Cybersecurity strategy
Now is the time for a fresh EU vision and plan for cybersecurity, for three reasons.
Firstly, more and more critical and essential services, as well as billions of additional everyday objects in the home and in manufacturing, are being connected to the Internet. Attacks that aim to exploit vulnerabilities in these products and services are proliferating in number and growing in complexity. The green and digital transformation is a top priority for the EU, and it can only succeed if security is integrated into all the planned investment; otherwise there will be no trust in the technology.
Secondly, cyberspace is the site of a geopolitical contest and the idea of an open global Internet and an international norm setting framework is constantly being challenged.
Finally, the pandemic has accelerated our dependence on these digital tools and services. Society and the economy will not revert to pre-lockdown norms. Major investments are needed in the field of cybersecurity, and to make sure that Europe is strategically autonomous in this regard, leading in the development of secure technologies across the whole digital supply chain.
The strategy describes how the EU can harness and strengthen all its tools and resources to be technologically sovereign and strategically autonomous. It also describes how the EU can step up its cooperation with partners around the world who share our values of democracy, the rule of law and human rights.
This strategic autonomy needs to be founded on the resilience of all connected services and products. All four cyber communities — those concerned with the internal market, law enforcement, diplomacy and defence — need to work more closely towards a shared awareness of threats. Moreover, they need to be ready to respond collectively when an attack materialises, so that the EU can be stronger than the sum of its parts.
A number of new strategic initiatives have been announced.
These include an EU-wide Cyber Shield composed of Security Operations Centres that use AI and machine learning to detect early signals of imminent cyberattacks and allow action to be taken before damage is done; a Joint Cyber Unit that will bring together all of the cybersecurity communities to share awareness of threats and respond collectively to incidents and threats; European solutions for strengthening Internet security globally, including a public EU domain name system resolver service; and regulation to ensure an Internet of Secure Things.
The strategy introduces more, and stronger, cyber dialogues with third countries and regional and international organisations, including NATO, a Program of Action in the United Nations to address international security in cyberspace and a stronger EU cyber diplomacy toolbox to prevent, deter and respond to cyberattacks.
There will also be an EU External Cyber Capacity Building Agenda and an EU interinstitutional Cyber Capacity Building Board to increase the effectiveness and efficiency of EU external cyber capacity building.
The EU needs an agile means for detecting and deflecting increasingly complex and frequent cyberattacks.
Currently, information sharing and analysis centres (ISACs) help stakeholders in industry and public authorities to exchange threat information. But we also need to constantly monitor networks and computer systems to detect intrusions and anomalies in real time.
Many private companies, public organisations and national authorities do this through security operations centres.
This is highly demanding and fast-paced work, which is why AI, and in particular machine learning techniques, can provide invaluable support to practitioners.
The Commission proposes to build a network of Security Operations Centres across the EU, and to support the improvement of existing centres and the establishment of new ones. It will support the training and skill development of staff operating these centres. This network will provide timely warnings on cybersecurity incidents to authorities and all interested stakeholders, including the Joint Cyber Unit, like a mesh of watchtowers.
Investments in the whole digital technology supply chain, contributing to the digital transition or to addressing the challenges resulting from it, should amount to at least 20% — equivalent to €134.5 billion — of the €672.5 billion Recovery and Resilience Facility consisting of grants and loans.
EU funding in the 2021-2027 Multiannual Financial Framework is envisaged for cybersecurity under the Digital Europe Programme. Meanwhile, funding for cybersecurity research is foreseen under Horizon Europe, with a special focus on support for SMEs. In total, this could amount to €2 billion, plus Member State and industry investment.
The European Defence Fund (EDF) will support European cyber defence solutions as part of the European defence technological and industrial base. Cybersecurity is included in external financial instruments to support our partners, notably the Neighbourhood, Development and International Cooperation Instrument.
The Joint Cyber Unit is a platform that will help to better protect the EU from the most serious cybersecurity attacks, especially cross-border ones. It is based on the concept that sharing information among relevant EU and national stakeholders can give a significant boost to the EU response to cybersecurity risks and threats, as per the call from the Commission President in her 2019 political guidelines. This applies especially across communities, such as defence, civilian, law enforcement and external action. So, the Joint Cyber Unit could help participants to acquire a common understanding of the threat landscape and help them to coordinate their response.
We need the Joint Cyber Unit for many reasons.
Firstly, the EU currently does not have spaces to facilitate a structured cooperation between Member States and all the relevant EU cybersecurity institutions, bodies and agencies.
Secondly, existing networks and communities need to tap into their full potential and step up information sharing, including with the private sector. This is something that does not happen enough today.
Thirdly, the Joint Cyber Unit would plug the gaps in, and give a boost to, the existing framework for cooperation between EU institutions, bodies and agencies and Member States' authorities in the event of major cross-border cyber incidents or threats.
Finally, the Unit would provide a space for the civilian, diplomatic, law enforcement and defence cybersecurity communities to work together. Moreover, it would give cybersecurity stakeholders, including the cybersecurity product vendors and third country partners, a focal point for sharing information about threats.
The Joint Cyber Unit would not be an additional, standalone body, nor would it affect the role and functions of existing authorities; it would help bring them together and tap into each other's expertise.
Setting up the Unit is envisaged in four steps:
1. defining and mapping available capabilities;
2. establishing a framework for structured cooperation and assistance;
3. implementing the framework;
4. expanding capacities, with input from industry and partners.
Building a common operational platform requires trust and the proper involvement of all the relevant participants. This cannot happen overnight and needs to be carefully defined and prepared before all the Unit's capabilities are rolled out. In addition, properly functioning mechanisms must first be created among EU institutional stakeholders, primarily Member States, before they can be expanded to private sector stakeholders.
In keeping with what has been done in the last months, between now and February the Commission will continue to consult with relevant stakeholders in order to identify the most appropriate process, milestones and timelines for achieving the Unit.
Every connected thing contains vulnerabilities that can be exploited and affect other services, networks or even entire economies.
Internal Market rules include safeguards against insecure products and services. Certification under the Cybersecurity Act aims to incentivise safe products and services without compromising on performance. The first Union Rolling Work Programme, to be adopted in the first quarter of 2021, will allow industry, national authorities and standardisation bodies to prepare for future European cybersecurity certification schemes.
However, we need an even more comprehensive approach. The Commission already plans to update rules under the Radio Equipment Directive. It will also consider new horizontal rules for all connected products and associated services, including a new duty of care for connected device manufacturers to address software vulnerabilities, requiring the continuation of software and security updates as well as ensuring the deletion of personal and other sensitive data at end of life. This would complement both the General Product Safety Regulation (which is to be updated in 2021 but does not address cybersecurity directly) and the ‘right to repair obsolete software’ initiative presented in the Circular Economy Action Plan.
If you want to access a resource, such as a webpage, under a particular domain name such as .eu or .com on the Internet, your request needs to be translated, or ‘resolved’, from the name of the site to a number: its numerical Internet Protocol (IP) address. A resolver service then refers the request to the Domain Name System (DNS) servers so you can access the webpage.
However, the basic structure of the Internet, as well as its core protocols and supporting infrastructure, is vulnerable to attack and disruption. This includes the Domain Name System (DNS).
Most EU businesses rely on a few public DNS resolvers operated by non-EU entities. If one of these resolver services is disrupted, it becomes much harder for EU authorities to deal with possible malicious cyberattacks and major geopolitical and technical incidents.
This is why the Commission encourages EU companies, Internet Service Providers and browser vendors to diversify their dependence on DNS resolution services. To assist them further, the Commission will support the development of a public European DNS resolver service.
‘DNS4EU’ will offer an alternative, European service for accessing the global Internet. It will be transparent, conform to the latest security, data protection and privacy by design and by default standards and rules, and form part of the European Industrial Alliance for Data and Cloud.
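Added example, not part of the Commission's text: a small Python check for the resolver concentration the strategy warns about. It reads a resolv.conf-style configuration and reports whether every configured resolver belongs to a single operator. The operator table and the sample configuration are constructed for illustration using RFC 5737 documentation addresses, not real operator ranges.

```python
import ipaddress
from collections import Counter

# Constructed, illustrative mapping of resolver prefixes to operators, using
# RFC 5737 documentation ranges. A real audit would use the operators' published ranges.
OPERATOR_PREFIXES = {
    "192.0.2.0/24": "public resolver operator A (non-EU)",
    "198.51.100.0/24": "public resolver operator B (non-EU)",
    "203.0.113.0/24": "local ISP resolver (EU)",
}

def classify_resolver(ip: str) -> str:
    """Map a resolver address to its operator label; unmatched addresses are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for prefix, operator in OPERATOR_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return operator
    return "unknown operator"

def parse_resolv_conf(text: str) -> list:
    """Return the nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing and whole-line comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def resolver_dependence(text: str) -> dict:
    """Summarise how many distinct operators the host's name resolution depends on."""
    servers = parse_resolv_conf(text)
    operators = Counter(classify_resolver(s) for s in servers)
    return {
        "resolvers": servers,
        "operators": dict(operators),
        # True when a single operator outage would stop all resolution on this host
        "single_operator_dependence": len(operators) == 1,
    }

# Constructed sample: both resolvers sit in one operator's range
SAMPLE_RESOLV_CONF = """# constructed example configuration
nameserver 192.0.2.53
nameserver 192.0.2.54  # secondary, but same operator
"""

if __name__ == "__main__":
    print(resolver_dependence(SAMPLE_RESOLV_CONF))
```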