The European Union (EU) has detailed how it intends to improve its cyber defences in the face of rising ransomware attacks, cyber-crime and online meddling by other nations.
“With the recent ransomware attacks, a dramatic rise in cyber-criminal activity, state actors increasingly using cyber tools to meet their geopolitical goals and the diversification of cybersecurity incidents, the EU needs to be more resilient to cyber-attacks and create effective cyber deterrence,” said the European Commission in a State of the Union 2017 – Cybersecurity statement.
The EU’s plans include a ‘Blueprint’ to implement in the event of a large-scale cyber attack, a stronger EU Cybersecurity Agency with greater resources, a new security certification scheme and more investment in European security research.
The Commission wants a plan in place to combat any large-scale cross-border cyber-attack or crisis: this would set out how member states and EU institutions should respond to these incidents. The plan will be tested regularly in cyber and other crisis management exercises, it said.
“Large-scale cyber-attacks affect many countries both within and outside the EU, as was the case for the WannaCry and the (non)Petya attacks. The purpose of the Blueprint is for the EU to set up a well-rehearsed plan in order to react to a cyber-incident or crisis which involves cooperation at European and international level.”
In 2017 and 2018, NATO and the EU will for the first time carry out parallel and coordinated exercises in response to a hybrid warfare scenario, said the Commission.
Investment in cybersecurity
The EU needs large-scale investment in cybersecurity technologies, products, processes and expertise to achieve what the Commission calls “cybersecurity technological autonomy” for the region, as well as to protect its digital economy, society and democracy. The Commission said it will invest €50m in funding for security research.
The Commission also wants to introduce an EU cybersecurity certification framework for ICT products and services. At the moment there are a number of different national security certification schemes, which leads to duplication. For example, smart meters currently have to undergo separate certification processes in France, the UK and Germany.
Certification can be expensive: according to the Commission, the BSI Smart Meter Gateway certification costs more than €1 million (this covers not only one product but the whole infrastructure around it as well), while the cost for smart meter certification in the UK and France is about €150,000. Rolling out a new voluntary scheme could make it easier for businesses to trade across borders and for buyers to understand the security features of products or services.
Europe also wants to get tougher on would-be cyber criminals and attackers.
“As long as the perpetrators of cyber-attacks — by both state and non-state actors — have nothing to fear besides failure, they will have little incentive to stop trying,” said the Commission, which plans to expand the scope of the offences related to information systems to all payment transactions — including transactions through virtual currencies — and set a minimum level for the highest penalties EU member states can impose.
Cyber-defence has taken on added urgency in Europe following Russia’s alleged meddling in last year’s US presidential election. European defence ministers recently took part in a cyberwar exercise aimed at responding to a major digital attack, for example. However, the EU depends on the capabilities of its member states, and while some are taking cyber-defence seriously, for others it remains a low priority.