Is Europe Cyber Ready?

Posted on 23rd November 2018

On 16 November, POLITICO gathered policy-makers, experts, regulators and industry leaders at the Résidence Palace in Brussels to debate whether Europe is ‘cyber ready’. The short answer? No.

But, they decided, we are getting there.

The EU has made good progress in tackling digital threats, with the adoption of the Directive on Security of Network and Information Systems (NIS) earlier this year and voting on the Cybersecurity Act expected this winter. Nevertheless, there’s still a lot of work to be done, as confirmed by the opening interview with European Commissioner for Security Union Julian King, who discussed the cyber-risks to democracy.

According to King, there are at least three cybersecurity fronts which require immediate attention: securing systems, tackling online misinformation, and protecting personal data. With the GDPR becoming the de facto global standard, Europe leads on the data protection front, but it is lagging on cybersecurity, particularly compared to the US. Testing Europe is perhaps the biggest upcoming cyber threat: the 2019 European elections, which will affect more than 300 million potential voters in 27 countries.

There’s little regulation on how to respond to threats and attacks during elections. King believes that, although elections are a national responsibility, the EU should support the deployment of legislation by bringing stakeholders together and developing and sharing best practice. For online misinformation, a less defined but equally dangerous threat to elections, the EU has agreed to work with social media platforms to define objectives for dealing with fake news, with monthly progress reports.

For illegal content (such as terrorist propaganda), the EU is going beyond voluntary cooperation. “We are not shy of going the extra step to enforce legislation,” said King, who also praised the evolving policy and practical cooperation between the EU and NATO.

Next up, a panel on Europe’s tools, innovation and sovereignty in cybersecurity. Despina Spanou, Director for Digital Society, Trust and Cybersecurity, hailed Europe’s internal market approach as a strength for bringing public and private stakeholders together where “every voice is heard.” Like King, she flagged the importance of the NIS Directive in strengthening cybersecurity in the EU, as well as providers’ responsibilities in reporting breaches and ensuring good security.

Despite the focus on the NIS Directive, other EU initiatives were also mentioned, including the proposal for a European Cybersecurity Competence Network and Centre, which aims to create a network of National Coordination Centres to develop the cybersecurity technological and industrial capacities necessary to secure the EU’s Digital Single Market.

These initiatives are being backed up by strong private-sector involvement, as Luigi Rebuffi, Secretary-General and Founder of the European Cybersecurity Organisation (ECSO), pointed out. For every euro invested in cybersecurity by the public sector, he said, the private sector is investing five, but this is still ten times less than the US (though US funds include defence). Staffan Truvé, Co-founder and CTO of Recorded Future, argued that European research and development of cybersecurity tools is going strong with a lot of interest from US investors, but the market is still around three years behind in awareness and adoption.

The biggest challenge, according to Truvé, is the shortage of skilled employees to run cybersecurity within other departments. The panel concluded with the priority areas for investment in cybersecurity, which included AI to counter AI (such as automated phishing emails), protecting IoT devices, and creating a certification framework.

Outside this arena, panellists argued over whether the situation is getting better or worse for diplomacy in cyberspace. According to Carmen Gonsalves, Head of International Cyber Policy in the Dutch Ministry of Foreign Affairs, a lot of work needs to be done on a national level to combat state hacks. Cyber norms are going in the right direction, she said, but there’s a need for more consensus. Chris Painter, Commissioner on Stability of Cyberspace, agreed with her cautious view, adding that norms are only valuable if there’s accountability. Antonio Missiroli, Assistant Secretary General for Cybersecurity at NATO, held a slightly more optimistic view on the grounds that the cyber conversation is now going beyond governments, with initiatives like the Paris Call for Trust in Cyberspace.

But panellists wondered if there’d be any real follow-up from the Call. Patryk Pawlak, Brussels Executive Officer of the EU Institute for Security Studies (EUISS), flagged that these multilateral agreements in cyberspace are a double-edged sword, since they risk hijacking the discussion with interstate relations and depriving us of a proper multistakeholder approach.

The panel ended with a debate on attribution for cyber-attacks. Antonio Missiroli suggested carefully building evidence before accusing states, while being mindful of retribution. However, Chris Painter, a former US prosecutor, called for a more direct approach, implying that full disclosure of evidence is not possible: “If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck.”

The event ended with a discussion on making the European elections cyber-ready. Uku Särekanno, Director of Cyber Security at the Estonian Information System Authority, was possibly the most experienced person to comment thanks to Estonian enthusiasm for electronic voting. He shared three recommendations for election security: understand the technical element, prepare a risk analysis, and pay attention to perception (fake news around vulnerabilities). It’s indeed easier to claim that someone has hacked the systems, he said, than to actually do so, but it can be as damaging. John Graham-Cumming, CTO of Cloudflare, concluded that it’s important to think about the range of things that can be attacked. Often attacks are not sophisticated or complicated, but based on weak links in the system like poor passwords or human decisions.

 

Author: Ivan Ivanov, Marketing Manager, Access Partnership
