The EU cybersecurity agency ENISA wants to open its first Brussels office by mid-2019 to manage major crises around the clock.
As cybersecurity threats grow and threaten to knock out businesses, government offices and infrastructure like energy grids or hospitals, ENISA is pushing to move a handful of experts from its Athens office to staff up a 24/7 crisis centre in Brussels.
The move would start off small with a staff of around 5 by spring 2019, ENISA director Udo Helmbrecht said in an interview. But the change would mark a major shift for the small agency, which currently has 84 employees in Greece and an annual budget of €11 million.
Telecoms ministers from EU countries are expected to sign off on draft legislation that would increase ENISA’s budget and size during a meeting on Friday (8 June) in Luxembourg.
The agency has struggled for years to convince lawmakers that it needs more money, but Helmbrecht said there is added pressure because of the recent surge in large-scale cybersecurity incidents like last year’s WannaCry and NotPetya attacks.
On top of more money and staff, the cybersecurity bill would give ENISA a Brussels office that it will share with CERT-EU, the unit in charge of responding to cybersecurity attacks on the EU institutions.
“In the long term we need it to be 24/7, that’s clear. How fast we get it depends on resources,” Helmbrecht said.
After Friday’s agreement between ministers, the legislation must still go through three-way negotiations between national diplomats, MEPs and the European Commission. Helmbrecht said he expects it could be finalised by the end of this year.
ENISA does not currently have staff working around the clock, which Helmbrecht said makes it harder to react to big attacks. Only a handful of national cybersecurity agencies have experts on call 24/7.
Helmbrecht said that although the draft legislation will give the agency more power and require national cybersecurity agencies to cooperate more, there is still no formalised system on the EU level that outlines how ENISA and other authorities should respond to hacking crises that affect more than one country in the bloc.
“It’s not rocket science, it’s just structuring the things we’re doing, seeing what we have from classic crisis management and see how it works here,” he said.
Experts from all 28 EU countries’ cybersecurity agencies competed this week in a two-day ENISA-led simulation of an attack on airports.
Helmbrecht said the stress test could serve as a fresh reminder to national governments of the “cascade effect” of major cybersecurity crises like the WannaCry attack, which hit multiple European countries over the course of four days in May 2017. He hopes the competition could strengthen the agency’s bid to negotiate for a 24/7 crisis centre in Brussels.
ENISA does not publish rankings of how member states measured up in the exercise.