The EU cybersecurity agency ENISA will receive a makeover in September when the European Commission renews its mandate amid a whirlwind of new cybersecurity measures. The director of the Athens-based agency has been requesting a larger budget to deal with the rise in attacks on internet-connected devices.
“It would be good to have seven days a week, 24 hour resources here,” ENISA director Udo Helmbrecht said in an interview.
Helmbrecht called the EU response to the WannaCry ransomware hack, which affected thousands of people over a week ago, the first example of collaboration by authorities across the EU. National experts shared information and put out warnings to internet users over the weekend, he said.
The directive on security of network and information systems, an EU cybersecurity law that was passed last year, requires cybersecurity authorities in every EU country to share information on attacks. ENISA helps put smaller member states in touch with bigger countries—often with better resourced cybersecurity offices—that can share what they know.
“You have a technical community in Europe…[and] this community is working, that’s the message,” Helmbrecht said.
A decade after the 2007 attacks which overwhelmed websites in Estonia, there is still no procedure for how European authorities should deal with a cybersecurity crisis, according to Helmbrecht. It’s a situation ENISA wants to change.
“We have to be more agile and flexible for the future,” he said. With only 84 employees and an annual budget of €11 million, ENISA has been pushing for a larger budget for years; Helmbrecht unsuccessfully requested an additional €5 million from the Commission in 2017.
Helmbrecht is aware of the resources required to adequately address potential and existing threats: he was formerly the head of Germany’s cybersecurity agency BSI, which now has more than 600 employees.
“If you talk about the cybersecurity strategy, this is something where you also talk about priorities. You say everything goes digital and ICT is the backbone of our society. If a politician says this, then a politician also has to do it,” he said.
ENISA’s budget struggles are linked to its limited role with no say on legislation. The agency’s role is limited to only providing advice and research, and organising exercises where national authorities show each other how they respond to emergency attacks.
Andrus Ansip, the Commission Vice-President in charge of EU technology policies, visited ENISA’s Athens headquarters two weeks ago, after announcing in Brussels that he will present the agency’s new legal mandate and a slew of cybersecurity policies in September.
Helmbrecht praised Ansip’s support for the agency. “There is a good chance that with this new ENISA mandate, we can be stronger,” he said.
“If the world is getting like this, you might need more” than just a soft approach on cybersecurity, he said.
Ansip confirmed two weeks ago (10 May) that his September proposals might include measures on certification and labeling to verify how secure technology products are.
It’s an issue that Helmbrecht has advocated for. He even pushes for further discussion on how liability rules might be altered to deal with cybersecurity attacks.
“You have in other areas like cars and planes, regulation of quality management and type approval,” he said.
“Everyone who has a garage company can put their [software] product on the market and there are no controls. We have to change that and put a bit more pressure on it,” he said.
One option could be to require companies to provide a software fix for security problems. If firms don’t create them, they should perhaps be held liable for the outcomes of attacks, Helmbrecht suggested. “We need something as a customer that says who is responsible and who is liable.”
The Commission has promoted labeling as a means for companies to leverage their security guarantees as a marketing tool. Labels “would ultimately help the EU lead in establishing global IT security certification policies and boost the competitiveness of EU industry in European and global markets,” according to an explanatory document from the Commission.
But tech companies have rejected the plan, arguing it will hurt some firms’ business if consumers can see how their security features rank against other companies’.
After Ansip’s announcement about his plans to possibly introduce a labeling system – the Commission is still assessing whether it will or not – tech association DigitalEurope, which represents Google, Microsoft and other companies, spoke out against the proposal.
“Rather than promoting security certification and labeling,” the lobby group said the Commission “would be better investing in additional resources for ENISA, as well as encouraging public-private partnerships to develop industry-led solutions and standards.”
The Commission launched a €450 million public-private partnership last year to invest in cybersecurity with tech companies and public authorities. Helmbrecht said the programme has attracted almost €2 billion and needs to keep gaining momentum to broaden the market for secure technologies.
“We have small and medium companies but we don’t get this growth. We don’t want talents to go to Asia or to the US, and we don’t want to have small European companies be bought by Americans. We have to have growth in Europe,…[and] when it runs, nobody can stop it again,” he said.