The EU takes cybersecurity seriously. And with cause. Cyber crime is rife, ransomware big business, and state actors increasingly resort to cyber interference to promote their interests and weaken adversaries.
Sir Julian King was the European Commissioner for the Security Union until 2020, and is a fellow at the Oxford Internet Institute and the Royal United Services Institute RUSI.
But cybersecurity doesn’t exist in a vacuum. It needs to be integrated into wider policies, on investment, on building industrial and societal resilience, and on how we regulate the digital and data space.
In the last Commission, working with Andrus Ansip and others, we took important steps to buttress the digital single market by reinforcing cybersecurity and data protection; tackling illegal abuse, protecting critical digital infrastructure, and strengthening the digital networks, from 5G to IoT devices, which increasingly constitute the plumbing of our interconnected lives.
This Commission have taken this work further, recognising the challenge. Cyber crime has grown massively in the last few years, now costing the global economy hundreds of billions of euros every year. The threat can touch all of us, through fraud, malware that spreads through our phones, like the fake parcel delivery tracker Flubot last year, and the many COVID scams. And Russia is showing, again, in Ukraine that hostile state actors won’t hesitate to exploit vulnerabilities. The threat in 2022 is fast developing and hard to match. An equally dynamic and intense response is required.
So, the Commission are absolutely right to update the EU’s cybersecurity strategy, to strengthen ENISA, the EU’s cybersecurity agency, to extend and reinforce network security requirements for critical infrastructure, including in financial services, health, and public administration. And to work with suppliers and the industry to develop higher standards and further secure the connected devices we use every day.
The EU, Commission and Member States, have shown that they take cybersecurity seriously as they set the budgets for the coming years, making it a clear priority in research and development, in key tech projects like cloud and new generation computing, and, more generally, as they invest in rebuilding post Covid, including through the Next Generation funding.
The same kind of focus on security, the same kind of care and attention needs to be taken as we regulate the digital and data space.
The EU is coming forward with groundbreaking new regulations, in the Digital Markets Act and the Digital Services Act, designed to promote competition and crack down on illegal practices and content online, and with a series of other proposals on the use and transmission of the increasing amounts of data we all generate. These new regulations will set the rules across the EU, for doing business in and with the EU, effectively setting out the protections individuals and businesses can rely upon. And because of the size and value of the EU market, they will have a significant impact beyond the EU too.
They have been carefully crafted and widely debated. But compared for example to the discussions on the competition aspects, there’s been relatively little focus on the security and cybersecurity implications.
There will be security implications, inevitably, as you set out new rules and practices on this scale. The fact that there is a, potentially important, security dimension has been recognised in some of the amendments introduced to the legislation, allowing platforms and others to take “proportionate” action to avoid introducing new security vulnerabilities. But how that is meant to work in practice remains unclear.
Some years ago, when the Commission was reforming the way messaging services work, there were some concerns raised about security and privacy implications. The Commission, sensibly in my view, tasked the experts in the security of electronic communications to review the proposals.
As these new regulations are finalised, and we prepare to implement them, it would be equally sensible to get advice on how best to manage the security implications from the experts. There’s real expertise, at the cybersecurity agency and in the various Member States. Indeed, the Commission recently brought all the Member State cybersecurity experts together to advise on how best to secure the EU’s 5G networks. So, it’s been done before.
Cybersecurity matters. The EU, rightly, recognises that. And has acted accordingly in the past. It should do so again as it regulates for the future.