Home / Our news and views / As the Commission prepares to unveil new cyber strategy by year-end, it will imply big changes in attitude and practices at national level

As the Commission prepares to unveil new cyber strategy by year-end, it will imply big changes in attitude and practices at national level


The EU’s forthcoming cyber strategy should be taken as a living document that covers not only emerging threats but opportunities to improve the uses of existing technologies and specifically information and communication technologies, (ICT), according to officials at the European Network and Information Security Agency.

Due to be unveiled before the end of 2012, the European Commissions’ cyber-strategy must be “a living document capable of keeping up with the ever-changing nature of cyber security,” Steve Purser, head of ENISA’s technical department, told the 23-24 October industry event here known as the Information Security Solutions Conference. He presented ENISA’s analysis of the future cyber strategy document and offered recommendations for its implementation.

Broadly defined, he said the proposal will call for “improvement in cross-border coordination and early warnings, as well as ensuring a strong EU response to cyber crime”. In doing so, it will also require support for R&D investments in cyber technologies and a strengthening of the EU’s security industry.

He said the strategy will acknowledge the cross-border cyber security implications of “people, processes, and technologies” by addressing each of these via coordination of national policies and approaches. This cross-border perspective must be developed to deal with the borderless nature of cyber crime.

Moreover, it will lay down a definition of responsibilities both at national and European levels to ensure that different stakeholder communities have clear goals and responsibilities, thus avoiding duplication.

According to Purser, the new cyber strategy emphasizes that current information sharing structures across Europe are inadequate and must be improved to boost cyber security. Standard operating procedures and other cross-border mechanisms such as universal mandatory incident reporting (see other article) must be agreed and implemented.

Furthermore, technology security solutions must be able to operate across borders to ensure functionality between countries. Otherwise, they will not be used or, worse, will threaten cyber security if applied in a cross-border situation.

Some auxiliary European legislation is already in the works to address certain technology issues such as the EU’s draft regulation for “electronic identification and trust services for electronic transactions in the internal market” (COM/2012/238). Adopted in June, it aims to achieve mutual recognition of electronic identification (eID) and trust services across the EU27, Andrea Servida told the conference. Servida is head of the legislation’s task force within the Commission’s policy department for communications networks, content and technology (DG-CONNECT).

While the eID proposal requires the member states to recognise each other’s notified eID schemes, it does not compel them to have an eID scheme, nor will they be obliged to notify their eID schemes. Despite this somewhat contradictory array of conditions, Servida said the new eID draft regulation “should create confidence in electronic trust services” while promoting more eID use.

For Purser, “similar pieces of legislation are necessary to ensure the cross-border functionality of existing and emerging technologies” to support am effective European approach to cyber-security. Referring to the current lack of minimum cyber security standards among the member states, he said their establishment “would ensure continuity of response and a baseline assurance of security when it comes to cross-border cyber incidents.”

The forthcoming security strategy is expected to call for EU-wide application of the principle of “defence-in-depth” to create resiliency (i.e., fall-back redundancy of systems) in the event of system failures or attacks. This principle is currently in different ways and levels across the EU27.

     THE UPSHOT: According to Purser, the EU’s forthcoming cyber strategy implies a number of accompanying initiatives and changes of attitude at national level. These include: the creation and constant updating of national cyber security strategies and action plans; input from all key stakeholders; close collaboration between the member states and the Commission for the coherent handling of cross-border and international threats; avoiding duplication of effort; and ensuring that the EU strategy aligns with the cyber security goals of the international community
Of the above, duplication of effort may be the most obvious, but it is probably the one that carries the highest risk. While coordination efforts by ENISA and EU work groups can go a long way toward avoiding this across Europe’s public sector, it is the nations’ cyber-security “interface” with business where the thing could spin out of control.
Europe’s large array of cyber-security companies, which grow by the hour, is vying to sell their competing systems as the latest miracle solution. Diverse proprietary software is the rule – and unless all the bridging software that will connect all these systems together is certified as airtight, the “cyber-chinks” in Europe’s armour will continue to provide cyber-attack opportunities.

About Brooks Tigner

Brooks Tigner is editor & chief policy analyst at SECURITY EUROPE. He can be reached at: bt@securityeurope.info

Check Also

The EP pushes for international ban on the use of killer robots

BRUSSELS – Members of the European Parliament (MEPs) are demanding a ban on weapons that have no “meaningful human control”.The resolution, passed overwhelmingly on 12 September by a majority of the MEPs (566)  is non-binding, however, on the 28 member states but is supported by Federica Mogherini, the EU’s policy chief for security and defence policy. She has already begun an international dialogue to try and bring the world into consensus as to the direction of autonomous warfare. The resolution notes that lethal autonomous weapons (LAWs) are machines without the ability or capacity to make human decisions and, as such, remote operators must take responsibility for life or death decisions. Much like drones, these weapons bring up strong ethical and moral dilemma regarding...