According to recent estimates, in 2016 there were more than 4000 ransomware attacks per day in the EU. In some member states, 50 per cent of all crimes were cyber related, while 80 per cent of European companies said they had experienced at least one cyber incident last year. With figures like these, Julian King has his work cut out in ensuring Europe’s cybersecurity.
Recognising the growing threat, last September Commission President Jean-Claude Juncker in his annual state of the union speech admitted, “Europe is still not well equipped when it comes to cyberattacks.”
To equip Europe to defend itself, the European Commission proposed a new cybersecurity strategy. However, King, the EU’s Commissioner for security union, stresses, “We are not starting from scratch.” The new proposals build upon the EU’s 2013 policies to promote a ‘reliable, safe and open cyber ecosystem.’
But with cyber threats constantly evolving, King says “we need to keep pace, hence the latest Commission proposals based on building cyber resilience, effective cyber deterrence and strengthened cyber defence.
“Bold EU action is required to address cyber vulnerabilities and create the systems and structures to withstand and deter attacks in the future - the reason the Commission brought forward the new proposals on 19 September”, he adds.
The former diplomat - King was British ambassador to France - points out that nine out of ten Europeans now see cybercrime as an important security issue. Cyberattacks have a huge economic impact on citizens.
According to King, cybercrime has risen fivefold since 2013 and will further quadruple by 2019. In 2016, card fraud in the eurozone was more than €1.5bn, where card details were skimmed or phished online, and sold on the darknet.
Since 2016, more than 4000 ransomware attacks have occurred every day, with a 300 per cent increase compared to 2015. Last year also saw two billion data breaches affecting European citizens.
However, targets have not just been economic. “We have seen hacks and attacks for political reasons for over a decade,” says King, highlighting the cyberattack Estonia faced in 2007 when key websites belonging to the government, including the country’s parliament, banks, ministries, newspapers and broadcasters, were all hacked. More recently, during France’s presidential elections earlier this year, hackers targeted Emmanuel Macron’s political party-machine 36 hours before polling.
“Some of these ‘political’ attacks are focused on systems - to prevent voters from registering, or to obtain voter data. Others are based on manipulating voters’ behaviour and public opinion: through targeted hacks and leaks, or fake news.
“Another category still can use data analytics derived from a user’s online browsing to calibrate, amplify and target messages; something that may often take place outside the jurisdiction of national electoral laws and authorities.”
The Commissioner believes cybersecurity is key to unlocking the potential the digital single market’s potential, with the Internet of Things leading the digital transformation.
However, King points out that in the rush to get products onto the market, “producers often don’t make security a priority. This means devices never lose their easy-to-guess default passwords. It means the update policy for the device is unclear, or insufficient. It means encryption is not used when it could be. It means unnecessary ports, hardware, services and code that make the attack surface larger than it needs to be.”
Therefore, as part of the new package, a voluntary European cybersecurity certification framework has been proposed, which will be led by European Commissioner for digital economy and society, Mariya Gabriel.
“Within a European governance system, specific individual certification schemes for ICT products and services would be recognised in all member states. Vendors and providers of ICT products and services will go through one single process to obtain a European certificate valid in all member states - instead of multiple separate processes, each of which can currently cost hundreds of thousands of euros, and take many months.
“Meanwhile those buying goods - including ordinary consumers, but also for example the operators of essential services - will be able to make more informed decisions taking security into account”, explains King.
Key to the Commission’s strategy in making the EU more resilient to cyberattack will be more investment in the European Union Agency for Network and Information Security (ENISA). An additional €12m per year has been allocated to the agency, as well recruiting 41 new staff members.
But, King stresses, “This does not just depend on the European Commission, of course. We have indeed proposed the budget increase, but it is for the European Parliament and the Council to make the final decision.”
King also highlights that other EU law enforcement agencies like Europol and Eurojust will be expected to make a valuable contribution.
“The European Cybercrime Centre (EC3) set up by Europol in 2013 has strengthened the law enforcement response to cybercrime in the EU and continues to help protect European citizens, businesses and governments from online crime. It has been involved in high-profile operations and over 200 on-the-spot operational-support deployments resulting in hundreds of arrests.”
To help the EU become more effective in defending itself against attacks, King believes there’s a need for better cooperation between member states.
Flagging the 2016 directive on the security of network and information systems (NIS) as the first EU-wide legislation on cybersecurity, King argues, “Its legal measures boost the EU’s overall level of cybersecurity and are a major step forward in improving resilience.
“Companies in critical sectors for the first time have a legal obligation to put in place security measures and report serious incidents. It also puts in place a framework for cooperation response to cyberattacks, so that the EU has a clear plan in case of a large-scale cross-border cyberattack or crisis.”
To help fund large-scale investment in cybersecurity technology, products, processes and expertise, the EU plans to allocate €30.4bn through the Connecting Europe Facility funding instrument, which helps promote competitiveness through infrastructure investment.
The Commissioner also underlines how the EU’s public-private partnership on cybersecurity established in 2016 could help raise up to €1.8bnof investment by 2020.
“We want to build on that. By way of a pilot, we are injecting €50m to help bring national centres into a network of cybersecurity competence centres, with a European Centre at its heart: a sort of hub to pool and shape research. This network could also have a role in certification, secure encryption and more.”
With many cyberattacks coming from outside Europe’s borders King points to EU foreign policy chief Federica Mogherini’s work with external partners “to boost current international processes and step up cyber diplomacy in areas like defining and promoting cyber norms, defending the applicability of international law and confidence building measures.”
King adds, “The EU has also agreed on a joint framework for a diplomatic response to malicious cyber activities, which enables several countermeasures against aggressors, including sanctions.”
Given the borderless nature of the internet, King points out that a legislative framework already exists, provided by the Council of Europe’s Budapest Convention on cybercrime, which offers a good legal standard for national laws. “We call on all countries to design appropriate national legislation and cooperate within this framework. We will step up capacity building programmes in third countries to help judicial authorities and law enforcement to effectively fight cybercrime.”
King recognises that if Europe is to effectively defend itself, it is essential for the EU to build a strong cyber skills base. “Effective cybersecurity relies heavily on people. Cybersecurity education should be developed at all levels: with training for the regular workforce, ICT workers, and cybersecurity specialists.
“Academic competence centres could be established and draw on guidance from a European Cybersecurity Research and Competence Centre and ENISA. We can build on the work of the existing digital skills and jobs coalition.
“We also propose apprenticeship schemes in cybersecurity for small and medium enterprises. Cybersecurity will be included in the digital opportunity scheme and we will mobilise industry stakeholders so that they offer internships for students.”
He adds, “ENISA has for five years organised European Cybersecurity Month, an awareness campaign with over 300 activities for work and home, including cyber governance, privacy protection, and cyber skills.”
For King, international cooperation is vital for cybersecurity, particularly in the political and military fields which are vulnerable to cyberattacks.
In July at the Nato Warsaw summit, Juncker and EU Council President Donald Tusk signed a joint declaration with Nato. It outlined seven areas in which cooperation between the two bodies should be enhanced, including hybrid threats, cybersecurity and defence.
The EU and Nato have now set out 42 action points for how they can cooperate and deliver on cyber defence. Mogherini is currently taking the lead on working towards a new common set of proposals to be endorsed in December this year.
For King, with 22 common members, the EU and Nato have a shared interest in becoming more cyber resilient. “Coordinating on cybersecurity and defence will make it easier to protect the critical networks we depend on. The military needs to address growing cyber challenges, and must boost their cyber defences.”
Stressing duplication of work will not happen, King says, “Each organisation specialises in clearly identified areas to avoid duplication. For example, we can promote interoperability, research, or cooperation on training. We already cooperate in cyber exercises and crisis management.”