Cyber-security in the European Union after EU Cyber Security Conference and Tallinn Digital Summit
The second half of 2017 was marked by the Estonian presidency of the Council of the European Union. During this time, digitalization and cyber-security were put forward as the main priorities. The EU has entered the first phase of the 4.0 economy, in which digitalization and robotization are to become the new pillars of development. However, as we have seen during the last few years, the increase in digitalization efforts comes with an increase in the number of cyber-attacks across Europe.
In this regard, the EU Cyber Security Conference, titled "Digital Single Market, Common Digital Security 2017", and the Tallinn Digital Summit can be seen as part of the reaction to the increasing number of cyber-attacks and security gaps, accompanied by a fragmentation of approaches towards cyber security, and can be highlighted as important events connected with the Estonian presidency. The main purposes of these events were to discuss key issues within the cyber sector, to highlight the most efficient ways of protecting it, and to debate possible future developments and innovations.
One of the key topics was cooperation between the European Union and the Western world, which is essential for securing the cyber and digital environment and for helping countries without a CERT (Computer Emergency Response Team) to build their own capabilities, strategies and approaches to maintaining cyber-security and cooperating with other well-developed countries.
To unify strategies and capacities at least within the EU, the European Commission adopted a cyber-security package, which was presented during the EU Cyber Security Conference. The main points highlighted by panelists were:
- increasing youth capacities to face current cyber challenges
- the need for a cybersecurity emergency fund for rapid response needs
- creation of the European center integrating national centers of cybersecurity excellence
- creation of an EU certification framework for all member states
This package includes the Union's system of cyber-security certification. Furthermore, a new agency should be established on the basis of ENISA (European Network and Information Security Agency), which should serve all member states, EU institutions and entrepreneurs in dealing with cyber-attacks and overcoming possible crisis situations. Member states must implement a cyber-security strategy at the national level and, by December 2018, decide on who is the main provider of the service.
The Commission's proposal for strengthening cyber-security within the EU also includes a plan for reacting to high-impact cyber-attacks, the establishment of a research center for cyber security that would be interconnected with the network of similar centers present in member states, law enforcement with an emphasis on fraudulent cashless payments, and the strengthening of global stability through international cooperation. It is indeed possible to achieve these goals; however, the implementation process as such can be more complicated than it appears. Each member state faces different threats and has a different perception of the situation, and therefore some issues can occur during the unifying process of integration. Member states are supposed to support cyber defense projects and to include cyber security in PESCO (Framework of Permanent Structured Cooperation). In 2018, the European Union is supposed to create a specific platform for the cyber defense dimension of training and education.
One of the key points, discussed not only during the conferences, is global cooperation and the need for global leadership in cyber-security. The necessity to “act now” was stressed mainly because of the 2.5 billion internet users located outside of Europe and the Western world, in countries which have not implemented legislation on cyber-crime.
As mentioned before, importance was also given to operational measures within the EU. It was clearly pointed out that it is essential to bring competent, skilled people together, to set out the main goals clearly, and to avoid fragmentation of opinions and positions. A formal cooperation network of national CSIRTs in the EU was created, and it was pointed out that the important steps which must be taken are to make this network functional, to find a common language (in the technical area and in policy) and, most importantly, to involve every member state in this cooperation.
However, cyber-security should not be seen only through the prism of technologies. It was discussed that the cyber domain is primarily a political domain and that cyber-enabled hybrid influence will increase in the future, especially through the influence cyber-space can have on national elections. Awareness of cyber-security should be raised among office workers, and regular communication between IT specialists and administration should be improved.
As these threats represent a very difficult area of operation, a new Center of Excellence for Countering Hybrid Threats was established and came into force in July 2017, with Matti Saarelainen, Doctor of Social Science, appointed as head of the center. As Jori Arvonen, Chair of the Steering Board of the Centre, says, hybrid threats have become an important part of the European security environment, and the purpose of the center is to respond properly to this situation. In September 2017, 12 participating countries, the EU and NATO took part in a seminar at which the main strategy for this year was defined. It was followed by an official inauguration of the center in October 2017.
However, cyber security is not only about the protection of information. It is also essential to manage the appropriate flow of information. To do so, EU institutions, national entities and NATO need to use the right type of language, through which they can inform and hold discussions with experts as well as the public, and make the information understandable across different social structures. Cyber experts and institutions can gain credibility through small steps, not through huge steps that are overestimated or misperceived. It must be done step by step to ensure that the decisions are sound.
EU and NATO cooperation
Cyber security is also necessary in order to maintain and protect military and defense capabilities, soldiers and military technologies. Abuse of the information and data on these matters can cause unpredictable and very critical damage with a high impact throughout the whole society.
Another sphere where cyber security plays an important role is public transport and telecommunication. Two important questions were raised several times during the conferences: is public transport resilient enough to withstand these attacks, and what are the main gaps? It was emphasized that telecommunication networks and public transport must be analyzed and tested for potential vulnerability to cyber-attacks. Furthermore, cyber-attacks also represent a crucial danger to medical devices and hospitals.
As already mentioned, cyber security and the protection of society and the cyber environment against any form of attack is not only about strategies and capabilities, but also about research and innovation. This area represents one of the most crucial parts of cyber security. Experts, national entities and institutions must consider the fact that it is necessary to “build bridges” across different communities, from IT and politicians to military communities and individuals. European institutions and state authorities must ensure that there is a proper harmonization of norms and rules, training and cooperation to limit any gaps or misperceptions.
Furthermore, mutual recognition and cooperation between the EU and NATO play a very important role in securing the cyber sector. However, the focus should not be only on the European or state level. Cyber security should come from bottom-up processes. Everyone must be aware of how to protect their devices to eliminate any chance of a cyber-attack. The NATO Centre of Excellence for cyber threats represents a place where this approach is analyzed and applied. It provides education for leaders and specialists from NATO and partner states, services for proper development, improvements for unifying standards, and research. In Tallinn, the European Cyber-security Research and Competence Centre is the next step towards greater cooperation. Its main purpose is to develop the tools and technology needed to keep up with the constantly changing environment and with cyber security as such.
Over the past several years we have seen how easy it is to attack and hack individuals’ e-mail accounts or bank accounts. This is caused by the increasing digitalization of society, which makes all spheres of one’s life online and easily accessible. Even though this digitalization has had several benefits and advantages, one risk is obvious: anyone can attack anytime and anywhere.
Cyber space is transforming quickly, and being flexible is crucial to keep up with both allies and enemies. Cyber conferences, cyber exercises and newly adopted strategies initiated by EU member states are clear signs that cyber threats are being taken seriously. Once theory is put into practice, we will be able to discuss successes and failures in this area. For now, we can only say that the European Union is taking promising steps in the cyber security sector.
In particular, the Czech Republic has been one of three countries which implemented a specific law related to cyber-security, and established the National Cyber and Information Security Agency and other related institutions. From the legislative and institutional perspective, the Czech Republic is ready to secure cyberspace, with the key process being the implementation of norms and measures within the public sector, but also in the business sphere. Experience to date has shown that the private sector is better prepared for a potential cyber-attack than institutions in the public sector.
Written by Tereza Novotná and Tímea Miková