Towards global consensus on cybersecurity requirements

Speakers: Rönkä Maija, Lanoo Karel, Preneel Bart, Voland Thomas
Moderator: Franklin Magnus

On the 8th of October, PubAffairs Bruxelles organised an evening discussion on the prospect of a global consensus on cybersecurity requirements with Ms Maija Ronka, Counsellor, Telecommunications, Permanent Representation of Finland – Finnish Presidency of the EU, Mr Karel Lanoo, Chief Executive Officer, CEPS, Dr Bart Preneel, Professor, KU Leuven and Dr Thomas Voland, Partner, Clifford Chance.

The event was moderated by Magnus Franklin, Director, Teneo cabinet DN and former Chief Correspondent at MLex.

After presenting the speakers, Magnus Franklin briefly introduced the issues at stake by recalling both the so-called “Osaka Track” initiative put forward during the last G7 on the matter of free flows of data and the fact that several commentators have underlined the need for a global consensus on cybersecurity requirements.

Within this context, the moderator asked the panellists to elaborate on the question of global cybersecurity requirements, given their respective roles and backgrounds.     

Mr Karel Lanoo began his intervention by stating that, although he cannot be considered an expert on cybersecurity, he has been following this question for many years, as the financial sector has been highly affected by cybersecurity-related matters, as well as by data flows and data protection-related issues. Starting with this premise, he elaborated on the rapidly growing landscape of technology and security by explaining the turning points and the cybersecurity challenges of the financial sector, and stated that the current questions have gone hand in hand with the main threats to the financial sector. Indeed, the speaker stated, finance and cybersecurity are two domains faced with an ever-changing landscape due to technological and geo-economic developments to which Europe is struggling to adapt. Mr Lanoo took the example of some parts of the financial sector which are at risk of becoming unprofitable as a result of swift technological change and higher competition. Within this context, Mr Lanoo stated that European players are striving to remain relevant at both the European and global level, while underlining that Europe is often not endowed with sufficient capacities to compete with other global players. From a historical perspective, Mr Lanoo mentioned the introduction of the Euro and the 9/11 attacks as two turning points which raised the question of cybersecurity both globally and in the EU, and resulted in the re-examination of the security of financial cyber-infrastructures. Mr Lanoo continued by saying that there had been large-scale investments to that end, while arguing that the European financial sector realised that there was not a single trusted European provider of security at the time.
The speaker continued by saying that the main shift of the last ten years consists of the fact that cybersecurity questions used to be confined to the security of hardware, whereas nowadays the main challenge is the security of the cloud. In this connection, Mr Lanoo stated that large companies are also compelled to compete within a market which has room for newcomers, and that Europe can gain valuable positions by innovating and lowering costs. However, the speaker stated that, as has happened before, Europe has not yet developed a single entity which can provide the scale of cloud services that are nowadays essential for the smooth functioning of the financial sector, and added that this setting constitutes a huge data protection question. Mr Lanoo further emphasised that, as in the Swift case, the fact that Europe is not well equipped to face the current global competition will condemn not only European players to rely on non-European entities, but also European institutions to cope with data protection-related issues from a relatively weak position, both within and outside the EU. Mr Lanoo concluded by stating that the main feature of cybersecurity nowadays is the speed of change, hence it would be very difficult to forecast how the question of cybersecurity itself and of cybersecurity requirements at large will evolve.

Dr Bart Preneel started his speech by clarifying that he is not a policy expert, but that he has been interested in politics and that the combination of his technical knowledge with this personal interest has grown over time. Dr Preneel also noted that he was particularly interested in participating in this debate, as the question of the free flow of data is of capital importance in today’s global society. He then elaborated on the concept of the “free flow of data” by stating that, if one can instinctively agree that the free flow of data is a good idea, one should also realise that such a world would necessarily imply a loss of control over one’s own data. Indeed, Dr Preneel agreed with Mr Lanoo that the questions of the free flow of data and data protection are inextricably linked, given that whenever an entity passes on data, it actually loses control over it, in particular if the provider is non-European. The speaker subsequently added that, even if the server of a non-European player is located in a European country, remote access is always technically possible, as the real question is who controls the server and not where it is located. The speaker went further by explaining that the free flow of data is only possible if the security level is comparable. This inevitably leads to the question of how to measure security. Regarding this last question, Dr Preneel stated that it has been, and still is, very hard to find the criteria through which cybersecurity is measured. The speaker recalled that there have been serious efforts to evaluate security and security standards since the late 1970s, such as the so-called “Orange Book”, which eventually led to the creation of the Common Criteria standard. However, the speaker said, this effort has been a failure, as evaluating systems according to these criteria is expensive and time-consuming, and part of the evaluation, such as cryptography and side-channel resistance, is controlled at the national level.
Moreover, in times of agile development, as soon as a product or service is updated or patched, the Common Criteria security assessment is invalidated. As a consequence, very few products are currently evaluated using the Common Criteria, and serious flaws have been identified in products that have been evaluated. The speaker also explained that the Cybersecurity Act has resulted in a renewed interest in the Common Criteria; this is remarkable given their very limited success in delivering secure solutions to citizens in the past decades. In this connection, Dr Preneel elaborated on the question of certification and affirmed that, on the one hand, certification does not assure in absolute terms the security of a given system and, on the other, it will likely result in market distortion, especially in a fragmented regulatory framework such as that of the EU, where larger member states have a natural competitive advantage. Dr Preneel pointed out that this is perhaps inherent to cybersecurity standards, as this matter touches upon the sovereignty and autonomy of the nation state both globally and across Europe. Cybersecurity is not only relevant to critical infrastructure protection, consumer products and cybercrime, but also to intelligence and cyber warfare. Any model to evaluate cybersecurity must, in any case, be threat-based, which implies assessing where attacks originate from, for example hackers, criminal organisations, terrorist organisations or nation states. Indeed, the speaker said, cyber warfare is another evolving landscape which further complicates the task of defining common criteria for security at both the EU and the international level.
Aside from these strategic issues, there are also very complex technological and scientific challenges: the academic community has not been able to develop cost-effective and efficient evaluation methods to assess the security of products and services in the context of a quickly evolving landscape with highly complex and interdependent systems. One of the challenges is the shift from hardware-centred to software-centred systems. As an example, 5G technology will consist of a virtualised network formed by a complex layer of cloud-based, hence software-based, systems, and it will be developed and operated by companies which traditionally used to deal with hardware. Dr Preneel also emphasised the huge impact that 5G will have on citizens’ daily lives: 2G was built for phone calls, 3G and 4G were built to transfer moderate amounts of data, while 5G is poised to take over the control of every infrastructure, from home appliances to autonomous vehicles and nuclear plants. In this regard, the speaker reiterated the huge challenge we face in developing secure software-based infrastructures. As an additional dimension, under pressure from law enforcement, 2G, 3G and 4G networks do not offer end-to-end encryption. As a result, Dr Preneel wondered whether 5G networks, too, would be designed with backdoors allowing external access for justice and security purposes. It is well understood, and has been demonstrated in practice, that such backdoors can be abused by malicious actors; however, if such an actor were to gain access to 5G networks, the implications for the security of society would be much greater than in previous systems.

Dr Thomas Voland started his intervention by stating that we should treat the question of cybersecurity and cybersecurity requirements as a global issue due to the very nature of the technology itself. He continued by stating that there have been attempts to tackle this issue at a national and/or regional level without satisfactory results. He stressed that the question of the free flow of data is of major importance to ensure the smooth running of the economy, the efficiency of public administration and the well-being of citizens, hence a workable global solution is required. Dr Voland continued by explaining that the matter of global standards on cybersecurity requirements is twofold: on the one hand, there is the question of how to define them, namely what the risks are and how to mitigate them; on the other hand, there is the question of how to enforce them, as, notably, a law without enforcement has limited practical effect. With regard to the former question, Dr Voland stated that the focal point is how to define security and clarified that, in his opinion, the EU is on the right track with the release of the recommendation on 5G. Nevertheless, Dr Voland also underlined that cybersecurity requirements are a moving target and must always include an international dimension when they are addressed. In this connection, Dr Voland reiterated his opinion that the nation state, as conceived by classic international law, is gradually losing influence over its cyberspace, as it is no longer able to contain and/or limit potential damage alone, at least not without harming fundamental rights and commercial interests. With regard to law enforcement, the speaker elaborated on some examples which have demonstrated that laws can be enforced at the international level.
First of all, Dr Voland took the example of the EU’s GDPR, with which companies across the globe have been willing to comply, both out of fear of enforcement and as a matter of corporate reputation. Secondly, the speaker explained how both regulations on dual-use goods, including those regarding ICT products, and the US sanctions against Iran have been successfully put in place and enforced. However, Dr Voland clarified, the question of how to enforce potential international regulations vis-à-vis nation states, contrary to what happens with companies, is probably one of the most challenging current global questions, as it refers back to the domain of the security and sovereignty of nation states.

Ms Maija Ronka started by saying that she has a fairly long professional history of working on EU policies related to cybersecurity. She went through some of the key pieces of EU legislation in this domain, such as the entry into force and implementation of the NIS Directive and the negotiations on the Cybersecurity Act. Starting from this premise, she recalled that Finland has indeed identified cybersecurity as a crucial question for its EU Presidency. The speaker also clarified that the institutional period in which the Finnish Presidency is taking place is an unusual one, as neither the Commission nor the newly elected Parliament has yet started to work fully. However, Ms Ronka explained that this is also a very important timeframe in which to discuss the EU agenda, to set out the priorities for the coming years and to start the discussion on a common understanding of how Europe should tackle highly important questions such as cybersecurity. The speaker continued by stating that one of the priorities for the Finnish Presidency is enhancing the quality of life and the security of EU citizens, and these tasks include tackling cybersecurity as well as hybrid threats. However, Ms Ronka continued, it is equally important to strengthen the EU’s global role and to foster global discussions on cybersecurity. The speaker subsequently said that, as the cyber world is cross-border by definition, actions in this domain require the EU to take a more active role in global governance in order to continue fostering a comprehensive dialogue, which naturally includes both political and geopolitical aspects. Ms Ronka also stated that, from a broader perspective, the Finnish Presidency has sought to encourage a global dialogue on respect for the rule of law and human rights, and this has also included data privacy and the interconnection between new technologies and democracy.
The speaker also underlined the importance of promoting a high level of cybersecurity across the whole of the EU, given its importance for the single market. The speaker then touched upon the ongoing discussion on the security of 5G and underlined the scale of the challenge for the Finnish Presidency, as the Commission only recently adopted the recommendation in this regard, and its implementation will be challenging for both European and national institutions. In this respect, she added, member states have been working throughout the summer and autumn to come up with national risk assessments, and they have cooperated in order to release a comprehensive European risk assessment. The results of the work on the assessment, Ms Ronka explained, will be seen throughout the Finnish Presidency, which aims to deliver a broad political message on this topic at the European Council meeting in December. The speaker also recalled that the Finnish Presidency has worked on promoting a data economy which should be as human-centric as possible, while underlining that these themes are closely linked to the questions of cybersecurity requirements and privacy. Ms Ronka explained the challenges of finding a balance between the innovations that the data economy has brought about and citizens’ data protection and trust. The representative of the Finnish Presidency concluded by stating that, in her opinion, these last issues constitute the focal point related to cybersecurity and privacy with which European institutions will have to deal for a long time.

The main focal point of the discussion was the reasons for which Europe should work towards a global consensus on cybersecurity requirements, instead of focusing exclusively on developing European standards.

Dr Preneel replied to this question by taking the example of smartphone components, which originate from different parts of the globe. Elaborating on this example, the speaker compared the “material world” with the “internet world” by stating that, as several institutions have adopted national, European and international rules which regulate global supply chains, and given the ever-closer interconnection which information technology has brought about, it would be natural to reproduce a similar model for cyberspace. Dr Preneel returned to the question of the loss of sovereignty of nation states by remarking that current international dynamics demonstrate that there are other, more pressing obstacles to reaching a global consensus, above all the phenomenon of the concentration of power. Indeed, the speaker explained, nation states lost influence when information technologies first came about, as their impacts were scattered across both society and the globe. However, the speaker clarified, we are nowadays witnessing a phenomenon of power concentration whereby big tech companies have acquired extraordinary power globally and some large nation states have exploited their economies of scale to grow their technology and to create mass surveillance systems, while small and medium-sized companies and smaller nation states have struggled to compete with limited capacities.

Ms Ronka replied to the question by reiterating that a single nation state, as well as a supranational organisation such as the European Union, would not be able to protect its interests effectively by disregarding the international dimension of cybersecurity. Ms Ronka continued by stating that, for this very reason, the Finnish Presidency has highlighted on several occasions that it would be best for the Union to have a common and strong stance in order to have Europe’s voice heard in international fora. Indeed, the speaker stated, as previously mentioned, that the global dimension of the EU should be strengthened while respecting the EU’s core values, as indicated by the EU Global Strategy elaborated by the former High Representative Mogherini. The speaker also mentioned the experience stemming from the GDPR, which has proven to have valuable positive impacts and to set standards in the domain of privacy, not only across Europe but also around the world.

Dr Voland answered by elaborating on the experience of the GDPR and agreed with the speaker from the Finnish Presidency on the successful impact of this piece of regulation on cybersecurity, as it requires certain security measures to be taken so that data is not misused, not only within the EU but also by providers from countries outside the EU. With regard to the question of 5G, Dr Voland expressed his opinion that, although the debate has been ongoing for some time now, the process of evaluating cybersecurity requirements is still at the beginning, both at the EU and the global level. The speaker also agreed with Dr Preneel on the need for global rules as a result of the current international nature of the economy, as physical components, data and infrastructure networks are part of the same ecosystem. However, Dr Voland partly disagreed with Dr Preneel on the impact of technology on the policy options of nation states, stating that, while it is true that certain nation states have benefited and may have expanded their area of influence while others, such as smaller nation states, have lost influence, they have all lost their ability to adopt effective remedies on their own. The speaker further touched upon the question of regulation enforcement and highlighted that it is nowadays often necessary to cooperate with big tech companies in order to enforce rules, e.g. due to a need to access systems or data. Further, as a result of this loss of control, Dr Voland expressed the opinion that this state of play behoves the international community to take some counterbalancing measures, such as binding global standards.

Mr Lanoo started his reply by stating that the EU must first reassess and reorganise its functioning, as has, to some degree, already happened with the Cybersecurity Act. The speaker continued by stating that Europe needs, for example, basic building blocks such as a common taxonomy for cybersecurity. In addition, Mr Lanoo stated that the EU needs a bolder approach, which the Cybersecurity Act did not sufficiently provide: ENISA has gained additional functions, but it is still a cooperating authority and has no power to impose rules upon EU member states as other European authorities have. Indeed, Mr Lanoo remarked that several crucial decisions, with special regard to the domain of cybersecurity, are still being taken at the national level, while reiterating that member states still do not feel comfortable openly sharing (cyber)security and defence information with each other. The speaker continued by stating that a global consensus is needed, but that a European consensus and new EU competences are needed first. Mr Lanoo also expressed his scepticism about the possibility of reaching a global consensus on cybersecurity requirements, as traditional international bodies and mechanisms of law enforcement are struggling to be effective, as in the case of the WTO. Mr Lanoo continued his reply by advocating for a more competitive Europe at the global level and took the example of the telecommunications sector to explain how EU companies are often competing against each other, while not having enough scale and capacity to keep pace with the advances happening in other parts of the world, such as China or the United States. The speaker concluded by acknowledging that the EU has been aware of these challenges for a long time and yet has still not managed to put effective changes in place.

Dr Voland was asked whether higher legal protection at the international level would actually guarantee greater security of 5G networks, as well as what would be the best forum in which to discuss cybersecurity requirements at the global level.

Dr Voland stated that approaching the question of cybersecurity requirements from a global perspective would first make it possible to obtain a broader risk assessment. In addition, the speaker stated, by putting in place global rules it would be easier to address a broader range of companies and players than under any national or regional approach. Further, by adopting a global approach to cybersecurity and the free flow of data, all the actors involved in the value chain, both public and private, would benefit from greater clarity of rules and standards. However, Dr Voland clarified, it all depends on the quality of the rules. Indeed, if international laws are not detailed and comprehensive enough to cover all the possible risks and do not include effective enforcement mechanisms, they would be bound to fail. Regarding the possible fora in which to address these issues, the speaker expressed the opinion that it is up to policymakers to decide which institution is best fit for purpose. The speaker also clarified that, with special regard to the “Osaka Track”, as it concerns more the use of data for trade purposes, it would probably fall within the competences of the WTO. However, for what strictly concerns cybersecurity, he added that either the OECD or the UN could be more suitable international fora.

Dr Preneel was asked whether limiting the focus to certain sectors, for example finance or automotive, could help bring about a global consensus on cybersecurity.

On the one hand, Dr Preneel thought that the idea of concentrating requirements on a given sector could help make some progress; on the other hand, he stated that the most important point of any cybersecurity system is that every layer must be protected. The speaker also expressed his scepticism about Europe’s capacity to play the role of “honest broker” in the international arena due to its lack of industrial power in the sector. The speaker suggested that it would be ideal, although utopian, to have open systems in order to avoid any problems arising from possible backdoors in a given system. Dr Preneel concluded by raising the question of whether infrastructure security and end-to-end encryption could be beneficial for a more open and secure cyberspace.

Mr Lanoo was asked whether the EU has been making enough effort to convince member states of the need to invest in cybersecurity for the safety of their citizens.

Mr Lanoo replied positively to this question and expressed his hope regarding a policy area which had not been discussed during the debate, namely defence. Indeed, the speaker remarked, the next EU MFF has dedicated a 13 billion euro budget to defence-related projects and, as this is the area par excellence which can bring Europeans closer together and create new opportunities for collaboration, he expressed his optimism that member states will agree to work together towards a common cyber defence policy. The speaker also said that, by building on what the EU has just agreed in the Cybersecurity Act, some form of common cybersecurity shield could eventually become a reality. Mr Lanoo subsequently remarked that, in the Chequers Agreement, Britain expressed its willingness to be part of European cooperation on data-sharing, hence, even if Brexit happens, the UK would still contribute to EU cybersecurity policies. The speaker concluded his intervention by expressing again his hope that cooperation in these domains will continue and improve, and that the next MFF will follow up on the significant steps already made.

Ms Ronka was asked how the Finnish Presidency has addressed the question of evaluating the entire value chain involved in cybersecurity-related issues.

Regarding this issue, Ms Ronka remarked on the importance of the efforts made in order to release the recommendation on 5G security, for which member states have been working on a very strict timeline at the national level and have carried out national risk assessments. Ms Ronka then remarked that several member states have addressed supply chain-related issues and expressed the opinion that the first aim of the whole exercise has been to list and evaluate the possible cybersecurity risks for Europe and how to address them. The speaker also specified that the recommendation planned to put together an EU-wide risk assessment, which will be published soon, and to draw some conclusions based on the national risk assessments, including in the domains of supply chains and third-party suppliers. Ms Ronka added that these actions only constitute the first steps of a longer process, which will be defined in the years to come as, to date, the competent European institutions have identified certain risks, but they still need to identify possible remedies to the emerging security concerns. Ms Ronka concluded her intervention by stating that the ongoing institutional work aims to put its first results forward by the end of the year.

The Q&A session covered the following issues: the ongoing MFF negotiations, the question of backdoors, the relation between cybersecurity and current law enforcement practices in the EU, the question of judicial cooperation in the EU, the question of cybersecurity certification, the role of the US and China regarding a possible consensus on cybersecurity rules, the question of brain drain from European universities, the question of intelligence sharing both in the EU and across the world, the issue of liability with regard to cybersecurity, the trickle-down effect of military research, the question of the balancing of rights and obligations translated into technical solutions, the differences between the challenges of cybersecurity nowadays compared to ten years ago, the negotiations of the Cybersecurity Act, the current and future role of ENISA, the question of an EU industrial policy, and the relation between trade protectionism and cybersecurity.

Want to know more about the issues discussed in this debate? Then take a look at the selected sources provided below!

Finnish EU Presidency Programme “Sustainable Europe, Sustainable Future”

Protecting the security of citizens comprehensively, Finnish EU Presidency Programme

The EU Cybersecurity Act, European Commission

EU data protection rules, European Commission

International dimension of data protection, European Commission

EU International Cyberspace Policy, European External Action Service

We must treat cybersecurity as a public good. Here’s why, World Economic Forum

Leaders special event on the Digital Economy, G20

Osaka Declaration on Digital Economy, G20

Abe heralds launch of ‘Osaka Track’ framework for free cross-border data flow at G20, Japan Times

Speech by Prime Minister Abe at the World Economic Forum Annual Meeting, Japanese MFA

Harnessing full potentials of data economy: ‘Osaka Track’ for international rule-making and the role of the WTO, Digital Watch

Global Cybersecurity Index, International Telecommunication Union

The cybersecurity guide for leaders in today’s Digital World, World Economic Forum

Cybersecurity: Paris Call of 12 November 2018 for Trust and Security in Cyberspace, France Diplomatie

Paris Peace Forum

Cybersecurity is the biggest threat to the world economy over the next decade, CNBC

The EU’s search for tough cybersecurity standards, Euractiv

ENISA and a new cybersecurity act, Briefing, European Parliament Think Tank

Industry 4.0 – Cybersecurity Challenges and Recommendations, ENISA

5G and National Security: A complex puzzle, CEPS

Cyber finance challenges demand a unified response, CEPS

Network Equipment Security Assurance Scheme (NESAS), GSMA

Trusted Computer System Evaluation Criteria [“Orange Book”], US Department of Defense