Friday, 10 February 2017

E.U.: EU's Cyber-Security Preparedness

US intelligence agencies are working with European governments to prevent the kind of Russian cyber attacks that were allegedly carried out to influence the 2016 US Presidential election. Several European countries, including France, Germany, Norway and the Netherlands, are scheduled to hold elections in 2017.

US intelligence has shared with European countries the classified version of its report on what it believes was a Russian plot to help Donald Trump defeat Hillary Clinton. Key American lawmakers say such an intelligence exchange is vital because Russia reportedly plans to carry out similar cyber-attacks in Europe to influence elections in a way that serves Moscow's interests.

European countries strongly believe that Moscow wants to expand Russian political influence in Europe by propping up populists, to break the competence in democracies around Europe, and to undermine the perceived validity of the democratic model in order to suggest that an authoritarian model is equally valid.

However, Europe needs to do more than share information with the US on alleged Russian hacking. When it comes to cyber protections, Europe is a patchwork: by passing only national laws and failing to cooperate with the corporate sector, European Union members undermine their own cyber-security.

Europe is currently on the cusp of renewing its Internal Security Strategy (ISS) for 2015-2019. Over the last five years, it has succeeded in tackling a number of issues in this field. These include addressing several challenges, such as the adoption of the EU Cyber-security Strategy; the creation of the European Cyber-crime Centre (EC3); the expansion of the Global Alliance against Child Sexual Abuse Online; the funding of the national Cyber-crime Centres of Excellence; and child pornography.

In addition, there has been a commitment to increasing cooperation with third countries, in order to increase capacity building and adopt a shared legal framework for cyber-crime legislation, based on the Budapest Convention.

However, even with these accomplishments, one of the biggest concerns for the future for all stakeholders involved is the rapid pace at which cyber-crime and new cyber threats are developing, making it hard for policy-makers to even attempt to keep up. Within this scenario, establishing veritable cyber-security in Europe and tackling the plethora of emerging threats in this field will require the European Union to look inward.

Bolstering cyber-security is a challenge facing boardrooms and government officials around the world. While technology is enabling us to be smarter about how we communicate, create, and solve problems, it has also introduced new risks which must be managed.

While the German Parliament voted on a new IT security law, debates continue in Brussels to achieve consensus on a Network and Information Security (NIS) Directive aimed at harmonising cyber-security laws across Europe. That is no small feat when negotiating among 28 countries. A recent report released by BSA charts just how big a task they have before them.

The "BSA EU Cyber-security Dashboard" is a first-ever analysis of national cyber-security laws and policies in the EU. It finds that an unhelpful patchwork exists in Europe when it comes to cyber protections. While some countries have strong cyber-security legal frameworks – the United Kingdom, Germany and Estonia, for example – others still have much work to do. The report makes clear that considerable discrepancies exist between Member States' laws and operational capabilities, resulting in gaps and fragmentation that could put the entire Single Market at risk.

Encouragingly, the report finds that most European Union Member States recognise that cyber-security should be a national priority, with a particular focus on ensuring the cyber resilience of critical infrastructure. Critical networks and infrastructure – transport, energy, banking – are where disruption would do the most harm.

Germany is a good example of a country that has done many things right, with a comprehensive cyber-security strategy in place and a clear commitment to cyber-security protections at the highest levels of government. However, purely national cyber-security standards in Germany as outlined in the IT security law could also pose a hindrance to the coherence of cyber-security rules across Europe. Cyber-security does not stop at national borders; thus, industry-led, internationally-recognized technical standards play a vital role in delivering newer and more secure products to market, and enhancing the cyber resilience of governments, businesses, and citizens.

The report also highlights some key gaps in protections across Europe, such as a lack of cooperation between governments and the private sector on cyber-security. In Europe, most infrastructure is owned by the private sector, making public-private cooperation essential – yet only five European Union Member States have an established framework for public-private partnerships on cyber-security.

The more communication and coordination take place between European Union governments and the private sector, the more resilient Europe will be in the face of evolving cyber-security threats. An important improvement that could be achieved by the Network and Information Security Directive would be the creation of platforms for dialogue between the public and private sectors on cyber threat trends and developments, and the promotion of European Union-wide exchanges on industry and government cyber-security best practices.

The European Union Cyber-security Dashboard outlines the fundamental elements of a strong legal cyber-security framework – from establishing strong legal foundations, to engendering trust and working in partnership, to promoting cyber-security education. These building blocks provide valuable insight for national governments who will ultimately implement cyber-security rules and policies.

The report also provides guidance on what not to do, as some governments around the world are unfortunately using cyber-security as justification for protectionist rules that reduce choice and undermine cyber protections. That includes avoiding country-specific cyber-security standards, obligations to disclose sensitive information such as source code or encryption keys, data localisation requirements, or preferences for indigenous providers, among other unhelpful policies.

Cyber-security cannot happen in domestic silos and it is important to consider the European and global implications of any decisions made in Germany. The IT security law should not, deliberately or inadvertently, prevent international companies from participating in the German market.

The severe Russian hacking attack on the Democratic Party in the United States proved the importance of strong and resilient IT systems around the globe. No European country is going to achieve this goal on its own. Only if the state and the private sector join forces to stop criminal hackers from becoming 21st century highwaymen will we be able to strengthen public trust in the digital highways of our time, which is a crucial prerequisite for realizing the growth potential of the digital economy.

Even if Europe manages to create a flawless culture of cyber-security within its borders, an extremely lofty goal, it will by no means be immune to the threat of cyber attack. When discussing Europe's preparedness in relation to cyber-security issues, it is vital to keep in mind that the internet, as a borderless environment, provides no protection for solely inward-looking entities.

Today, a cyber attack on a European target is more likely to originate from outside the European Union than from within it.

By Guylain Gustave Moke
Political Analyst
International Affairs Expert
