Wednesday, 4 November 2015

EUROPE: Looking Inward: EU's Cybersecurity

When it comes to cyber protections, Europe is a patchwork: Passing only national laws and lacking in cooperation with the corporate sector, the EU members undermine their cybersecurity.

The Europe is currently on the cusp of renewing its Internal Security Strategy (ISS) for 2015-2019.Over the last four years, it has succeeded in tackling a number of issues in this field. These include addressing several challenges, such as the adoption of the EU Cybersecurity Strategy; the creation of the European Cybercrime Centre (EC3); the expansion of the Global Alliance against Child Sexual Abuse online; the funding of the national Cybercrime Centres of Excellence and child pornography. In addition, there has been a commitment to increasing cooperation with third countries, in order to increase capacity building and adopt shared legal framework for cybercrime legislation, based on the Budapest Convention. 

However, even with these accomplishments, one of the biggest concerns for the future for all stakeholders involved is the rapid pace with cybercrime and new cyber threats are developing., making it hard for policymakers to even attempt to keep up. Within this scenario, establishing veritable cybersecurity in Europe and tackling the plethora of emerging threats in this will require the EU to look inwardly.

Bolstering cybersecurity is a challenge facing boardrooms and government officials around the world. While technology is enabling us to be smarter about how we communicate, create, and solve problems, it has also introduced new risks which must be managed.
While the German Parliament has voted on a new IT security law, debates continue in Brussels to achieve consensus on a Network and Information Security (NIS) Directive aimed at harmonising cybersecurity laws across Europe. That is no small feat when negotiating among 28 countries. A recent report released by BSA charts just how big a task they have before them.
The ''BSA EU Cybersecurity Dashboard“ is a first-ever analysis of national cybersecurity laws and policies in the EU. It finds that an unhelpful patchwork exists in Europe when it comes to cyber protections. While some countries have strong cybersecurity legal frameworks – the UK, Germany and Estonia, for example – others still have much work to do. The report makes clear that considerable discrepancies exist between Member States’ laws and operational capabilities, resulting in gaps and fragmentation that could put the entire Single Market at risk.
Encouragingly, the report finds that most EU Member States recognise that cybersecurity should be a national priority, with a particular focus on ensuring the cyber resilience of critical infrastructure. Critical networks and infrastructure – transport, energy, banking – are where disruption would do the most harm.
Germany is a good example of a country that has done many things right, with a comprehensive cybersecurity strategy in place and a clear commitment to cybersecurity protections at the highest levels of government. However, purely national cybersecurity standards in Germany as outlined in the IT security law could also pose a hindrance to the coherence of cybersecurity rules across Europe. Cybersecurity does not stop at national borders; thus, industry-led, internationally-recognized technical standards play a vital role in delivering newer and more secure products to market, and enhancing the cyber resilience of governments, businesses, and citizens.
The report also highlights some key gaps in protections across Europe, such as a lack of cooperation between governments and the private sector on cybersecurity. In Europe, most infrastructure is owned by the private sector, making public-private cooperation essential – yet only five EU Member States have an established framework for public-private partnerships on cybersecurity.
The more communication and coordination is taking place between EU governments and the private sector, the more resilient Europe will be in the face of evolving cybersecurity threats. An important improvement that could be achieved by the Network and Information Security Directive would be the creation of platforms for dialogue between the public and private sector on cyber threat trends and developments and to promote EU-wide exchanges on industry and government cybersecurity best practices.
The EU Cybersecurity Dashboard outlines the fundamental elements of a strong legal cybersecurity framework – from establishing strong legal foundations, to engendering trust and working in partnership, to promoting cybersecurity education. These building blocks provide valuable insight for national governments who will ultimately implement cybersecurity rules and policies.
The report also provides guidance on what not to do, as some governments around the world are unfortunately using cybersecurity as justification for protectionist rules that reduce choice and undermine cyber protections. That includes avoiding country-specific cybersecurity standards, obligations to disclose sensitive information such as source code or encryption keys, data localisation requirements, or preferences for indigenous providers among other unhelpful policies.
Cybersecurity cannot happen in domestic silos and it is important to consider the European and global implications of any decisions made in Germany. The IT security law should not, deliberately or inadvertently, prevent international companies from participating in the German market.
The severe hacker attack on the German Bundestag proved the importance of strong and resilient IT systems. No country is going to achieve this goal on its own. Only if the state and the private sector join forces to stop criminal hackers from becoming 21st century highwaymen, we will be able to strengthen public trust in the digital highways of our time which is a crucial prerequisite for realizing the growth potential of the digital economy.

Even if the Europe manages to create a flawless culture of cybersecurity within its borders, an extremely lofty goal, it will by no means be immune to threat of cyber attack. When discussing Europe's preparedness in relation with cybersecurity issues, it is vital to keep in mind that the internet, as borderless environment, provides no protection for solely inward-looking entities. Today,a cyber attack on an European target is more likely to originate from outside of the Europe union, than from within it.

By Guylain Gustave Moke
Investigative Journalist
World Affairs Expert

Photo-Credit: Interpol Photo