Last month, in his annual State of the Union Address, European Commission President Jean-Claude Juncker announced a new pan-European cybersecurity agency, a new European certification scheme to ensure the safety of digital products and services, and some other related cybercrime measures.
With this significant announcement, the EU admitted that to date, it has not been ready to address cyberattacks. The EU reported that last year there were more than 4,000 ransomware attacks per day, and 80 percent of European companies experienced at least one cybersecurity incident. The economic impact of cybercrime has risen fivefold over the past four years alone and could further rise by a factor of four by 2019. A vast majority of Europeans regard cybercrime as an important challenge to the EU’s internal security, significantly more important than privacy, for which the EU ostensibly created the General Data Protection Regulation (GDPR).
It is laudable that the new agency builds on the work of the European Agency for Network Security and Information (ENISA). I have frequently described the important work and role of ENISA, most notably in my most recent paper on the GDPR.
ENISA now receives a permanent mandate to assist EU member states in preventing and responding to cyberattacks. This includes conducting pan-European cybersecurity exercises, sharing threat intelligence and knowledge, and facilitating reporting of cybersecurity incidents to national authorities. The EU Cybersecurity Agency would also help put in place and implement the EU-wide framework to certify the security of digital products and services.
The announcement also calls for a more effective law-enforcement response focusing on detection, traceability, and the prosecution of cybercriminals. The European Commission proposes to combat fraud and the counterfeiting of noncash means of payment by strengthening the ability of national law enforcement authorities to combat cybercrime through online payments and virtual currencies. The law will also introduce common rules on the level of penalties and clarify the scope of member states’ jurisdiction in such offences.
To step up effective investigation and prosecution of cyber-enabled crime, the Commission will also present proposals to facilitate cross-border access to electronic evidence at the beginning of 2018. In addition, the Commission will present its reflections on the role of encryption in criminal investigations by October 2018.
While the cybersecurity agency could be a positive development, it could also create bureaucracy. The EU already has 28 cybersecurity agencies across its member states, but if the new agency can successfully implement new and streamlined standards, it could be a worthwhile effort.
Certification is a different story. It seems that enterprises would already seek certification if such standards were known. If government has some special knowledge today, why isn’t it already using that knowledge to defend enterprises? And the EU itself admits that it has not been where it needs to be on the issue. On the other hand, if enterprises have no clue about cybersecurity, perhaps the regime creates helpful minimum standards. Cyber insurance could be an effective and preferable way for enterprises to manage risk — the EU could simply require insurance, rather than try to be the actuary. It seems that the EU could be creating a liability for itself by setting the standards itself.
Notably, and similar to the extensive GDPR requirements, the measures do not appear to hold governments to account for their cybersecurity vulnerabilities, and this seems to be a major gap, as government data are increasingly targeted by cyberattacks.
In any case, we should commend the EU’s recognition of the importance of cybersecurity and the need for an integrated, holistic approach.