‘Political need’ for 5G cybersecurity certification, ENISA head says

Juhan Lepassaar. [ENISA]

This article is part of our special report Striking a balance: IT infrastructure and digital sovereignty.

Having recently taken up his seat at the helm of the EU’s cybersecurity table, new ENISA chief Juhan Lepassaar has a number of pressing challenges to contend with over the next few years, including the security of 5G networks, consumer protection in the digital world, and the digital robustness of our everyday products and services in the EU.

Juhan Lepassaar is the executive director of the EU Agency for Cybersecurity (ENISA). He spoke to EURACTIV’s Alexandra Brzozowski.

Following on from the Commission’s publication on the EU’s coordinated risk assessment of 5G networks, it’s clear that there are concerns and risks on the horizon. But in their national risk assessments, surely various member states had different concerns? Have we not seen a fracturing in the approach to 5G cybersecurity on the bloc?

Well, countries are in different situations when it comes to the rollout of 5G, when it comes to the vendors that they use, when it comes to the set-up and architecture of their current systems. Clearly there is no single way of approaching it. Yes, the national risk assessments are different, but there is also an element of commonality in all of them, and this is what the EU risk assessment actually reflects: these elements of commonality.

Let’s talk about the scope of the recently adopted cybersecurity certification framework. What is ENISA doing here to help the European Commission devise the scope of it, and what sorts of products and services are likely to be covered?

Maybe firstly a few words about what the certification means. It is a framework that enables companies to assess whether the products and services they put on the market are cyber secure. In reality, you could have different types of certification: you can self-certify, which means that you have a number of open common criteria on the basis of your own benchmarks, or you could have higher levels of certification, which means that outside parties, third parties, and impartial parties will essentially audit whether your self-certification has been merited. The EU does not at this moment in time have an EU-wide certification framework. We are in the course of developing it. The EU framework is voluntary, which means the take-up depends very much on the stakeholders.

Certification for 5G equipment will probably come, because it looks like there is a political need for this, but we need to really establish the rolling work programme for certification in order to shed light on this.

What are ENISA’s priorities for the next five years and what do you see as the biggest threats coming up?

If you read the ENISA threat landscape report, what it highlights is that the biggest threats haven’t changed and the biggest threat is really ‘cyber hygiene’ – the state of health in terms of awareness and practice in businesses with regards to priorities related to cybersecurity. The other problem that the landscape report clearly identifies is the lack of skills and capacities to deal with these issues.

One of the big striking features is also that cybersecurity is no longer a domain that is just reserved for, say, IT security-minded people. It is becoming ever prevalent in all different policy domains and sectors and this has been exemplified by the debate around cybersecurity in the European Parliament hearings. It’s not only the Commissioner responsible for the digital economy who is asked questions about cybersecurity but also the Commissioner responsible for democracy and rule of law. It is an area that touches upon every sector.

In this ever more complex environment, what ENISA needs to do is to facilitate the cooperation between different stakeholders and member states. We need to make sure that ENISA acts as a good mechanic to keep the cybersecurity chain well-oiled.

On the Commission’s proposal for EU cybersecurity competence centres – which is currently going through the interinstitutional negotiation stage – could you explain what the chain of command would be?

It is envisioned that the research and innovation work currently done in the EU will be undertaken in the cybersecurity competence centres, in addition to recognising how we can better build synergies between the different research networks that already exist and channel the money better, so that we get, let’s say, more added value when it comes to cybersecurity.

There are pressing issues to do with quantum encryption, blockchain, and cybersecurity authentication that research needs to explore further. Those are precisely the jobs that would be under the remit of the competence centre network if the co-legislators agree to set it up. It’s still early in the process of discussion.

The competence centres would be a valuable ally for ENISA to build up the capacities and expertise that Europe needs when it comes to operational issues. That’s very much in the hands of the member states.

You are Estonian. What are some of the best examples from your country in terms of digital and cybersecurity that you would like to bring to the EU stage?

There are great projects in every member state that can be singled out. That’s very good because that exemplifies this strength of cybersecurity across Europe. We have so much knowledge but also such a variety in the different understanding of how things can be done.

From my own country, I think there are three issues I would like to single out. Firstly, I think it’s the public awareness of cyber threats and cyber manipulation which is impressive – it’s relatively high due to our empirical experience.

The second point is that it’s quite natural for small systems to be in close cooperation with one another, and sometimes there’s even informal cooperation between the private and public sectors. I think that is something that we should also look at at EU level, for example when we look at the NIS directive.

The governance structure nevertheless is very centred on the public sector. And there are good reasons for that, but I think there are ways in which we can cooperate more with the private sector. I’m very glad that actually this has already happened within the framework of the current NIS directive. And I hope that this can be strengthened, because it’s necessary for the private sector, which is often the first line of defence.

Finally, I think that my native country also shows that embracing a digital future does not necessarily come with the caveat of lowering cybersecurity standards, rather the contrary. So you can have both the opportunities and at the same time also mitigate the risks if done properly. And of course, that doesn’t mean that accidents don’t happen or that you don’t have security loopholes. You do, that happens with every new step, but you also have risks when you walk out of your home every day. This is very important. So I hope that this is something that other member states may be able to learn from Estonia.

[Edited by Samuel Stolton]