The European Commission extends EU response to cyberattacks
Editorial
On 13th September, President Jean-Claude Juncker, in his annual State of the Union address, said: "In the last three years, we have made progress in keeping Europeans safe online. This is why today the Commission proposes new tools, including a European Cybersecurity Agency, to help us defend ourselves against such attacks". Europeans place great trust in digital technologies. They open new opportunities for the general public to connect, facilitate the dissemination of information and form the backbone of the European economy. However, they have also created new risks as non-state and state actors increasingly attempt to steal data, commit fraud or even destabilize governments.
Last year, there were more than 4,000 ransomware attacks per day and 80% of European companies suffered at least one cybersecurity incident. The economic impact of cybercrime has increased fivefold in the past four years alone.
To equip Europe with the appropriate tools to deal with cyberattacks, the European Commission and the High Representative propose a comprehensive set of measures to build strong cybersecurity in the EU. This includes a proposal for an EU Cybersecurity Agency to help Member States address cyberattacks, as well as a new European certification scheme that will ensure that products and services in the digital world are safe to use.
Federica Mogherini, High Representative of the Union for Foreign Affairs and Security Policy, said:
"The EU will pursue an international cybernetic policy that promotes open, free and secure cyberspace, as well as supporting efforts to develop standards of responsible state behaviour, international law and confidence-building measures in cybersecurity".
Andrus Ansip, Vice President of the Digital Single Market, said: "No country alone can meet the challenges of cybersecurity. Our initiatives strengthen cooperation so that EU countries can address these challenges together. innovation and promote cyberhygiene".
Julian King, Commissioner for the Security Union, said: "We need to work together to develop our resilience, drive technological innovation, drive deterrence, strengthen traceability and accountability, and build on international cooperation to promote our collective cybersecurity".
Mariya Gabriel, Commissioner for the Digital Economy and Society, said: "We need to build on the trust of the general public and businesses in the digital world, particularly at a time when large-scale cyberattacks are becoming more common; high standards of cybersecurity become the new competitive advantage of our companies".
With ransomware attacks, a dramatic increase in cybercrime, the increasing use of cyber tools by state actors to meet their geopolitical objectives and the diversification of cybersecurity incidents, the EU needs to build greater resilience to cyberattacks and to provide an effective cybercrime and criminal law response to better protect the general public, businesses and public institutions in Europe. That is the purpose of today's cybersecurity package.
DEVELOPING EU RESILIENCE: THE EU CYBERSECURITY AGENCY
Building on the European Network and Information Security Agency (ENISA), the Agency will have a permanent mandate to assist Member States in preventing and responding effectively to cyberattacks. It will improve the preparedness of the EU to react by organizing annual pan-European cybersecurity exercises and ensure a better exchange of intelligence and knowledge about threats through the creation of clearing-house and analysis centres. It will help to implement the Directive on the security of networks and information systems, which incorporates reporting obligations to national authorities in the event of serious incidents.
The Cybersecurity Agency would also help to establish and implement the EU-wide certification framework that the Commission proposes to ensure that products and services are cyber-safe.
Just as consumers can rely on what they eat thanks to EU food labels, new European cybersecurity certificates will ensure the reliability of the billions of devices ("Internet of Things") that drive today's critical infrastructures, such as energy and transport networks, but also consumer devices such as connected cars. Cybersecurity certificates will be recognized in all Member States, thus reducing the administrative burden and costs for companies.
INCREASING EU CYBERSECURITY CAPACITY
The EU's strategic interest is to ensure that cybersecurity technological tools are developed in such a way as to enable the digital economy to flourish while protecting our security, society and democracy. This includes protecting critical hardware and software. To strengthen the EU's cybersecurity capacity, the Commission and the High Representative propose:
A European Centre for Research and Competence in Cybersecurity (pilot to be established during 2018). Working with Member States, it will help develop and deploy the necessary tools and technology to keep up with a constantly-changing threat and ensure that our defences are as advanced as the weapons used by cybercriminals. It will complement capacity-building efforts in this area at national and EU level.
A blueprint for how Europe and Member States can respond quickly, operationally and in unison when large-scale cyberattacks occur. The proposed procedure is set out in a Recommendation adopted last week. The Recommendation also calls on Member States and EU institutions to set up an EU cybersecurity crisis response framework to implement the operational plan. This will be regularly tested in cyber and other crisis management exercises.
More solidarity: in the future, the possibility of a new Cybersecurity Emergency Response Fund could be taken into consideration for Member States that have responsibly implemented all cybersecurity measures required by EU legislation. The Fund could provide emergency assistance to help Member States, just as the EU Civil Protection Mechanism is used to help in cases of forest fires or natural disasters.
Increased cyberdefence capability. Member States are encouraged to include cyberdefence in the framework of permanent structured cooperation (PESCO) and the European Defence Fund to support cyberdefence projects. The European Centre for Research and Competence in Cybersecurity could also be further developed with a cyberdefence dimension. To address the cyberdefence skills gap, the EU will create a cyberdefence education and training platform in 2018. The EU and NATO will jointly promote cyberdefence research and innovation cooperation. Cooperation with NATO will be further developed, including participation in parallel and coordinated exercises.
Enhanced international cooperation: the EU will strengthen its response to cyberattacks by implementing the framework for a joint EU diplomatic response to malicious cyberactivities, supporting a strategic framework for conflict prevention and cyberspace stability. This will be combined with new cybersecurity efforts to help third countries address cyberthreats.
CREATING AN EFFECTIVE CRIMINAL LAW RESPONSE
A more effective response by law enforcement agencies, focused on the detection, traceability and prosecution of cybercriminals, is essential to create an effective disincentive to commit such crimes.
The Commission therefore proposes to increase deterrence by means of new measures to combat fraud and counterfeiting of non-cash means of payment.
The proposed Directive will strengthen the capacity of law enforcement authorities to deal with this form of crime by extending the scope of information system crimes to all payment transactions, including transactions through virtual currencies. The law will also introduce common standards on the level of penalties and clarify the scope of the jurisdiction of the Member States over such offences.
To intensify the effective investigation and prosecution of cybercrime, the Commission will also submit, in early 2018, proposals to facilitate cross-border access to electronic evidence. In addition, the Commission will present its thoughts on the role of encryption in criminal investigations in October.
Recent figures show that digital threats evolve rapidly and that cybercrime is perceived by the general public as a serious threat.
While ransomware attacks have increased by 300% since 2015, the economic impact of cybercrime increased fivefold between 2013 and 2017. This could continue to increase by a factor of four by 2019, studies suggest. 87% of Europeans consider cybercrime as a major challenge for the internal security of the EU.
The European Security Agenda and the mid-term review of the Digital Single Market Strategy guide the Commission's work in this area and outline the main actions to boost cybersecurity. The measures proposed today complement existing standards and fill the gaps where the threat landscape has evolved since the adoption of the EU's 2013 Cybersecurity Strategy, fulfilling the key priority of helping Member States to ensure internal security under the Bratislava Declaration and Road Map.