Building up a European Cybersecurity

Transcription

1 Milano 18/03/2014 Building up a European Cybersecurity Luigi REBUFFI EOS CEO CLUSIT Security Summit 2014

2 Cyber (cybersecurity; cybercrime; cyberdefence; cyberterrorism ) actors in Brussels European Commission EU Parliament European Council Council of the European Union DGs: CONNECT / HOME / ENTR / MOVE / ENER / TAXUD / MARKET / MARE / JRC Agencies: ENISA / EUROPOL / EU LISA Committees: SEDE / BUDG/ ITRE / LIBE / AFET / IMCO EEAS EDA EU Counterterrorism coordinator EU Data Protection Supervisor Presidency of the Union: GR, IT, COREPER II - Committee of Permanent Representatives Sectoral Associations Member States

3 European Parliament: co-legislation activities on cybersecurity Report on Cyber Security and Defence (2012/2096(INI)) Report on the proposal for a regulation of the European Parliament and of the Council concerning the European Network and Information Security Agency (ENISA) 28/02/2013 European Parliament legislative resolution of 4 July 2013 on the proposal for a directive of the European Parliament and of the Council on attacks against information systems Report on on critical information infrastructure protection achievements and next steps: towards global cyber-security (2011/2284(INI)) NIS Directive (13/03/2014)

4

5 Some Units dealing with Cybersecurity in DG CONNECT H3 - development and deployment of EU Digital Public Services, focussing on cross-border excellence in egovernment, and based on the egovernment Action Plan Public services: digital service infrastructures in the Connecting Europe Facility Public services: egovernment Action Plan Public services: on-line, cross border egovernment services H4 - policy, research and innovation solutions and carry out activities enhancing the security of Internet networks and services and the protection of citizens' on-line privacy and security. Cybersecurity Strategy for the European Union Cybersecurity, privacy and trustworthy ICT: research and innovation eprivacy H5 - policy framework to ensure that digital technologies improve sustainability in general including energy security and resource utilisation; accelerate the deployment of integrated energy, transport and ICT solutions at local level Green ICT and Resource Efficiency ICT for Mobility Smart Cities Smart Grids E2 - leading an integrated cloud strategy for Europe. Software & Services, Cloud: European Cloud Computing Strategy Software & Services, Cloud: research and innovation Software: Innovation and growth E3 - provide support for web entrepreneurship and Internet businesses in Europe. Collective awareness platforms Future Internet Public-Private Partnership Web Entrepreneurs and Businesses

6 INDUSTRIAL LEADERSHIP : ICT Topic: Cybersecurity, Trustworthy ICT; ICT Research & Innovation Actions Security-by-design for end-to-end security Cryptography Activities supporting the Cryptography Community H2020 Opportunities for Cybersecurity Call for Proposals SECURE SOCIETIES - DIGITAL SECURITY: CYBERSECURITY, PRIVACY AND TRUST H2020-DS-2014 Privacy (give users control over their data) Access Control (user friendly, non-password based) Risk management and assurance models (adapt existing risk management frameworks to cyber-threats) H2020-DS-2015 The role of ICT in Critical Infrastructure Protection (test interdependencies on critical ICT) Secure Information Sharing (highly secure information sharing that creates trust) Trust eservices (business cases for esignature, eauthentication) INDUSTRIAL LEADERSHIP : ICT Topic: Advanced Cloud Infrastructures and Services; ICT Research & Innovation actions: Cloud security Innovation Actions: platforms for trusted cloud systems.

7 European Organisation for Security Main objectives: Develop a larger and harmonised Security Market across EU countries Develop activities, solutions and business in: Border Control, Cyber Security, Civil Protection, Protection of Critical Infrastructures, Urban Security, EOS Members (42, from 13 European countries): From all major sectors: civil security, ICT, energy, transport, defence, services, research (centers and universities). 2 million employees worldwide, more than 65% of the European security systems market.

8 EOS TEAM (Strategy Integration & Support) Definition of common positions via indipendent platforms: EOS Working Groups Board of Directors (Strategy) Border Control Civil Protection Critical Infrastructure Protection Protection & Resilience of the Cyber Space Checks and Surveillance of Land and Maritime Borders Smart Borders Checks carried out at border crossing points Border Surveillance Surveillance of land and EU sea borders (and beyond) CBNRE, Crisis Management, Training, Response Simulation Urban Security Urban security, emergencies, vital infrastructure protection (including mass and land transportation, energy, food, financial etc.) Protection and Resilience of Critical Infrastructures Civil Aviation & Supply Chain End-to-End Civil Aviation Security for passengers and goods and Supply Chain Security Cybersecurity, Cybercrime & Cyber Terrorism, Cyber Defence Task Forces on: Privacy and Data Protection EU Funds EU Security Industrial Policy (PCP, Standardisation, Certification, etc.) EU Land Transport Security

9 EOS working group on cybersecurity Advice to EC and EP R&D priorities EP reports EU Cybsersecurity Strategy EU Cybersecurity Industrial Policy White Papers NIS Platform (WG 1,2,3) Projects (coordinated by EOS): CYSPA: European Alliance to protect cyberspace in Critical Infrastructures (Transport/ Energy/ egov / Finance) CAPITAL: Integrated research and innovation agenda for Cybersecurity and privacy COURAGE: Cybercrime and Cyberterrorism European Research Agenda (DG ENTR)

10 EU Cybersecurity Industry context THE MARKET A 56B worldwide market dominated by North America B 43 77% B 13 23% CyberDefence markets driven by trusted national players (Raytheon, LM, L3Com, BAE, Cassidian, Selex, Rhode & Schwartz, Secunet, Thales, Indra ) Some markets closed : China, Russia, Enterprise markets driven by global players : IBM, Microsoft, Cisco, Checkpoint, Symantec, McAfee, Kaspersky, CA 17% 14% 19% 50% Sources : ASDReports, Gartner, Thales

11 EU Cybersecurity Industry context THE SITUATION Increasing demand to cope with risks arising from ICT pervasiveness new challenges coming from mobility (incl. payments and identity schemes), big data, cloud computing, M2M, physical-logical security interaction, e-supply chain, etc. 28 EU Member States with different regulations and approaches to managing network and information systems security and data privacy leading to a fragmented market and difficulty to reach critical size Sovereignty issues and civil-defence links reinforce national approaches Cybersecurity industry competitiveness hampered by lack of end-to-end approach and insufficient uptake of comprehensive risk analysis ICT security still seen as a matter of buying the right products Complexity to access to funding for European innovators and difficult to move from innovations to markets R&D funding mechanisms too slow to keep pace with fast evolving cyber threats Data privacy : a constraint or an opportunity? Low level of investment on capabilities

12 EU ICT / cybersecurity technology independence Commissioner Kroes at the High Level Cybersecurity Conference (28/02/2014): why the US managed to succeed in intercepting our conversation / data? Why we are so unprepared and unsecured against such threats? Why does so much of our data leave Europe? Why do our citizens prefer American platforms? Why are our European equivalents unable to compete? The revelations of Snowden came as a shock to many, but in a sense they were a wake-up call. European reaction is still weak: there are no major investments to build up European capacities. Is it too late for Europe to create major European competitors for ICT infrastructures? Is there a political will in European Member States to support such development? Digital Sovreignty Digital Independence

13 Cybersecurity Strategy of the EU: An Open, Safe and Secure Cyberspace The EU vision presented in the strategy is articulated in five strategic priorities: Achieving cyber resilience Drastically reducing cybercrime Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP) Develop the industrial and technological resources for cybersecurity Establish a coherent international cyberspace policy for the European Union and promote core EU values Commissioner Kroes at the High Level Cybersecurity Conference (28/02/2014): the European Cybersecurity Strategy is providing us with the right building blocks Q: But do we have the plan of the house to use wisely these building blocks? Q: Are public and private stakeholders in Europe ready to build such a common cyberhouse?

14 NIS Directive Commissioner Kroes at the High Level Cybersecurity Conference (28/02/2014): We will have no future without resilient and secure networks and systems. If the NIS Directive in the end does not make the necessary improvements, if it would have only a marginal impact on our trusted and secure networks, that will weaken our business, weaken our economy and maybe weaken our society too. A weak Directive will let down Europe! NIS Directive (envisaged by the EU Cybersecurity strategy - approved by the EP on 13/03/2014, likely by the Council by end 2014) should provide better coordination and risk management for the protection of Information Networks with a smart and effective cooperation between all Member States and all relevant stakeholders.

15 Measures to ensure a high common level of network and information security across the Union. NIS Directive - EP Approval Scope: Compulsory measures should be limited to infrastructures that are critical in a stricter sense (essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, financial market infrastructures and health). Information society services and public administrations, software developers and hardware manufacturers should not be included. Protection and processing of personal data: Any use of personal data should be limited only to what is necessary and should be as anonymous as possible, or even totally anonymous. National competent authorities and single points of contact on the security of network and information systems: Designation of one or more competent authorities by Member States. Each Member State should appoint one single point of contact. The single point of contact shall ensure, among other things, cross-border cooperation with other single points of contact. Computer Emergency Response Teams (CERTs): each Member State shall set up at least one Response Team for each of the sectors, responsible for handling incidents and risks according to a well-defined process. CERTs shall be enabled and encouraged to initiate and to participate in joint exercises with other CERTs, with all Member States-CERTs, and with appropriate institutions of non-member States as well as with CERTs of multi- and international institutions.

16 Measures to ensure a high common level of network and information security across the Union. NIS Directive - EP Approval Security requirements and incident notification: no delegated acts but clear criteria to determine the significance of incidents to be reported. To determine the significance of the impact of an incident, the following parameters shall inter alia be taken into account: i) the number of users whose core service is affected; ii) the duration of the incident; iii) the geographic spread with regard to the area affected by the incident. After consultation with the notified competent authority and the market operator concerned, the single point of contact may inform the public about individual incidents, where it determines that public awareness is necessary to prevent an incident or deal with an ongoing incident. Member States shall encourage market operators to make public incidents involving their business in their financial reports on a voluntary basis. Implementation and enforcement: flexibility regarding the evidence for compliance with the security requirements imposed on market operators by admitting proof of compliance provided in a form other than security audits. The single points of contact and the data protection authorities shall develop, in cooperation with ENISA, information exchange mechanisms and a single template to be used both for notifications.

17 NIS Directive and voluntary approach Public administrations and several market operators have been removed from the original Directive proposal (they will not be subject to security regulations) such as internet payment gateways, e-commerce and cloud computing services. Internet service providers (e.g. Google, Amazon, Ebay and Skype) will not be asked to report security incidents Is this really what we need to secure the society, when we all know the growing importance of security in Internet, in transactions and in the cloud? Should we really base the development of such services on voluntary certification schemes? President Obama issued in February 2013 the Executive Order on Improving Critical Infrastructure Cybersecurity which calls for the development of a voluntary riskbased Cybersecurity Framework a set of industry standards and best practices to help organizations manage cybersecurity risks. Is this voluntary approach, strongly supported by American companies operating in Europe, really the most adapted to our 28 Member States or it is simply a way of leaving the control of our cyber space to those who control it already today?

18 NIS Platform Collaboration between public and private sector: the NIS Platform The European Cybersecurity Strategy calls for the establishment of a NIS Network Information Security - platform, bringing together relevant European public and private stakeholders tasked to develop incentives to carry out appropriate risk management and adopt security standards and solutions, to find technology-neutral best practice to enhance cyber security as well as possibly establish voluntary EUwide certification schemes Start building a common understanding of needs and cooperation at European level on cybersecurity. Adoption of a common risk management processes (WG1 of the NIS Platform) will determine the development and the adoption of secure ICT solutions Information sharing process (WG2 of the NIS Platform) will help understanding threats and impacts Definition of R&D needs / agenda (WG 3 of the NIS Platform)

19 From the NIS Platform to an EIP on cybersecurity Objective of a possible evolution of the NIS Platform: cyber-architects from Member States should be ready to federate national views, overcome sovereignty constraints, design the plan of the European cyberhouse and build it in a public private cooperation. The NIS Platform could evolve into a specific EU Cybersecurity Programme supported by a European instrument such as the European Innovation Partnership (EIP) to develop an overall political and strategic governance. This Programme could steer all the elements for an end to end approach in this sector: from research and innovation, implementation, training, funding and incentives and other elements, like Research and Innovation as well as standardisation and certification, of a possible European cybersecurity industrial policy.

20 EU Cybersecurity Industry future MOVING FORWARD EOS calls for a fast adoption and implementation of a European Cybersecurity Industrial Policy (CYSIP) in order to: Secure European societies with European technology Establish a competitive and efficient European industrial base in cybersecurity Develop European solutions and services Boost the European cybersecurity market Sustain the development of the European digital economy

21 EU Cybersecurity Industry policy WHAT COULD BE AN EU CYBERSECURITY INDUSTRIAL POLICY? As for any industrial policy, an EU CYSIP would build upon : A strategic vision based on market assessment and make-or-buy orientations An analysis of the technological dependence and its consequences on digital economic sustainability, societal impacts and sovereignty issues A coordinated R&D and innovation policy A coordinated public procurement policy: For the protection of state-owned / operated infrastructures and large governmental ICT systems A business-oriented, balanced and technology-neutral regulation framework: Ensuring a level-playing field throughout Europe Reaching the right balance between incentives and compulsory frameworks Compensating efforts by co-funding and labelling measures Promoting European standards

22 EU Cybersecurity Industry policy WHY DO WE NEED SUCH A POLICY? Example of the ICT domain : Most HW and SW products procured from outside EU Still strong supply base for services in EU (IT and telecoms) : IT applications development and operations reflect specific business models over-harmonisation has benefits but also costs Cyber security business models are currently drawn from ICT ones: With specific exceptions (e.g. encryption systems) or niche start-ups With an under-developed services market Why do we need an EU industrial supply? Because of data protection issue (personal and trade data) Because of a de facto link to cyber defence Because EU has a strong supply base coming from the ICT and the security industry to build upon a wider market

23 EU Cybersecurity Industry policy Where could / should there be a specific European product policy? Likely not in commodity protection products, close to the ICT mass markets (firewalls, antivirus, IDS software ) where global mature suppliers exist Opportunities in specific areas (components / equipments) such as probes and core network routers Opportunities in supervision and monitoring tools for CIs and security services centers deployment (SOCs) Potentially in niches from new smart markets (smart security systems, smart and secure mobility, smart and safe city) as well as SCADA and Industrial Control Systems

24 How to pave the way for an EU Cybersecurity Industry policy? Establish a coherent and harmonised set of European policies Support the implementation of the NIS Directive Comprehensive and relevant scope National strategies and CERTs deployment Governance and adequate infrastructures Encourage Public Private dialogue & Cooperation Encourage participation of the European cyber security industry at the NIS Platform Include private sector in EU-wide cyber exercises Leverage on and coordinate existing public-private initiatives (NATO, ENISA, NISP, EC3, EIP, KIC )

25 How to achieve a CYSIP? R&D and supporting the adoption of new technologies R&D at EU level: Horizon 2020 programme for the development of new technologies and capabilities to face new and fast evolving threats. Missing strategy in the R&D workprogramme Derive work programmes and topics from gap analysis and users / operators driven operational needs (also EC Advisory Group for the Security Programme) Threats are evolving rapidly, much faster than the pace of the European funded research Ensure timely and simple administrative processes (cut the red tape) Implement PCP schemes to bridge the innovation-to-market gap and harmonise specifications (with the support of national administrations and users/operators) Align EU initiatives (TDL, CSP, CYSPA, etc.) into an overarching strategy and roadmap In the cyber space, MS administrations are not setting the pace for implementation and use of innovative solutions (as in other security markets): it is a free environment, linked to a liberal market, with very limited control. Economic and societal constraints will drive the pace of adoption of new technologies.

26 How to achieve a CYSIP? Standardisation and Certification Standardisation and certification of cybersecurity solutions and services at national and European level could drive the implementation of new technologies and help harmonising the European security market and overcome its fragmentation. Develop standards and certification (EU security label) Development of performance-oriented standards, technology neutral, that can better follow rapidly evolving needs, threats and technology, fostering the development of EU references for the global market. Link security standards to certification of new products (standards per se would be useless). This could reduce costs and create stronger EU references for export. EU certified solutions and services to better define and limit insurance premiums, providing combined technology/insurance responses to threats. Create a Cyber European Agreed Product list (e.g. managed by ENISA)

27 How to achieve a CYSIP? Fostering R&D and deployment with an increased and focussed budget for cybersecurity Increase budgets to provide the required level of cybersecurity, at national and EU level. For EU-funded R&D and validation (H2020) for key components development and pilots; for sector-based test-beds for the evaluation of CI (SCADA, ICS ) cyber resilience For purchasing capacities for deployment of large programmes in MS Use of cohesion funds and Public Procurement Initiatives for all those applications and infrastructures leveraging upon the security of communication and exchange of data, encouraging harmonized public procurement for national assets and CIP, through PCP. Security of broadband networks and cyber security of large infrastructure in Cohesion Policy Internal security fund for cyber protection of law enforcement / border management systems Specific funds to accompany security new constraints for market operators and critical infrastructures

28 How to achieve a CYSIP? Fostering R&D and deployment with an increased and focussed budget for cybersecurity For investments to protect Critical Infrastructures, Protect European Institutions and major European Programmes: EU showing the way through major cyber security investments on EU-wide existing or forthcoming assets (with European impact): EU Institutions ICT platforms protection Integrated maritime surveillance, satellite systems and air traffic management, energy transmission systems etc. Deployment of EU based data centers and secured cloud services Specific support mechanisms for cyber security SMEs

29 How to achieve a CYSIP? Awareness and Training Raising awareness and educating users on the benefits of cyber protection to preventing cyber risks and increasing protection of cyber-enabled applications, without creating unnecessary fears. Awareness programs should be implemented at Member State level within the civil society and organisations, promoting data protection and data privacy culture. Basic training in information and communication technologies should start at primary school level (understanding what s behind the screen). Awareness raising at all levels (including C ) of corporate: raising awareness of cyber threats at professional level would help improve risk management of networked infrastructure, encourage better investments and foster resilient services. Operators of key infrastructures leveraging upon ICTs should be educated on how to prevent and react to cyber threats, via relevant behaviours and innovative technologies. Lack of skilled cyber defence architects, engineers, and workers development of university courses to more widely rise a generation of skilled cybersecurity experts. Security of ICT is an excellent way for developing jobs, thus contributing to the recovery of our economies.

30 In the meantime From Federal News Radio, early Aug : Department of Homeland Security has awarded contracts to 17 firms to provide continuous diagnostics and mitigation services, also known as CDM, to the federal government, creating a potential model for private groups to measure and adjust their own cyber security efforts ( ) (and) designed to defend public sector IT networks from cyber threats ( ) Booz Allen, IBM, General Dynamics-IT, Lockheed Martin, Northrop Grumman, Hewlett Packard, SAIC and CGI Federal Inc. (CGI) were among the contract winners. McAfee will provide the tool suites under many of the contracts. The contract is worth up to 6 billion USD.

31 And now in Europe? The European security industry and research centers (EOS) are ready for more concrete steps and develop further a structured public private dialogue and cooperation: within the European countries, across the countries and across sectors. But are public administrations, at European and national level, ready and willing as well to provide the needed political and economic support?

32 THANK YOU! FOR MORE INFORMATION AND SUGGESTIONS: EOS Cyber Security Working Group Coordinator Mari KERT : mari.kert@eos-eu.com EOS coordinator for the CYSPA Alliance (and project) Nina OLESEN: nina.olesen@eos-eu.com EOS - CEO Luigi REBUFFI: luigi.rebuffi@eos-eu.com