On November 10, 2022, the European Parliament adopted new legislation to strengthen EU-wide cyber resilience. The goal is to push member states to comply with stricter monitoring, risk management, and enforcement measures (including reporting and information sharing), and to align their sanctions. Among other provisions, these requirements cover incident response, supply chain security, encryption, and vulnerability disclosure.
On November 23, a few hours after the European Parliament recognized “the Russian Federation as a state sponsor of terrorism”, a DDoS attack claimed by Killnet and Anonymous Russia paralyzed its official website. This shows that the European institutions are not immune to cyber threats.
Entities are increasingly under threat
In its latest quarterly report, CERT-EU said it recorded 186 attacks against European entities. “We issued 35 threat alerts to warn of malicious activity detected in their vicinity. In 63 percent of the cases, the malicious activity was cyber espionage in nature. The government, diplomatic, and defense sectors remain the most targeted. 51% of the attacks exploited spear-phishing for initial access and 20% exploited vulnerabilities (zero-day or n-days),” the report’s authors detailed.
Despite legislation and CERT interventions, cyber breaches in the coming years will be more diverse, complex, and sophisticated, warned Juhan Lepassaar. At the Cybersecurity Week Luxembourg 2022 (CSWL2022) in September 2022, the head of ENISA unveiled the top ten cybersecurity threats likely to emerge by 2030, according to a study conducted between March and August 2022 by its services.
The top three risks identified include compromised software dependencies in the supply chain, advanced disinformation campaigns, and the rise of authoritarian digital surveillance and loss of privacy.
“The identified and ranked threats are extremely diverse and still include those that are most relevant today, such as ransomware and DDoS. It is our responsibility to take every possible step up front to ensure we increase our resilience over time, and to improve the overall cybersecurity landscape in 2030 and beyond,” said Juhan Lepassaar.
Against this backdrop, are the EU institutions, bodies and agencies (EUIBAs) sufficiently prepared? In March 2022, the European Court of Auditors (ECA) published the results of an audit to determine whether they, as a whole, had made adequate provisions to protect themselves against cyber threats. The EU’s financial regulator is indeed looking into the security and cyber resilience of the European institutions: “A resilient and efficient entity is essential!” said Mirko Iaconisi, ECA attaché and co-author of the report.
The EU, too heterogeneous a community
For him, the excessive heterogeneity of this diverse and disparate community is in itself a source of cyber risk: “The EU has more than 80 bodies, all independent, with specific mandates, legal bases, and cyber infrastructures. This ranges from large institutions with their own dedicated cyber capabilities and expert teams, to small agencies, some with fewer than 30 employees, with limited budgetary and human resources,” he notes.
Unsurprisingly, the auditors’ findings are clear: “We conclude that their level of cybersecurity readiness is not commensurate with the threats. Key cybersecurity best practices, including some critical controls, are not always applied. Many EUIBAs are clearly under-budgeting their protection against cyber threats,” states Mirko Iaconisi.
In addition, according to the report, some organizations still lack true cybersecurity governance. In many cases there is no cyber strategy or, where one exists, it is not approved by senior management. Finally, security policies are not always formalized, and risk assessments do not cover the entire IT environment.
And while the EUIBAs have established structures for cooperation and information exchange in the area of cybersecurity, they are not fully exploiting potential synergies, according to Mirko Iaconisi: “They do not systematically exchange information about their cybersecurity-related projects, security assessments and service contracts. Furthermore, basic communication tools such as encrypted email or video conferencing solutions are not fully interoperable. This can result in less secure information exchange, a duplication of effort, and higher costs.”
What accounts for this lack of preparation? “Most of the entities questioned about their main cyber challenges mention the lack of skills and dedicated experts, budgetary constraints, and limited staff knowledge of cyber issues, the first line of defense,” answers the European Court of Auditors’ attaché.
Support and skills are needed
And while smaller entities need support to build their skills and raise their cybersecurity maturity, the entities in charge of supporting them (ENISA and CERT-EU) are failing to fully fulfill that role.
“We noticed that both operators – and especially the overburdened CERT-EU – failed to provide all the support they would need. We recommend that ENISA and CERT-EU work closely together and focus more on the less mature EU bodies to help them build their skills and thus raise the maturity level of the whole community,” notes Mirko Iaconisi.
Based on these findings, the ECA recommended that the European Commission improve the cybersecurity preparedness of the EUIBAs. This should be done through “a legislative text establishing common binding rules for all EU-IOs in this area and increasing the resources of the EU-CERT”.
On November 22, the Council of Europe adopted its position on a “draft regulation establishing measures to ensure a common high level of cybersecurity in the institutions, bodies, and agencies of the Union.” This compromise text, co-authored by the Council and the European Parliament, aims to “improve the resilience and incident response capabilities of all EU entities and address disparities in their approach by creating a common framework.”
It defines the obligations of the Union’s entities both for establishing a framework for the management, governance, and control of cybersecurity risks, and for cyber risk management, communication, and information sharing. In addition, it provides for strengthening the mandate and funding of CERT-EU, enhancing the sharing of incident-related information with CERT-EU, and promoting coordination and cooperation in the response to cybersecurity incidents.
Once this framework is in place, European entities will have to deal with the current and future shortage of cybersecurity officers, “which is a major risk to effective cybersecurity management” according to Mirko Iaconisi.
Admittedly, this expertise gap is among the top 10 cyber threats likely to emerge by 2030. It “will remain a problem in the longer term,” says Juhan Lepassaar. But training the right talent won’t be enough: “the question is whether these skilled people will stay in Europe; that’s one of the challenges of our future cybersecurity,” warns the head of ENISA.