Despina Spanou, Director for Digital, Society, Trust, and Cybersecurity at the European Commission’s DG CONNECT, discusses how the Commission is working to enhance cybersecurity across Europe.
According to the European Commission, securing network and information systems in the European Union is essential to keep the online economy running and to ensure prosperity. The EU works on a number of fronts to promote cyber resilience across the Union.
In view of a dynamically evolving threat landscape, and building on the review of the 2013 EU cybersecurity strategy, the mid-term review of the Digital Single Market identified tackling cybersecurity perils together as one of three key challenges.
In September 2017, the Commission adopted a cybersecurity package which builds upon existing instruments and presents new initiatives to further improve EU cyber resilience and response.
In an interview with SciTech Europa Quarterly, Despina Spanou, Director for Digital, Society, Trust, and Cybersecurity at the European Commission’s DG CONNECT, discussed how the Commission is working to enhance cybersecurity across Europe.
How effective are the objectives stated within the Directive on security of network and information systems (the so-called ‘NIS Directive’) for those who manage services such as transport, health, financial services, energy, and so on to notify the authorities if they suffer from security problems? Has there been any resistance?
The NIS Directive developed a new cybersecurity culture in the EU. Thanks to the NIS Directive, EU Member States exchange information about cybersecurity incidents and share best cybersecurity practices; they co-operate and they are better co-ordinated. And we have noticed that this co-operation is getting stronger. The NIS Co-operation Group, which was created by the NIS Directive, had a tremendous role to play in developing this new cybersecurity culture in the European Union (EU). This group supports and facilitates the strategic co-operation and the exchange of information among EU Member States. The NIS Co-operation Group has already delivered some great results for better cybersecurity in Europe.
We have always believed that by advancing the co-operation and the exchange of information not only between EU Member States but also between all the key cybersecurity players, as well as by learning from the more advanced or experienced ones, we will strengthen our cybersecurity. For instance, the banking sector has been the number one target for cyberattacks for decades, and as a result they now have some of the most cultivated cybersecurity systems in operation. Under the NIS Directive, operators of essential services (e.g. banks, telecom companies, energy providers, hospitals, etc.) are obliged to inform the national authorities when they are affected by serious cybersecurity incidents. The Directive defines what kind of incidents should be notified by the operators of essential services.
By notifying the authorities about attacks they are helping others, including the authorities, to learn about the nature of the attacks and how to deal with them.
Nowadays, we need the co-operation and exchange of information, as well as the pooling of different skills and experts, more than ever before, as cybersecurity incidents are becoming more sophisticated and our economy and society more digital and interconnected. For example, hybrid threats, which can range from cyberattacks on critical information systems to the disruption of critical services such as energy supplies or financial services, could result in undermining the trust of citizens in government institutions and have an impact on our democracy. These challenges oblige us all to understand that we need to be united and take all the necessary actions to increase our cybersecurity preparedness and resilience. At the same time, we believe that it is important to tackle these challenges in a way that doesn’t impede the EU’s digital transformation.
Are the objectives of the NIS Directive efficient?
I would say that the objectives of the NIS Directive and, more broadly, our overall EU cybersecurity policy and research initiatives are efficiently assisting the EU in stepping up its cybersecurity capacity and resilience. And I would add that they are very relevant for all operators of essential services, EU Member States, our economy, and the EU’s citizens. Indeed, since we made the first big cybersecurity step in Europe, which was the adoption of the NIS Directive, the EU has moved forward very quickly.
Today, the political commitment for better cybersecurity for the EU is clearer than ever before. Since the very beginning of this European Commission, President Juncker has been very determined to help enhance the EU’s security, and cybersecurity had to be part of it. Then, we also saw a strong will and commitment from EU leaders to move forward quite quickly as well. For example, at the Digital Summit 2017 in Estonia, the heads of all the EU countries discussed the digital world of Europe. It was at this summit that they agreed that cybersecurity should be managed with urgency.
Cybersecurity, of course, was one of the three challenges outlined in the mid-term review of the Digital Single Market. What do you feel are the biggest hurdles and opportunities for Europe, and how will the European Commission work to help industry and citizens to meet them?
Cybersecurity is a challenging topic for the whole world. It is also essential for the functioning of our digital economy and society. In Europe, we have great cybersecurity experts including the EU agency for cybersecurity (ENISA). In addition, we have very good cybersecurity research centres across the European Union. According to a recent survey that we conducted, we have 660 cybersecurity expertise centres in the EU. But the European cybersecurity ecosystem remains very fragmented. This is a hurdle that we need to overcome. Nevertheless, I believe that we can turn this challenge into an opportunity for Europe.
In Europe, we have a unique opportunity to invest in more co-operation and co-ordination amongst EU Member States as well as the EU’s key cybersecurity stakeholders (e.g. operators of essential services, cybersecurity industry) and become stronger in cybersecurity. By co-operating, pooling together the EU’s cybersecurity expertise, and developing a common European Cybersecurity research and innovation (R&I) roadmap and an industrial European cybersecurity strategy, Europe can help the cybersecurity industry and the ecosystem to grow, also resulting in stepping up the EU’s cybersecurity capacity.
It is necessary to have the whole cybersecurity ecosystem on board, because we need them to invest in the domain and to provide input so that, all together, the public and the private sector can advance the EU’s cybersecurity capacity and resilience. This is why, in 2016, the European Commission signed with the European Cyber Security Organisation (ECSO) a contractual Public-Private Partnership (cPPP). The cPPP is instrumental in structuring and co-ordinating digital security industrial resources in Europe.
It includes a wide range of actors, from innovative SMEs to producers of components and equipment, operators of essential services and research institutes, brought together under the umbrella of ECSO. The EU has committed to invest up to €450m in this partnership under its research and innovation programme Horizon 2020; in return, the industry has to invest three times as much in the same areas. As a next ambitious step, in September 2018 we proposed a new Regulation establishing a Network of National Cybersecurity Coordination Centres and the new European Cybersecurity Industrial, Technology and Research Competence Centre. This proposal is currently being discussed by the EU co-legislators.
Another challenge for Europe is the ‘cybersecurity expertise shortage’. We need more people with cybersecurity knowledge and skills in the market, both in the private and public sector, to hunt down and respond to cyber threats. As many studies and reports show, Europe lacks skilled ICT specialists and especially cybersecurity experts to fill the growing number of job vacancies in this domain. It is crucial for us to address this skills deficit. Again, here our proposal for the creation of the European Cybersecurity Industrial, Technology and Research Competence Centre will have an important role to play.
Finally, we also need EU citizens on board; we want the citizens to be aware of the cybersecurity threats and to learn the basics to protect themselves in a digital world. Our Vice-president for the Digital Single Market, Mr Andrus Ansip, being the ex-Prime Minister of Estonia, a highly digitised country, places a lot of emphasis on what we call ‘cyber hygiene’. Just as an individual engages in certain personal hygiene practices to maintain good health and well-being, similarly cyber hygiene practices and precautions can keep a user better protected against cyber-attacks and data breaches. Users can play an important role in securing our digital society by raising their awareness and by practising ‘cyber hygiene’. The skilled and trained cybersecurity professionals and enterprises need to collaborate and raise users’ cybersecurity awareness. We, the EU, are committed to raising cybersecurity awareness, and for this reason fully support ENISA’s initiative, the European Cyber Security Month (ECSM), the EU’s annual cybersecurity awareness campaign which takes place every October across Europe.
What do you hope the creation of a Network of Cybersecurity Competence Centres and a new European Cybersecurity Industrial, Technology and Research Competence Centre will achieve here?
As I highlighted earlier, we started with the idea of creating a Network of National Cybersecurity Co-ordination Centres and the new European Cybersecurity Industrial, Technology and Research Competence Centre as a way to tackle the fragmentation of Europe’s cybersecurity ecosystem, to address the lack of cybersecurity skills and expertise, to pool our European resources and to co-ordinate our efforts in strengthening the EU’s cybersecurity capabilities and enable the EU industries to develop worldwide competitive products and services.
Overall, we believe that the European Cybersecurity Competence Centre and the Network will allow us to develop a European cybersecurity agenda for research and innovation, which will pave the way for a secure digital Europe, addressing all upcoming cybersecurity challenges arising from the emerging technologies (e.g. IoT, artificial intelligence, quantum, HPCs, blockchain) and used in critical sectors (e.g. transport, energy, health, financial, manufacturing, defence). It will also shape and implement the appropriate investments in cybersecurity for the next EU Multiannual Financial Framework Programme (MFF).
We seek to have the Network of National Cybersecurity Co-ordination Centres and the new European Cybersecurity Industrial, Technology and Research Competence Centre in place by 2021, when the EU will start implementing the next Multiannual Financial Framework programme (2021-2027). We have already advanced our efforts. On the morning of 13 March, the Council’s Permanent Representatives Committee granted the Romanian presidency a mandate to start talks with the European Parliament on the proposal. The same day in the afternoon, the European Parliament adopted the report of the European Parliament’s Committee on Industry, Research and Energy (ITRE) on the proposal, allowing us to enter into the interinstitutional negotiations with the European Parliament and the Council for the adoption of the EU legislation. A few hours later, the first negotiations also took place in Strasbourg.
To lay the groundwork for pooling Europe’s cybersecurity expertise and preparing the European cybersecurity landscape in order to efficiently implement our vision for a more secure digital Europe, we have launched four cybersecurity pilot projects. The four pilots, CONCORDIA, ECHO, SPARTA and CyberSec4Europe, are tasked with contributing to a common European Cybersecurity Research & Innovation Roadmap and a European cybersecurity strategy for industry. In addition, they will assist the EU in defining and testing the governance model of a European Cybersecurity Competence Network of cybersecurity centres of excellence.
What progress is being made to ensure the EU’s cybersecurity market is being adequately supported – the cybersecurity certification scheme, and the contractual Public-Private Partnership (cPPP) on cybersecurity, for instance? What more needs to be done?
We have already taken some important policy measures to advance the EU’s cybersecurity capacity and resilience, which will also have a positive impact on the EU’s cybersecurity market. We talked earlier about the NIS Directive, the European Cybersecurity Act, and the EU Regulation establishing a European Network of National Cybersecurity Co-ordination Centres and a new European Cybersecurity Industrial, Technology and Research Competence Centre. Via all these policy initiatives we try to build the appropriate regulatory environment which is essential not only for the cybersecurity industry but also for the entrepreneurs or potential investors.
For example, the European Cybersecurity Act envisages the creation of a cybersecurity certification framework for ICT products and services. Such a certificate will provide responsible operators, vendors, and providers of digital products and services – including European SMEs and start-ups – a competitive edge. It will allow them to be more trustworthy at global level. At the same time, it will increase the trust of citizens in such products and services, resulting in them buying more products and using more innovative services.
In addition to these policy actions, the EU has undertaken cybersecurity operational actions such as the creation of the Computer Security Incident Response Teams (CSIRT) network, carrying out cybersecurity exercises (e.g. CyberEurope, organised by ENISA, and PACE), and setting out a European cybersecurity blueprint, an EU-wide plan in case of a large-scale cross-border cybersecurity crisis. All these actions aim at enhancing the cybersecurity of the EU entities and enterprises.
The EU also invests funds in supporting research and innovation to develop new cybersecurity solutions and technologies. By 2020, the EU will have invested close to €1bn in cybersecurity and digital privacy projects. Close to half of this will have been within the framework of the contractual public-private partnership on cybersecurity for the period 2017-2020. And for the period 2021-2027 (the next EU Multiannual Financial Framework Programme) the European Commission has proposed to increase the EU investment in cybersecurity under the new Digital Europe programme. However, at the same time we expect that EU Member States and European industry will also invest more in this domain.
We will continue our efforts to further enhance cybersecurity capacity, resilience and innovation in Europe. It is likely that European businesses and citizens will see more policy initiatives proposed by the European Commission in the cybersecurity field in the years to come.
Director for Digital, Society, Trust, and Cybersecurity