From Users to Commissioners: Cybersecurity is a Shared Responsibility

14 Nov 2019
Héloïse Martorell
Policy Analyst
[email protected]

With a fresh College of Commissioners in office, policy initiatives will soon follow. Cybersecurity has been named a priority and the largest concern for industry. Accordingly, lawmakers and industry experts discussed the current cybersecurity landscape and the shape of the future EU cybersecurity governance framework in the European Union at Forum Europe’s Annual Cybersecurity Conference on 14 November.

The sentiment first iterated by Roberto Viola, Director General of DG Connect, but echoed by every speaker at the conference, was the importance of creating a culture of information sharing between companies, from SMEs to multinationals. While companies may feel disincentivised from publicising a cyberattack, for fear of backlash from customers or competitors, the more they share, the less ammunition perpetrators have to replicate their attack on others. Tech companies can take the example from the financial sector. According to Chris Girling, CISO at Crédit Suisse, banks have repeatedly shared information at the first sign of a cyberattack, making it more time-consuming and expensive for perpetrators. Simply put, the more information companies have, the more countermeasures industry as a whole can adopt to protect themselves.

This practice must also go beyond industry to governments, at all levels and internationally. Cyber attackers’ reach goes beyond borders and EU countries are currently lacking the cross-border infrastructure to coordinate their protection. Some have already started to improve this. The governments of Slovakia, Hungary, the Czech Republic and Poland have worked together to boost their national cybersecurity capacity and encouraged the exchange of information between CERTs, according to Karol Okoński, Secretary of State, Polish Ministry of Digital Affairs, Government Plenipotentiary for Cybersecurity. Others must follow suit and expand this outreach to non-EU countries, including Japan and the United States.

Another popular theme of the day was cybersecurity certification. For industry, certification provides guarantee over the security level of equipment across the supply chain. For policy-makers, certification schemes are used to raise awareness and help ensure harmonisation within the private sector. The European Commission is currently testing cybersecurity certification through its voluntary scheme, with results expected in June 2020. However, it may revisit implementing mandatory certification during the review of the NIS Directive next year. Member states have adopted their own policy measures in the meantime. Germany’s upcoming reform of its telecommunications law – with a draft expected by the end of this year – will include mandatory cybersecurity certification. While certification provides a regulatory solution in theory, its dependence on common criteria cannot match the complex security systems of companies, varying by size and sector. Any scheme must therefore be implemented through industry participation and, most importantly, international coordination.

The EU’s sharpened focus on cybersecurity is embedded within a drive to set the pace for tech regulation and promote European policy standards on a global scale. As technological innovation continues to increase, devices become more connected, and cyber-attackers gain more tools, public-private sector coordination is necessary to improve cybersecurity capabilities across sectors and governments.