage space.
All part of the learning experience though.
Tuesday’s programme began with a keynote by Andrea Rigoni from Altirium; Reinventing cyber defence: from resilience to readiness.
Then a panel discussion Cyber resilience in wartime: Lessons learned from Ukraine with Serhii Prokopenko, Head of Operations at the Office of the National Security and Defence Council of Ukraine & NCSCC, the irrepressible & dynamic Chris Kubecka (author, founder & CEO of HypaSec UK), Francesca Spidalieri , Dan Cîmpean (Head of DNSC, România), Iulian Chifu (Centre for Conflict Prevention & EW, România).
Hearing directly from Serhii was rather special; here is someone right at the sharp end of receiving intensive state sponsored attacks, and where the risk is not merely monetary but existential.
I cannot possibly capture the discussion with any effectiveness, so I’ll just say this: you cannot pacify a bully. You cannot negotiate with a bully, because they will just be back for more. The aggresor putin is a man with Napoleon Complex; a small man with a vast need to prove himself – at catastrophic cost to others. I note that his name is reminicent of the Românian word puțin which literally mean small. We must not abandon Ukraine, even if for no other reason than critical self-interest.
A keynote by Cristina Carata (a researcher at Imperial College London and from humans.ai) addressed Trust and cybersecurity in the digital state: blockchain adoption among Romanian civil servants.
I admit that I am no great fan of blockchain (see my 2019 predictions!) It is a technology that has its uses, but outside of internet timestamping (where I first met the concepts a long long time ago before bitcoin was created) and cryptocurrency, it has limited uses which seem all to often to be swamped by the hype. However, I am open to being convinced, and Cristina’s points were better than most. She’s also the first speaker on the subject I’ve ever heard to admit that it’s not a particularly new technology. The internet timestamping service Stamper has been running since 1995-10-12, and the chain of timestamps is visible all the way back to then, for example, whereas the original Satoshi Nakamoto paper on bitcoin was not published until 2008-10-31. I remain sceptical, but will watch out for signs that I’m wrong.
An interesting event presented by Ana-Maria Busoniu (NCC) provided some insight into the results of the project Strengthening the capacities of the National Coordination Center (NCC). The objective was to disseminate the NCC’s contributions to the Cyber Resilience Act (CRA) implementation, looking at its impact on the European cybersecurity ecosystem. This is where we get to see some of the real early impact of the CRA, and where I’d frankly hope to see the UK’s NCSC stepping up to encourage understanding, at least, of the CRA in the UK. I’m not holding my breath on this any longer, however.
This was a two hour session, crammed with information which it’s going to take me a long time to fully digest. I’m not even going to attempt to summarise it here, but have included some images to give a flavour of the sheer range and scope of the projects relating to the CRA.
That was a lot to absorb, so a break was in order with a bit of networking.
Next up: A Cyber Threat Intelligence (CTI) Workshop led by Shawn Loveland (COO Resecurity). Very, very interesting. Great insights into just how deep the rabbit hole goes when it comes to the Dark Web, and how CTI organisations claiming to monitor the Dark Web need to be asked some difficult questions to assess just how deep they can get – because in most cases it is merely superficial.
Most unexpected element: that you need to involve your legal dept all the way through the any engatement on CTI – in fact, ideally (and for some very sound reasons), it should be done via your legal dept entirely.
Too much good stuff to share here. You really need to get yourself to events like this if you need this sort of information!
A change of venue was required for a roundtable that I particularly wanted to attend: Connected, Exposed, Essential: Rethinking Cyber Resilience in Healthcare. This is something I wrote about recently in this article: Do you think ransomware is scary? It will be. The workshop was extremely interesting, including information which I cannot onwardly share. But it didn’t fully address my concerns from that article.
Travelling back to the main venue was problematic, with very poor weather, and gridlocked traffic – giving the choice of getting there somewhat soaked, or not getting there. So somewhat soaked it was.
And to confirm that the weather was serious, in the main venue everyone’s phones went off with an “Extreme Threat Alert” about the weather.
Put a little bit of a dampner on the end of the day, and did impact the attendance at the following day’s events.
Save The Date!
BCC2026 will take place Tuesday 20th– Thursday 22nd October, 2026.
I hope to see you there.
Sophie Baskerville 