Cybersecurity partnership: Europe lacks ‘strategic’ tech muscle

Luigi Rebuffi leads the EU public-private partnership on cybersecurity - which pledged to raise €1.8 billion in investment by 2020. [Security & Defence Agenda/Flickr]

This article is part of our special report Europe’s cybersecurity agenda.

An EU cybersecurity fund could give Europe’s technology sector “strategic” powers it lacks, according to the head of a one-year-old EU public-private partnership on cybersecurity. The Commission set up the partnership last year to raise investment funds by 2020.

Luigi Rebuffi, who leads the partnership, told EURACTIV.com in an interview that Europe’s cybersecurity industry will likely surpass the €1.8 billion investment it pledged to reach within four years.

[This interview has been shortened for length.]

The EU public-private partnership (PPP) on cybersecurity was started in July 2016. What are you doing now?

It’s been a little more than one year. We have almost doubled the number of members we have in the association. Cybersecurity has become a topic that’s very high on the political and economic agenda this year for different reasons, for political reasons, for the Commission but also for all our members. Having national public administrations in the PPP, not only in the board of directors but also directly in our working groups, is a real added value because it makes a difference with respect to other initiatives, other PPPs. Because security is sensitive, security still remains a sovereignty issue and the fact that having national public administrations’ experts in the working groups makes the recommendations we issue [to the Commission] much more mature than simply if they were recommendations from industry.

Does the fact that cybersecurity is now a more urgent topic on the political agenda this past year have to do with some of the high profile hacking incidents that happened this year, like WannaCry?

WannaCry was ransomware. If you look at the statistics, ransomware is still not the most important threat in cybersecurity, I think it’s the third. It is not on the top of the list, but it has been advertised very much so it created a kind of increased awareness. I think it’s important to understand that cyber threats are really increasing and can potentially disrupt society. But my impression was that the most important effect was on the political level. The threat that national administrations have seen of cybersecurity as a threat against the political democratic life, the threat against democratic life, this has really pushed cybersecurity in the political agenda a lot.

You’re referring to incidents involving elections?

Exactly. They call it the threat to democratic life, that’s the jargon they use.

When the Commission started the PPP last year, there was a clear goal to raise €1.8 billion in investment funds by 2020. How close are you to that goal?

€1.8 billion was the initial goal this is linked to the Horizon 2020 project [which provides €450 million in EU funds]. The first of these projects is starting right now, we are just initiating the collection of investments based on this project and the last project from Horizon 2020 on cybersecurity will actually start in something like 2021, more or less. We are still in discussions with the Commission to extend, to define the criteria for monitoring the investments of these €1.8 billion. We know our members are investing in research and innovation. I cannot tell you exactly how we are doing today because one year on, we are still at the very beginning. But it’s very important to provide a satisfying answer on this point.

Juncker announces massive cyber security overhaul

The European Commission will add funds and new powers for the EU cyber security agency and introduce a range of measures to limit threats from hackers, Commission President Jean-Claude Juncker announced in his annual state of the union speech on Wednesday (13 September).

The Commission proposed a new EU cybersecurity strategy and a programme to certify the security standards of tech products last month. How do you think those latest proposals might affect Europe’s cybersecurity industry?

The proposal takes different points of view, mainly in three areas. The first is resilience, the second is deterrence, the third is on international relations. All three are very important and very relevant. But the first one on resilience is the most important one, especially with the certification aspects, but also with the growth of ENISA [the EU cybersecurity agency]. The implementation of the NIS directive [an EU cybersecurity law that will go into effect next year] and the creation of this network of competence centres. All these initiatives go in the right direction, and we very strongly support this strategy and the creation of a European certification framework. We would have liked, the industry would have liked to have more to better see how Europe will invest in the future. In the next step, after Horizon 2020, what will be the investments beyond simply research? We just mentioned the €1.8 billion on research and innovation. I’m sure we will satisfy this because if we don’t, if our European industry does not invest this amount of money, we will not be competitive. I’m sure they will invest much more. The point is: what will be the investments beyond research? The investment from the Commission, from the national public administrations but also from the private sector. This is something I think is very strategic and we are still not there yet with discussions.

We are building the future today because we are discussing the next MFF [the EU’s multi-year budget], we are discussing next legislation, the implementation of regulations and directives and we are preparing now what will happen after 2020. Our industry needs to have a better view on investment already starting now. Including investment not only for large companies but also SMEs. Private investment is still very weak in Europe. The Commission has published a strategy that is a view from the Commission somehow. We tried to reply to the Commission with our views, which is a mix of public and private sectors. Where we are trying to provide our views not only on research, not only on competence, but also on future investment.

The PPP works with several different industries, including telecoms and aeronautics. The position paper you sent the Commission last month showed that companies have different views on certification. Are sectors divided over certification? Does the division correspond more broadly to whether different sectors want more or less EU-level regulation on cybersecurity?

Indeed there are different views in the sectors. We have strong discussions at the working group level because this is somehow the first time where we put together different interests and different market sectors. Trying to have only one solution may be difficult. At the same time, the only one solution is the framework the Commission is envisaging, this European certification framework. I don’t want to discuss now the governance of it, which is still under strong discussion between the Commission and representatives from member states and is very sensitive. But I think the objective there, we strongly support that, is that there should be one framework. How you define the framework in the different sectors, this is exactly what we are discussing and I think we have to refine that in the coming months. We have realised different sectors have different needs and different levels of maturity. That’s the reason why the Commission said it’s a voluntary approach. Because we are not here to impose something on different sectors that have different requirements. Certain sectors are regulated already and need to impose certain requirements, other sectors are not regulated. There should be more specific needs that will be defined in the future. We’re at the very beginning of our discussions, there will need to be more time to define the rules.

Is there one main element that EU policy should focus on more to help the European cybersecurity industry? Is it there a more urgent need for investment, for example, or research like through the new excellence centres the Commission proposed?

The approach of the Commission on research is a traditional approach because they have this view that we have to first start with research to provide innovation and boost the market and so on. Industry sees it more from the investment point of view. The Commission is building somehow bottom up, it’s a “push” approach. The industry sees it as a “pull” approach. Of course there is an investment need. We will do research as a consequence of that. Both approaches are interesting and I would say important. But there is a third point that is very, very important on education and training. We can research and we can stimulate the market, but if we don’t have the people, the citizens, but also the professionals that are using these solutions, we will not go very far. If there is something very important to push, it’s the education framing. It’s also dealt with by the Commission’s strategy but still in a very limited part. Because education still remains at member state level so the Commission can have little leverage on this point. But it’s really a big issue. They say 350,000 experts are needed in the next five years–it’s something like mission impossible. Not because of the investment to be made but because of the time and the fact that we have to raise the interest of students and decision makers in this area.

One point I’d like to underline is that we need to educate or raise the interest of students, and we are today losing 50% of our chances because there is still a very limited number of women interested in jobs in cybersecurity. The gender issue that is very high on the agenda in other areas is also important here.

The PPP also recommended that there should be a new EU cybersecurity fund. The Commission already proposed a kind of emergency fund for member states that have suffered hacking attacks. Why should there be another kind of cybersecurity fund?

The discussion is still going on, not only on certification but in many other areas, on how we support SMEs or the creation of a cybersecurity fund. Because the Commission was envisaging an emergency fund in its strategy, but this is something that is dedicated to public administration. The EU cybersecurity fund is more about investment. It’s the creation of a fund like we saw in the defence sector. They proposed the creation of a European defence fund or a European security fund, which is managed today by DG Home [the Commission’s department on home affairs]. So to have something more dedicated to investment that could be public, could be private, but more dedicated to cybersecurity to support SMEs, but to better support strategic investment in the market and to increase digital autonomy. This is important. Europe is still lacking certain strategic competences in the ICT sector in general and in cybersecurity in particular. This fund could really help the development of this competence in the future.

EU cybersecurity chief: Now is the time to discuss liability

There needs to be more discussion about liability for cybersecurity attacks, Steve Purser, director of operators at the EU cybersecurity agency ENISA, told EURACTIV.com in an interview.