The EU should, among other things, strengthen the mandate of ENISA as the EU cybersecurity agency, create a certification framework at European level, and focus on the education and protection of internet users.
In an opinion adopted at the EESC plenary session on 14 February 2018 and drafted by Alberto Mazzola and Antonio Longo of the Section for Transport, Energy, Infrastructure and the Information Society (TEN), the EESC broadly supports the Cybersecurity Act set out in the cybersecurity package submitted by the European Commission to the Council in September 2017.
The concept of cybersecurity has emerged worldwide: it is a global challenge and attacks may take place anywhere. According to a special Eurobarometer survey on "Europeans' attitudes towards cybersecurity", 73% of internet users are concerned that their online personal information may not be kept secure by websites and 65% that it may not be kept secure by public authorities. Most respondents are concerned about being the victims of various forms of cybercrime, and especially about malicious software on their device (69%), identity theft (69%) and bank card and online banking fraud (66%).
In order to strengthen the European cybersecurity framework, the EESC proposes a number of practical measures.
- Strengthening ENISA as the EU cybersecurity agency
The European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cybersecurity in Europe and is based in Greece. The EESC agrees with the Commission that its mandate should be made permanent. However, the Committee is of the view that ENISA should also be given more financial resources and focus its action on supporting e-government, in particular EU/worldwide digital identity for persons and organisations, preventing and combating ID theft and online fraud, and countering intellectual property theft.
In addition, increasing cooperation among stakeholders is key. This could be facilitated by boosting cooperation with Member States and setting up a formal network of national cybersecurity agencies. ENISA would then have the power to audit national bodies and in this way build reliance among all agencies.
It is important that all Member States establish a national cybersecurity agency, commented Mr Mazzola.
Today, more than half of them do not have a counterpart to ENISA. The European Commission should make sure that national good practices and effective measures are collected and shared.
In order to overcome the lack of resources at ENISA and capitalise on their specific competences, the Committee advocates the involvement and cooperation of all sectoral EU agencies, above all the European Banking Authority (EBA), the European Aviation Safety Agency (EASA), the European Medicines Agency (EMA), and the European Union Agency for Railways (ERA).
- More strategic investments
The EESC stresses that the EU should increase investments towards strategic objectives in the field of cybersecurity through strong public-private cooperation. Resources could stem from different European and national funds, private-sector investments, and a specially created EU Cybersecurity Fund.
More specifically, the Committee suggests turning the current contractual Public-Private Partnership (cPPP) into a Tripartite Joint Undertaking (European Commission, Member States and enterprises), which would not only increase resources but also build trust among stakeholders. The EU should also consider opening a new window in the current and future Connecting Europe Facility as well as in the next EFSI 3.0.
- An EU cybersecurity competence network
In order to be truly competitive on the global stage and build a solid technological base, the EU has to acquire "digital sovereignty". In this respect, the EESC agrees with the Commission that it is essential to create an EU cybersecurity competence network, based on a coherent, long-term framework encompassing all the stages of the cybersecurity value chain.
The network would act as a provider of technical expertise and cyber hygiene training and, by helping to reduce dependency on non-EU know-how for key technology capabilities, it would stimulate a competitive European industrial base.
A Cybersecurity Research and Competence Centre at European level would support the network by liaising between existing national competence centres across the EU. It would coordinate research projects and thus create an effective European cybersecurity ecosystem where innovation can take place.
- A European cybersecurity certification
The Committee believes that an EU cybersecurity certification framework should be put in place, with different requirements according to the different sectors. Certification schemes would help to increase security according to present needs and threat knowledge and should be based on commonly defined European cybersecurity and ICT standards at international level.
A certification framework could also provide a common baseline to face the challenge of cybersecurity fragmentation. Homogeneous interpretation of the rules, including mutual recognition between Member States under a unified umbrella, would specifically facilitate the protection of a Digital Single Market.
- A recognised labelling system at European level
The certification process should include a proper labelling system for both hardware and software, which should also apply to products imported from third countries. The benefits of the labelling mechanism are several: reducing costs to businesses, overcoming existing market fragmentation caused by different national certification systems, and helping consumers understand the features of the item purchased.
With a view to reinforcing consumers' trust, the EESC thinks that it would also be advantageous to create an ad hoc logo, like the "lock" at the beginning of the address bar of a website. This would immediately draw the attention of users and inform them about the reliability of products and websites.
- The human factor: education and protection
People are key agents in digital processes because they benefit from the internet, but at the same time they can also be victims of major cyber incidents. The Committee believes that the Commission's proposal should go further and focus on improving cyber skills among individuals and businesses.
In order to increase cyber hygiene and awareness, the EESC recommends three lines of action based on lifelong learning and training programmes, awareness campaigns, and the creation of an EU‑certified curriculum for high schools and professionals.
People are crucial to make cybersecurity a reality. They are users and consumers. We need to invest in education and training with a view to building a strong cyber skills base, increasing knowledge of "secure" cyber behaviour while promoting users' trust in the internet. To this end, it is fundamental that all national and regional authorities as well as businesses and SMEs come together in a collective approach, said Mr Longo.
- The Internet of Things (IoT)
The human factor also plays a central role in the common "Internet of People" (IoP) devices that we use in our daily life, for example the digital components of our cars and houses. We rely on an ever-growing number of connected devices that are often not as well protected as traditional devices, giving cyber offenders more opportunities to act. EU certification could therefore provide a higher degree of security to the so-called Internet of Things (IoT).