21 Sep 2017   |   News

EU promises beefed up cyber agency and more money for research and training

A broad package of initiatives includes €50M for a pilot of a new European Cybersecurity Research and Competence Centre to train specialists and an EU-wide cyber security certification scheme

EU Security Commissioner Julian King at a press conference following the State of the Union Address 2017. Photo: European Commission

The European Commission has unveiled plans to bolster cyber security by setting up a dedicated training centre, strengthening its intelligence sharing agency, hosting cyber war games and introducing stricter consumer safeguards.

An increase in web-based exploitation attacks, or ransomware, such as this year’s WannaCry worm that locked up more than 200,000 computers around the world, plus growing concerns over election hacking by foreign states, convinced the Commission of the need to increase its investment in cyber resilience, said EU Security Commissioner Julian King, announcing the plan.

A new European Cybersecurity Research and Competence Centre will be set up to train and recruit specialists. The centre, essentially a network of member state cyber research organisations and labs, will not launch fully until after 2020, but the Commission has proposed providing €50 million for a pilot under Horizon 2020.

In addition, the European Union Agency for Network and Information Security (ENISA), which at present works as an advice service, is to be given new operational duties and renamed the EU Cyber Security Agency.

New responsibilities will include organising annual cyber drills to help EU and national public authorities improve their cyber security capabilities.

The agency will also gain a new role of advising the Commission on cyber research. “There’s a lot more we can do,” said Udo Helmbrecht, head of ENISA. “For example, we need to look more at hacking technology such as quantum key distribution, something which China is leading on. It needs a business case.”

Agency staff numbers will increase from 84 to 125 and the budget will double to €23 million a year.

High cost of cyber attacks

The incidence of hacking is rising fast, with the Commission estimating that more than 4,000 ransomware attacks have occurred worldwide every day since 2016, a 300 per cent increase on 2015. Last year 80 per cent of European companies experienced at least one cyber incursion. Cybercrime costs €265 billion a year and that could quadruple by 2019.

“There are two types of company, those which have been attacked, and those which don’t know they have been attacked,” was the warning from Commission vice-president for the digital single market Andrus Ansip.

The WannaCry worm exposed cyber vulnerabilities in May when it brought down hospital IT systems in the UK, railway ticket machines in Germany and parts of the FedEx network in the US. 

The gang behind the attack was after money, in the form of the virtual currency Bitcoin. The Commission says that new laws and penalties are needed for committing cybercrime and is proposing there should be a jail term of two to five years for fraud using online currencies.

The cyber security proposals will need to be approved by the European Parliament and EU states before becoming law.

New technical standards

It is also proposed that ENISA create a voluntary scheme to certify the cyber security level of products and services.

Cyber security researchers have highlighted vulnerabilities in everything from cameras to cars, robots to refrigerators. The certification scheme will validate compliance with cyber security standards of the billions of devices connected to the internet, in the same way that EU labelling aids trustworthiness around food.

“You use EU-wide quality seals for cars, planes and food, so now why not the internet of things too,” said Helmbrecht. “We need quality assurance and liability for all these items.”

New safety labels should save businesses some money. Currently, the UK and France have national schemes, but the costs are high. To get a certificate for an internet connected smart meter, for example, costs about €150,000. The Commission is promising that the new certificates will be recognised across the EU, cutting administrative burdens and costs.

There has been a mixed reaction to this proposal. The Software Alliance, a lobby group which represents companies including Apple, IBM, Microsoft and Siemens, warned that if Europe opts for regional standards, "it will not effectively address the shortcomings and vulnerabilities of a fragmented approach to cyber threats."

It would make more sense if devices had to be fitted with a “best-by date”, with manufacturers required to provide software updates in a timely manner, to ensure protection is maintained, said Julia Reda and Jan Philipp Albrecht, both Members of the European Parliament.

“Updates are the most important tool to ensure the sustained security and integrity of systems and networks we use,” the MEPs said. “Last year, a massive internet outage was caused when software vulnerabilities in legacy Wi-Fi routers, and other devices connected to the internet, were exploited.”

Calls to relocate cyber agency

ENISA, which was set up in 2004, has offices in Athens and Heraklion, a town on the island of Crete.

A UK House of Lords investigation said its location has led to problems in recruiting and retaining staff. The double location has also been criticised by the European Court of Auditors and the EU Parliament.

There have been calls to relocate the agency when its current mandate expires in 2020. However, the Commission says it will not intervene on the issue. “The question of where the new agency goes will be taken by member states,” said Mariya Gabriel, Commissioner for the Digital Economy and Society.