The EU needs to step up its cooperation between civil and military cybersecurity authorities when member states are attacked by hackers, according to the EU cybersecurity agency ENISA.
The Athens-based agency asked the European Commission for a bigger role in responding to cybersecurity breaches. Part of that role would mean working more with the military when hackers attack more than one EU country. Those cybersecurity breaches can potentially become an EU competency, according to a document that the agency sent the EU executive, which EURACTIV has obtained.
ENISA sent the 20-page document to Brussels to argue for more centralised EU oversight over cybersecurity rules, a certification system to guarantee technology products are secure and for an overhaul of how authorities respond to major hacking attacks.
Foreign ministers from EU countries agreed in June that they can use sanctions to retaliate against hackers.
ENISA argues that more EU action is still needed if multiple member states are affected by major cybersecurity attacks.
The EU agency has pointed to recent large-scale cybersecurity crises like the WannaCry attack in May as proof that it has already started to work more with authorities in different EU countries to manage breaches that affect more than one member state. Now, ENISA wants the Commission to give it more powers.
The agency has asked the Commission for a number of additions to be included in cybersecurity certification legislation that it plans to announce in September.
ENISA wants the Commission to set up a “cybersecurity standards coordination body” as well as a “fast track” process so that a planned EU programme to rank the cybersecurity level of products can be used for technologies that develop quickly, like the so-called internet of things, or devices that are connected to the internet. The agency also asked for the Commission to make sure its certification law is a pan-EU system covering services and skills, in addition to products.
Andrus Ansip, the EU vice-president in charge of the Commission’s digital single market policies, has so far refrained from sharing details about his plans for the certification programme: he has not said whether it should be binding legislation, voluntary or a fully centralised, pan-EU system.
ENISA’s director Udo Helmbrecht has been an outspoken supporter of creating a legally binding certification system that covers all EU countries.
The EU certification programme should grade products according to how secure they are—ranging “from lightweight certification for IoT devices to complex certification for high security applications such as are used for electronic banking identity”, according to ENISA.
The agency also wants an EU-level assessment of whether companies should be held responsible if they don’t disclose security weaknesses that could make their software more vulnerable to hackers.
ENISA is bidding to be put in charge of that programme.
In addition to the certification scheme, the Commission’s announcements in September will also include a new legal basis for ENISA and an updated version of the bloc’s wide-ranging cybersecurity strategy.
ENISA wants the EU strategy to name a “lead agency” tasked with coordinating between private companies and government institutions on cybersecurity issues.
For years, the agency has lobbied the Commission for a budget increase so that it can hire more staff members—it currently employs around 80 people in its Athens and Crete offices—and have the manpower to monitor cybersecurity breaches around the clock, instead of relying only on national authorities to share their information.
So far, the EU executive has not given in. EU member states are touchy about beefing up the EU agency, since cybersecurity issues are for the most part a national issue.
But ENISA wants to gain a more prominent role as the Commission gets ready to amp up EU institutions’ work on cybersecurity.
The agency is bidding to become a “cybersecurity coordination hub” that offers “‘cross-community support services’ such as threat analysis, cross-community trends analysis, trusted information exchange, advice on standards and certification practices, standard risk analysis techniques and taxonomies”.
If the Commission gives all of those jobs to ENISA, it will “help to avoid fragmentation and duplication of resources,” the agency’s document reads.
There are several other EU offices that also work on cybersecurity, including the EU aviation agency EASA, the Commission’s cybersecurity response team CERT-EU and a policy unit within the Commission.
The agency also wants the Commission to take a heavier-handed role in setting technology standards “so that Europe is driving the marketplace rather than being pushed by vested interests”, ENISA wrote.
Most tech standards are set by international organisations like the International Telecommunication Union, which sets telecoms network standards, or by EU bodies like ETSI, the European Telecommunications Standards Institute.