On June 30th, the Security & Defence Agenda held an evening debate in Brussels on the cyber-security landscape in Europe and the possibilities offered by transatlantic cooperation in this field.
‘Critical infrastructure protection in the cyber-age’ appears to be one of the main imperatives that states face nowadays, and their vulnerability to new technologies has been a cause of increasing concern. Nonetheless, as the panellists demonstrated, the new digital landscape entails further risks for the security of both states and private citizens, and innovative strategic postures are needed if the present threats are to be effectively countered.
Sigrid Johannisse, Advisor on Innovation, ICT Applications and Security, Cabinet of Neelie Kroes, and former Vice-President of the European Commission, opened the floor by suggesting that the European Union already has a cyber-security strategy in place.
The Network and Information Security (NIS) directive should allow the EU states to reach the same degree of capabilities in the field of cyber-security, implement their coordination, and ease transmission of companies’ information to governments in case of security-related problems. The NIS agenda is not a simple cosmetic accessory, as it represents an important step towards communitarian rules in the field; the culture of intelligence services is based on trust, and cooperation skills take time to mature and reach satisfactory operational levels.
However, a process of further integration of the EU states’ legislation will require a step-by-step schedule, as a timeline would prove beneficial in avoiding slow-downs in the process. In addition, it should be borne in mind that it is difficult to reach unanimity in support of EU cyber-security proposals, even if consensus among the Member States regarding security topics is growing. Furthermore, the new European Commissioners’ views on cyber-security policies could differ from those of the officials previously in charge; slow negotiation and compromise are likely to continue characterising the field.
Leaving aside the legal aspect of the matter, the speaker considers that people should “stop playing to be naïve”, and instead try to be more aware of the risks present in cyberspace. In that respect, an educational process involving the young generations appears to be all the more important. It should be highlighted that what is shared online can be seen and used by any other Internet user, and that personal content is relatively accessible to both public and private agents. Additionally, as many victims of cyber-crime do not report violations to the authorities, it can be argued that even a good part of the adult population “does not have a clear picture of where the problems are”. Even if aware of general potential safety breaches, users lack the skills to maximise their own security. To counter the problem, IT educational projects should try to involve not only young people, but a wider spectrum of the population as well.
Moreover, the importance of a safe digital environment derives from the wide range of sectors touched by the new technologies: cyber-security is becoming increasingly complicated and electronic devices pervade people’s everyday life. The trust placed in the digital economy can consequently be seen as a precondition for the future well-being of the European states, and as a key to successful transatlantic cooperation and further deepening of the Western understanding with Asia. ‘Protection’ in this case does not equal ‘protectionism’, but instead represents its exact opposite, as it eases economic transactions and global trade.
Important support could come from private companies, as they actually have incentives to develop safer digital tools and keep updating devices for the ever-changing cyber environment. The public pays great attention to security-friendly technologies, and improvements in the field would result in important comparative advantages. One of the priorities of the next European Commission should therefore be the identification of the digital threats with market opportunities for the private sector, also because companies have a special capability of “raising the budget” when compared to public agents.
Nonetheless, governments should not lower consumers’ defences against those same private actors. One widespread problem is the unwillingness of companies to offer their clients the choice of opting out of free services provided by them. Once an online payment is completed, the data used for fulfilling the transaction is likely to be employed again for different kinds of promotions, undermining consumers’ freedom not to be exposed to undesired advertising and offers.
Freddy Dezeure, Head of the Interinstitutional Computer Emergency Response Pre-Configuration Team (CERT-EU), agrees with the previous speaker that cyber-challenges are increasing and that the number of devices in use is growing. Estimations report that if nowadays “they roughly correspond to one per person, in the future there are to be one per every detectable star in the universe”. Moreover, not only are they becoming massive in number, but more and more invasive as well, forcing citizens to rely on their help for daily tasks and economic activities. On the other hand, such tools have become more complex and difficult to use than in the past.
The result is increased user vulnerability. Criminal and terrorist networks, mafias, rogue states and regimes are in fact keen to exploit the breaches present in the current cyber-scenario; among them, non-state actors are the most common and dangerous threat.
An effective way of limiting such threats consists of embedding security in technology itself; moreover, a constant exchange of information among cooperating states could prove beneficial in safety terms. And although a complete overview of the attacks is impossible to obtain, an anti-cyber espionage campaign should start by considering protection of the critical infrastructure related to energy and strategic defence, involving both public and private installations. To find a new defensive balance, however, money will not be enough without the unique contribution that only cultural patterns and ethical frameworks can offer. In particular, restoration of trust is needed if the transatlantic partners are to enhance their collaboration.
Michael Daniel, Special Assistant to the U.S. President and the Cybersecurity Coordinator, started his speech by emphasising how decisions concerning technological issues have become political ones, and how policy discussions have become more sophisticated than ever. Questions like “Which information should we share?” do not find simple, technical answers anymore.
To tackle the issue, however, a holistic approach is decidedly needed. The initial assumption must be that “governmental networks are compromised, as governments are incapable of impeding security breaches for an indefinite period of time and violations of the systems sooner or later occur”.
Huge advantages in the field of intelligence are the scale of the networks in place and their interoperability. As no single governmental entity has all of the tools needed to do its job at its best, inter-state collaboration is unavoidable and greater cooperation with the private sector is needed. Risk-based management can also be deemed essential, especially in times of economic stagnation, given the difficulty of even counting how much is spent on cyber-security.
In that respect, transatlantic info-sharing cooperation can still be considered the core of the US and European states’ security systems; the gap between the West and the developing world in cyber-space safety remains huge and is likely to be only marginally reduced in the times ahead (“from 15 to 20 years would be needed to fill that gap”).
In conclusion, it could be noted how all of the panellists agreed that putting people in a position to implement the technological solutions attained will be one of the hardest tasks policy makers face.