For enterprises operating in Europe, the European Commission's December 2020 EU Cybersecurity Strategy is likely to shape how you go about improving cyber resilience.
The 2020 EU Cybersecurity Strategy underlines the role of cybersecurity in growing the EU economy and in reinforcing user confidence in digital tools. The publication goes beyond cybersecurity policy and compliance to cover three key areas: resilience and technological sovereignty; the operational capacity to prevent, deter and respond to attacks; and increased cooperation, both within the EU and internationally.
Two documents published alongside each other, the strategy itself and a proposal for a revised Directive on Security of Network and Information Systems (NIS2), will strongly influence how organizations doing business in Europe, or working with European governments and entities, are expected to operate.
Read on to learn what’s new, where the future of cybersecurity in the EU is headed and how businesses can prepare for these changes now.
Cyber Resilience Starts With the NIS2 Directive
One of the most noteworthy parts of this proposal is the reform of the EU's existing NIS Directive (Directive (EU) 2016/1148). Adopted in 2016, it sets a range of security requirements that apply to operators of essential services and digital service providers. The commission highlighted several shortcomings in this directive:
- A scope that is too narrow in the sectors it covers, combined with an ineffective oversight and enforcement regime;
- Major differences in how member states transposed it, which created burdens for organizations operating in more than one member state;
- Uneven cyber resilience across member states and sectors, and too little information sharing.
The reform itself is no surprise: the NIS Directive has periodic review built in. What is notable is that the commission proposes a new directive that repeals the existing one rather than amending it. This requires more effort but is likely to be more efficient and effective. The scope is also extended to new sectors: public administration, postal and courier services, manufacturing, food production and more will fall under the directive.
Prevention, detection and response are key throughout. Under the proposal, entities in scope must manage risk through a defined list of technical and organizational measures. These include policies on risk analysis and information system security, incident handling, business continuity, supply chain security, vulnerability handling and disclosure, and the use of cryptography and encryption. Other key aspects are streamlined incident reporting (the proposal calls for an initial notification within 24 hours of becoming aware of a significant incident), more stringent oversight and penalties, coordinated vulnerability disclosure, a European vulnerability registry maintained by ENISA, and explicit attention to risks in supply chain and vendor relationships.
Cyber Resilience Challenges for 5G and IoT
To address the growing attack surface of 5G mobile networks, the commission wants member states to complete their implementation of the EU 5G Toolbox. Although many member states are on track, a lot of work remains, in particular in reducing their dependence on high-risk suppliers. The growth of these networks will also drive a further expansion of the Internet of things (IoT), and more connected devices mean a larger attack surface.
Companies that make connected products should watch this closely. The commission intends to introduce rules that place a duty of care on manufacturers to address software vulnerabilities. This includes providing security updates throughout the product's supported life and ensuring that personal data is deleted at the end of that life.
A New Approach to DNS
One of the key players to strengthen the EU’s overall presence in the digital world will be the Cybersecurity Industrial, Technology and Research Competence Centre and Network of Coordination Centres (CCCN). Its goal is to use industry and academic input to place the EU at the forefront of cybersecurity. One element of this plan is an alternative European service for accessing the internet, called DNS4EU.
In addition, the commission proposes a contingency plan for extreme scenarios affecting the integrity and availability of the global domain name system (DNS) root system, with a focus on the two root server operators based in the EU (Netnod, which runs I-root, and RIPE NCC, which runs K-root). Keep an eye on how this is implemented, given that DNS is already designed as a distributed and redundant system. Both EU root server operators use anycast, so a single root server address is answered by many geographically separate instances, a large number of which are located outside Europe.
European Cyber Shield
With all these changes, one could overlook the basics of cybersecurity: early detection of and swift response to attacks. Organizations have come to rely on security operations centers (SOCs) for this task. Unfortunately, many SOCs operate as islands and lack the means to cooperate or share information. To support this collaboration, the commission will help strengthen existing SOCs and establish new ones. Its goal is a network of SOCs that act as watchtowers, picking up early signals of cyberattacks and sharing them across borders.
Prevention and Response: Introducing the Joint Cyber Unit
While the network of SOCs provides situational awareness, there is still a gap in how authorities respond jointly to these threats. To close it and improve cyber resilience, the commission called for a Joint Cyber Unit to share threat information and coordinate incident response. The unit is not a standalone body but a platform through which existing communities can draw on one another's support and expertise. Its goal is to ensure preparedness, provide situational awareness through information sharing, and reinforce response and recovery across those communities.
Developing such a body, or a collaboration platform, will not happen overnight. Many hurdles remain, not least making sure the competences and mandates of all groups involved are respected. The Computer Emergency Response Team for the EU institutions (CERT-EU), the European Union Agency for Cybersecurity (ENISA) and the European Union Agency for Law Enforcement Cooperation (Europol) have a lot of work ahead of them as they come together on this project.
Tackling Crime for Greater Cyber Resilience
This unit will doubtless play a major role in the fight against cybercrime, but it is not the only card the commission can play. ENISA and Europol already work together, and the commission wants this to continue. It laid out an action plan to build up the digital capacity of law enforcement by identifying in advance the skills and tools investigators will need. Europol will play a central role in this plan.
Also noteworthy is the commission's plan to ensure that domain name registration data is accurate and that law enforcement has lawful access to it. The NIS2 proposal turns this into an obligation for TLD registries and the entities providing registration services for them to collect and maintain accurate and complete registration data. Such a database can be a valuable instrument in the fight against cybercrime.
Where Diplomacy and Defense Meet Cyber Crime
Cyber threats are not limited to crime. Some threat actors target member states or the EU as a whole. To address this, the EU's cyber diplomacy toolbox can be used to prevent, discourage and respond to such actions. In its EU Cybersecurity Strategy, the commission supports strengthening cooperation mechanisms and joint diplomatic responses. The toolbox is also to be integrated into crisis mechanisms that counter disinformation and foreign interference.
Helping Groups Work Together
The commission also envisions improvements in cyber diplomacy through cooperation between nations. The EU will expand its dialogue with third countries (non-EU states) and with regional and international organizations. It will also create an informal EU Cyber Diplomacy Network. This third pillar further includes the following:
- Guidance on the application of human rights and fundamental freedoms online;
- Better protection of children against sexual abuse and exploitation;
- Setting objectives in international standardization processes.
What’s Next for Cyber Resilience?
The commission will start implementing this EU Cybersecurity Strategy in the coming months. From there, it will monitor progress based on reports from member states and EU agencies such as ENISA. Because the rollout involves public-private and cross-border cooperation, there will be plenty of opportunities to collaborate and thereby increase overall cyber resilience in Europe.
There is still time to get ready for the reform of the NIS Directive, but do not wait for the final text. Although the proposal must pass through the EU legislative process before being transposed into national law, and details may still change, the bulk of it will likely remain as written. You can therefore take action now:
- First, verify whether your organization falls within the extended scope of sectors and entity types;
- Next, gear up your detection and incident notification processes so that you can meet tight reporting deadlines;
- Review the security of your supply chain and vendor relationships;
- Lastly, ensure your risk management program covers the measures the directive lists, from security policies and incident handling to the use of cryptography.