Data privacy, IoT security, and closer co-operation among member states also on the agenda
ANALYSIS As Germany took the helm of the European Union in July 2020, the world was battling through an unprecedented crisis.
But while the country’s EU presidency program is understandably focused on Covid-19, cybersecurity issues are still high on the agenda.
“The EU has had a reactive focus on cybersecurity, but the crisis – and working from home – has made innovation necessary, and it is moving higher up the priority list,” says Vladlena Benson, professor of Cybersecurity Management at Aston University and board member of the ISACA UK Central Chapter.
Germany’s EU presidency manifesto – called ‘Together for Europe’s Recovery’ – is calling for closer cooperation between EU countries on cybersecurity, especially for the protection of critical national infrastructure.
It will also work to improve “digital competence and cyber defence capabilities” of member states’ armed forces. This is tied into the German presidency’s desire to bolster the bloc’s foreign and security policy.
Here’s a roundup of the key cybersecurity issues that Germany is hoping to tackle over the next six months:
The EU will mandate a minimum level of security for connected devices. Germany’s EU presidency report stops short of defining a ‘connected device’, but states that all devices should “have a standard minimum level of IT security”.
This is widely seen as a requirement for consumer devices to have basic security measures, such as updatable firmware and the ability to change default passwords.
The new rules are likely to apply to internet of things (IoT) devices used in business too, including low-level equipment such as sensors and IP cameras.
Data protection and AI
The EU will also review how sensitive data is used. Germany wants to develop the use of artificial intelligence (AI), including within the healthcare sector, to help with economic recovery.
But AI must, the presidency says, be “developed with the good of our liberal democratic society in mind”.
The EU will focus on innovation, access to data, responsible data use, and security. It will look at how to share medical data across Europe as part of pandemic planning.
Improving secure access to data will also be part of the move towards a digital single market.
Data protection, too, will be improved. EU citizens must be able to store information on their devices without it being accessed by third parties – there will be a legal framework for creating secure storage options or “standardized secure elements” on devices.
Germany also says the EU will work to improve digital inclusion.
Germany holds the EU presidency until December 2020
Fighting the tide
The EU’s proposed measures come at a time when cybercrime is rising, and both public and corporate security budgets are likely to be stretched. This could limit the EU’s ambitions.
“Cybercrime is certainly on the rise, despite multiple efforts to strengthen law enforcement and multinational European cooperation,” says Rolf von Roessing, board vice chair at ISACA.
Progress has been made, especially under Finland’s presidency last year, which held exercises in cyber defense as part of its program.
But Germany, as the EU’s largest economy, will now need to play a leadership role.
“What the presidency’s priorities acknowledge is that well-resourced criminal organizations define the rules behind their attacks.
“Successfully defending the EU against such a nimble adversary requires all member states to cooperate in securing critical infrastructure, lest an attacker exploit a weak link and destabilise the union,” says Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre.
Mackey points out that the EU’s European Data Strategy needs built-in safeguards to prevent data sharing for scientific research becoming “backdoors for broad data operations”.
The EU also needs to strike a balance between intervention and overburdening industry.
“It remains to be seen whether these ambitious programs and initiatives can all be launched within a short period of time,” cautions von Roessing.
“The current EU paradigm of more regulation and government intervention creates a risk of establishing additional bureaucracy.”
Securing the IoT – and beyond
Creating a standard for device security, however, has gained broad support from various industries.
“Setting a security benchmark is great for things like IoT, where security has tended to be an afterthought,” says Neil Thacker, CISO at Netskope and adviser to ENISA, the EU’s cybersecurity agency.
“It is quite difficult to put security on these devices if they only cost a few dollars or euros to create.”
The EU is keen to address issues of public trust around connected devices. Consumers often assume a device, such as a smartphone, is secure because it has a basic level of security.
But some experts believe the EU needs to go further.
“It’s great that they have called out device security,” says Thacker. “But I hope they also extend that to the cloud, as these devices are usually collectors of data or sensors, not processors of information. They connect to the cloud, so that also needs to be part of the thinking.”
German Chancellor Angela Merkel outlined the country’s EU presidency priorities in July
Cyber success, Covid threats
Balancing these conflicting demands of consumer protection, data sharing, and national security will not be easy – especially for a presidency that will need to focus much of its attention on the Covid-19 crisis.
Cyber-attacks have increased in the months since the coronavirus pandemic began to spread across the globe, both targeting remote workers and preying on the anxieties of the general public.
“Social engineering, phishing, and ransomware attacks have been occurring much more over the last three months, as users are much more vulnerable,” says Richard Cassidy, senior director for security strategy at Exabeam.
“All governments need to take much more ownership for the protection and privacy assurance of their citizens’ data.
“This policy does not outline what, if any, focus will be on nation-state threats to citizens’ PII [personally identifiable information].”
Better user education, especially around sharing information on social media, is needed.
But few national bodies are in a position to counter the threats alone, suggests Professor Benson.
“A cohesive EU approach is in my opinion a vehicle to allow all countries to have a harmonised approach,” she says.
“And the single digital market will be key if we are to recover from the economic downturn.”