The European Union response to cyber threats
THE THREAT LEVEL 2017: Wake up call on cyber threat: Wannacry et NonPetya. Wannacry attacks: 150 countries and 230 000 systèmes. 50 billions of connected objects by 2020: opportunities but risks 80% of firms in the EU have had at least one cyber-attack in the last 12 months. Cybersecurity incidents have increased by 38% in one year. Ransomware is the most frequent attack. It increased by 300% since 2015. A new cyber attack could cost more than 100 billion euros to the world economy. Not Petya costs were evaluated at one billion euros already.
The EU’s response: A NEW CYBER-STRATEGY In September 2017, the EU adopted a revised cyber –strategy based on three pillars: Resilience Deterrence International cooperation and defence
The EU’s response: A NEW CYBER-STRATEGY Establishing a stronger European Union Cybersecurity Agency built on the Agency for Network and Information Security (ENISA) to assist Member States in dealing with cyber-attacks. Creating an EU-wide cybersecurity certification scheme that will increase the cybersecurity of products and services in the digital world. A Blueprint for how to respond quickly, operationally and in unison when a large scale cyber-attack strikes
The missions of the EU CYBER SECURITY AGENCY Policy development and implementation: to strengthen support to the Commission and Member States in the development, implementation and review of general cybersecurity policy and in key strategic sectors identified by the NIS directive e.g. energy, transport and finance. Operational cooperation: to contribute to cooperation in the network of Computer Security Incident Response Teams (CSIRTs) at EU level and provide assistance on request to Member States to handle incidents. Capacity building: to reinforce support to Member States in order to improve capabilities and expertise, for instance on the prevention of and response to incidents. Knowledge and information: to provide analyses and advice and to raise awareness, to become the one-stop shop (InfoHub) for cybersecurity information from the EU Institutions and bodies. Market-related tasks within the Cybersecurity Certification Framework prepare candidate European cybersecurity certification schemes, with the expert assistance and close cooperation of national certification authorities. Schemes would be adopted by the Commission.
THE EU CERTIFICATION FRAMEWORK At the moment: a number of different security certification schemes for ICT products exist in the EU : increasing risk of fragmentation and barriers in the single market. The EU-wide certification framework will create a comprehensive set of rules, technical requirements, standards and procedures to agree each scheme. This certificate will attest that ICT products and services that have been certified comply with specified cybersecurity requirements. The resulting certificate will be recognized in all Member States, making it easier for businesses to trade across borders and for purchasers to understand the security features of the product or service. The use of certification schemes will be voluntary unless future EU legislation prescribes an EU certificate as a mandatory requirement to satisfy a specific cybersecurity need.
THE DIRECTIVE ON SECURITY OF NETWORK AND INFORMATION SYSTEMS (nIS) Adopted in 2016 The NIS Directive represent the first ever EU-wide law on cybersecurity. The Directive will increase the security of network and information systems within the EU. The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU by ensuring: Member States' preparedness : via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority, cooperation among all the Member States, by setting up a cooperation group, in order to support and facilitate strategic cooperation and the exchange of information among Member States. And a CSIRT Network, in order to promote operational cooperation on specific cybersecurity incidents and sharing information about risks a culture of security across sectors energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Businesses identified as operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority. Also key digital service providers (search engines, cloud computing services and online marketplaces) will have to comply with the security and notification requirements under the new Directive.
THE NETWORK OF CYBERSECURITY COMPETENCE CENTRES and A NEW EUROPEAN CYBERSECURITY COMPETENCE CENTRE The European Commission proposed in September 2018 the creation of a Network of Cybersecurity Competence Centres and a new European Cybersecurity Industrial, Technology and Research Competence Centre to invest in stronger and pioneering cybersecurity capacity in the EU. A wealth of expertise already exists in Europe - there are more than 660 cybersecurity competence centres spread across the EU.
THE NETWORK OF CYBERSECURITY COMPETENCE CENTRES and A NEW EUROPEAN CYBERSECURITY COMPETENCE CENTRE The European Competence Centre: Will coordinate the use of the funds foreseen for cybersecurity under the next long- term EU budget for years 2021-2027 under the Digital Europe and Horizon Europe programmes. The centre will support the Network and Community to drive the cybersecurity research and innovation. It will organise joint investments by the EU, Member States, and industry. For example, under the Digital Europe programme €2 billion will be invested in safeguarding the EU’s digital economy, society and democracies by boosting the EU’s cybersecurity industry and financing state-of-the-art cybersecurity equipment and infrastructure.
THE NETWORK OF CYBERSECURITY COMPETENCE CENTRES and A NEW EUROPEAN CYBERSECURITY COMPETENCE CENTRE Network of National Coordination Centres: Each Member State will nominate one national coordination centre to lead the network, which will engage in the development of new cybersecurity capabilities and broader competence building. The network will help to identify and support the most relevant cybersecurity projects in the Member States. Competence Community: A large, open and diverse group of cybersecurity stakeholders from research and the private and public sectors, including both civilian and defence authorities.
WHAT ABOUT CYBER-CRIME? - Operational and technical support: EUROPOL set up a specialized centre: the EC3 Center. Supports MS and third countries in investigating cyber-crimes, including with relevant tools and techniques (e.g encryption). CEPOL also supports third countries regarding training on cyber issues. - legislative action: proposal made by the European Commission on e-evidence in April 2017. To ensure easier and faster access to electronic evidence: direct request to service provider by a Member State jurisdiction.
The international dimension - Strong cooperation with NATO: July 2019 EU-NATO Declaration includes cooperation on countering hybrid and cyber threats - In November, EU and NATO completed the 2nd parallel and coordinated exercise (PACE) based on a cyber scenario. Testing and improving our response. - Capacity building and support to third countries: EU External Cyber Capacity Building Network to mobilise the collective expertise of EU Member States for EU- funded external cyber capacity building programmes