Beyond Big Cities: Understanding Cybersecurity in Mid-Sized Communities | Secure Talk with Lars Kruse

October 21, 2025

When we think about cybersecurity, images of tech giants and major financial centers come to mind—but what about the towns where most of us actually live? This SecureTalk episode with cybersecurity researcher Lars Kruse explores an often-overlooked question: how do communities of 20,000-100,000 residents protect themselves in an increasingly digital world?

Host Justin Beals and Lars Kruse, who studies at Sweden's Defense University, discuss the practical realities of implementing cybersecurity in resource-constrained environments. Through his research on over 600 European municipalities and validation interviews with consultants and administrators, Kruse reveals fascinating insights about the gap between written policies and daily operations.

The conversation opens with a real-world incident from Germany where 72 towns simultaneously lost access to their IT systems—not through sophisticated hacking, but through preventable security oversights. This case study illustrates why understanding operational security matters just as much as regulatory compliance.

Key topics explored include:

- How mid-sized communities differ from "smart cities" in their security approach

- The balance between regulatory requirements like GDPR, NIS2, and DORA

- Why employee training consistently ranks as the most critical security investment

- Practical frameworks for managing third-party technology vendors

- The role of political leadership in prioritizing cybersecurity budgets

- How research institutions contribute to better security policies

Kruse shares optimistic findings too: many organizations already practice good security fundamentals—they just need guidance connecting their existing processes to compliance requirements. The episode emphasizes that cybersecurity isn't about expensive technology alone; it's about building resilient practices that protect community services and citizen data.

Perfect for professionals in public administration, IT management, business operations, or anyone curious about how digital security works beyond headlines. This conversation offers practical knowledge about protecting the digital infrastructure we all depend on daily.

SecureTalk features conversations with experts shaping the future of cybersecurity and compliance, hosted by Justin Beals, CEO of Strike Graph.

#Cybersecurity #PublicSector #DigitalSecurity #CommunityResilience #SecurityEducation #DataPrivacy #TechPolicy #LocalGovernment #CyberAwareness #ITSecurity

Justin Beals: Hello everyone and welcome to SecureTalk. I'm your host, Justin Beals. Before we get started on our episode, I just wanted to alert you to an offer from the StrikeGraph team. One of the big changes in compliance requirements in the United States is the rollout of the Cybersecurity Maturity Model Certification, CMMC. That's easier to say. This is, of course, affecting those suppliers for the federal government, specifically the DoD.

And it's a big lift to hit some of these outcomes. We're currently offering a free level two self-assessment on our platform. And if you're interested in that type of solution, a link will be in our comments and you can take a look at what we're offering. Now let's get on with our episode. I live in a rural area of Washington state. And when I think about cybersecurity, I usually think about major metropolitan centers, Seattle, San Francisco, London.

The big cities with massive IT budgets, specialized security teams, and direct access to consultants and expertise. But that's only part of the story. In Germany, for example, there are just 80 cities with populations over 100,000. There are more than 600 towns between 20,000 and 100,000 citizens. That's where most people actually live and work. And those communities face cybersecurity challenges that look very different from what we see in the urban centers.

A few years ago, a ransomware group called Akira successfully attacked Südwestfalen-IT, a specialized IT provider serving municipalities in Germany. Within hours, 72 towns had lost access to their complete IT infrastructure. Citizens couldn't access government services, staff couldn't process documents, and everything simply stopped.

The attack vector wasn't sophisticated. It was guessable passwords and inadequate VPN access controls, basic security fundamentals that failed at the operational level. It took thousands of hours to recover. And these were exactly the kinds of communities that could least afford the disruption. This represents a pattern we're seeing across Europe and beyond as nation-states implement increasingly complex cybersecurity regulations.

The gap between what regulators expect and what smaller municipalities can actually deliver keeps widening. The European Union has released multiple major cybersecurity directives in just the past five years: NIS2, the Cybersecurity Act, the Cyber Resilience Act, and DORA for financial entities. Each one adds a layer of compliance requirements.

For a large city with dedicated cybersecurity staff and substantial budgets, implementing these frameworks is challenging but manageable. For a town of 40,000 people in a rural area, the challenge becomes exponential. These communities operate with slim budgets, limited access to trained personnel, and IT infrastructures that are often historically grown rather than strategically designed. Regulations themselves create additional complexity.

Many EU cybersecurity requirements are directives rather than direct regulations. That means each member state must translate them into national law, which takes time and often includes implementation variations. A town administrator trying to understand their actual compliance requirements has to navigate European-level requirements, national law, and the practical reality of limited resources. 

By the time one framework is partially implemented, the next regulation has already been released. This creates a data science problem that fascinates me. For years, I've heard people talk about harmonizing compliance frameworks. The idea that somehow NIS2, ISO 27001, NIST CSF, and dozens of other standards will eventually align into one coherent system that will map frameworks across frameworks, and everything will become simpler.

I know that's a fantasy. I tried to do this in the enterprise education space when No Child Left Behind drove grade schools education in the United States to develop thousands of different standardized testing frameworks with minor differences between each framework. Our security frameworks don't just coexist, they compete. Different regulatory bodies have different priorities, different jurisdictions, different political pressures.

And I'm not even touching on commercial ventures like PCI DSS, SOC 2, and HITRUST. Each new framework adds requirements that overlap with existing ones, but never quite match, especially when meeting them is a high stakes endeavor. The complexity compounds rather than resolves. And I'm here to tell you that I don't think it will ever stop. The challenge is fundamentally about data ontologies.

When NIS2 requires incident response capabilities and ISO 27001 requires incident management procedures and NIST CSF requires response planning, are those the same requirement? Similar? Am I going to pass my audit? How do I prove compliance with all three without implementing three separate processes? Traditional approaches treat each framework as a separate compliance project. You implement NIS2, then separately implement ISO 27001, then separately implement whatever comes next. You end up with redundant controls, duplicated documentation, and an exponentially increased operational burden. Then vendors codify that in their software or their consulting practices.

The only practical way forward is through natural language processing innovations that can understand semantic relationships between framework requirements and the operational characteristics that we use day to day. Systems and software that recognize when different frameworks are asking for fundamentally similar capabilities even when they use different terminology. Systems that can map controls and evidences to multiple framework requirements simultaneously and with high rigor.

This is exactly the type of multi-framework solution that is the core of the Strike Graph platform. We've had to incorporate decades of NLP innovations to succeed. We don't try to harmonize the frameworks themselves, which is impossible, but create intelligent systems that help organizations harmonize multiple frameworks with existing or needed operational characteristics, solving the redundancy nightmare.

That's why Lars's research really caught my attention. He's not just documenting the compliance burden these municipalities face, he's quantifying it. He's breaking down cybersecurity requirements into discrete capability categories that can be analyzed, compared, and mapped across different regulatory sources. That kind of structured analysis is exactly what you need to build effective NLP systems for compliance management.

Academic research is catching up to the reality. Between 2020 and 2024, publications on municipal cybersecurity nearly tripled, with 2024 alone representing one-third of all relevant research. Scholars are beginning to recognize that smart city concepts designed for highly populated urban centers simply don't translate to mid-sized towns with different resource constraints.

Our guest today conducted research specifically focused on those overlooked communities. His work examined how EU cybersecurity regulations affect public sector organizations in digital towns. What capabilities these municipalities actually need to achieve compliance and where the gaps exist between regulatory expectations and operational reality. What he discovered through validation interviews with consultants and municipal administrators was both expected and surprising. Expected because resource scarcity creates predictable challenges. Surprising because even after 25 years of internet-dependent infrastructure, fundamental security issues like weak password practices remain prevalent. His analysis identified 12 distinct capability categories that municipalities need to address for cyber resilience.

The top ranked categories: training and awareness, followed by detection and response capabilities, then technology infrastructure. Interestingly, financial capabilities don't rank highly, not because they're unimportant, but because these regulations themselves focus primarily on operational and technical requirements. The research matters because it highlights a systemic vulnerability. When we think about critical infrastructure, we often focus on power grids, telecommunication, and major financial institutions. But public administration at the municipal level is also critical infrastructure. These organizations hold sensitive citizen data, manage essential services, and serve as potential entry points for broader attacks on government systems.

The Südwestfalen-IT incident demonstrated how interconnected these vulnerabilities have become. When municipalities outsource their IT infrastructure to centralized providers, which makes perfect sense for resource efficiency, a single successful attack can cascade across dozens of communities simultaneously. The path forward requires innovation, but not necessarily in the form we usually imagine. These towns don't need bleeding edge security technologies.

They need practical frameworks for maintaining basic security hygiene, access to affordable expertise, and mechanisms for keeping pace with evolving regulatory requirements without drowning in complexity. Some solutions could come from the European level. The EU's new Cyber Solidarity Act is beginning to build capacities that could provide support in the worst-case-incident scenarios. But those efforts currently focus on larger critical infrastructure entities.

The question remains how to extend meaningful support to smaller municipalities that could use the help but often can't afford external consultants. Today's conversation explores these challenges from someone who has studied them rigorously. We'll discuss why compliance on paper doesn't always translate to security in practice, how the pace of regulatory change creates compounding challenges for resource constrained organizations, and what capabilities matter most when you're trying to build cyber resilience without unlimited budgets. We'll also examine why political will matters as much as technical expertise, how the concept of digital towns differs from smart cities, and what role external support systems might play in helping smaller communities meet their cybersecurity obligations. Lars Kruse is a master's student in innovation, defense, and security at the Swedish Defense University.

He recently completed a double degree in International Business Administration at the University of Twente in the Netherlands and the University of Münster in Germany.

His recent thesis focused on cyber resilience in the digital town of the future, exploring how European cybersecurity regulations affect the public sector and what capabilities municipalities need to ensure compliance. Before pursuing his academic path, Lars gained several years of professional experience in the banking industry, including further education at a German banking academy. Alongside his studies, Lars worked as a student assistant in IT consulting for the public sector and strategy consulting for the financial services industry. Please join me in welcoming Lars to SecureTalk today as we discuss the state of cyber resilience and regulatory compliance in the EU.


—---

Justin Beals: Lars, thanks for joining us today on SecureTalk. We're really grateful to have you on the program.

Lars Kruse: Thanks for having me, Justin, and thank you for your interest in my research.

Justin Beals: Of course, I am constantly looking at the latest research work, especially in the compliance space. Certainly there's a lot changing in Europe and the European Union. And so I saw some of the work you were doing. Your research is focused on something that I've read about, digital towns, rather than I think what we like to call it here in the United States, smart cities framework.

And I'm just really interested in how you became curious about the subject, mid-sized municipalities and how their cybersecurity challenges differ from a larger urban center.

Lars Kruse: Right, yeah. So next to my studies, I worked for some time in a software company, in a consulting department basically, and they were working with the public sector. Later, when it came to my thesis during the studies, I had a professor who was working on the topic, and I very quickly stumbled upon the term of smart cities as well. And it seemed to be the popular thing. But yeah, I learned that this working group at the university where I studied was about the digital town, and it was defined by population size, so 20,000 to 100,000 citizens, and a few more aspects that come into play like resource scarcity and the location in a more rural area, it's a very difficult word for a German, so the non-urban area. Right, so smart city concepts, I think they also look at sustainability aspects and other dimensions next to the digital aspect. So the digital town is really focused on the digital things to it, and then cybersecurity comes into play for sure. And just the fact that we have, I think, 80 cities above 100,000 citizens in Germany and more than 600 in this threshold. So that's a really high amount of towns you could look at, actually. So it's maybe an overlooked topic.

Justin Beals: Yeah, this resonates. I live in a very rural area of Washington state in the Pacific Northwest of the United States. And it's almost more fragile in ways to cybersecurity issues and that we don't have large budgets or a large, you know, computing kind of industry surrounding us where we would see that in a much larger city.

Lars Kruse: Yeah, pretty much. Smart city concepts are designed for highly populated cities that have the resources to actually apply these concepts, and towns don't always have that. They have a lack of trained personnel in this area where they are located. They have less financial means. It's something you have to take into account for sure. And research is catching up on that, I believe. So it was a good thing to study that.

Justin Beals: Yeah. And part of your work here was conducting validation interviews. You talked with consultants and researchers during this thesis work. Were there any practical insights that surprised you about how towns or these mid-sized communities were implementing cybersecurity versus what regulators expected to see?

Lars Kruse: Yeah, I think it's a surprise but also not a surprise that when you have very scarce resources to implement these regulations that you maybe have compliance on paper, right? But what happens in reality is maybe different and it could start with something simple like very bad or weak passwords, something like that. So that was mentioned in the interviews that it's still a thing after 25 years that we depend on passwords and the internet, that this is still a weakness in the cybersecurity infrastructure of towns and the public administration. So yeah, that was still a surprise somehow, even though I know it myself that this is a thing still.

Justin Beals: Yeah, it must be intriguing to, you know, I think that the town probably also wants to hold on to some of its traditional way of working, you know, a little closer to, I think, especially the culture of the villages I live near, they love that it is, you know, slower paced and that change doesn't happen as quickly. But at the same time, change is happening around them, and I think at the nation state level, the regulators are changing things, it doesn't filter down all the way.

Lars Kruse: It takes time until it reaches the operational level of a sleepy town, let's say like that. Yeah, you're pretty right that the public administration is maybe a slow mover and the structures are more historically grown, and it's not as quickly changed as the regulators would like it to be, I think.

Justin Beals: Did you feel like there was a fear in these towns of cost, whereas maybe it was just process? You know, it wasn't so much like I've found that some of these changes are more about, we need to change how we do things. That doesn't necessarily mean more cost in that you have to buy a lot of tooling or infrastructure.

Lars Kruse: Of course, if you have very slim budgets, then these new regulations could imply that you have increasing costs. You have to maybe hire personnel, you have to update technology and all these kinds of things. So there might be a fear of that. And so the starting point of all these endeavors of having better cybersecurity in public administration, I think, is really the political will also. That was a topic at the software firm, in the consulting department where I was: that you have to convince the mayor, or whoever is in charge of the budgets, to make him aware that the regulations are not there to annoy him but actually are there to protect the town and administration. And there have been cases, that was actually the introduction case of my work, where an IT provider for public administration, like a centralized software and IT provider, was attacked by cyber criminals, and that led to a complete shutdown of the IT infrastructure of more than 70 municipalities. So I think the political will needs to be there in the first place to allocate resources and budgets.

Justin Beals: Yeah. Can I just say that I think that's true on the commercial side as well. You know, so often we talk to maybe a mid-sized business, and the CTO thinks that because they're going for a certain compliance or regulatory requirement, everything about their business is going to change. But then they oftentimes find out they're doing most of what is required, but they just need some amount of shift in the right direction. And it is to help them be safer. We talk to folks on the backside that are like, actually, we feel better about our operations and that we've had some guidelines that we've implemented from professionals.

Lars Kruse: Absolutely. Yeah. In this scenario, I think also the outside help, like the external help, is needed, by whatever consultants, innovators and people who want to make this change happen.

Justin Beals: Yeah. One of the things I found really intriguing is that in your literature review, you showed that cybersecurity publications had nearly tripled between 2020 and 2024, with 2024 alone representing one third of relevant research. And certainly I've been reading a lot lately on cybersecurity publications in the academic space. You know, can you talk to us a little bit about what's happening in the academic environment? and kind of the growing attention to municipal cybersecurity.

Lars Kruse: Sure. So I specifically looked at cyber resilience, the concept of a digital town and the compliance perspective. So this combination was the research I did in the end, and these publications came up during this research. I believe it makes perfect sense because in the past, let's say five years, so many major regulations and directives have been released by the European Union, and it made everything a bit more complex.

So on the academia side, there's research being done on these regulations, but also on the threat of a more hostile environment everybody has to operate in these days because cyber attacks also increase. So it's a very normal reaction. I'd say that then the regulators come into play and then you have to do some academic work on the whole topic. So it's really like a chain reaction in a way.

Justin Beals: Yeah, I feel like, and maybe you can just give us your perspective as a citizen in the EU. You know, I think there's a more pragmatic approach to understanding the change and how research institutions are an important part of the larger commercial environment or the city infrastructure, the political environment maybe, of how to approach these changes.

Do you feel like that's warmly received and that good research matters to EU citizens?

Lars Kruse: I believe good research matters for sure, and also good regulation matters. That's a very interesting difference, I think, between the US and the European Union. I think from the outside perspective, other continents or countries would think that the EU is overregulated or it's regulating too rigidly. Yeah, I believe it is quite useful, also anticipating future threats. And so we cannot really talk about overregulation here.

And good research is very important. So you should be aware of potential threats. You should be aware of the general compliance situation. So research is really important for this business and also for European citizens, I believe.

Justin Beals: Yeah, I have to be honest. I wish we had a little bit more of that attitude here personally. That's my humble opinion. But I get how certainly as a business leader, in my experience, sometimes regulation can feel like a challenge. But oftentimes I tell people that these regulatory laws are about public trust. And if you're a business and you don't have trust with the public around you, you'll find it very hard to operate effectively.

Lars Kruse: Yeah, I agree.

Justin Beals: You did a systematic analysis of 73 different regulatory requirements, and you showed that GDPR accounts for almost 64% of concrete obligations for public administrators, while newer directives like NIS2 contribute only 26%. Maybe talk to us a little bit about the balance of GDPR, NIS2, and some of the emerging requirements that folks are dealing with.

Lars Kruse: Right. First of all, I tried to find out what are the relevant regulations and directives for the public administration in Europe. So I divided the relevant ones into two groups, like a more directly impacting group of regulations and one indirect. So the direct one is directly addressing the public sector. So I was trying to look for the addressee who is being regulated here. And in the GDPR, of course, the public sector is included.

And then, for example, in NIS2 as well, but only partly. And on top of that, it's a directive. So we have the concepts of a regulation and a directive, and this directive needs to be translated into national law. So it's not directly applicable. So out of these directly applying acts, it is only the GDPR regulation. The rest needs to be translated into national law. That for me at least explains this 64% of obligations for the public administration, because this is the only one that directly applies as a regulation, and the rest is not really addressing the public sector directly.

Justin Beals: Yeah, now you may not be an expert on this, Lars, so I want to hold out that I may be introducing a concept here, but I have understood that there is part of some of these new regulatory requirements that are becoming law. For instance, we've heard recently how Hungary specifically is making something like NIS2 a legal requirement in that particular geo. So is that very typical, that things become sort of a regulatory issue and then certain states may more strongly invest in that regulatory requirement legally inside their environment?

Lars Kruse: Yeah, that's a good thing. I think that they can lift it to a new level and implement it maybe quicker or maybe more rigidly. I think that's helpful. But it also looks like, in a way, that the European Union is not yet regulating the national member states, the EU member states, strongly on the public sector, because I feel like it's a very personal thing for a nation to organize their own public administration.

And in contrast to that, the banking sector is strongly regulated and it should be like that because internationally the whole system depends on that, of course, but the public administration is yet more a national concern.

Justin Beals: Yeah, I think it is a characteristic of the EU of seeing some of these systems as shared infrastructure for the broader EU community. And that regulation sometimes is important for that service to be available to all, even if it's operated from a commercial interest perspective.

Justin Beals: So Lars, GDPR has been really a foundational privacy regulation for nearly a decade now. Certainly, I've worked a fair bit in it with support from a commercial perspective, a lot of customers around GDPR. And I really find it a great law. I wish... You know, in the US, we have more of a patchwork with different states implementing and being inspired by GDPR in a lot of ways.

You know, based on your analysis, how well are the digital towns handling GDPR compliance and are there any persistent gaps that you're seeing that they struggle with?

Lars Kruse: I think in the European Union, everybody is kind of used to the GDPR by now. It's part of everyday business. And in public administrations, I think it's sometimes still the simple and small things, as I said earlier, like with passwords, for example, or a multifactor authentication standard. So these things maybe are not yet implemented in every small digital town, let's say, or maybe less digital sometimes.

So, yeah, this is a discrepancy I think we still see, which is what is meant by compliance on paper. So everything is kind of set up. You have a data security chief officer in place. You have all the necessary structures, but maybe not the digital infrastructure or training of the employees. Yeah, having weak passwords or, I don't know, not yet implemented multi-factor authentication, that's really something that's maybe lagging behind.

Justin Beals: Yeah, even taking some of my companies, when we wanted to sell into the EU through GDPR compliance, it does. There was one thing to say we had the right policies in place, we had the right digital protection officer in place, but you're right. Like the team being able to operate the processes of having a record removed or being able to highlight a particular breach or issue, that I think even on the commercial level lacked. And so that sounds like, you know, while they might've written a policy that, you know, talked about adhering, the actual operational characteristics may have been missing or unexercised and therefore could cause challenges, right?

Lars Kruse: And that's, I think, the most important level, the operational level. And that was also part of the conceptual model that I derived from the whole research, which showed that the public administration depends on so-called strategic capabilities, such as financing or organization to some degree. But in the end, who's really providing the cyber resilience or the cybersecurity is the operational level. So people, technology, and certain policies that are guiding the two.

So that's really what it comes down to, and that requires, of course, money and effort. And if that's not given, I think we have no operational cyber resilience.

Justin Beals: Yeah, I deeply agree with you here that very often when we think about compliance, like we've written a couple of policies and we feel like we check the box. I just, I think as a person that's been more of a software developer or worked in application engineering, I always struggled with it because I agreed with the requirements of the activity.

But I didn't like that it was very performative as opposed to, this is how we operate day in, day out. We do this just the same way as we decide to sell or we decide to operate HR or we decide to run our IT. It's like we miss the best opportunity of some of these regulations, which is to build more resilient organizations fundamentally.

Now, your framework analysis, when you looked at GDPR, it did reveal that it contained the majority of concrete requirements. So I think that people reading it, especially public administrators, could really understand what was needed or required by it. But then there are certainly new directives like NIS2 that remain a little vague. How did you think about navigating the ambiguity in some of these regulatory requirements, especially when talking with folks that are public administrators and might not be used to those?

Lars Kruse: Yeah, so I mean, with NIS2, it's a directive in the European Union, and it has to be translated into national law, and there's a deadline, and it's not directly applicable. And also there are two main conditions to be an addressee of this directive, or then later the national regulation. And the first is that the member state is given some leeway to decide on their own if they want to apply this regulation on a local public administration level.

And secondly, it depends on the size. You know, normally, I think it was above 50 employees and bigger than 50 million turnover per year, that's the threshold where it begins, where you're automatically part of NIS2. And I think for public administration, which is only partly addressed by this directive, it's difficult. Yeah, the first thing is you have to find out, am I actually included or not? So does it apply to my administration? And then you should also, I think, generally look a little bit left and right at what regulations are there about this topic like cybersecurity. Be aware of other regulations of other industries maybe that could help me. And yeah, it's getting more complex for sure. And I think that's also something you're working on for sure with your company, to make it more accessible. There's a more complex compliance situation.

Justin Beals: Yeah. You know, I have oftentimes thought of these compliance requirements more as a testing rubric and it's really hard to take a testing rubric and design practices out of it. It's kind of, you have to work backwards in a way and it requires a different kind of thinking. But I like that you mentioned that because if we can make what we expect to happen simple to understand, you know, and kind of playing in its practice, that I do think that that is a well-designed security practice, whether it's cybersecurity or some other form of security. And of course, when they write the regulation, they're thinking of how to assess meeting the regulation, not how to implement the thing. I tell folks all the time, like, you can't look at a standard like, well, once we deal with the United States, it's like SOC 2 or even an EU ISO 27001, and it will tell you what to do. You have to figure out how what you do translates into what its outcomes are.

Lars Kruse: It should be very concrete in a way that you have a checklist basically, that would be optimal, and I think there could be some innovation used on the regulatory side. It's just getting more complex with every regulation that is released and it could be a bit easier, I believe, overall.

Justin Beals: Yeah. Let's talk a little bit about DORA. I think DORA is one of the newer requirements that has rolled out. DORA is, you describe it as a blueprint for cyber resilience. It's mostly focused on financial services organizations, DORA is. Can you walk us through a little bit of your examples of how a municipality could adapt DORA's requirements for their cyber resilience strategy?

Lars Kruse: Of course, I mean, DORA is focused on the financial sector, that's right, but it is so well made in a way that it could be used as a checklist basically, and that's something a public administration could implement. There are so many good mechanisms you could use from this regulation. One to mention is for example the third-party risk management.

So that's especially interesting I believe for the public sector because they have such a fragmented supplier landscape of different kinds of software packages. Sometimes every single process has a single supplier with their own software and it could be outdated, it could be old. Yeah, it's interesting to map out your supplier landscape, the third-party service providers and assess the risk. So that's really not yet, I think, done in the public sector.
In DORA, Chapter 5 clearly states that you have full responsibility even if you outsource the service. So that's something that really helps. I believe that when you're still responsible for what your supplier does, then you think twice. Do I want this supplier, or should I maybe change the contract a bit? So that's really important in my opinion, and just being aware of the risk, the map of suppliers, and it also includes pre-contract risk assessment.
So even before having a contract you should assess the risk of this future business partner in a sense. And what was also mandatory is to include an exit strategy. What if to, I don't know, however what the reason could be you can still exit this contract when the supplier is not trustworthy anymore or there's some certain scandal going on or a data leak or whatever reason, you can still quit that.

So that's something you could really look at. So DORA is really a blueprint, I believe, the public sector could implement, and also about the financial requirements. The public sector, with a set digital town, not having enough resources financially, but also personnel. But the financial aspect is interesting because that's quite novel in DORA, I believe, that it was regulated. So DORA expects the financial industry to allocate a certain budget that matches the risk they have, and it's something that's not yet used in a public sector regulation. I think it's needed because that's what you said also. Nobody tells them how to do it. It's just please do this, but you don't know how when you're missing the financial means.

Justin Beals: Yeah, that is an innovation. I mean, we don't talk about compliance as an innovative space, but it's certainly changing, right, Lars? And new rules like DORA are introducing new concepts into how they're going to expect people to roll out cyber resilience. I think that it's great that they specify that you have to invest in this. Yeah.

Lars Kruse: It should be innovative, yeah, it's still a bit vague, but that's okay. I believe they're not using hard numbers. It comes down to the whole regulation philosophy they're following. So the idea is that the allocated budget matches the exposure they have. So it depends on an individual profile and maybe their own supplier network. So that's something you can combine even and to see, okay, this is our risk. And then we allocate a certain budget, and then it's a regulated thing. It doesn't take much effort anymore to convince political leaders in these towns because it is the law basically, and it's something you can still do in the European Union, I believe. I mean, the nation states, they still want to have their own administration, of course. Yeah, but I believe it's really needed to regulate that in the future.

Justin Beals: Yeah, I also think the third-party risk situation is just such a difficult problem, you know, I think to tackle in a more quantitative instead of qualitative way, and also it's probably an area of innovation. So much of that third-party risk is measured by self-attested questionnaires or what was in a contract. I do think that's an area of opportunity where people could ask for more validated evidence of effective practices from their supply chain or a more common measurement tool for suppliers. Right now, it definitely feels like a real hodgepodge of ideas.

Lars Kruse: Yeah, exactly. So DORA, as a blueprint, I think that's helpful. That's what I meant by looking left and right to be aware of the other regulations and industries, especially if you're operating in a field that is not yet, at least on a European level, very regulated. So you depend on national laws more. It's a whole different field of study on its own, on a national level. I was really looking more on the European scale.

Justin Beals: I'm curious, just having done this research work, this literature review, and I realize these are hard questions to answer sometimes, but if you were to make a prediction around where innovation, regulations, and financial investment requirements are going, you could see either a minimum or a percentage investment compared to revenue or some amount of dollars attributed to cyber resilience per spend. But it seems like if you were to get more quantitative with expectations, those are the types of levers that a regulatory body would have, right?

Lars Kruse: I think so. What you mean is that, yeah, I agree that you have to allocate a budget and put the efforts there where they matter. Yeah, looking at the risk, for example, is helpful. Then you can more or less assess best what budget you need to allocate if you have awareness about your risk situation and your individual profile.

Justin Beals: Yeah. Okay. Let's talk a little bit about some of the analysis you did. So you did a framework analysis and you ranked the capabilities by the frequency of regulatory mentions. You know, like training capability at an organization scored the highest with 37 coded references while financial capabilities scored the lowest with just 19. Does this regulatory emphasis match what you observed in practice during validation interviews?

Lars Kruse: Partly, yeah. So, I mean, first of all, it really resonates the fact that the financial aspect is not regulated really. So that's why it's scored lowest, I believe. And the training capability that shows that, yeah, on an operational level, we still depend on humans a lot still. 
That could be reduced through, like, whatever automation or something. 

But yeah, the first few categories that were mentioned in this course were training, technology, and also organization and policy. So this kind of socio-technical system that you have, which is guided by the right policies, is the whole operational level.

And that scored the highest because that's the level that provides the cybersecurity. And that was also fully confirmed by the interviews. And so they also mentioned that training, for example, is cheaper than hiring somebody. So training of their own staff is important to increase their operational capability. For example, training the trainer, hiring individuals, and then training them and using them as multipliers. So that was mentioned as a practical example in the interviews and that aligns with this capability ranking.

On the other hand, the financial aspect it was mentioned as almost a starting point. So first, you have to be convinced there needs to be the political will and the strategic direction, okay, I want to be more secure in the cyberspace in my administration. And then, already what you need is money, and that's not really aligned with this ranking. So it is very important, even though in a regulatory perspective, it's not really a topic, not yet.

Justin Beals: Yeah. I do think across the board, when I talk to security leaders, the softest area, the easiest target is the human beings, you know, in your organization. I'm not surprised that training ranks highly, and no one likes to spend more money. Not surprised that financial ranks lower, although to your point, it's a great measuring tool for is your

Lars Kruse: Yeah, exactly.

Justin Beals: Is your investment in security matching the level of risk or what could be lost in an event? Yeah.

Lars Kruse: Yeah, yeah. So I think the approach was interesting to just look at the regulations, and I tried to code different capability categories and see who's the addressee, is this regarded to technology or people, and then the ranking came out. Yeah, I mean, you have to be honest and say that finance is not really a part in the regulation. So yeah, it makes sense that the ranking came out like this and the training is important.


Justin Beals: So your analysis shows that many EU cybersecurity requirements are directives requiring national implementation rather than direct regulations. How does this create challenges for the towns trying to understand their actual compliance obligations?


Lars Kruse: I think it increases complexity because you have regulations on the European level already. Then you have directives, and they are translated into the national law of your country, respectively. That takes time. So there's a certain deadline the European Union provides to the member states until they have to implement it. And then there's oftentimes a certain amount of leeway in how they can do it. So you have to be really aware of what the directive expects, but also how your country is implementing that into the national law. And then of course, the regulated area in the European Union is kind of fast-paced these days.

So, the past five years, that's what I mentioned, is that they released new major regulations. And I believe in the future it could also happen that new regulations are released and the old one is not yet fully implemented. I think in indigenous towns, it could be an increasingly challenging task to still oversee everything and to keep up with the So maybe external help is necessary. That's a way, but it requires budget again. Yeah, or you need something very innovative, something smart to get an overview and handle this challenging environment.

Justin Beals: Yeah. I think what you're describing for me is, let's say, a town, you know, I mean, not a city size, but this midsize community, you know, they're trying to get one of these frameworks rolled out. The second one is now released. They're behind on the first one. It's compounded by the second one. You know, we would describe that as feeling like you're drowning essentially in new regulations. Yeah. And I think what you're advocating here is almost an investment in these organizations, whether from themselves or in partnership with the larger nationality, and helping them get that rolled out. Some resourcing that can give them the assistance they need to be on top of the changing landscape.

Lars Kruse: Yeah, pretty much. That could also happen on the European level. I think there are certain institutions put into place, but really more for international and bigger players. And with the new regulation, the CSA, the Cyber Solidarity Act, the European Union is now trying to build up certain capacities that in the worst case, in the case of an incident, could be supplied to this institution and support, for example.

So this is not yet being discussed, I believe, on this town level. So even though they could use external help, the European Union, of course, uses their efforts mainly for their critical infrastructure, which I believe the public administration is part of overall. But yeah, it's a smaller town, so I think they need external help, but they cannot really afford it.

Justin Beals: Yeah. As a matter of fact, one of the issues for these smaller towns, and you talk about it in your work, is the, I'm going to butcher this name, so I apologize, but the Südwestfalen IT ransomware attack. It affected 72 different municipalities. Can you give us a little background on the attack and the capability framework for the supply chain issue? Yeah.

Lars Kruse: Very good. Yes.

Yeah, so a few years back they were attacked by the cyber criminals called Akira. It's a group that basically encrypted the files, and the idea was, then we blackmail the IT provider and we ask for money to decrypt the files. And Südwestfalen IT, or SIT for short, reacted quite quickly, shut down their systems, which could also happen in an automated way.

To be even faster, but here it was humans responding. So this operational level, as I said, is really depending on humans still. Here it worked out. I think the final report of the incident concluded that it was a mix of human and technology that failed, but with a strong emphasis on the human operational component. So guessable passwords and certain VPN access allowed the intruders to encrypt these files and to press, basically to blackmail, SIT. So that's what happened. 72 municipalities were affected because they outsourced their IT to this SIT company. It took thousands of hours to recover everything. And after a few days of complete shutdown, they were able to start working again. So that is also the case I opened my research with, because it is such a simple thing to have strong passwords or updated software and multi-factor authentication, and these small things. Yeah, such a big incident happened, and it was really one of the larger ones in recent years.

Justin Beals: Yeah, first off, terrible that of course these are probably the size of municipalities that can least afford this type of attack. And they do represent a large part of the population. And of course for cyber criminals, those ransomware things have been lucrative. And so we've seen more investment by cyber criminals in those types of crimes.

Lars, first off, drawing to a close here a little bit, I was very grateful for your research work in this space. I learned a lot being able to read it. So, on top of that, I'm kind of excited to hear about what you think about doing next in your work and what might be ahead for you. Yeah.

Lars Kruse: Yeah, first of all, thank you for the invitation. It was a really interesting experience. It was a nice conversation, I believe. And yeah, in the future, I think I want to continue working on that topic. That's actually being discussed right now with the university I did this research at. So that could be something that I still work on, this specific topic. Yeah, but also I started my master's degree now. I moved to Sweden for that. I left Germany and now I study here at the Swedish Defence University.

And I want to focus also on cybersecurity. So I think that's a really interesting field and it's going to be very important also if you look at the current geopolitical situation, being already in some way in a hybrid warfare situation where we have cyber attacks and they might originate from different nation states. Yeah, I want to work in that field and I want to contribute to making Europe more secure for sure.

Justin Beals: That's amazing and already a really great contribution, a great kickoff to what I think will be a meaningful career, Lars. Yeah, and I think German for interesting is probably positive, and this has been a wonderful conversation. I'm really, really grateful, and I especially appreciate the kind of academic rigor of the research work, so we are grateful for you to be a guest with us today, Lars.

Lars Kruse: Thank you.

About our guest

Lars Kruse, Master's Student in Innovation, Defence and Security, Swedish Defence University

Lars Kruse is a Master’s student in Innovation, Defence and Security at the Swedish Defence University. He recently completed a Double Degree in International Business Administration at the University of Twente (The Netherlands) and the University of Münster (Germany). His bachelor’s thesis focused on cyber resilience in the digital town of the future, exploring how European cybersecurity regulations affect the public sector and what capabilities municipalities need to ensure compliance.

Before pursuing his academic path, Lars gained several years of professional experience in the banking industry, including further education at a German banking academy. Alongside his studies, Lars worked as a student assistant in IT consulting for the public sector and strategy consulting for the financial services industry.

He is eager to specialize in cybersecurity and contribute to strengthening Europe’s cyber resilience and security.

Justin Beals, Founder & CEO, Strike Graph

Justin Beals is a serial entrepreneur with expertise in AI, cybersecurity, and governance who is passionate about making arcane cybersecurity standards plain and simple to achieve. He founded Strike Graph in 2020 to eliminate confusion surrounding cybersecurity audit and certification processes by offering an innovative, right-sized solution at a fraction of the time and cost of traditional methods.

Now, as Strike Graph CEO, Justin drives strategic innovation within the company. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics.

Justin is a board member for the Ada Developers Academy, VALID8 Financial, and Edify Software Consulting. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” which was published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.
