EU finalising plans for pan European cybersecurity centre

The EU is close to finalising plans for the European Cybersecurity Industrial, Technology and Research Competence Centre, including choosing its location and agreeing how much member states will contribute.

With the last negotiation on terms imminent, EU policymakers are still discussing whether the member states should make payments voluntarily and deciding the voting rights on the centre’s decisions.

“We also need to ensure, of course, the centre will not just end up being a centre where money will be distributed for cybersecurity projects in member states, but that there will be added European value,” rapporteur for the centre Rasmus Andresen MEP told the European Parliament.

The centre’s mission is to distribute funds for cybersecurity projects from the EU’s research and digital programmes, Horizon Europe and Digital Europe, and help coordinate a network of national coordination centres, linking the cybersecurity community around Europe.

The European Commission first announced plans for the centre in 2018, funding pilot projects to test how such a centre and network would operate.

Kai Rannenberg, coordinator of one of the pilots, CyberSec4Europe, who holds the chair of Mobile Business and Multilateral Security at Goethe University Frankfurt, said the focus was real world cybersecurity applications and demonstration projects.

This is an area where a lack of collaboration between academia and industry is leaving a gap. Research findings are often not translated into real world solutions, and it is hoped the new centre could help address this.

The issue is also visible in education, according to Rannenberg. An analysis found that traditional areas of cybersecurity, such as cryptology, are well covered, with 98 per cent of programmes tackling the subject. However, operational security and applied solutions are often neglected, with less than 20 per cent of programmes offering classes on the subject.

The new cybersecurity competence centre and the network should help fill these gaps, while encouraging bottom-up and decentralised research and governance structures. “We are trying out these models, and we hope in the end European legislation will enable these models,” said Rannenberg.

Kęstutis Driaunys, dean of the Kaunas faculty of Vilnius University, hopes the centre will help tackle key cybersecurity threats and distribute EU resources more effectively. Cybersecurity is a developing discipline whose tentacles reach into almost all fields of science and industry, yet often lacks high level experts. “It is becoming very important to strategically refine key problems and to effectively distribute resources to address them. And this is what we all expect from this centre,“ said Driaunys.

Technology sovereignty

In August, web browser developer Mozilla ditched its open source browser engine project, Servo, after the COVID-19 crisis hit the company’s finances. This left Chromium, Google’s browser engine, as the only project generating the open source code that now underpins Google Chrome, Microsoft Edge and other browsers. Two weeks ago, Servo was taken over by the Linux Foundation, the non profit body behind the Linux open source operating system. However, for a while, Chromium held a monopoly in the field.

For Rannenberg, this raises the question of how Europe should prepare for such situations. In summer 2020, no one was prepared to take over the project. However, in principle, he says, the cybersecurity competence centre could have monitored the situation and, when needed, found or triggered public funding, allowing another organisation to step in to fund further development of Servo, keeping the development team together.

Pinpointing pressure points and stepping in to guide development of key technologies could be a key function of the new centre, Rannenberg believes. “Digitalisation has a tendency towards monopolisation, with lowering of services if you don’t regulate,” he told Science|Business. “All of these ICT infrastructures are super important to keep us going. So, the sooner we step in, the better.”

Seen from this perspective, the centre could become key player in Europe’s push for technology sovereignty. “Europe has a number of values and a democratic system,” said Rannenberg. “That is something that needs to be preserved in cybersecurity, because traditionally security technology can easily trend to top-down structures.”

Miguel García-Menéndez, vice chair of the Atlantic Arc, Cybersecurity and Digital Environment, a Spanish non profit that aims to create an R&D ecosystem for cybersecurity, says EU-level intervention is essential to ensure smooth running of Europe’s digital infrastructures, which are much weaker than we like to believe.

“We now live in digital fragility. Everyone is talking about digital transformation, but few people talk about digital fragility. Every time we build a new digital infrastructure, most of the time companies don’t realise they are building a giant with a fragile fit. They can easily fall in cyber dangers,” said García-Menéndez.

In the end, it is not about becoming a world leader in cybersecurity but about protecting Europe’s digital resources. García-Menéndez is convinced public authorities must step in to improve Europe’s cybersecurity capacities, and the new centre could serve as a tool for this.

Location, location, location

One of the key remaining questions is where the centre will be located. Seven countries have expressed their wish to host it, and EU ambassadors are set to vote on the proposals on 9 December.

One of the key criteria set by the EU Council is the presence of an active cybersecurity ecosystem in the host city.

García-Menéndez believes Leon, Spain, one of the candidates, offers the right environment for the centre. Leon is the seat of the Spanish Cybersecurity Agency, one of the country’s several cybersecurity organisations, around which an ecosystem of start-ups and multinationals has emerged.

The whole country is cybersecurity conscious and could lead others by example, adds Miguel. Spain took to protecting its infrastructure after the release of the first European directive on critical infrastructure, realising the importance of cybersecurity. This allowed companies to flourish around the country, growing Spain’s cybersecurity industry. “The candidacy of Leon complies with the business side of the proposal,” said Miguel.

Another requirement is the presence of excellent IT facilities in terms of connectivity, security and interoperability. For this reason, Driaunys believes Vilnius, Lithuania is a good candidate.

The country holds the fourth place globally in the International Telecommunication Union’s cybersecurity index and has some of the best internet infrastructure in the world. “Leadership in this field amongst all the countries that have submitted proposals for the centre is, in my view, an important accent,” said Driaunys.

The centre would also benefit the country, which is facing constant cyber threats from neighbouring Russia, providing more stability when it comes to dealing with attacks, said Driaunys.

However, Rannenberg says that the centre should be well-connected with the rest of the EU bodies. “It does make sense if it is reasonably close to Brussels, because it has an advisory function,” he said.