Digitising the European industry: Cybersecurity challenges

Speakers: Chastanet Pierre, Dehm Robert, Rogard Pascal, de Wijs Bart, Suvorov Andrey
Moderator: Stromback Per

On Tuesday 25 October, PubAffairs Bruxelles hosted a debate on the cybersecurity challenges of digitising the European industry, with Mr Pierre Chastanet, Deputy Head of the Cybersecurity & Digital Privacy Unit, DG CONNECT; Mr Robert Dehm, Information Society and Telecommunications Attaché, Permanent Representation of Germany to the EU; Mr Pascal Rogard, Telecommunications and Information Society Attaché, Permanent Representation of France to the EU; Mr Bart de Wijs, Head of Cybersecurity, ABB Power Grids division; and Mr Andrey Suvorov, Head of Critical Infrastructure Protection Business Development, Kaspersky Lab. The event was moderated by Per Stromback, Editor at Netopia.eu.

Per Stromback introduced the speakers and asked, as a first point of discussion, whether the EU was doing enough in the realm of cybersecurity.

Mr Chastanet began by explaining that the recently adopted NIS Directive is not the only policy instrument introduced by the Commission: cybersecurity initiatives in the EU were first established with the 2013 Cybersecurity Strategy, which set out a series of initiatives that the Commission is still pursuing today. Mr Chastanet explained that these initiatives rest on three pillars, namely building the cyber resilience of Europe, an in-depth look at cybercrime in the EU, and attaining global cooperation on cybersecurity. Alongside the strategy, the Commission put forward a legislative proposal that eventually became the NIS Directive, the first piece of legislation in the world that imposes cybersecurity obligations on both the public and the private sector, something that Europe could be proud of. He concluded by stating that, in his view, the Commission has achieved a good and stable legal text that addresses the priority cybersecurity issues in the EU. Mr de Wijs believed that Europe could have been faster in coming up with such legislation. However, he stated that he was glad that the NIS Directive had been created and that it made reference to international standards, as this made it easier to implement cybersecurity solutions that were accepted in other parts of the world. He believed that reference to international standards was fundamental for a common approach to cybersecurity.

A second point of discussion concerned the mandatory reporting of cybersecurity incidents by companies to competent authorities.

Mr Chastanet believed that the worst thing a company could do when experiencing a cybersecurity incident is to hide it, as this would increase the damage caused and would hinder competent authorities from providing suitable assistance. He reiterated that this is not a "blame and shame" exercise but rather a tool for building confidence, as no public exposure would result from companies reporting to competent authorities. Mr de Wijs believed it was inevitable that software-based products or systems would at some point have vulnerabilities that could be exploited, and believed it necessary to find a proper way to respond to such situations: identifying problems as quickly as possible, being able to recover as quickly as possible, and sharing vulnerabilities through responsible disclosure with vendors, within the industry and with customers. Mr Dehm believed that not all companies would share the view that mandatory reporting of security incidents would be beneficial, as many large companies have resources available to them that are superior to those provided by national authorities. Additionally, he pointed out that the manpower of competent authorities was not the same across the EU. He believed a more balanced approach should be used to address cybersecurity incidents and that the role of the state should be limited to the areas where it is unavoidable, such as the critical infrastructure sectors. Mr Suvorov explained that cybersecurity has been recognised as an important issue at the management level of companies, as management is recognising that not addressing cybersecurity issues can have serious effects on a company's production and resources. He concluded by stating that many companies are already implementing the requirements established under the NIS Directive, namely reporting to competent authorities and to cybersecurity solution providers.
Mr Suvorov further argued that the processes leading up to the creation and implementation of new technology did not take security sufficiently into account during its development stages. He felt that this is a particular problem given the number of connections between industrial control systems and the public Internet. In order to address these issues, Mr Suvorov explained that close cooperation between Kaspersky Lab, its customers and competent authorities helped in addressing rising threats and vulnerabilities on a global level. Mr Rogard stated that the negotiations on the NIS Directive took a long time, as there were various discussions in the Council as to whether market competition would address the need to improve cybersecurity, or whether legislative authorities should take a more active role. He revealed that France was in favour of a mandatory model for the implementation of cybersecurity solutions by companies, in order to protect them and to incentivise them to invest in cyber protection. He underlined that cybersecurity was not only a security issue but also an important element of competitiveness for companies. He concluded by stating that sharing cyber incidents was a useful way of understanding the current threat landscape, and therefore of making the overall system more prepared and resilient. He believed that cooperation between Member States on a voluntary basis would first have to develop before moving to another approach.

A third point of discussion concerned whether industry was reluctant to embrace digital opportunities because of the number of cyber threats.

Mr Suvorov was optimistic that increased collaboration and the development of joint cybersecurity approaches and frameworks between industrial players would help other industrial sectors embrace digital opportunities. Mr Chastanet believed that if companies did not embrace digital opportunities, it would undermine the European Commission's target of establishing a Digital Single Market. Mr Chastanet further referenced a Communication published in the summer which encouraged the sharing of information at sectoral level and fostered public-private cooperation. He explained that these initiatives, alongside the NIS Directive, aimed at a seamless information flow between the various actors in order to increase resilience in Europe.

The final part of the debate and the Q&A session also covered the following issues: security by design; how not to disrupt global data flows when addressing cybersecurity; how to address the fragmentation of the cybersecurity market; whether Member States have different selection criteria with regard to critical infrastructure; end-to-end encryption and backdoors; certification of cybersecurity products and services; and data protection.

Do you want to go further into the issues discussed in our debate? Check the list of selected sources we have provided for you.

The Directive on security of network and information systems (NIS Directive) | European Commission

European Union Agency for Network and Information Security (ENISA) | Publications

France and Cybersecurity | French Minister of Foreign Affairs

Cybersecurity Strategy for Germany | German Minister of Interior

Facing the cybersecurity challenge | Lloyd’s report

Industrial CyberSecurity | Kaspersky Lab

Cybersecurity | ABB

Security Bulletin – Predictions for 2017 | Kaspersky Lab

What Copyright Can Learn from Cyber-Security | Per Stromback

21 Digital Myths – Reality Distortion Antidote | Per Stromback