Cybersecurity agency hopes for 24/7 crisis response centre in Brussels

The EU cybersecurity agency ENISA hopes to set up a small emergency response office in Brussels that can have experts on call 24/7. [EPA/ROB ENGELAAR]

The EU cybersecurity agency ENISA wants to open its first Brussels office by mid-2019 to manage major crises around the clock.

As cybersecurity threats grow and threaten to knock out businesses, government offices and infrastructure like energy grids or hospitals, ENISA is pushing to move a handful of experts from its Athens office to staff up a 24/7 crisis centre in Brussels.

The move would start off small with a staff of around 5 by spring 2019, ENISA director Udo Helmbrecht said in an interview. But the change would mark a major shift for the small agency, which currently has 84 employees in Greece and an annual budget of €11 million.

Telecoms ministers from EU countries are expected to sign off on draft legislation that would increase ENISA’s budget and size during a meeting on Friday (8 June) in Luxembourg.

The agency has struggled for years to convince lawmakers that it needs more money, but Helmbrecht said there is added pressure because of the recent surge in large-scale cybersecurity incidents like last year’s WannaCry and NotPetya attacks.

On top of more money and staff, the cybersecurity bill would give ENISA a Brussels office that it will share with CERT-EU, the unit in charge of responding to cybersecurity attacks on the EU institutions.

“In the long term we need it to be 24/7, that’s clear. How fast we get it depends on resources,” Helmbrecht said.

EU cybersecurity agency seeks funds and power to police attacks

The EU cybersecurity agency ENISA will get a makeover in September when the European Commission renews its mandate and presents a batch of new cybersecurity measures. The director of the Athens-based agency has been asking for a bigger budget to deal with the rise in attacks on internet-connected devices.

After Friday’s agreement between ministers, the legislation must still go through three-way negotiations between national diplomats, MEPs and the European Commission. Helmbrecht said he expects it could be finalised by the end of this year.

ENISA does not currently have staff working around the clock, which Helmbrecht said makes it harder to react to big attacks. Only a handful of national cybersecurity agencies have experts on call 24/7.

Helmbrecht said that although the draft legislation will give the agency more power and require national cybersecurity agencies to cooperate more, there is still no formalised system on the EU level that outlines how ENISA and other authorities should respond to hacking crises that affect more than one country in the bloc.

“It’s not rocket science, it’s just structuring the things we’re doing, seeing what we have from classic crisis management and see how it works here,” he said.

Experts from all 28 EU countries’ cybersecurity agencies competed this week in a two-day ENISA-led simulation of an attack on airports.

Helmbrecht said the stress test could serve as a fresh reminder to national governments of the “cascade effect” of major cybersecurity crises like the WannaCry attack, which hit multiple European countries over the course of four days in May 2017. He hopes the competition could strengthen the agency’s bid to negotiate for a 24/7 crisis centre in Brussels.

ENISA does not publish rankings of how member states measured up in the exercise.

National governments reach breakthrough deal on voluntary cybersecurity certification

Diplomats reached a compromise on new cybersecurity rules more quickly and with less controversy than many observers close to the file had expected.

Subscribe to our newsletters

Subscribe