EXCLUSIVE / Europe’s cybersecurity agency has admitted it is unprepared for the advent of the internet of things, lacking the money and expertise to meet the challenges posed by the much hyped move towards digitally connected devices.
The internet of things can connect up to 20 billion devices by 2020, according to the European Commission’s Digital Single Market strategy. The Commission said that big data, cloud services and the Internet of Things are central to the EU’s competitiveness.
“I have no one who is an expert in the internet of things,” said Steve Purser, director of operations at the European Network and Information Security Agency (ENISA), in an interview with EurActiv.
“Our coverage of technological change is minimal. I have one, perhaps two people who are experts in clouds. I have one person in industrial control systems. That’s quite a weak basis for the future,” Purser told EurActiv.
ENISA advises European institutions and member states on cybersecurity measures. Since 2010, the agency has organised pan-European cybersecurity exercises, the first effort to bring together all EU countries for an exchange on security measures.
It has an annual budget of €10.1 million culled from Commission and national funds, and a total of about 60 employees.
Purser said ENISA’s budget hasn’t changed much in the last ten years, although cybersecurity threats have mushroomed during that time.
“These things, even if it’s not ENISA that does it, someone needs to be doing them,” he said.
The European Commission allocated €50 million to cybersecurity research for this year as part of its Horizon 2020 programme, and announced a total of around €500 million for cybersecurity and privacy research until the programme’s end in 2020. Separate funding goes into law enforcement programmes targeting cybercrime.
With ENISA’s limited resources, Purser said the agency is a weak competitor up against private firms that hire cybersecurity experts and generally offer higher salaries.
“It’s very difficult for us to attract resources because we’re competing with environments such as the City of London that are offering cybersecurity professionals very good deals,” Purser said.
Purser argued that ENISA’s budget should be increased because there is a need for European countries to band together to defend against malicious attacks on the internet.
According to Purser, national cybersecurity measures are too limited, since the biggest threats European countries face come from outside their national borders.
“To some extent, talking about national cybersecurity is a misnomer because we’re in a global network and that network doesn’t recognize the borders of Belgium or the borders of the UK or anywhere else. It’s simply a global network,” Purser said.
“It needs to be a global approach. As part of that global approach there’s a European approach. And for the European approach, what I’m saying is it would make more sense to invest more.”
The Network and Information Security (NIS) directive, which would require companies in command of critical infrastructure to report attacks on their systems, started to move forward this spring after being stalled last year. Some private companies said they’re concerned about what kinds of companies will be obliged to report those threats.
In May, the Commission announced that it would propose “free flow of data” and European cloud initiatives next year.
European cloud computing companies have been eager to promote security.
“The perception of security is very important for getting people to engage. Particularly small and medium sized companies have been slow to adopt clouds and part of the reason for that is security,” said Paul Meller, spokesman for technology trade industry association DigitalEurope.
EurActiv recently reported that ENISA is also not working on security issues relating to civil drones.
An EU cyber security strategy was presented by the Commission and in 2013, covering the internal market, justice and home affairs and foreign policy angles of cyberspace.
The European Commission shortly after proposed a directive with measures to ensure harmonised network and information security across the EU.
The proposed legislation will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a “significant impact.”
The directive also suggests that market operators will be liable regardless of whether they maintain their network internally or outsource it.
The EU singled out a number of sectors which it claimed require more action on cybersecurity including “critical” infrastructure operators in energy, transport, banking and healthcare services.
All member states would be required to adopt network and information security strategies and set up teams to respond to incidents. Cooperation networks would be created at EU level.