The European Union (EU) has unveiled a new cybersecurity strategy as the bloc steps up its efforts to combat a growing number and increasing severity of threats.
A network of security operations centres using artificial intelligence (AI) – aimed at constituting a ‘cybersecurity shield’ for the 27-nation bloc – is among a swathe of initiatives jointly announced by the European Commission and Europe’s high representative for foreign affairs and security policy.
A ‘joint cyber unit’ to bolster co-operation between EU bodies and member state authorities responsible for preventing and responding to cyber-attacks is also in the works, as well as proposals to address both cyber and physical resilience of critical entities and networks.
The Commission and high representative unveiled ‘The EU’s Cybersecurity Strategy for the Digital Decade’ as concerns mount worldwide about the threat posed by cyber criminals. The annual cost of cybercrime to the global economy is estimated at €5.5 trillion (about $6.6 trillion) by the end of 2020, double 2015’s figure, according to the 29-page document.
The issue hit international headlines less than a fortnight ago when the European Medicines Agency (EMA) – which is in charge of authorising Covid-19 vaccines across the EU – confirmed that it had been the subject of a cyberattack. The Amsterdam-headquartered agency is currently investigating what happened in co-operation with law enforcement and other relevant entities, according to a short statement on the EMA’s website.
‘Solid mesh of watchtowers’
The EU’s strategy document describes the proposed network of AI-enabled security operations centres as a ‘solid mesh of watchtowers, able to detect potential threats before they can cause large-scale damage’. EU support will be made available to improve incident detection, analysis and response speeds through ‘state-of-the-art’ AI and machine-learning capabilities and complemented by supercomputing infrastructure, it says.
The process and timeline for defining, deploying and expanding the Joint Cyber Unit will be presented by February.
The Commission and high representative also propose an update of the EU’s network and information services (NIS) directive – the first EU-wide law on cybersecurity, which came into force in 2016 – to become ‘NIS2’; and propose a new critical entities resilience (CER) directive.
NIS2’s intention would be to increase the level of cyber-resilience of critical infrastructure such as hospitals, energy grids and railways, but also data centres, public administrations, research labs and manufacturing of critical medical devices and medicines. It would cover medium and large entities from more sectors ‘based on their criticality for the economy and society’; and would also bolster security requirements imposed on the companies, address security of supply chains and introduce more stringent supervisory measures for national authorities, among other aims.
The proposed CER directive, meanwhile, expands both the scope and depth of the 2008 European critical infrastructure directive.
The next step is for the European Parliament and Council to examine and adopt the proposed directives. Once the proposals are agreed and consequently adopted, member states would have to transpose them within 18 months of their entry into force.
In terms of funding, the new cybersecurity strategy will draw on the next long-term EU budget (2021-2027), notably Horizon Europe and the Digital Europe programme, as well as the post-Covid ‘Recovery Plan for Europe’. The objective is to reach up to €4.5bn ($5.41bn) of combined investment from the EU, member states and the private sector.
Malware is greatest threat
Two months ago the EU Agency for Cybersecurity (ENISA) – which was set up more than 15 years ago – warned that the bloc has a ‘long road ahead’ to reach a more secure digital environment, saying that changes in working and infrastructure patterns caused by Covid-19 have weakened cybersecurity measures. According to its 8th annual ENISA Threat Landscape (ETL) 2020 report, the most common cyber threat is malware (short for ‘malicious software’), followed by web-based attacks, phishing, web-application attacks and spam.
ENISA has welcomed the EU’s cybersecurity plans. The executive director of the Greece-headquartered agency, Juhan Lepassaar, said: “The security of cyberspace has been tested globally in recent times therefore the new cybersecurity strategy is very timely.”
The agency released a report on 11 December saying that NIS2 addresses various challenges with implementation of the original directive.
As part of its new strategy, the EU also plans to boost cyber capacity-building efforts beyond its borders by developing what it describes as an ‘EU External Cyber Capacity Building Agenda’; and by setting up an ‘EU Cyber Diplomacy Network’ around the world to promote its cyberspace vision.
“International security and stability depends more than ever on a global, open, stable and secure cyberspace where the rule of law, human rights, freedoms and democracy are respected,” said high representative, Josep Borrell. “With [this] strategy the EU is stepping up to protect its governments, citizens and businesses from global cyber threats, and to provide leadership in cyberspace.”
Separately, the EU has also this month announced that a new ‘Cybersecurity Competence Centre’ – or, to give it its full name, the European Cybersecurity Industrial, Technology and Research Competence Centre – is to be located in the Romanian capital Bucharest.