More resiliency to cyberattacks: What does the EU need?

There is a proposal for an EU Cybersecurity Agency to assist Member States in dealing with cyber-attacks, as well as a new European certification scheme that will ensure that products and services in the digital world are safe to use. How do you see this initiative, and how can the Member States benefit from it? Read a few comments.

Mariarosaria Taddeo, Research Fellow, Oxford Internet Institute

The EU has recently given ENISA a permanent mandate. This was a long due step. ENISA will be able to assist Member States to implement the NIS directive, indicate essential service infrastructure, build capacities and best practices to improve their security and, in my opinion, even more importantly their resilience. The resilience of national information infrastructure and the possibility to ensure that at EU level is essential to guarantee a minimum standard of cyber security across the EU. The cybersecurity of the Union is equal to the one of its weakest link. This is a step in the right direction, but it is a first step and more needs to follow. A key, crucial, step will be to regulate EU Member States' conduct in cyberspace; a few questions need to be answered, such as: should states disclose rather than store vulnerabilities? Should the EU build EU cyber capabilities, for example developing its own counter autonomy systems? The NIS directive provides a list of crucial informational infrastructures and a set of criteria to assess the damage of ‘cyber incidents’, but no direction or indication is given about responding to cyber attacks involving a crucial infrastructure. How should a Member State respond if the attack can be attributed to another state? Would the EU sanction a Member State who attacks crucial infrastructure of another Member State? In other words, the NIS directive defines a set of so-called red lines, and ENISA will help in ensuring their resilience, but who will ensure that these infrastructures will not be targeted by other states?

The certification scheme is essential, especially as IoT devices are becoming increasingly popular. We cannot afford as individuals, as societies, as the EU to deploy devices or services that are not secure. The certification scheme will prompt better standards for providers and producers, will foster users' awareness, cyber hygiene, education and eventually trust. Eventually it will become a building block of a strategy to ensure a more resilient network of things and hence a more secure environment.

Piret Pernik, Research Fellow, International Centre for Defence and Security

I think that since some MS are lagging behind in cyber security and resilience it’s necessary to collectively assist them in preventing and responding to large-scale incidents that may impact several MS. Regarding certification – it’s hard to imagine that all inexpensive IoT devices would have mandatory certification, so it must be voluntary at this point, based on international standards; at the same time, in critical sectors (like defence, finance, etc.) it should be mandatory in the future, but there should be discussion with industry on how to implement a mandatory scheme (for example, the US government has prohibited Kaspersky’s software; perhaps a “white list” of accredited IoT devices should be created in time). Voluntary certification is a first step, but discussion with industry and IoT developers/producers should be continued in order to secure the key sectors better than that.
