On 25th September 2018, PubAffairs Bruxelles organised in partnership with Orange a debate on whether the upcoming cybersecurity certification schemes can enhance Europe’s security and competitiveness. The speakers included Mr Miguel Gonzalez-Sancho, Head of the Cybersecurity Technology and Capacity Building Unit, DG CONNECT, European Commission, Ms Sara Bussière, Senior European Affairs Advisor, Orange, Mr Jocelyn Delatre, Smart Mobility Manager, European Automobile Manufacturers’ Association (ACEA) and Mr Sylvain Bouyon, Head of Fintech Programme, Centre for European Policy Studies (CEPS). The event was moderated by Magnus Franklin, Director, Teneo cabinet DN and former Chief Correspondent at MLex.
After introducing the speakers and the topic of the debate, Magnus Franklin gave the floor to Ms Bussière who presented insights on the latest data related to cybersecurity threats and the actions taken by Orange to mitigate such risks.
Ms Bussiére started by explaining that the increase in cybersecurity threats and crimes has been driving governments’ policymaking. It has also led to an increase in awareness among industry and citizens. She pointed out that, back in 2017, Jean-Claude Juncker, President of the European Commission, stated “Cyber-attacks know no borders, but our response capacity differs very much from one country to the other, creating loopholes where vulnerabilities attract even more the attacks. The EU needs more robust and effective structures to ensure strong cyber resilience and respond to cyber-attacks. We do not want to be the weakest links in this global threat.” She shared data on the recent dramatic rise of differing types of attacks and notably cybersecurity incidents suffered by businesses.
Ms Bussière went on to showcase Orange’s contribution to stronger cyber resilience and a cybersecure society. One of the key ways Orange contributes is by helping its customers manage digital risk. Orange is an end-to-end service provider in this context. Orange helps its customers notably to prepare their security strategy and ensure it is working; Defend and monitor their critical assets and data against cyber threats; Analyse security events and detect breaches; Qualify, contain and remediate attacks; Hunt and investigate emerging threats, fraud and data leaks.These services are all possible thanks to its dedicated security business unit, Orange Cyberdefense, its global presence and global capabilities.
Ms Bussière then explained that the European Commission has put forward proposals to strengthen European resilience to cyber-attacks by supporting effective implementation of the first EU cybersecurity law (NIS Directive) while improving Member States cybersecurity capabilities and increasing EU-level cooperation. Moreover, the Commission has put forward initiatives, in the form of the Cybersecurity Act, to strengthen the EU Agency for cybersecurity to better assist Member States, while developing an EU Certification Framework to ensure that products and services are cybersecure. In addition, Ms Bussière explained that the European Commission just put forward a new initiative to create a network of national coordination centres and an EU Cybersecurity Industrial, Technology and Research Competence Centre relying on existing expertise in Member States.
The speaker highlighted to the attendees that the framework for the EU cybersecurity certification scheme would be debated in the trilogue, notably the negotiations between the European Parliament, the Council of the European Union and the European Commission, on the 1st October 2018. It is believed that a political agreement would be reached by the end of 2018. She concluded that some of the key elements for Orange are: increasing the role of the industry in proposing and defining EU schemes, the notion of self-assessment to be correctly defined compared to certification, the voluntary nature of the EU cybersecurity certification schemes.
Following the presentation, as a first focal point of discussion, the moderator Magnus Franklin asked the speakers about the biggest challenges currently facing European cybersecurity.
Mr Delatre started his intervention by stressing the fact that ACEA looks at cybersecurity from a very specific area, i.e. connected and automated cars, “the cars of tomorrow”. He explained that they have been somewhat removed from discussions on cybersecurity in the past as connected cars have only just been deployed and are, in fact, for the most part, yet to be deployed on a grand scale. Nevertheless, cybersecurity is now an issue that is fully addressed by the automotive sector. When it comes to the Cybersecurity Act, their main concern is the amount of regulation that they must deal with. This is best exemplified by the fact that the sector would have to implement the cybersecurity scheme in parallel to certificate policies for connected cars, such as the Cooperative Intelligent Transport Systems (C-ITS) – an EU project will allow road users and traffic managers to share information and use it to coordinate their actions, with a view to improve road safety, traffic efficiency, etc. They are also coping with up-and-coming regulation regarding the cybersecurity of automated vehicles, now part of the revised General Safety Regulation, while the automotive sector also has to tackle the forthcoming policy at the United Nations Economic Commission for Europe on cybersecurity .
It is therefore a highly complex, occupied legislative landscape. As such, it is essential that EU legislation is streamlined, as well as voluntary at times to offer industry experts the flexibility to design effective cybersecurity systems. Mr Delatre noted that their concern is that the automotive sector seems to be the recurring issue when it comes to the Cybersecurity Act, i.e. it has been suggested that connected vehicles should be among the first products to be certificated. He believed that other sectors should be prioritised as cars are already subject to a whole host of security related regulations. He added, however, that he sees a clear benefit having an EU wide cybersecurity certification framework.
Mr Bouyon replied to the question by discussing the latest report by CEPS’ taskforce on cybersecurity concerning the financial sector published last June. The report identified a number of issues surrounding regulating the cybersecurity space. The first issue they saw was that, broadly, cyberattacks are becoming increasingly transnational. Hence, if the threat is global, it follows that the response must also be global. In practice, this is very difficult to implement. He noted that the Commission seems to be supportive of this approach, but warned that there is a lot of work to be done if we want a cross-border coordinated approach to cybersecurity, efforts towards which have only recently begun. Some examples the report cites where more coordination is necessary include taxonomies and responses to cyber incidents. These remain fragmented across Europe and as such, may hinder an effective response to cyber breaches. The second issue identified, on finance, relates to the recent increase via new legislation in requirements for cyber incident reporting. He mentioned the General Data Protection Regulation (GDPR), the NIS Directive, the revised Payment Services Directive (PSD2), the Electronic Identification and Trust Services (eIDAS), etc. There are many reporting requirements, yet it is rarely clear what supervisors and regulators wish to do with the information gathered Mr. Bouyon contested. More clarification with regard to reporting requirements is therefore necessary.
Another issue is linked to the lack of information sharing. This is key to mitigating cybersecurity risks. Mr Bouyon called for more information sharing between regulators, supervisors, both national and international, cross-sectorial and with the industry. Moreover, the CEPS report identifies the necessity of creating a benchmark for statistics. Such a diverse range of statistics exists with regard to cybersecurity, with different institutions and businesses using varying sets. This makes it a very fragmented policy area. A further problem is related to cyber hygiene and prevention. In the report, the taskforce attempted to define principles concerning cyber hygiene. Mr Bouyon explained that what is interesting about prevention is that it is often the focus of the cybersecurity debate, i.e. how to prevent attacks. However, measures for the inevitable occurrence of a cyberattack also need to be discussed and implemented. Such measures include: making it clear who to call when a business suffers an attack, how to track the perpetrator, how to extradite them to the right court, etc. He also spoke of the issue with remedies, i.e. who is to be held responsible and how to assess whether the cyberattack victim carried out sufficient cyber hygiene. Finally, Mr Bouyon recalled a recent announcement by European Commissioner for the Digital Single Market, Andrus Ansip, about an emergency fund for critical infrastructure. This is a measure that also needs further discussion. He concluded that the list of the issues related to regulating cybersecurity covered in the report is not exhaustive.
Mr Gonzalez-Sancho highlighted the Commission’s challenges in implementing cybersecurity measures. He stressed that this is a fast-evolving, multifaceted landscape, which represents the “dark side” of going digital as an economy and society. The digitisation of the economy has led to the omnipresence of cybersecurity threats. He explained the Commission’s approach towards cybersecurity vulnerabilities and threats. Legislators will never entirely eliminate cybercrime and threats as, just like traditional security threats, they will always exist. Therefore, legislation should be about how to best prevent and address risks. He added that this makes cybersecurity a prerequisite for society and the economy to go digital. Mr Gonzalez-Sancho went on to discuss what policymakers can do to promote the digitalisation of their economies while addressing cybersecurity issues. He pointed out that a big challenge to formulating policy responses is that the legislative system cannot be as fast or dynamic as developments in cyberspace. Another challenge is that cybersecurity tends to be primarily addressed within the realm of national governments.
However, he believed that the realisation has started to dawn among Member States after a series of attacks that the cross-border nature of cyberattacks demands a European response. Mr Gonzalez-Sancho reminded attendees that a few years ago the main cybersecurity-related cross-border activities involved only cooperation on research. Nowadays, Member States are moving to cooperate much more closely on cybersecurity policy, however legal frameworks are needed to strengthen this cooperation. Mr Gonzalez-Sancho mentioned the recent example of the Network and Information Security (NIS) Directive, which aims to enhance capabilities among Member States, ease the exchange of information and promote cooperation on incidents and reporting. He continued to state that subsequent Commission proposals have focused on coordinated responses from Member States to cyber threats, supporting cooperation through EU funds for research and deployment and, more recently, with a proposal for a European cyber competence centre and network. Mr Gonzalez-Sancho concluded by adding that there is a need to step up the European policy response to evolving cyber threats.
The moderator then enquired about the recent Commission proposal on a European cyber competence centre and network.
Mr Gonzalez-Sancho explained that the proposal has two main objectives. One is to develop and support cyber capabilities, for example by promoting research and deployment. The other is of a more industrial nature, as it concerns cooperation, the alignment and sharing of expertise. In structural terms, this means there will be a central competence centre at the European level, in particular for managing European projects and funding, as well as a centrally coordinated network of national competence centres. He summarised that the ambition is to house cyber support, funding for cybersecurity research and the development of solutions under one roof. The proposal also touches on the aspects of sharing expertise, synergies, and skills. In other words, it aims at lowering the barriers to cyber solutions for governments, businesses and citizens.
Another focal point of the panel discussion consisted of the role of ENISA as the European cybersecurity infrastructure.
Mr Delatre expressed support for the role of ENISA. He appreciates the efforts they have made to map out the cyber threats and summarised the methods by which to tackle them in their December 2016 report on smart vehicles. However, he added that it is as yet unclear whether ENISA is the right platform to share information. Other means already exist such as analysis centres, which represent dedicated platforms for sharing information. He concluded that is beneficial to have a fully-fledged cybersecurity agency in the EU, but that legislators should wait before piling on roles, duties and competencies on ENISA.
Mr Bouyon argued the importance of ENISA receiving sufficient resources to carry out its role. He explained that ENISA is useful for mapping, conducting research, etc. However, if the Commission proposes that ENISA engages on the operational side, it will need many more resources. He emphasised that there must be consistency between the mandate and these resources.
Mr Gonzalez-Sancho stressed that the Commission sees ENISA as an integral part of the European cybersecurity landscape. Of course, it is not the only part of the landscape since other measures are necessary, as shown by the other Commission proposals put forward in this space. ENISA certainly plays a role in terms of analysis and mapping, but also, thanks to the Cybersecurity Act, it will play an increasingly operational role, which will require additional resources, in particular in the area of certification.
The rest of the debate and the Q&A session covered the following issues: The strengths of the automotive industry in handling cybersecurity failures, the financial sector’s approach to the risks posed by cyber-attacks, which financial products will first be subject to the certification scheme; the harmonisation of the accreditation process from Member State to Member State and the effects of certification on industry standards. In addition, the pros and cons of a voluntary vs a mandatory scheme. the implementation process of the certification scheme and ENISA, and its compliance with GDPR, liability and enforcement challenges, the time frame for the new scheme to be fully implemented across the EU; simplifying the car industry’s regulatory landscape and the harmonisation of regulation with international cybersecurity standards was discussed.
Do you want to go further into the issues discussed in our debate? Check our list of selected sources, which we have provided for you!
Proposal fo a Regulation of the European Parliament and of the Council on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (”Cybersecurity Act”), European Commission
Orange’s positions: Committed to Europe, Orange Group