Wednesday

1st Feb 2023

Opinion

How to enhance EU cybersecurity

  • Only this month, there were more stark warnings about further hacks (Photo: European Commission)
Listen to article

It may have been slightly embarrassing for the EU when on 29 March the Hungarian news site Direkt 36 made known how the Hungarian foreign affairs ministry had been hacked for several months since December 2021 by Russian intelligence, a few days after the European Commission proudly announced it had strengthened cybersecurity with a new set of measures to harden the networks of the EU bodies against penetration.

Since the Hungarian connection potentially compromised the sensitive communication channels with Brussels, the incident is yet another painful demonstration of how fragile cybersecurity really is.

Read and decide

Join EUobserver today

Become an expert on Europe

Get instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

This incident is not an isolated one (the hacking of the Spanish prime minister is another prominent recent example) and I'm sure many more similar incidents have gone unreported.

Indeed, only this month, there were further stark warnings about further hacks.

It is against that backdrop that the EU Commission released a new Cybersecurity Regulation on 22 March, which intends to improve its institutions' "governance, risk management and control in the cybersecurity area".

This includes a new inter-institutional cybersecurity board, boosting cybersecurity capabilities and maturity assessments and better cyber-hygiene. More importantly, the mandate of the Computer Emergency Response Team (CERT-EU) will receive additional responsibilities for threat intelligence, information exchange and incident response coordination. These new rules add to existing initiatives to improve the EU's cybersecurity as facilitated by Enisa, the European Information Security Agency.

But the Hungarian hacking, which allowed the Russian intelligence services to read over the shoulder of an EU member state for an extended period of time, proves that cybersecurity is as networked as ever, and needs to be ensured far beyond the institutions and agencies of the EU itself.

It requires more incisiveness than is likely to be achieved by an inter-institutional board, which on the surface sounds like little more than yet another bureaucratic layer on top of the rest and a parallel with Enisa.

The EU and its members are increasingly dependent on digital infrastructure. This entails huge risks for severe disruption if this interconnectedness is compromised.

Whereas the usual cyberattacks naturally involve the theft of the EU's political and economic confidential information, the ongoing war in Ukraine could bring about more crippling cyber offensives.

The past months have revealed cyberattacks of varying size, prowess and success against digital communications, critical infrastructure, and even satellites. The EU and the world are at the dawn of a new digital era, wherein 5G and beyond, AI, quantum computing, intelligent drones, nanotechnologies, and concomitant innovations will enable a true Internet of Things that connects all devices but at the same time exposes those connections to great risk.

The question, therefore, remains what further steps need to be taken to enable a safe and secure digital environment.

Enisa's initiatives definitely lead to positive developments and awareness; however, they usually involve the creation of bureaucratic layers and procedures, and focus on incentivising without enforcing. New paradigms will be required to detect and defend against new attempts at exploiting our connectedness and mitigating their effects, and in this regard, the EU can learn a lot from its partners.

As a Nato powerhouse, the US remains the world's most capable cyber state in defensive, offensive and intelligence capabilities, thanks to decades of significant investment and clear political direction, and more could be done to share techniques with EU allies. Other examples include the United Arab Emirates which, driven in part by the sharp increase in cyberattacks, has become a strong regional cyber power.

Its strategy has included getting help from cyber experts, such as Amazon Web Services and Deloitte, to help upskill local staff in technology — a technique which EU states should also embrace further with the right partners.

While there are key differences in how offensive cyber capabilities are assessed, in order to counter the threat of authoritarian powers, as members of Nato, many EU states could also look to further enhance their offensive cyber capabilities to avoid being outmanoeuvred by China and Russia's heavy investment in this area.

However, the difficulty for the EU is that it is not an individual nation but the combination of 27 cybersecurity policies and mentalities, and hence will have to seek a way of overcoming the divisions this entails.

'To Do' list

To do this, the EU should enhance cybersecurity around three key elements: improving situational awareness, reducing the attack surface through coordinated countermeasures, and enforcing standards.

The EU is excellently placed to do all three, but standards will have to become stricter and be enforced rather than incentivised. Provided the CERT-EU will be given the capacity to process the incoming data, the incentives could include sanctions for not meeting the requirements, helping ensure the gravest incidents are prosecuted and having the EU set its considerable economic power against states that harbour cyber criminals.

Setting these capabilities up are not just technical, but also organisational challenges. Cybersecurity is not set up in isolation — it is as holistic and decompartimentalised as possible.

But cybersecurity can only be as strong as its weakest link.

Author bio

Kenneth Lasoen is a research fellow at the Clingendael Institute in the Netherlands.

Disclaimer

The views expressed in this opinion piece are the author's, not those of EUobserver.

EU reaches deal on flagship cybersecurity law

The European Parliament and EU member states have reached an agreement over new rules intended to protect Europe's public and private critical entities from cyberattacks.

EU condemns 'Pegasus' spyware use on journalists

An international investigation over the weekend by 17 media organisations, led by the Paris-based non-profit journalism group Forbidden Stories, said 180 journalists had been targeted by Israeli spyware. Among them were Hungarian reporters.

Magazine

To lead in cyberspace, the EU needs to avoid digital tribalism

To avoid digital tribalism the EU needs a strategy to better engage with the Global South, including the emerging digital powers such as Brazil, Egypt, Ghana, India, Indonesia, Jamaica, Kenya, Mexico, Singapore, South Africa, and Senegal.

Europe is giving more aid to Ukraine than you think

'Europeans need to pull their weight in Ukraine. They should pony up more funds.' Such has been the chorus since the start of the war. The problem is the argument isn't borne out by the facts, at least not anymore.

More money, more problems in EU answer to US green subsidies

Industrial energy-intense sectors, outside Germany and France, will not move to the US. They will go bust, as they cannot compete in a fragmented single market. So to save industry in two member states, we will kill the rest?

Column

Democracy — is it in crisis or renaissance?

Countries that were once democratising are now moving in the other direction — think of Turkey, Myanmar, Hungary or Tunisia. On the other hand, in autocracies mass mobilisation rarely succeeds in changing political institutions. Think of Belarus, Iran or Algeria.

Latest News

  1. EU green industry plan could spark 'dangerous subsidy race'
  2. Wolves should be defended, EU ministers urge
  3. EU Commission wants drones for Bulgaria on Turkey border
  4. MEPs rally ahead of vote for gig-economy workers' rights
  5. Europe is giving more aid to Ukraine than you think
  6. Hungary blames conspiracy for EU corruption rating
  7. Democracy — is it in crisis or renaissance?
  8. EU lobby register still riddled with errors

Stakeholders' Highlights

  1. Party of the European LeftJOB ALERT - Seeking a Communications Manager (FT) for our Brussels office!
  2. European Parliamentary Forum for Sexual & Reproductive Rights (EPF)Launch of the EPF Contraception Policy Atlas Europe 2023. 8th February. Register now.
  3. Europan Patent OfficeHydrogen patents for a clean energy future: A global trend analysis of innovation along hydrogen value chains
  4. Forum EuropeConnecting the World from the Skies calls for global cooperation in NTN rollout
  5. EFBWWCouncil issues disappointing position ignoring the threats posed by asbestos
  6. Nordic Council of MinistersLarge Nordic youth delegation at COP15 biodiversity summit in Montreal

Stakeholders' Highlights

  1. Nordic Council of MinistersCOP27: Food systems transformation for climate action
  2. Nordic Council of MinistersThe Nordic Region and the African Union urge the COP27 to talk about gender equality
  3. Friedrich Naumann Foundation European DialogueGender x Geopolitics: Shaping an Inclusive Foreign Security Policy for Europe
  4. Obama FoundationThe Obama Foundation Opens Applications for its Leaders Program in Europe
  5. EFBWW – EFBH – FETBBA lot more needs to be done to better protect construction workers from asbestos
  6. European Committee of the RegionsRe-Watch EURegions Week 2022

Join EUobserver

Support quality EU news

Join us