Analytics, Cybernetics, EU – Baltic States, Modern EU, Security

Impact of cybersecurity incidents could cause major economic damage of hundreds of billions of euros each year to European businesses and the economy at large. Such incidents undermine trust in the digital society as well. Theft of commercial trade secrets, business information and personal data breaches, disruption of services and of infrastructure result in economic losses of hundreds of billions of euros each year.

According to a recent survey, at least 80% of companies in Europe have experienced at least one cybersecurity incident over the last year and the number of security incidents across all industries worldwide rose by 38% in 2015, compared to 2014.

 Commission decided to strengthen cybersecurity. Since the adoption of the EU Cybersecurity Strategy in 2013, the European Commission has stepped up its efforts to better protect Europeans online. It has adopted a set of legislative proposals, in particular on network and information security, earmarked more than €600 million of EU investment for research and innovation in cybersecurity projects during the 2014-20, and fostered cybersecurity cooperation within EU states and globally.

But the increasing number and complexity of cyber-threats is still a problem: this is why the Commission proposed a new series of measures to reinforce cooperation to secure Europe's digital economy and society, and to help develop innovative and secure technologies, products and services throughout the EU.

Urgent Commission’s measures

 The Commission’s measures to further strengthen Europe’s cyber resilience and its cybersecurity industry will include:

·         Step up cooperation across Europe: Commission encourages EU states to use cooperation mechanisms under the forthcoming Network and Information Security (NIS) Directive and to improve the way in which they work together to prepare for a large-scale cyber-incident. This includes more work on education, training and cybersecurity exercises (such as ENISA's Cyber Europe exercises).

·          

·         Support the emerging single market for cybersecurity products and services in the EU: for example, the Commission will explore the possibility of creating a framework for certification of relevant ICT products and services, complemented by a voluntary and light weight labelling scheme for the security of ICT products; the Commission suggests also possible measures to scale up cybersecurity investment in Europe and to support SMEs active in the market.

·         Establish a contractual public-private partnership (PPP) with industry to nurture cybersecurity industrial capabilities and innovation in the EU.

Modern security agenda

Three main issues combine the modern EU cybersecurity agenda: stepping up cooperation among EU states, creating EU’s cybersecurity single market and cybersecurity public private partnership.

I. Cybersecurity cooperation. The Commission has already proposed steps on cybersecurity cooperation: e.g. EU Cybersecurity Strategy and the forthcoming NIS Directive lay the groundwork for improved EU-level cooperation and cyber resilience. However, the threat level is constantly evolving and handling a large-scale cyber incident involving several EU states simultaneously will be challenging. EU level cooperation is therefore essential for dealing with both a possible large-scale cyber-attack in several EU states and smaller-scale but potentially more frequent cyber incidents.

Thus, a blueprint for a coordinated reaction, based on cross-border exchange of information, will be needed to address such incidents in the most efficient way. Cybersecurity has to be integrated into existing crisis management mechanisms and procedures. It also requires better cooperation and more rapid information-sharing mechanisms between sectors and among EU states to respond to, and contain, such incidents.

The forthcoming NIS Directive establishes two coordination mechanisms:

·         the Cooperation Group which supports strategic cooperation and exchange of relevant information related to cyber incidents among EU states, and

·         the Network of Computer Security Incident Response Teams (so-called CSIRT network), which promotes swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks.

Given the nature and multitude of cyber threats, the Commission encourages EU states to use these mechanisms and to enhance cross-border cooperation related to possible cyber incident.

The Commission proposed enhanced cooperation against a pan-European cyber attack. Thus, in the first half of 2017, the Commission will present a "blueprint", which outlines a coordinated approach to crisis cooperation in case of a large-scale cyber incident. The plan will include active role for EU bodies such as the EU Agency for Network and Information Security (ENISA), the EU Computer Emergency Response Team (CERT-EU) and the European Cyber-crime Centre (EC3) at Europol, and use tools developed in the context of the network of Computer Security Incident Response Teams. The approach presented in this blueprint should then be regularly tested in crisis management exercises.

 Information hub & information exchange

Currently knowledge and expertise on cybersecurity is available in a dispersed and unstructured way. To support the NIS cooperation mechanisms, the aim of an information hub is to pool this information and make it more easily available on request to all EU states. This hub would become a central resource allowing efficient information exchange among EU institutions and the states. The Commission, supported by ENISA, CERT-EU and with the expertise of its Joint Research Centre, will facilitate the creation and ensure the ongoing sustainability of the hub.

The Commission also proposed the cybersecurity training: according to different estimates the demand for the cybersecurity workforce will rise to 6 million globally by 2019, with a projected shortfall of 1-1.5 million workers.

Europeans need to have the right skills and training both to prevent cybersecurity incidents and to deal with them when they arise. It is necessary, for example, to develop civil-military cooperation and look at ways in which both areas can learn from each other on training and exercise, so as to increase resilience and incident-response capabilities. The Commission, in cooperation with the EU states, the European External Action Service, ENISA and other relevant EU bodies will establish a cybersecurity education, exercise and training platforms.  

The Commission is also looking into additional rules and/or guidance on cyber risk preparedness for critical sectors. A severe cyber incident in one sector or in one state may directly or indirectly have an effect on other sectors, or across borders. A necessary pre-requisite for addressing cross-sectoral risks is the ability of each individual sector to identify, prepare for and respond to cyber incidents. This is why the Commission will assess the risk resulting from cyber incidents in highly interdependent sectors within and across national borders, in particular on the sectors covered by the NIS Directive such as energy, transport, health or banking. Following this assessment, the Commission will consider if there is a need for further specific rules and/or guidance on cyber risk-preparedness for such critical sectors.

Checking key public network infrastructures

Public authorities have a role to play in verifying the integrity of key public network infrastructures such as telecoms or energy smart grids, to detect issues, inform the party responsible for these networks and, if needed, provide assistance in fixing known vulnerabilities.

National regulatory authorities could use the capacities of CSIRTs to conduct regular scans of public network infrastructures. Based on this, they could encourage operators to remedy gaps or address vulnerabilities that such scans could identify. This activity could substantially contribute to the security of key internet infrastructures.

The Commission will therefore examine the necessary legal and organisational conditions in order to allow national regulatory authorities (in cooperation with national cybersecurity authorities) to request CSIRTs to conduct regular vulnerability checks of public network infrastructures.

With these ideas, the role of ENISA will be increased and its mandate changed. Since its establishment in 2004 ENISA has been contributing to the overall goal of ensuring a high level of network and information security in the EU.

The Agency works closely together with the states, EU institutions and the private sector to address, respond to and especially to prevent NIS problems. This includes, among the others, managing pan-European cybersecurity exercises, providing key information on NIS issues, such as the yearly cyber threat landscape report, and training.

The Commission is required to evaluate ENISA by 20 June 2018 in order to assess the possible need to extend or review its mandate, which currently expires in 2020. In view of the current cybersecurity landscape, in particular the increasing number and complexity of cyber-threats and the forthcoming adoption of the Network and Information Security Directive, the Commission aims to advance the evaluation and, subject to its results, present a proposal as soon as possible. The Commission will launch the evaluation by the end of 2016.

II. Cybersecurity single market. The European Commission proposes market measures related to cybersecurity, as Europe needs high-quality, affordable and interoperable cybersecurity products and solutions. However, the supply of ICT security products and services within the single market remains very fragmented geographically. On the one hand, this makes it difficult for European companies to compete on the national, European and global level; on the other, it reduces the choice of viable and usable cybersecurity technologies that citizens and businesses have access to. No single EU country alone can overcome this fragmentation to help the industry achieve the economies of scale on a European level.

Therefore it is relevant to have an EU certification framework for ICT security products as certification plays an important role in increasing trust and security in products and services. National initiatives are emerging to set high-level cybersecurity requirements for ICT components on traditional infrastructure, including certification requirements.

As soon the importance of certification is recognised, these bear the risk of creating fragmentation in the single market and of creating interoperability issues. Only in a few EU states are there effective security certification schemes for ICT products. An ICT vendor might therefore need to undergo several certification processes in order to sell in several EU states. It is possible that an ICT product or service designed to fulfil cybersecurity requirements in one state would not be considered to fulfil similar requirements in another. This is why the Commission will consider options for an EU ICT security certification framework. 

In this regard, labeling might be a useful tool to help users understand the level of cybersecurity of commercial products and increase their competitiveness in the single market and globally. National initiatives have started to emerge in this respect. Therefore, in addition to certification, the Commission will also explore the creation of a European, commercially oriented, voluntary and lightweight labelling scheme for the security of ICT products.

Investment in cybersecurity & SMEs  

The cybersecurity sector depends a lot on innovative SMEs, and the problems affecting investment in this area weigh heavily on the capacity to develop the European cybersecurity industry. The innovative SMEs in the field are often unable to scale up their operations because of a lack of easily available funding to support them in the early phases of development. Companies also have limited access to venture capital in Europe and their available budget for marketing to improve their visibility, or to deal with different sets of standardisation and compliance requirements, is inadequate. About 75% of respondents to the recent public consultation on cybersecurity felt they lacked sufficient access to financial resources to finance cybersecurity projects and initiatives.

In order to ease access to finance and support the emergence of globally competitive cybersecurity clusters and centres of excellence, the Commission intends to:

·         improve awareness among the cybersecurity community of financing opportunities at European, national and regional level (related to both horizontal instruments and specific calls) by using existing instruments and channels e.g. the Enterprise Europe Network.

·         explore with the European Investment Bank (EIB) and the European Investment Fund (EIF) ways of easing access to finance. This can be in the form of equity and quasi-equity investments, loans, guarantees to projects or counter-guarantees to intermediaries, e.g. through the European Fund for Strategic Investment.

·         look into developing with interested Member States and regions a Cybersecurity Smart Specialisation Platform to help coordinate and plan cybersecurity strategies and set up a strategic collaboration of interested parties in regional ecosystems.

III. Cybersecurity Public Private Partnership. Establishing a Public-Private Partnership (PPP) on cybersecurity in the area of technologies and solutions for online network security is one of the 16 initiatives put forward in the Commission's Digital Single Market strategy. Specific gaps persist in the fast-moving area of technologies and solutions for online network security and a more joined-up approach can help step up the supply of more secure solutions by industry in Europe and stimulate their take-up by enterprises, public authorities, and citizens.

The Commission's experience with the existing digital Public-Private Partnerships shows that they enable the partners to develop a long-term, strategic approach to research and innovation and reduce uncertainties by allowing for long-term commitments. The cybersecurity PPP will gather industrial and public resources to deliver excellence in research and innovation and maximise the use of available funds through greater coordination with EU states and regions. The goal is to help Europe's cybersecurity industry take advantage of the booming global cybersecurity market (estimated at $65.9 billion in 2013 and expected to grow to $80-120 billion by 2018).

Source: https://ec.europa.eu/digital-single-market/en/news/commission-staff-working-document-cppp-and-accompanying-measures.

The PPP on cybersecurity will:

·         build trust among Member States and industrial actors by fostering cooperation on early-stage research;

·         align the demand and supply sectors for cybersecurity products and services by allowing the industry to understand better the requirements of end-users and customers of cybersecurity solutions (e.g. energy, health, transport, finance).

·          

·         develop common, sector-neutral and replicable building blocks such as encrypted storage and processing or secured communication. These should help ensure compatibility of solutions across borders, while allowing flexibility for products to be further adapted to the needs of specific markets or customers.

The Partnership’s operation. The PPP is a partnership between the European Commission and cybersecurity market players, represented by the European Cyber Security Organisation (ECSO); it will also include members from national, regional and local public administrations, research centres and academia.

The European Cyber Security Organisation (ECSO) was launched on 13 June 2016 in Brussels. ECSO is a fully self-financed non-for-profit association (ASBL) under Belgian law. It is industry-led, with members including large European companies, SMEs and startups, research centres, universities, clusters and associations as well as local, regional and national administrations from the EU and European Economic Area (EEA) and the European Free Trade Association (EFTA) and Horizon 2020 associated countries. The founding members are the European Organisation of Security, Alliance pour la Confiance Numérique, Guardtime acting for the Estonian Association of ICT, and Teletrust. The partnership agreement is signed today in Strasbourg. Further information about the association will be made available at http://www.ecs-org.eu/.

The contract between the EU represented by the European Commission and ECSO representing the cybersecurity industry is signed on 5 July 2016 in Strasbourg; thus the PPP begins its activities. The first calls for proposals related to the PPP under Horizon 2020 are envisaged in the first quarter of 2017.

The EU will invest €450 million in calls for proposal related to this partnership, under its research and innovation programme Horizon 2020(Leadership in Enabling and Industrial Technologies (LEIT-ICT) and Societal Challenge Secure Societies - SC7).

Cybersecurity market players, represented by ECSO, are expected to invest three times more. The Commission expects the industry to complement the public funding with a strong leverage from private investment, including the financing of related research and innovation and market activities.

The PPP will advise the European Commission on cybersecurity parts of the future Work Programmes under Horizon 2020. The PPP will also be a platform for discussions between the supply and demand sides of cybersecurity products and solutions. This will help stakeholders to develop a common set of requirements for different sectors. Projects related to the PPP will be awarded through calls for proposals, which follow the rules and regulations of Horizon 2020. These calls will be described in the Horizon 2020 Work Programme, which is agreed by the Commission and Member States. As a general rule, these calls are open to all eligible and interested parties – companies, universities, research organisations established in the EU and Horizon 2020 associated countries.

The industry has prepared a Strategic Research and Innovation Agenda, which identifies the following PPP’s technical priorities:

·         Assurance and security / privacy by design

·         Identity, access and trust management (e.g. identity and access management, trust management)

·         Data security (e.g. data protection techniques, privacy-aware big data analytics, secure data processing, secure storage; user empowerment, operations on encrypted data)

·         Protection of the ICT Infrastructure (cyber threats management, network security, system security, cloud security, trusted hardware/end point security/mobile security)

·         Cybersecurity services (e.g. auditing, compliance and certification, risk management, cybersecurity operation, security training services)

It also mentions a number of non-technical areas where action is needed: = Education, training, skills development; = Fostering innovation in cybersecurity through standardisation, regulation and certification; = Development of a cybersecurity ecosystem; = Defining the cybersecurity value chain; = Boosting SMEs and cybersecurity innovation.

The Commission will take this input into consideration when defining the next Horizon 2020 Work Programmes.

Consultations while creating the PPP. The Commission launched a public consultation on 18 December 2015 to seek views on the forthcoming cybersecurity PPP. The consultation collected the views and expectations of enterprises, public organisations and citizens with respect to innovation in cybersecurity and the functioning of the European single market in the field of cybersecurity products and services. It was accompanied by a roadmap for a public-private partnership on cybersecurity. The Commission and the ENISA organised various workshops with stakeholders. See the background on the consultation process.

Reference: Commission fact-sheet “Commission boosts cybersecurity industry and steps-up efforts to tackle cyber-threats”, 5.07.2016, in: