New EU cybersecurity centres slated to research encryption

The European Commission is expected to propose creating a new network of cybersecurity centres in 2018. National governments want the centres to research encryption technologies. [Eduardo Woo/Flickr]

EU member states are expected to agree Monday (20 November) on a plan to set up new cybersecurity research centres that will focus partly on encryption technologies.

Ministers from EU countries want the network of cybersecurity centres to research different encryption methods as a way of building consumer trust in technology products.

The EU affairs ministers are expected to sign off on a set of cybersecurity measures at a meeting in Brussels on Monday.

In a sign of the bloc’s recent push to increase its work on encryption, one EU source said the emphasis on security technologies in draft conclusions from the meeting reflects a “new avenue of work for member states”.

The European Commission announced in September that it may create a new network of cybersecurity centres as part of a broad overhaul of the bloc’s measures to defend companies and government offices against hackers.

The EU executive will share a detailed assessment of its plan to create the new centres by mid-2018, and will follow with a separate legislative proposal.

Discussions on Monday are not expected to specify how many cybersecurity centres should be created as part of the network.

Brussels promises more police access to encrypted data, but no backdoors

The European Commission insisted that it does not want to weaken encryption as part of its latest push to give law enforcement authorities more access to private data.

The European Parliament and member states must negotiate and approve the upcoming proposal to set up the new cybersecurity centres. As a short-term test of the plan, the Commission proposed in September to create a pilot research centre with €50 million in funding.

The EU source said the centres could assess encryption standards, similarly to how authorities in some member states already test products.

“By having that we have more clarity about what is good, what is bad, what is going to be aging,” the official said.

That could result in consumers using encryption technology more if it has been vetted by EU researchers.

Juncker announces massive cyber security overhaul

The European Commission will add funds and new powers for the EU cyber security agency and introduce a range of measures to limit threats from hackers, Commission President Jean-Claude Juncker announced in his annual state of the union speech on Wednesday (13 September).

Member states have been “very clear” that they want the new centres to carry out the encryption research because they “don’t want to give this task away to any European institution”, the source added.

The Commission and diplomats from national governments have not indicated where cybersecurity centres in the network might be located, or if they will be spread across different parts of the bloc.

Cybersecurity issues are a sensitive area for national governments, and many are wary of sharing information about their own vulnerabilities with other EU countries.

The Commission announced in September that it also wants the centres to work on encryption.

EU countries have pressured the Commission to coordinate the bloc’s approach to encryption. Politicians in some countries, and notably outspoken ministers in France and Germany, have called for so-called backdoors in recent years, or weaknesses that are built into technology to give police access to data. Security researchers say that backdoors also weaken software and make it more vulnerable to hackers.

Last month, the Commission announced that it will not create legislation mandating encryption backdoors. Instead, the executive hopes to satisfy member states by giving more money to Europol, the EU police agency, to develop methods to crack through encryption. The executive also said it will create a network to help member states’ law enforcement authorities communicate about techniques to access encrypted data for investigations.

Technology companies have warned against any measures that could weaken encryption.

For some in the tech industry, the plan to carry out research on security technologies is a signal that EU legislators may now be shifting to encourage companies to use better encryption.

“The idea of more research, more focus, more spending of money on encryption is extremely important to protect our digital economy and the infrastructures that are dependent on strong encryption, be it banks, transport or government,” said Thomas Boué, director of policy for Europe, Middle East and Africa at the Business Software Alliance, a lobby group representing companies including Apple, Microsoft and Siemens.

Boué said researchers should coordinate with private companies and not impose any encryption techniques on the tech sector.

In its September announcements, the Commission said it wants the new cybersecurity centres to also work on other areas of technology research, including artificial intelligence, blockchain and digital identities.

According to the Commission’s plans, the centres would coordinate with other EU offices, including the Athens-based EU cybersecurity agency ENISA and Europol.

Ansip plans new EU cybersecurity centre

EU digital chief Andrus Ansip wants to set up a new office to certify the cybersecurity level of technology products — which would make them more competitive globally — as part of an overhaul of the bloc’s rules in September.