Cyber security: painting the threatscape facing Europe
How can Europe keep up with global technology advances and mitigate cybersecurity risks? EU Network and Information Security head Udo Helmbrecht gives his insight.
In spring 2013 the revelations of Edward Snowden, a contractor of the US National Security Agency, sent shock waves through Member States. Europeans became familiar with the word ‘cybersecurity’. We met the man responsible for achieving a high and effective level of network and information security within the EU. His work is considered essential for ensuring prosperity and keeping the online economy running.
Udo Helmbrecht, hello and welcome to the Parliament. You're the executive director of ENISA, the European Agency for Network and Information Security. Now if there's a need for such an agency, it means there's probably a threat. Is Europe prepared, and how prepared is it?
We are prepared in certain areas but honestly, in other areas we still have a long way to go. For example, we have exercises with the Member States. We have a good network of computer emergency response teams.
This means that on a technical level we are prepared, we can talk to telecommunications organisations. But if you look at the political level, we have currently the NIS directive, and the trialogue with the Parliament, the Commission and the Council, and this shows that there is still a long way to go.
You mentioned telecommunications. They are supposed to report the problems they've encountered. Do other companies, specialised on the internet, have to report - Facebook, or companies like Cisco, do they have to report problems? How do you deal with it?
The answer is strictly no.
I think if you look back, it started in 2009 when the Commission launched a communication on critical infrastructure protection, which means we are talking about the area of the resilience, robustness of the internet. Therefore you have the telecommunication framework, a regulation where there is an article that telcos have to report, but in the other areas you can say that everyone can still do what they want.
If it's possible to listen to Chancellor Angela Merkel speaking on her telephone, I suppose it's even easier to get into a company's server and steal very important information. Is the threat real?
You know from the Snowden revelations that the threat is real, otherwise it would not have been published and discussed.
I think it's as you said at the beginning, Europe became aware of the problem - but we still have no solution. So I think one point is that we are dependent on information technologies, but there are a lot of US or Chinese companies delivering the core components. There are a lot of small and medium sized companies in Europe, which are working in the IT security area, but there aren't really big players. There are a couple of big companies, but if you look for example at Nokia, the mobile division is now with Microsoft so no mobiles are produced in Europe anymore.
You mentioned Cisco before. For a while Cisco was a market leader. The problem is that in the last decade Europe was focusing on competition, competition, competition. And on a political level the people didn't care that core technologies went outside Europe. So I think we need a policy initiative for having more core competences and companies in Europe.
There are about 28 different cybersecurity policies in Europe, is there a European cybersecurity strategy?
We have one. The positive thing is that the politicians have understood there is an issue.
And as I mentioned, with the NIS directive or the data protection regulation there are a couple of initiatives, so hopefully with these initiatives we can then go a step further.
Last question, business. Europe talks about the digital agenda being the solution to getting out of the crisis, that this will be the economy of the future. How safe is Europe today and how ready is Europe today to develop a real digital agenda?
The problem, when I give such interviews, is that I don't want to panic.
But I think if you look at this, there is one big challenge that people are not aware of. In many cases we are crossing from the analogue world to the digital world, and those people in the analogue world don't have the digital-world skillsets. This means that if you look into smart meters for electricity meters in households, who really ensures that it is secure? If you have power-steering, people talk about safety, but the question for the future is who is really talking about IT security? I think that not enough people and engineers are thinking about IT security.
Udo Helmbrecht, thanks a lot for this interview.
Thanks a lot.