As part of a broader mission of making Europe the world’s safest digital environment, the European Court of Auditors (ECA) has released a comprehensive, 74-page report (“Challenges to Effective EU Cybersecurity Policy”) detailing the cybersecurity challenges facing the European Union in 2019 and beyond. The report was based on a review of position papers, official policy documents, studies by third parties, and actual field work examining the cyber readiness of the European Union. While the ECA specifically noted that this was a briefing paper and not an audit report, the document did include many recommendations about how best to respond to the growing number of cyber threats to the EU.
Streamlining the EU’s complex cybersecurity policy landscape
One major theme that emerged from the report was the very complex cybersecurity policy landscape within the EU, with individual member states often having a very different view of which cyber threats should receive the maximum priority, as well as which laws and legislation should apply to different cybersecurity challenges. Thus, one recommendation from this ECA report on cybersecurity strategy was simply to streamline and rationalize the policy and legislative framework.
Perhaps not surprisingly, the European Court of Auditors very much took an auditor’s approach to making sense of the current “patchwork” legislative environment. The starting point, says the ECA, is simply to come up with measurable objectives for different regulatory bodies, and then to determine where there might be gaps in EU law. To make that job easier, the ECA provided a number of charts and infographics outlining the current policy and legislative framework, so as to make meaningful accountability and evaluation possible for different information security initiatives.
Boosting the EU’s “cyber-resilience”
Another key theme of the ECA briefing report on cybersecurity challenges was that the EU needed to do a better job of boosting cyber-resilience across all EU member states. As the ECA points out, one major goal of cybersecurity professionals should be the ability to respond quickly to different cyber incidents. While the EU may have many rules and regulations in place, and while some businesses have given thought about how best to respond to a cyber threat, there needs to be much more effort dedicated to prompt responses to online attacks.
To highlight the need for greater cyber-resilience, the ECA noted that a staggering 80 percent of EU businesses reported at least one “cyber incident” in 2016. With that type of cyber threat such a ubiquitous reality, you would think that these businesses would be doing a much better job of evaluating threats, considering the potential financial damages involved, and coming up with a response plan. Yet, that doesn’t seem to be the case. The ECA noted that a majority (69 percent) of EU businesses have no understanding of their exposure to risk, and consequently, a clear majority of EU businesses have not even considered the financial risks involved by not beefing up their defenses against cybersecurity challenges.
Reducing the risks of cross-border data breaches
The ECA briefing report on cybersecurity challenges also took a broad-ranging look at how cyber threats might impact more than one EU member state at one time. With that in mind, the ECA report specifically looked at the potential for “large-scale, cross-border” online breaches. These data breaches might be the result of cyber criminals looking to launder vast amounts of cash across state borders, or hacktivists planning large-scale distributed denial of service (DDOS) attacks designed to bring certain organizations or government agencies to a screeching halt.
One recommendation found within the report attempted to address these cybersecurity challenges. As the ECA points out, the EU needs truly EU-wide standards for training, certification and cyber risk assessments. Right now, the situation exists where EU member states are not ready to come to each other’s aid in the event of a massive, cross-border cyber attack.
Extending cyber defenses for a growing “attack surface” within the EU
To help transform these insights and recommendations into actual policy changes, the ECA briefing report also outlined the growing “attack surface” within the EU. Gone are the days when the only concern of security specialists needed to be physical computer systems housed within a secure perimeter. Today, innovations ranging from Big Data and the cloud to the Internet of Things means that more devices than ever before are hooked up to the Internet, and that more data than ever before is also at risk in the event of a cyber breach.
Thus, in order to make Europe “the world’s safest digital environment,” policy makers need to take into account this much wider attack surface. Creating the very best cyber defense possible means understanding all of the various attack vectors that hackers and cyber criminals can utilize.
An evolving view of cybersecurity challenges
As a further way to help bring government leaders across the EU up to speed on cybersecurity challenges, the briefing report also touched on the concept of cybersecurity, and how this concept continues to evolve. According to the EU, cybersecurity should be defined as “all the safeguards and measures adopted to defend information systems and their users against unauthorized access, attack and damage to ensure the confidentiality, integrity and availability of data.”
To show the various dimensions of cybersecurity, the ECA briefing report also outlined the broad risks involved with data, presenting several charts on different threat types, and how they impact data. The four major risks to data, says the ECA, are disclosure, modification, destruction and denied access. Different cyber threats focus on one (or more) of these goals. For example, some hackers have in mind the public disclosure of personal data for reasons such as identity theft, while others are looking to launch distributed denial of service attacks against corporations in an effort to extort money from them. Thus, there is not one single cyber threat that EU member states need to be preparing for – there are many different cyber threats out there that need to be considered.
Next steps for the EU
Since this report was officially a “briefing report” and not an “audit report,” the recommendations are just that – recommendations. However, if the EU is really intent on creating the world’s safest digital environment, then it should look to act promptly in order to address each of the cybersecurity challenges described within the report. By improving coordination across EU member states, by building greater resilience to cyber attacks, and by raising overall awareness of the growing number of cyber threat vectors, the EU can take important steps in boosting the overall safety of its digital environment.