Tackling cyber threats together

The cyber challenges arising from our highly digitalised society are here to stay. We can tackle them at the EU level; here is how.

Sir Julian King
European Commissioner for the Security Union

  • This article was originally published as part of the 2018 edition of Bled Strategic Times, the official gazette of the Bled Strategic Forum (BSF) international conference. You can access the full version of this and other BSF publications by visiting our official website.

This year’s Bled Strategic Forum is all about “bridging the divide” — focusing on the things we have in common rather than what divides us, something especially important in a world which feels increasingly fraught and divided. And nowhere is this aim more apt than in the field of cybersecurity.

That’s because the highly-digitised world we live in not only offers a myriad of opportunities, but also throws up new kinds of threats. Cyber means can be used for financial gain or for political motives, by terrorists, criminals or state actors. Such attacks are easy to perpetrate and can be unprecedented in their reach, devastating in their effectiveness and extremely difficult to trace or attribute. They are unlike other security challenges we face, not only because both the threat surface and attack vectors are largely privately owned but also because of the sheer scale of the societal, geo-political and economic consequences if we fail to act.

Faced with this multi-faceted challenge, we need to take action on two fronts: tackling classic cyber threats to systems and data; and closing down the space for broader cyber-enabled threats, like fake news, which seek to manipulate behaviour.

For the first challenge, the Commission last year brought forward a comprehensive package of proposals to reinforce our cybersecurity based around the three pillars of resilience, deterrence and defence.

A need for greater cyber resilience

We urgently need to become more resilient. We need to make ourselves harder to attack, and be quicker to respond through both structural and behavioural measures.

We are in the process of creating a genuine EU Cybersecurity Agency to help set standards and coordinate the response to large scale incidents, building on the base of the existing EU Network and Information Security Agency (ENISA).

The Agency will take on a crisis response function in response to major cyberattacks and based on a pre-agreed ‘Blueprint’. It will also be responsible for establishing and running an EU-wide cybersecurity standards and certification framework — the EU Cybersecurity Act — to ensure that products and services meet the highest standards of cybersecurity.

It will oversee the full implementation of the Directive on Security of Network and Information Systems, the NIS Directive, by Member States, including extending it beyond the existing critical sectors, starting with public administrations, and making sure that national Computer Security Incident Response Teams (CSIRTs) have the resources they need.

In addition, it is critical to promote “security by design”, or we will inadvertently create a potentially calamitous situation where connected devices have little or no security protection built into them.

The objective of our proposal is to develop an approach to certification at the European level, responding to different security needs. It should notably ensure that a certificate issued in one country will, under specific conditions, automatically be recognised in others.

To facilitate consistency with frameworks and standards already in place, we want to build on existing national and transnational work, notably by ensuring that the schemes proposed in the future European framework rely as much as possible on international standards. Industry plays a central role in the standardisation process, and under our proposal, it would have the opportunity to engage in the preparation of these schemes.

In parallel, there is room for industry-led initiatives to ensure security best practice is comprehensively and widely adopted. This work is already underway and I welcome the industry’s engagement in defining basic cyber hygiene principles.

Making ourselves more resilient also means having the right skills and technological capacities.

Europe faces a “cyber security skills gap” currently estimated to reach 350,000 people by 2022. Having this skills base is central to effective resilience. So cyber must be mainstreamed and prioritised in education and training curricula.

We also need to invest in research to stay ahead of those looking to attack us.

We already have a cybersecurity public-private partnership in place with EU research funds which will trigger 1.8 billion euros in investment by 2020.

This is a good start but we need to complement and continue that work. We need to make sure the EU retains and develops essential capabilities to secure its digital economy, infrastructures, society and democracy. To achieve that, we are proposing to create a pan-European cybersecurity competence network to reinforce capabilities so that European players are not too reliant on critical technologies from outside the EU.

Creating credible disincentives for cyber attacks

Deterrence means creating real and credible disincentives for those who might contemplate attacks. We need to dramatically increase the chances of getting caught and attach severe penalties to committing hostile cyber acts.

Law enforcement need help to trace and identify perpetrators, a notoriously difficult task — according to Europol, 90% of cybercrime investigators regularly run up against this kind of attribution problem. That’s why we are looking at ways of better identifying websites and IP addresses including encouraging the uptake of the new protocol (IPv6) as it allows the allocation of a single user per IP address, bringing clear benefits including to cybersecurity investigations.

We also need to step up cooperation and the sharing of expertise and reinforce the cyber forensics and detection capabilities of Europol’s EC3 to boost forensic capabilities.

And we have taken steps to increase law enforcement access to electronic evidence, including when it is hosted in a different country. In April, we set out proposals to provide law enforcement and judicial authorities with new tools to obtain cross-border e-evidence — such as emails, texts or WhatsApp messages — for the investigation and prosecution of crimes, including terrorism and cybercrime.

The measures include the ability for Member States to directly compel service providers in another jurisdiction to provide data through the creation of a European Production Order.

Tackling the growing threat of disinformation

But beyond these more traditional kinds of cyber attack, we are now facing a much broader set of cyber threats. We are seeing the increased use of cyber means to spread propaganda and disinformation, and to incite terrorism.

To combat this, the Commission brought forward a range of measures in April against disinformation and fake news online. In doing so we sent a very clear and strong message to internet platforms — Facebook, Twitter and others — who have such a prominent role in our society — and who equally have a responsibility to take action.

We are not asking them to judge what is true or not. But we do want more transparency, traceability and accountability online, and platforms need to help deliver this.

Our newsfeeds should tell us clearly when content has been paid for and by whom, when it has been distributed via bots rather than by other users and why we are being shown certain content.

In addition, we will strengthen the work done by ‘fact checkers’, we will support quality journalism and we will promote media literacy and critical thinking.

We have asked stakeholders to draw up and agree on a Code of practice, to be adopted by internet platforms, requiring them to improve how adverts are placed, to restrict targeting options for political advertising, and to reduce the revenues made by those behind disinformation. It will also promote greater transparency around sponsored content — marking it clearly as such, and stating who has paid for it.

To successfully tackle disinformation, we need to call it out — for example, we set up the East Strategic Communication Task Force in the European External Action Service to strengthen quality media in the region and to improve our capacity to respond to Russian disinformation.

Since its establishment in 2015, East Stratcom has catalogued over 4,000 examples of disinformation, including for example 31 disinformation narratives around the chemical attack in Salisbury and 57 around the downing of flight MH17.

We also need to consider the issue of disinformation in the context of upcoming elections such as the European elections next May.

Across the EU, there are many initiatives at national level focused in particular on possible interference in upcoming elections. There is also strong transatlantic cooperation on this issue, which is discussed in the EU/US security and cyber dialogues and in the context of the Transatlantic Commission on Election Integrity.

We now need to ramp up this work and ensure that public authorities as well as other actors — both public and private — are as prepared as possible. In the EU, that means establishing plans at national level to guard against cyberattacks and election interference.

To this end, we need every Member State to comprehensively assess the threat to their democratic processes and institutions, whether from more traditional cyberattacks or from the manipulation of information. They should have a national action plan and a task force bringing together representatives from all relevant authorities — cybersecurity, intelligence, law enforcement, electoral commissions and the private sector — with the task of countering these cyber threats.

Above all, they should treat elections as a central component of their critical infrastructure protection and resilience planning.

Looking further ahead, the Commission will convene a high-level meeting next month, bringing together national players in order to take stock of progress on the various fronts and to identify and share best practices for election security. This will build on the work done by the NIS Cooperation Group on a Compendium on Cyber Security of Election Technology to define the key resilience measures to combat cyber threats to elections at national level, including the need for a response-protocol in case of incidents, training and exercises on possible scenarios at all levels, and a robust and trusted network across the relevant authorities at national level to deal with incidents.

Our work in all areas of cybersecurity, then, is crucial to ensuring Europeans can enjoy the full benefits of a digitised world in the years to come. This is not a challenge which will go away, however, and in order for our efforts to bear fruit, we do indeed need to “bridge the divide” — because it is only by working together, at all levels, that we can successfully counter those who would use cyber means to harm us and the societies we live in.


Bled Strategic Forum

The official Medium publication of Bled Strategic Forum (BSF) — a platform for high-level strategic dialogue among leaders from private & public sector. Organised by the Slovenian Ministry of Foreign Affairs & Centre for European Perspective (CEP).
