
The EU’s new cyber security package already needs an upgrade


BRUSSELS – In June, a 13-year-old United Nations panel on cybersecurity abruptly and acrimoniously disbanded. The panel, known formally as the Group of Governmental Experts (GGE) in information and telecommunications, reportedly collapsed because participants could not agree on a ‘right to self-defence’ against cyber-attacks as grounded in Article 51 of the United Nations Charter.

Russia and China opposed the formal declaration of such a right, fearful that self-declared victims could use their status as a pretext for sanctions or other actions.

With the UN paralyzed, the private sector is getting into the fray. Microsoft and other big tech companies, for example, continue to call for a “digital Geneva Convention”. This, they argue, would improve cyber-attack attribution, making it harder for governments or other actors to use the internet to violate international law.

It’s no wonder that the private sector is stepping up its game: private sector assets such as data centres and communications networks are the backbone of ‘critical information infrastructure’ that’s targeted when government-backed cyber-rogues go on the attack. Thus in this new kind of warfare one state does not physically attack another, but attacks its information and technology sector.

Is an inter-governmental saviour on the horizon?

On 13 September, the European Commission released its new ‘cybersecurity package’ which builds upon its now-outdated 2013 cyber security strategy. In his State of the Union address the same day, European Commission President Jean-Claude Juncker said “Europe is still not well-equipped when it comes to cyber-attacks.”

Among other measures in the package, the Commission proposes a new European Cybersecurity Agency to help cope with information warfare and criminality.

SECURITY EUROPE recently spoke with Microsoft’s Jan Neutze, director of cybersecurity policy for Europe, the Middle East and Africa, prior to the package’s release. He cautioned that the latter had “a big void” to fill in keeping up with cyber-developments. “Having a second strategy after five years is not that bad” for the Commission, he said. “But it is a long time in technology.”

In August, Neutze penned a blog anticipating the EU’s cybersecurity package that called for progress in four areas: protect, respond, collaborate and deter. The first means enforcing the EU’s Network Information Security (NIS) Directive, scheduled to come into full force in May 2018.

The second calls for governments to adopt more effective vulnerability disclosure policies. In particular, Neutze urged governments to adopt coordinated vulnerability disclosure (CVD) – a policy to notify private-sector actors promptly about suspected vulnerabilities in their software or infrastructure, as opposed to sitting on those vulnerabilities to use for one’s own purpose. For example, the WannaCry ransomware attacks in May 2017 were possible, in part, because hackers exploited vulnerabilities widely believed to have leaked out of the National Security Agency of the United States.

The third area – collaborate – refers to multilateral and bilateral frameworks where cyber-defenders could strategise against future threats, whereas the deter objective includes improving cyber-attack attribution or finding out who is launching what. Indeed, cyber-attacks work because no one can prove who launched them. But if an attacker – particularly a nation-state – were definitively exposed and subject to international censure, then other potential attackers might hesitate. Neutze believes that a digital Geneva Convention could help to set up such an attribution process.

But now that the package has been unveiled, does it fill in the blanks regarding his four ‘headlines’? The short answer is: not really, particularly regarding CVD policies.

“We had hoped that the [package] would be an opportunity to raise the issue, and promise some guidance, or highlight the importance of the discussion,” Neutze said. But this opportunity was missed. The proposed regulation does not even mention the topic, while appearing to propose little that would directly improve cyber-attribution – crucial to deterring future cyber-attacks.

It does, however, plump for the new cybersecurity agency, which will build on and replace the European Network Information and Security Agency (ENISA). However, the bureaucracy pile-on continues with the package’s proposal for a European Cybersecurity Research and Competence Centre to “help develop and roll out the tools and technology needed to keep up with an ever-changing threat”. It also calls for an EU-wide cybersecurity certification scheme and, of course, ever-deeper cyber cooperation between the EU and NATO.

     THE UPSHOT: In the face of a dynamic and ever-changing threat, the EU appears to have adopted its go-to move: more (expensive) bums on seats. It’s a shame that the Commission could not place more emphasis on improving the attribution of cyber-attacks or on pushing vulnerability disclosure policies on its member-states. Even though the Commission will argue that the NIS directive takes care of Europe’s disclosure needs, the NIS was a very difficult birth – precisely because of industry’s inherent reluctance to reveal chinks in its cyber-armour. The more opportunity to push disclosure, the better…but the package glided around that opportunity.
     The proposed new cyber entities might help to achieve these goals, but it’s tempting to say that if another bureaucratic entity was the solution, then ENISA or EU-LISA – the EU’s database management agency – would have nailed the issue long ago.
     The real problem remains that some member-states prefer to keep their cyber-defence strategies to themselves. Which is surely why private sector actors such as Microsoft see no choice but to take the political offensive, given that it’s their assets that are often under attack.

