‘Everybody knew that the pandemic was coming. Were we ready to react collectively? We were not’

Coronavirus, supply chain attacks highlight lack of coordination among EU member states when it comes to cybersecurity

“Cyber weapons are a reality, and cyber defense is a dream,” asserted Eugene Kaspersky, CEO of antivirus giant Kaspersky, discussing the EU’s Cybersecurity Strategy for the Digital Decade at an online seminar yesterday (March 23).

Launched in December last year, the strategy aims to reinforce collective resilience against cyber threats – meaning cooperation is key. 

But in a year that saw ransomware and a plethora of other attacks increasing around the world, the response wasn’t always as coordinated as it might have been, said Bart Groothuis, member of the European Parliament and rapporteur on the EU’s Security of Network and Information Systems Directive (NIS2).

“What struck me was that all their command-and-control servers were being used by the actors at the time, and we knew about it, right? But it wasn’t being shared. It was being shared passively, but there was no active component,” he said. 

“I was annoyed that we knew about the command-and-control servers, but there was no DNS company that would act to stop the attack, while it would be very obvious to do so. I’d like to see a more active component in our European cybersecurity posture.”

Emergency response

Lorena Boix Alonso, director for digital society, trust, and cybersecurity for the European Commission’s DG Connect department, said that this lack of coordination among EU member states had been apparent during the Covid-19 pandemic.

“Everybody knew that the pandemic was coming. Were we ready to react collectively? We were not,” she said, adding that there was a good case for a new cyber unit focused on preparing for emergencies.

“We need it because we need to be ready, so that our existing operational capabilities are fit for purpose in case surprises happen,” she said.

Securing the software supply chain

Alonso also called for an increased focus on supply chain security. “We are… looking at other proposals to require every company as part of their cybersecurity risk management activities to look also at the vendors and manufacturers they are dealing with to be part of the risk management program,” she said.

And Susana Asensio, member of the board of directors of the Industrial Cybersecurity Center in Spain, said that security-by-design was not always being implemented, especially when it comes to operational technologies rather than IT.

And this, she said, could come back to bite organizations in years to come.

“We are aware of many digital systems that are not included in cybersecurity requirements from the design stage,” she said.

“These will be legacy systems in a few years, and to be honest I don’t think most will be able to afford to replace them in the short term.”
