Cyber-attacks are bigger, bolder and more global than ever before.  As the world continues to go online (Google expects everyone in the world to have internet access by 2020) the “attack surface” continues to expand:
  • The biggest bank robberies are now digital (e.g. the recent $81 million cyber heist in Bangladesh);
  • Potentially greater harm can be inflicted thousands of miles away to physical infrastructure (e.g. the Shamoon virus in the Oil and Gas industry);
  • State sponsored cyber-weapons are now a very real threat to our various blends of Liberal Democracy – from espionage (e.g. Russian hacks into the Democratic Party computer system) to the digital age equivalent of a missile strike (e.g. Estonia DDoS and Stuxnet).
October was the month for Cyber Security Awareness in Europe. Educating citizens to be smarter on the net (e.g. change passwords, avoid infected sites and downloads etc.) remains very important to combatting these threats. However, at many of these Cyber Security Awareness programs, experts alarmingly share their concerns – first, many citizens are not heeding simple and effective cyber-hygiene guidance. Secondly, we are edging ever closer to our “September 10” moment in terms of being hours away from a devastating cyber-security event. And, thirdly, they do not want European politicians telling them how to fight this battle.

The EU thus appears to be confronted with yet another conundrum: Europe’s Digital Single Market is only going to be workable if secure. Yet, our law making process is still largely rooted in the analogue world whilst our growing need for international cybersecurity co-operation is threatened by populism at the ballot box.

As part of Cyber Security Awareness month, this article provides a short overview of the trajectory of cybersecurity public policy and, quite possibly – in this BREXIT period – an indication of a longer-term EU model.

Europe has long supported global standardization solutions to achieve public policy goals. The GSMA standard catapulted Nokia into a global mobile phone success story. IT hardware policy solutions via so-called “New Approach” directives continue to be an effective means to provide Europeans with safe devices via a set of largely global standards. Likewise, the EU has welcomed cyber-security experts following the same example to facilitate cyber-security adoption by Europe’s 23 million small businesses (e.g. ISO/IEC 27000 series). The EU has followed up with light-touch initiatives to bake these standards into well understood and accepted requirements which fast-track adoption of digital solutions.
For example, voluntary Codes of Conduct – such as m-Health and the imminent (at time of printing) Cloud Code of Conduct – include these same global cyber-security standards.

The EU’s Network Information Security (NIS) directive aims to further harness this community of expertise. This directive allows vastly different Member States a multi-speed implementation in keeping with their technical starting point. The directive introduces a Member State co-operation process which is expected to increasingly become a forum which plugs into existing technical expertise and relationships between, say, cybersecurity providers, critical infrastructure companies and Computer Emergency Response Teams (CERTs) around threat landscape information, access to state of the art technology and trends.

The much awaited Public Private Partnerships (PPPs) complement the NIS’ focus on healthcare, energy and transport plus other areas of interest such as industrial controls, finance and e-government. Despite its goal to “better equip Europe against cyber-attacks and to strengthen the competitiveness of its cybersecurity sector”, EU officials are quick to point out that it is accessible to any company regardless of parentage. That said, Sir Julian King (the UK’s European Commissioner) recently hinted at an update to the EU’s 2013 Cybersecurity Strategy, in which he may seek to further clarify third country access.

The importance of global partnerships to tackle a global problem is key – especially with long standing allies. Regardless of what happens in the November Presidential elections, a strengthening of existing EU-US cybersecurity activities around mutual recognition and access is important. Perhaps it bodes well that the United States also organizes its cyber-security awareness month in October...?

In conclusion, the EU has embarked on a slightly different trajectory to address this important public policy objective for its citizens.
There is still some way to go and, admittedly, there are teething issues in remolding long-standing legal process and culture to meet an ever-changing and complex challenge. Similar to pollution, cyber-attacks are a borderless threat which surely requires the pooling of political, economic and societal resources. This reality inevitably bolsters the EU case to co-ordinate and/or lead a set of strategic imperatives to improve Europe’s cyber security. The key to success, though, is for the EU to drive the ‘END’ goal of Digitizing core European Industries but leave the technical ‘MEANS’ up to existing communities of experts along with a transparent NIS co-operation group and open PPPs.

Indeed, if done properly, there is nothing to stop a set of early deliverables within Europe’s core industries (i.e. automotive, chemicals, pharma, industrial tools etc.) which would provide a timely and compelling reminder to those going to the polls next year in Germany, France and the Netherlands. Even the UK – clamoring for “more control” – might cede the point that some things are better done at a European level, which can speak as an equal with other great powers in the world.

About the author: James Lovegrove is the senior director of APCO Worldwide in Brussels.

The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.