By PATRICK STEPHENSON, with BROOKS TIGNER
BRUSSELS – In June, a 13-year-old United Nations panel on cybersecurity abruptly and acrimoniously disbanded. The panel, known formally as the Group of Governmental Experts (GGE) in information and telecommunications, reportedly collapsed because participants could not agree on a ‘right to self-defence’ against cyber-attacks as grounded in Article 51 of the United Nations Charter.
Russia and China opposed the formal declaration of such a right, fearful that self-declared victims could use their status as a pretext for sanctions or other actions.
With the UN paralyzed, the private sector is getting into the fray. Microsoft and other big tech companies, for example, continue to call for a “digital Geneva Convention”. This, they argue, would improve cyber-attack attribution, making it harder for governments or other actors to use the internet to violate international law.
It’s no wonder that the private sector is stepping up its game: private sector assets such as data centres and communications networks are the backbone of ‘critical information infrastructure’ that’s targeted when government-backed cyber-rogues go on the attack. Thus in this new kind of warfare one state does not physically attack another, but attacks its information and technology sector.
Is an inter-governmental saviour on the horizon?
On 13 September, the European Commission released its new ‘cybersecurity package’ which builds upon its now-outdated 2013 cyber security strategy. In his State of the Union address the same day, European Commission President Jean-Claude Juncker said “Europe is still not well-equipped when it comes to cyber-attacks.”
Among other measures in the package, the Commission proposes a new European Cybersecurity Agency to help cope with information warfare and criminality.
SECURITY EUROPE recently spoke with Microsoft’s Jan Neutze, director of cybersecurity policy for Europe, the Middle East and Africa, prior to the package’s release. He cautioned that the latter had “a big void” to fill in keeping up with cyber-developments. “Having a second strategy after five years is not that bad” for the Commission, he said. “But it is a long time in technology.”
In August, Neutze penned a blog anticipating the EU’s cybersecurity package that called for progress in four areas: protect, respond, collaborate and deter. The first means enforcing the EU’s Network Information Security (NIS) Directive, scheduled to come into full force in May 2018.
The second calls for governments to adopt more effective vulnerability disclosure policies. In particular, Neutze urged governments to adopt coordinated vulnerability disclosure (CVD) – a policy to notify private-sector actors promptly about suspected vulnerabilities in their software or infrastructure, as opposed to sitting on those vulnerabilities to use for one’s own purpose. For example, the WannaCry ransomware attacks in May 2017 were possible, in part, because hackers exploited vulnerabilities widely believed to have leaked out of the National Security Agency of the United States.
The third area – collaborate – refers to multilateral and bilateral frameworks where cyber-defenders could strategise against future threats, whereas the deter objective includes improving cyber-attack attribution or finding out who is launching what. Indeed, cyber-attacks work because no one can prove who launched them. But if an attacker – particularly a nation-state – were definitively exposed and subject to international censure, then other potential attackers might hesitate. Neutze believes that a digital Geneva Convention could help to set up such an attribution process.
But now that the package has been unveiled, does it fill in the blanks regarding his four ‘headline’ areas? The short answer is: not really, particularly regarding CVD policies.
“We had hoped that the [package] would be an opportunity to raise the issue, and promise some guidance, or highlight the importance of the discussion,” Neutze said. But this opportunity was missed. The proposed regulation does not even mention the topic, while appearing to propose little that would directly improve cyber-attribution – crucial to deterring future cyber-attacks.
It does, however, plump for the new cybersecurity agency, which will build on and replace the European Network Information and Security Agency (ENISA). However, the bureaucracy pile-on continues with the package’s proposal for a European Cybersecurity Research and Competence Centre to “help develop and roll out the tools and technology needed to keep up with an ever-changing threat”. It also calls for an EU-wide cybersecurity certification scheme and, of course, ever-deeper cyber cooperation between the EU and NATO.
The proposed new cyber entities might help to achieve these goals, but it’s tempting to say that if another bureaucratic entity were the solution, then ENISA or EU-LISA – the EU’s database management agency – would have nailed the issue long ago.
The real problem remains that some member-states prefer to keep their cyber-defence strategies to themselves. That is surely why private sector actors such as Microsoft see no choice but to take the political offensive, given that it’s their assets that are often under attack.