By BROOKS TIGNER
The EU’s forthcoming cyber strategy should be taken as a living document that covers not only emerging threats but also opportunities to improve the use of existing technologies, specifically information and communication technologies (ICT), according to officials at the European Network and Information Security Agency (ENISA).
Due to be unveiled before the end of 2012, the European Commission’s cyber strategy must be “a living document capable of keeping up with the ever-changing nature of cyber security,” Steve Purser, head of ENISA’s technical department, told the 23-24 October industry event here known as the Information Security Solutions Conference. He presented ENISA’s analysis of the future cyber strategy document and offered recommendations for its implementation.
Broadly defined, he said, the proposal will call for “improvement in cross-border coordination and early warnings, as well as ensuring a strong EU response to cyber crime”. In doing so, it will also require support for R&D investment in cyber technologies and a strengthening of the EU’s security industry.
He said the strategy will acknowledge the cross-border cyber security implications of “people, processes, and technologies” by addressing each of these via coordination of national policies and approaches. This cross-border perspective must be developed to deal with the borderless nature of cyber crime.
Moreover, it will lay down a definition of responsibilities both at national and European levels to ensure that different stakeholder communities have clear goals and responsibilities, thus avoiding duplication.
According to Purser, the new cyber strategy emphasizes that current information sharing structures across Europe are inadequate and must be improved to boost cyber security. Standard operating procedures and other cross-border mechanisms such as universal mandatory incident reporting (see other article) must be agreed and implemented.
Furthermore, technology security solutions must be able to operate across borders to ensure functionality between countries. Otherwise, they will not be used or, worse, will threaten cyber security if applied in a cross-border situation.
Some auxiliary European legislation is already in the works to address certain technology issues such as the EU’s draft regulation for “electronic identification and trust services for electronic transactions in the internal market” (COM/2012/238). Adopted in June, it aims to achieve mutual recognition of electronic identification (eID) and trust services across the EU27, Andrea Servida told the conference. Servida is head of the legislation’s task force within the Commission’s policy department for communications networks, content and technology (DG-CONNECT).
While the eID proposal requires the member states to recognise each other’s notified eID schemes, it does not compel them to have an eID scheme, nor will they be obliged to notify their eID schemes. Despite this somewhat contradictory array of conditions, Servida said the new eID draft regulation “should create confidence in electronic trust services” while promoting more eID use.
For Purser, “similar pieces of legislation are necessary to ensure the cross-border functionality of existing and emerging technologies” to support an effective European approach to cyber security. Referring to the current lack of minimum cyber security standards among the member states, he said their establishment “would ensure continuity of response and a baseline assurance of security when it comes to cross-border cyber incidents.”
The forthcoming security strategy is expected to call for EU-wide application of the principle of “defence-in-depth” to create resiliency (i.e., fall-back redundancy of systems) in the event of system failures or attacks. This principle is currently applied in different ways and at different levels across the EU27.
Of the above, duplication of effort may be the most obvious problem, but it is probably the one that carries the highest risk. While coordination efforts by ENISA and EU working groups can go a long way toward avoiding this across Europe’s public sector, it is the nations’ cyber-security “interface” with business where things could spin out of control.
Europe’s large array of cyber-security companies, which grows by the hour, is vying to sell competing systems as the latest miracle solution. Diverse proprietary software is the rule – and unless all the bridging software that will connect these systems together is certified as airtight, the “cyber-chinks” in Europe’s armour will continue to provide cyber-attack opportunities.