Draft EU legislation poses a threat to member states that already have sophisticated cybersecurity tests, like France and Germany, the director of France’s cybersecurity agency warned in an interview with EURACTIV.
France and Germany could be forced to “step back into the past” if a proposed EU cybersecurity bill is approved in its current form, warned Guillaume Poupard, director of the French agency ANSSI.
France and Germany are the most outspoken critics of a European Commission proposal from last year to reform the bloc’s cybersecurity rules.
The two countries are particularly wary of one measure that suggests creating a system to certify the cybersecurity level of technology products. The Commission’s proposal would give the Athens-based EU agency ENISA new powers to oversee the certification levels in that system.
Poupard and Arne Schönbohm, his counterpart heading Germany’s cybersecurity agency BSI, argue that ENISA should take a backseat because it does not have the experience or manpower to take on the new role. Instead, they want member states to lead the discussions.
ANSSI, along with BSI, is one of Europe’s largest authorities in charge of preventing cybersecurity breaches and responding when hackers target companies or government offices.
ENISA dwarfed by French and German agencies
The European Commission wants to give ENISA more money and employees – but even with that upgrade, it would still be dwarfed by the larger French and German agencies.
“We know how to do it, we have experience, we’ve been developing it for 20 years,” Poupard said of France’s own certification system.
“We want a system at the European level but it should not try to make European member states no longer be major actors,” he added.
If ENISA’s steering of the new system fails, it will mean dragged-out legislative talks were useless, and potentially flimsy certification criteria could weaken the cybersecurity industry in all EU member states – not only France and Germany’s, according to Poupard.
“For Europe, it is a very important loss of time,” he said.
“Everything goes very fast, the attackers are very efficient. If we lose five years now, it’s an eternity.”
The Commission’s proposal from last September was planned before the massive WannaCry and NotPetya attacks crippled companies across Europe in May-June 2017. But the EU executive has made a point of highlighting the incidents as reason to push through new legal safeguards.
Under the draft legislation, ENISA would need to consult companies and member states before setting criteria for the certification system. After ENISA approves different security levels, national diplomats will need to vote on each one in a fast-track legislative procedure known as an implementing act.
“We are convinced that it will fail”
But that still gives ENISA too much sway over the system, according to the French and German agency chiefs.
“We are convinced that it will fail,” Poupard said, adding: “We were not very happy with what was proposed just because it doesn’t answer all the questions and it is much less efficient.”
The Commission argues that France and Germany’s push against ENISA’s oversight over the new system would only slow down the shift towards creating cybersecurity certification that’s valid across the EU.
France and Germany want member states to have an additional layer of control to approve certificates before ENISA signs off on them.
Giving member states that kind of influence “may have a consequence of time”, Despina Spanou, one of the top Commission officials in charge of the legislation, told lawmakers in the European Parliament’s Industry Committee (ITRE) on Monday (23 April).
More member state involvement could drag out the approval of certification criteria by “an additional year, which is something that would delay the schemes,” Spanou said.
In the European Parliament, MEPs’ debates over the bill have focused on whether companies should be required to certify their products before they can go on sale. The Commission’s proposal suggests only voluntary certification.
Poupard wants the legislation to require certification for products that can pose serious safety threats, like digital health technologies and internet-connected cars.
But he said that he agrees with the main idea behind the Commission’s proposal: that cybersecurity certification should be EU-wide to save companies money. The Commission’s proposal referred to expensive application processes for certification in some countries as one reason for the new legislation.
“We need something really Europe-wide,” Poupard said.
He insisted that the system should be more than just an agreement between member states to recognise each other’s national certification. Instead, their agencies need to actually share the same criteria to define security levels. It would be “a kind of nightmare” if some countries approve weak safeguards for products before they are sold in other member states, Poupard said.
ANSSI has recently branched out to work on emerging technologies, in line with French President Emmanuel Macron’s expanding policy agenda in areas like artificial intelligence. Last month, Macron announced that France will pump €1.5 billion in public research funding into the new technology by 2022.
French plan to develop a secure messaging app
Poupard is a member of JEDI, or Joint European Disruption Initiative, another Macron initiative for French and German experts to develop cutting-edge technology research.
He described a new French government plan to develop a secure messaging app as an important upgrade because American and Asian services are likely to store data outside of Europe.
Last week, France’s digital ministry announced that it is developing a secure messaging app for government employees to use instead of Facebook-owned WhatsApp.
Poupard said that there is now more public interest in secure technologies after news broke last month that more than 87 million Facebook users’ data was processed without their knowledge by political consultancy Cambridge Analytica. The scandal helped “people understand more and more the necessity to protect data”, according to the cybersecurity chief.
“The place where it makes sense to store data, where it has economical sense, ethical sense, legal sense, is clearly Europe,” he said.
That matches up with the goals of JEDI and France and the European Commission’s plans to invest in home-grown technologies that can compete with American tech giants.
“We must work on, not the sovereignty or use of data, but mostly in Europe we must develop our digital autonomy,” Poupard said.
France came out with its own strategy on artificial intelligence before most other European countries. On Wednesday (24 April), the Commission will announce its funding programme in artificial intelligence, part of a bid to help European companies catch up with Asian and American firms.