President of the European Commission: „Europe is still not well equipped when it comes to cyber-attacks”

Last year, there were more than 4,000 ransomware attacks per day and 80% of European companies experienced at least one cybersecurity incident. The economic impact of cyber-crime has risen five-fold over the past four years alone.

To equip Europe with the right tools to deal with cyber-attacks, the European Commission and the High Representative are proposing a wide-ranging set of measures to build strong cybersecurity in the EU. This includes a proposal for an EU Cybersecurity Agency to assist Member States in dealing with cyber-attacks, as well as a new European certification scheme that will ensure that products and services in the digital world are safe to use.

On 13 September, in his annual State of the Union Address, president Jean-Claude Juncker (photo) stated: „In the past three years, we have made progress in keeping Europeans safe online. But Europe is still not well equipped when it comes to cyber-attacks. (…) Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks. […] Cyber-attacks know no borders and no one is immune. This is why, today, the Commission is proposing new tools, including a European Cybersecurity Agency, to help defend us against such attacks.”

Building EU resilience: A strong EU Cybersecurity Agency

An EU Cybersecurity Agency: Building on the existing European Agency for Network and Information Security (ENISA), the Agency will be given a permanent mandate to assist Member States in effectively preventing and responding to cyber-attacks. It will improve the EU’s preparedness to react by organising yearly pan-European cybersecurity exercises and by ensuring better sharing of threat intelligence and knowledge through the setting up of Information Sharing and Analyses Centres. It will help implement the Directive on the Security of Network and Information Systems which contains reporting obligations to national authorities in case of serious incidents.

The Cybersecurity Agency would also help put in place and implement the EU-wide certification framework that the Commission is proposing to ensure that products and services are cyber secure. Just as consumers can trust what they eat thanks to EU food labels, new European cybersecurity certificates will ensure the trustworthiness of the billions of devices („Internet of Things”) which drive today’s critical infrastructures, such as energy and transport networks, but also new consumer devices, such as connected cars. Cybersecurity certificates will be recognised across Member States, thereby cutting down on the administrative burden and costs for companies.

Stepping up the EU’s cybersecurity capacity

It is in the EU’s strategic interest to ensure that the technological tools of cybersecurity are developed in a way that allows the digital economy to flourish, while also protecting our security, society and democracy. This includes the protection of critical hardware and software. To reinforce the EU’s cybersecurity capacity, the Commission and the High Representative are proposing:

• A European Cybersecurity Research and Competence Centre (pilot to be set up in the course of 2018). Working with Member States, it will help develop and roll out the tools and technology needed to keep up with an ever-changing threat and make sure our defences are as state-of-the-art as the weapons that cyber-criminals use. It will complement capacity-building efforts in this area at EU and national level.
• A Blueprint for how Europe and Member States can respond quickly, operationally and in unison when a large-scale cyber-attack strikes. The proposed procedure is laid down in a Recommendation adopted last week. The Recommendation also asks Member States and EU institutions to establish an EU Cybersecurity Crisis Response Framework to make the Blueprint operational. It will regularly be tested in cyber and other crisis management exercises.
• More solidarity: In the future, the possibility of a new Cybersecurity Emergency Response Fund could be considered for those Member States that have responsibly implemented all the cybersecurity measures required under EU law. The Fund could provide emergency support to help Member States – just as the EU’s Civil Protection Mechanism is used to help with cases of forest fires or natural disasters.
• Stronger cyber defence capabilities: Member States are encouraged to include cyber defence within the Framework of Permanent Structured Cooperation (PESCO) and the European Defence Fund to support cyber defence projects. The European Cybersecurity Research and Competence Centre could also be further developed with a cyber defence dimension. To address the skills gap in cyber defence, the EU will create a cyber defence training and education platform in 2018. The EU and NATO will together foster cyber defence research and innovation cooperation. Cooperation with NATO, including participation in parallel and coordinated exercises, will be deepened.
• Enhanced international cooperation: The EU will strengthen its response to cyber-attacks by implementing the Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities, supporting a strategic framework for conflict prevention and stability in cyberspace. This will be coupled with new cyber capacity building efforts to assist third countries to address cyber threats.

Creating an effective criminal law response

A more effective law enforcement response focusing on detection, traceability and the prosecution of cyber criminals is central to building an effective disincentive to commit such crimes. The Commission is therefore proposing to boost deterrence through new measures to combat fraud and the counterfeiting of non-cash means of payment.

The proposed Directive will strengthen the ability of law enforcement authorities to tackle this form of crime by expanding the scope of the offences related to information systems to all payment transactions, including transactions through virtual currencies. The law will also introduce common rules on the level of penalties and clarify the scope of Member States’ jurisdiction in such offences.

To step up effective investigation and prosecution of cyber-enabled crime, the Commission will also present proposals to facilitate cross-border access to electronic evidence in the beginning of 2018. In addition, by October, the Commission will present its reflections on the role of encryption in criminal investigations.

Background

Recent figures show that digital threats are evolving fast and that the public perceives cyber-crime as an important threat: Whilst ransomware attacks have increased by 300% since 2015, the economic impact of cyber-crime rose fivefold from 2013 to 2017, and could further rise by a factor of four by 2019, studies suggests. 87% of Europeans regard cyber-crime as an important challenge to the EU’s internal security.

Source: European Commission