What happens when summer is over? EU Cybersec 2.0!


As the summer wraps up, we’re looking ahead to the European Commission’s cybersecurity platform, the success of which will be measured by its capacity to keep us safe and secure through sound, fact-based, rights-respecting policy on issues such as the Internet of Things, encryption, government hacking, and cross-border protection of data. So far, the signs look good for a strategy that builds on current strengths.

If you’re interested in the EU’s European Agenda on Security or loosely follow what happens in Brussels, you may have come across the news that by September 2017, the EU Commission will review the EU Cybersecurity Strategy as well as the mandate of the European Union Agency for Network and Information Security (ENISA). This is exciting because the current strategy, drafted in 2013, was not ambitious enough (more on that below), and because ENISA remains the only EU agency without a stable and permanent mandate.

The current strategy is centered on the EU’s legislation on security of networks and information systems (NIS Directive) that was passed last year, with other elements generally falling in the “throw money at the problem until it goes away” category. Under its framework, the EU invests heavily in the security of small and medium-size companies, capacity building, and tackling botnet attacks (15 million Euro is cited for this item explicitly). What is missing, however, is an evaluation or progress report on the impact or efficacy of these components, which we should have prior to drafting a second iteration of the EU’s cybersecurity strategy. In fact, the devastation we experienced via WannaCry and Petya points to systemic failures that the Commission should address. As we have long argued, the EU, like many other governments globally, needs to focus intensively on cyber defense, versus offense or any form of security theatre.

What does CyberSec 2.0 look like? We have some indicators

At the end of June, EU Commission Vice President Andrus Ansip, who is responsible for cybersecurity in the EU, delivered a speech at the Chatham House annual cyber conference, where he outlined what we can expect from the EU Cybersecurity 2.0 Strategy. His observations are in line with the first iteration, building on some of its initial framing.

In brief, we should see developments on the following issues:

  • Cybercrime and the dark web: The Commission’s emphasis is on the risks to our society emerging from the murky depths of the dark web, and it appears that this will continue to determine their approach. Ansip indicates that the Commission will attempt to protect us from the place of “no borders, no laws, no limits,” presumably by pressuring the Council of Europe to speed up the drafting of a Budapest Convention additional protocol. The Budapest Convention is a binding international agreement under the Council of Europe framework (which encompasses many more states beyond the EU) though member countries can elect whether or not they sign up to it, or onto a new protocol, and implement it nationally. The existing EU strategy already places emphasis on the Convention.
  • Infrastructure: To complement the NIS Directive (which the EU states are currently implementing), the Commission will continue to push for stronger protection of our infrastructure, especially in the energy and transport sectors. It is important for the Commission to include the Information and Communications Technology (ICT) sector, which could be accomplished by increasing the focus on the e-Privacy reform, a complement to the protections envisaged under the General Data Protection Regulation (GDPR), to guarantee the confidentiality of our communications. This is a vital component of effective cybersecurity.
  • Vulnerability disclosure: The Commission already recognises that there is an issue with the lack of coordination across EU borders on many levels, but vulnerability disclosure is an especially ripe area for more effective collaboration. Ansip did not refer to vulnerability disclosure in his speech, but it is likely to be covered in the new strategy since it is part of the current strategy. ENISA has repeatedly urged coordinated vulnerability disclosure, and an expert report for the Commission by the Scientific Advice Mechanism (SAM) has recommendations for the 2.0 strategy that hint at a “duty of care” strategy of disclosure among industry actors to complement coordinated action across EU states.
  • National-level cybersecurity: Without being implemented domestically, a strategy is just a strategy, which has left people in EU countries at variable levels of protection, much to the frustration of the Commission. As a result, the Commission may attempt to harmonise or standardise individual approaches, hopefully through more than only cooperation and trainings.
  • Internet of Things: The Commission is already working on certification and labelling as a way forward because existing internet-connected devices are not sufficiently secure, and this could have potentially disastrous effects if things do not change. While it is necessary to increase the security and privacy of our “things” in the interconnected world, Ansip focused on the potential for the IoT to enhance “productivity” and “lifestyles”, which suggests the Commission could still embrace the false narrative of innovation at the expense of privacy.
  • Encryption: Yay! Ansip is a strong supporter of encryption, and once more reiterated his support, stating unequivocally, “I am against any backdoors, or weakening of encryption technology.” He even went on to say that strong encryption is a cornerstone of an effective cyber-defence. Sweet. If you’d like to learn more about the importance of encryption for our security, take a look at our Crypto Summit outcomes report.
  • Government hacking: Even as security experts stress the importance of shoring up our cybersecurity, law enforcement whittles out a different approach. The Commission seeks to renew the rules for access to e-evidence, and in Ansip’s speech, he hints that law enforcement authorities can find “better ways” to investigate crime and terrorism than undermining crypto (read: hacking). Access Now has argued for a global ban on government hacking, and in the rare instances when it can be justified, for the operation to adhere strictly to international human rights standards, detailed in our paper, A Human Rights Response to Government Hacking.
  • Training, education, and awareness: As always, the Commission will be allocating more money for outreach efforts. These efforts must be taken seriously, lest this become a way to throw money at a problem.
  • International cooperation: Ansip’s speech indicates that on top of the need for a strong framework within the Council of Europe members, the Commission sees a need for “active cooperation” across the globe, with multiple stakeholders. This could mean a step-up in EU leadership on cybersecurity globally.

ENISA gets a new frock too

Since the beginning of the year, ENISA has been undergoing a review of its performance and role. In the past, we have seen recognition, in the cybersec strategy as well as various EU documents, of the need for ENISA to have a stronger and more well-defined mandate. This goal may finally be realized, since the preliminary findings of the review indicate that individuals and organizations throughout the EU value ENISA’s services and outputs, in particular the “guidelines, recommendations and reports” that Access Now has often cited in our blog and documents.

Key areas for expanding ENISA’s mandate include:

  • Giving ENISA a permanent mandate, like all the other specialist bodies of the EU.
  • Facilitating cooperation between member state cybersecurity strategies and activities. This would be a continuation of ENISA’s work, as they have previously carried out mapping and evaluation of member state approaches.
  • Leadership in training and capacity building across levels.
  • Increasing ENISA’s role in research and evidence-based policy making. Prioritising this could be especially vital, since ENISA’s technologically savvy positions have not been properly integrated into policy in the past.

We are looking forward to seeing how the EU’s new cybersec strategy and ENISA’s extended mandate will take shape, as both will have broad impact on the safety and security of users at risk in the EU and beyond. The current direction seems to build on the existing strategy in a necessary and valuable way, but only the autumn will tell us more. As always, we remain optimistic.