A trusted and cyber secure Europe

The European Union Agency for Cybersecurity (ENISA) analyses the threat landscape on a yearly basis to have a better view of trends and attack techniques. The Agency is also exploring how foresight techniques could help address future cybersecurity threats, says Juhan Lepassaar, Executive Director of the European Union Agency for Cybersecurity.

Juhan Lepassaar, Executive Director of the European Union Agency for Cybersecurity

What is the state of cybersecurity in Europe?

The European Union issued a new cybersecurity strategy in 2020 to address the security challenges brought about by the expanding use of digital services, products and processes across the Member States.

The European Union Agency for Cybersecurity has been engaged in actions to help Member States achieve a high common level of cybersecurity for many years now and has recently been given enhanced responsibilities by the Cybersecurity Act. We are now cooperating with the wider cybersecurity community, putting in effort to reach the different communities and working hand in hand with national authorities, the CSIRTs network, CERT-EU, but also with other EU institutions and agencies, gathering experts with different profiles and backgrounds in our working groups. We aim to provide support to all sectors of our economy.

However, cybersecurity threats across the EU are still generally on the rise with ransomware ranking as a prime threat. We also see that new actors have emerged such as hackers-for-hire and that these threat actors now resort to a wider range of techniques to perform their attacks. Despite all the preventive measures we can take, it’s obvious that, with the continually growing online presence and by increasingly relying on digital services, products and processes, the exposure is also growing proportionally, and this is something we definitely need to take into account.

This should not hold us back though. I really see this as another reason why we need to maintain and even renew the efforts already engaged. In the end, building our resilience is the only way we can substantially reduce the volume and impact of cyber threats and incidents in the Union.

The work on resilience is currently expanding now that it is included as a main objective of the new strategy. The European Union Agency for Cybersecurity organises a wide variety of resilience activities, ranging from knowledge sharing, awareness raising, designing training materials and tools, developing certification schemes, analysing trends, promoting legislative compliance, etc.

Every year the EU Agency for Cybersecurity collects cybersecurity incident reports from Member States and analyses them. While the analysis for 2021 is still ongoing, in 2020 most incident reports were about incidents in the health sector (262), the telecom sector (171), the banking sector (124), digital infrastructure (95), and the energy sector (90). Cyber incidents with significant impact on critical sectors have increased by 72%. The last ENISA threat landscape reveals that this is a general trend across sectors, including a substantial rise in ransomware. Findings reveal that ransomware payment demands more than doubled from 2020 to 2021. The results of a survey showed that 66% of the organisations contacted suffered significant revenue losses due to ransomware attacks.

How is cooperation on cyber issues between Member States going?

With the extended mandate given by the Cybersecurity Act (CSA), the Agency has strengthened the cooperation with the operational actors in the field. This of course includes the support given to Member States to facilitate cooperation among them on cyber issues. For instance, the European Union Agency for Cybersecurity is now closely interacting with the CSIRT communities of the Member States to build and advance their CSIRT capabilities.

The cooperation of the European Union Agency for Cybersecurity with Member States on cyber issues is multi-faceted. We support the coordination at many different levels. One important task given to us is to help Member States develop their national cybersecurity strategies. National strategies make it clear what actions should be taken to improve the security and resilience of national infrastructures and services in a harmonised way across the EU. The European Union Agency for Cybersecurity has developed a framework for Member States to self-assess the level of maturity of their strategic objectives. This framework is an important tool to build cybersecurity capabilities both at strategic and operational level.

We also help businesses and organisations, including operators of essential services or digital service providers with measures they can take to prevent incidents and protect their assets. We do not intervene independently when incidents happen, but we are here to provide advice and expertise if we are requested to. Our role is also to support an effective and coordinated response in case of large-scale cross-border incidents. This coordinated role is central to Member States for crisis management.

A number of initiatives have therefore been taken to develop an EU-wide network to make cooperation among Member States more efficient. One such initiative is the EU Cyber Crisis Liaison Organisation Network, or CyCLONe, which is a network of agencies from the 27 Member States of the EU, all in charge of cyber crisis management. This network was set up to prepare for and respond to major crises at the operational level. The role of the European Union Agency for Cybersecurity here is to provide secretariat support to the network.

5G security talks. How is the security of next generation mobile networks seen in the EU?

Ensuring the resilience of 5G networks has been an objective of the EU over the past years. The European Union Agency for Cybersecurity has been called to support the development of the common toolbox of mitigating measures referred to as the 5G toolbox. The European Union Agency for Cybersecurity has been following the progress made since by the EU27 in implementing the EU 5G toolbox measures meant to strengthen security measures and published a report on this progress.

More recently, the European Union Agency for Cybersecurity received a request from the European Commission in February last year to prepare a new candidate cybersecurity certification scheme on 5G. This certification will contribute to addressing specific risks and should further improve the cybersecurity of 5G networks. A call for 5G experts was issued soon after to establish the ad hoc working group to be dedicated to the development of the scheme and possibly coordinate, whenever appropriate, with the European Cybersecurity Certification Group (ECCG), the NIS Cooperation Group Work Stream and its subgroup on 5G standardisation and certification.

Certification is a key element of the Cybersecurity Act. The European Cybersecurity Certification Framework will help create market-driven EU certification schemes. The objective here is to help reduce the fragmentation between the current certification schemes across the EU. The certification schemes delivered will be recognised by all Member States. Trade across borders will be made easier for businesses and also for users as it will help them understand better the security features of products and services.

How to ensure that the EU remains cyber secure in the future?

The European Union Agency for Cybersecurity therefore looks into the world of emerging technologies. This is inevitable if we want to possibly assess the potential new cybersecurity risks associated with technologies currently being developed and most possibly already integrated in the next products and services to end up on the market. Technological developments are no longer to be seen as something that might happen in a hypothetical future. They are happening now and often likely to be integrated tomorrow if not already there today. If research and development teams are working on the development of quantum computing or post-quantum cryptography or on artificial intelligence, this is where we should also focus our attention, and this is what we do.

The Agency also analyses the threat landscape on a yearly basis to have a better view of trends and attack techniques. Having the right threat intelligence at hand is a must have if we want to help the whole cybersecurity community identify the best resources to use to respond to such attacks. Threat intelligence can also give us the insight we need to prevent them from happening in the first place, which is the scenario I personally would like to see.

The European Union Agency for Cybersecurity is also exploring how foresight techniques could help address future cybersecurity threats. The foresight methodology allows a deeper reflection on various possible futures and strategic preparation to plausible scenarios. This is a major strategic planning tool which could open new perspectives to the way we approach cybersecurity.

Finally, investing in cybersecurity remains an important step in ensuring cyber resilience, especially for critical sectors. A report by the Agency found that, at the median value, a typical operator of essential services in the EU earmarks 7.7% of its IT investments for information security. For Finland, this is slightly below average at 7.1%. Differences were also noted across sectors, some of which are more mature than others.

The report analyses how Operators of Essential Services invest their cybersecurity budgets and how this investment has been influenced by the NIS Directive. It found that the median value of spending on implementing the NIS Directive amounts to 5.1% in the EU, compared to 3% in Finland.

Measuring the effectiveness of cybersecurity is a challenging task. Looking at cybersecurity investments and where resources are spent provides us with an understanding of the state of cybersecurity across the Union.