Approach to Cybersecurity in the European Union and the Cybersecurity Act

Att. Kağan Erdem

In today’s technological era, communication, data exchange and access to information are made simple by the huge intercontinental computer network: the internet. The internet opened a door into the information age and made our lives so easy that we all depend on it. Shopping, commercial activities, gathering information about almost everything, audiovisual communication, access to public services, banking transactions, transportation and accommodation, social media… The internet allows us to do almost everything from our computers and compels all generations to adopt it, since human life is now strongly attached to technology.

Humans made an extraordinary effort to develop computers and came a long way from 1s and 0s to achieve undreamed-of technological advancements. Now computers, the internet and information technologies serve not only individuals but also governments, international organizations and companies. Interstate activities, scientific collaborations and public services are carried out over robust network systems. Under these circumstances, governments have already started to take the necessary measures to strengthen their technological infrastructures. Since it is now believed that the next world war will be fought between computers, cyber power has gained importance alongside economic, political, social, environmental and military power.

Cybersecurity is essential for individuals, companies, governments and organizations. Personal data, official secrets, government policies and security intelligence are stored digitally, and general awareness is being raised in order to protect them. At present, citizens, businesses, states and organizations are more conscious of the right to privacy, because they are aware that technological progress and digitalization make us powerful but at the same time leave us vulnerable to threats. There are several examples of cyber-attacks targeting companies and governments; even those with strong security infrastructures have been overcome by serious attacks.

Every day, many people fall victim to computer fraud, companies come to a full stop, or state secrets are disclosed as a result of powerful cyber-attacks. We might picture hackers as young computer enthusiasts in black hoodies who break into computer systems for fun or to make social statements; in our age, however, hacking is an industry that serves big companies and governments in their power struggles. Cybersecurity incidents, be they intentional or accidental, could disrupt the supply of essential services we take for granted, such as water or electricity. Threats can have different origins, including criminal, terrorist or state-sponsored attacks as well as natural disasters and unintentional mistakes. [1]

As the right to privacy and data protection come into prominence day by day, the world tries to build security pillars to fight malicious intent, and solid legislation becomes inevitable. In this context, the European Union is one of the hardest-working organizations in the aforementioned fight against cyber-attacks and cyber-crime. The European Council started to pay attention to cyber-crime back in the 1970s and took action by forming strategies and committees in the 1980s and 90s. The most important document on cyber-crime, the Budapest Convention, was approved in 2001 and signed by 63 countries. The Convention is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures, such as the search of computer networks and interception. [2]

One of the biggest steps towards creating a sense of solidarity and regulatory unity between member states was the establishment of ENISA (European Union Agency for Network and Information Security, 2014). The aim was to create an authority that sustains coordination and collaboration in the European Union in an effort to strengthen network and information security, fight cyber threats and raise awareness. ENISA is a centre of network and information security expertise for the EU, its member states, the private sector and EU citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. [3]

Two other cornerstones of the European Union’s cybersecurity policy are the EU Cybersecurity Strategy of 2013 and Directive 2016/1148 on security of network and information systems (the NIS Directive). In the document “Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace”, the strategy is articulated in five strategic priorities: achieving cyber resilience; drastically reducing cybercrime; developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP); developing the industrial and technological resources for cybersecurity; and establishing a coherent international cyberspace policy for the European Union and promoting core EU values. [4] This strategy was the first effective and very important step towards laying the foundations for unified European cybersecurity. It sets out the EU’s strategic vision for preventing failures of European telecommunications systems and responding to such cases. [5]

The NIS Directive, adopted on 6 July 2016, represents the first EU-wide rules on cybersecurity. The objective of the Directive is to achieve a high common level of security of network and information systems within the EU by means of improved cybersecurity capabilities at national level, increased EU-level cooperation, and risk management and incident reporting obligations for operators of essential services and digital service providers. The NIS Directive is a major milestone towards building cybersecurity resilience at the European level; it entered into force in August 2016. [6]

Over the years ENISA has put in praiseworthy effort by publishing numerous guidelines, factsheets, reports and recommendations; organizing conferences, workshops and training programmes; working with CERTs (Computer Emergency Response Teams) and CSIRTs (Computer Security Incident Response Teams); and implementing EU regulations on cybersecurity such as those stated above. To enhance ENISA’s capabilities and intensify the cybersecurity strategy, on March 12, 2019 the European Parliament approved the proposal of the Regulation 526/2013, the Cybersecurity Act, which will be approved by the European Council and enter into force afterwards.

Under the Cybersecurity Act, ENISA now holds a permanent mandate in the development and implementation of EU policy: continuing its publications and assistance; improving operational cooperation by coordinating all cybersecurity bodies internationally; handling security breaches; following technological innovations; and providing advice, guidelines and education. The Agency will have more resources and a qualified workforce as it becomes the permanent pioneer of EU cybersecurity policy.

In addition, the Cybersecurity Act establishes the first EU-wide cybersecurity certification framework, which will replace existing national certification schemes to ensure a common cybersecurity certification approach in the European internal market and ultimately improve cybersecurity in a broad range of digital products and services. [7] After the cybersecurity certification programme is approved, businesses that manufacture and/or supply information and communication devices, products and services will be obliged to apply for the certificate of compliance. IoT (Internet of Things) devices will have to comply with security standards in the production phase (security by design), and users will be able to receive and use default security configurations without extensive technical knowledge (security by default).

The Cybersecurity Act brings new rules and definitions with the aim of putting cybersecurity measures in place from the very beginning of the production stage. On the way to creating a unified digital market for EU member states, which is one of the key objectives of the European Digital Agenda, the new certification framework also appears to affect business between non-member states and member states. Most importantly, the Act lights the way for new and efficient laws regulating data protection, cybersecurity and cyber-crime, since existing legislation around the world is starting to fall short against the increasing security vulnerabilities of individual users, businesses, governments and international organizations. The European Union foresees the future of digitalization and threats in cyberspace, and continues to act as a pioneer on the subject of cyber resilience.

References:

[1] EU Cybersecurity Initiatives Factsheet, European Commission, 2017

[2] https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185

[3] Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity, ENISA, 2018

[4] https://eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf

[5] Cybersecurity Policy and Strategy in the European Union and NATO, László Kovács, 2018

[6] https://www.enisa.europa.eu/topics/csirts-in-europe/csirts-network

[7] https://ec.europa.eu/digital-single-market/en/news/cybersecurity-act-strengthens-europes-cybersecurity