EUROPEAN CYBERSECURITY FLAGSHIP SUMMARY

Transcription

1 EUROPEAN CYBERSECURITY FLAGSHIP SUMMARY OVERALL VISION & OBJECTIVES Europe is developing its common cybersecurity approach on the principles laid down by the EU Cybersecurity Strategy, also tackling the protection of the European Digital Single Market (DSM). Yet Europe is still hesitating in implementing strong measures to protect its Network Information Systems and avoid undesired leakage of sensitive data. Envisaged investments on research and capacity building are still extremely limited when compared to the US. This will further widen the already critical divide that exists in ICT and ICT security. To build a Smart & Secure Digital Europe, we have to better understand what is at stake and reconsider our future investments, focusing them towards priorities that would have a real and positive impact on Europe, for the creation of jobs and growth and the protection of our cyber space, data and values. For this, we have to ask ourselves: Which position / role Europe and its industry could have in the global cybersecurity market? What is the level of strategic autonomy that Europe needs to achieve in the cybersecurity domain? In which cybersecurity domains can European industry make a breakthrough and become a global and competitive player? To answer these questions and address the many challenges of the cyber space, we propose the creation of a European Cybersecurity Flagship, with the following major objectives: The overall objective is to foster and protect the growth of the European Digital Single Market considering its cultural and economic ecosystem, ensuring a level playing field (access to products and services having adequate security, independently of the provider). More specific objectives are: o Develop the European cybersecurity market and the growth of a strong, competitive and genuine European cybersecurity industry, with an increased market position. o Develop and implement strategic European cybersecurity solutions in critical steps of trusted supply chains, for sectoral applications where Europe is a leader. This will allow maintaining a strategic presence in key steps of its supply chain, increasing Europe s digital autonomy for greater security, improved privacy and trusted data management. These objectives are market driven (targeting high economic impact) as well as security driven, linked also to EU sovereignty, societal (data protection) and increased technological independence concerns. A set of these recommendations can be found in the resolution approved by the European Parliament on March 12 th 2014, also indicating the development of a comprehensive EU industrial strategy for the IT industry and an Action Plan to develop greater EU independence in the IT sector, also to better control management of data according to EU laws and procedures. TARGET APPLICATION AREAS The proposed objectives would target future ICT / DSM challenges with specific actions, in markets where Europe is a leader (e.g. Industrial systems for aeronautics and car manufacturing but also financial services etc.) or where control of data is of strategic or sensitive importance (e.g. ICT infrastructure, public administrations). For this we could leverage upon emerging applications such as the Internet of Things, Big Data (Data Analytics for Cybersecurity and Intelligence), Cloud computing, Mobile and Cyber Physical EOS European Cybersecurity Flagship November2015 Summary 1

2 Systems, Industry 4.0 (smart Industrial Control Systems), Smart Grids, Smart and Resilient Cities, in order to build a Smart & Secure Digital Europe. CHALLENGES AND RECOMMENDATIONS FOR A EUROPEAN CYBERSECURITY INDUSTRIAL POLICY AND FLAGSHIP Cybersecurity is a growing concern, not only to our national public authorities and citizens with regards to their security and the protection of their privacy, but also to our economy. According to Lloyd s, cyberattacks cost an estimated 400 billion dollars in In the study made by EOS and its members, we have identified and analysed the following challenges for the development of a European cybersecurity market. We have then deduced some recommendations which can be part of a global EU cybersecurity industrial strategy. CHALLENGES Limited public private dialogue, information sharing and awareness RECOMMENDATIONS Public Private cooperation, information sharing and awareness Limited public public and public private cooperation, also leading to a fragmented EU market. The approximate size of the global cybersecurity market, dominated by North American suppliers, is 70 billion 2015 expectations (more than 40% of this market is in North America) with 8% average yearly growth. In the EU s 28 Member States market (which makes up 25% of the world market, i.e. 17 billion with a 6% yearly growth), the existence of different regulations and approaches towards cybersecurity as well as data privacy concerns, often driven by sovereign needs, leads to the development of various specific solutions, a fragmented market which hinders competitiveness. Low information sharing. There is a strong link between cybersecurity solutions and sovereignty prerogatives for Member States that can result in a lack of cooperation, limited information sharing of (cyber) threats and therefore intensifying market fragmentation. Limited education at school and academic level, insufficient training of professionals and lack of sufficient number of technical experts, lack of awareness by decision makers and still too few exercises with industry. Public Private Cooperation at MS and EU level for an end to end approach Information Sharing between MS and CERTs, Users to increase monitoring and advising on threats Education / Training / Awareness raising / Exercises: development of a cybersecurity ecosystem CHALLENGES Need for Regulations, Standards and Methods to structure and drive the EU market Need for legislations / directives to guide developments and, when needed, impose solutions (e.g. privacy and data protection). Citizens and businesses should have access to products and services with a basic and adequate security level, independently of the provider (level playing field). Cybersecurity and privacy solutions are still add ons and not sufficiently foreseen when designing the equipment / service (this is particularly true for critical infrastructure). Missing standards and guidelines adapted to the European market, approaches and sensitiveness: Europe is obliged to use RECOMMENDATIONS Guidelines, Regulations, Standards and Methods Legislation: NIS Directive implementation and market driving Regulations Implementation of cybersecurity, trust and privacy by design Standardisation for key products / applications / services NIST like EOS European Cybersecurity Flagship November2015 Summary 2

3 standards or de facto standards from external sources. Insufficient use of risk management methodology and no effective metrics of threat evaluation, impeding the deployment and use of appropriate solutions to counter menaces. Laboratory for guidelines adapted to the EU market Application of Risk Management methods and standards and use of effective metrics to evaluate the threats CHALLENGES Missing EU trusted solutions, weak supply chain and technology dependence of Europe Weak trusted supply chain and low digital autonomy: European cybersecurity supply chain is still very fragile, following Snowden s revelations and despite the increase of awareness to threats related to data protection in the cyber space. Lack of an overall (industrial / economic) strategy in R&I to develop EU trusted competitive solutions and EU champions. Cybersecurity Research & Innovation is not sufficiently funded in Europe (e.g. in comparison to R&I funds granted by the US federal government of $3 billion in 2014) and properly addressing competitiveness / industrial issues. In addition, there is a lack of a consistent strategy and a transnational approach to build a stronger EU industry. Results of Research and Innovation are hardly reaching the market. Insufficient certification and trusted solutions are being used in Europe: Currently used technologies, for critical infrastructure as well as for other vital services, have not been sufficiently validated following trust criteria by independent laboratories / organisations. Critical / sensitive solutions purchased without a certification of their trustworthiness. The EU is heavily dependent on IT hardware and software products designed and built outside the European Union. Many innovations in products and services ( commodity protection") are driven by the ICT mass market products (e.g. firewalls, antivirus, etc.): Europe is therefore becoming more and more dependent on imported ICT solutions and is increasingly vulnerable to the risks posed by cyber threats. Trusted solutions across the full supply chain are needed. Appropriate trust validation should be applied to the non EU solutions used today. RECOMMENDATIONS Development and certification of EU trusted solutions for increased digital autonomy Increase of EU Digital Autonomy for ICT and cybersecurity solutions Strategic Research & Innovation deployed to the market EU Certification / Trust Label and validation platforms Priority procurement of EU trusted solutions CHALLENGES Large but insufficiently competitive industrial base, missing financial support and focused investments Cybersecurity insurance business models are still at infancy stage and lack quality metrics. There is also low compliance to risk management approaches (when available). Large but scattered SMEs base, not reaching critical mass to be competitive and often subject to external (non EU) buy out when RECOMMENDATIONS Market development, competence and competitiveness increase, adequate investments Cyber Insurance using EU certified products & Risk Management Compliance Consolidation of European companies to support the creation EOS European Cybersecurity Flagship November2015 Summary 3

4 owing / developing interesting and innovative solutions. SMEs often suffer from a lack of trust and support to reach viable economic market independence and commercial strength. Cybersecurity industries (SMEs and larger companies) are very fragmented and of often with limited size and resources, working mainly at local / national level as trusted supplier to administrations, overwhelmed by non EU competition, and therefore not able to reach critical mass for wider / global competitiveness and export capability. Low financing level (for research capability development and capacity building) with respect to the US. Lack of venture capital and financial incentives to develop a sustainable business in Europe. Cybersecurity investments are still lacking a strategy and coordination across the EU for common growth, more trustworthy and mutual digital protection in application areas critical for Europe or where Europe is leader. of EU cybersecurity champions Wide support to SMEs Appropriate and focussed funding from research to capacity building, innovative financing & fiscal incentives Priority Investments in strategic solutions and services to support the European competitiveness in market leading sectors URGENT INVESTMENTS TO DEVELOP AN EU TRUSTED DIGITAL SINGLE MARKET Europe should start leveraging upon those areas where it has a good level of competence / competitiveness and build upon them to create by 2025 strong European champions for the global market, with the objective of developing an efficient Smart and Secure Digital Europe in the various application sectors. Priority areas for the development of cybersecurity in Europe should concentrate on the markets where European companies are among the world leaders such as: Manufactured goods: engineering / automation, Industry 4.0 and its application to the whole society (Smart Society or what we could call Smart & Secure Digital Europe ); electronics / ICT; Services: Industrial Systems for critical infrastructures for oil & gas / energy; transport including automotive and aeronautics; financial services; retail; leisure / tourism; public services like egovernment and ehealth; smart and resilient cities. Investments in emerging market like IoT, Big Data (Data Analytics for Cybersecurity and Intelligence), Cloud, Mobile and embedded systems, smart grids etc. could provide more opportunities to Europe to attain leadership than in more mature markets. Concrete strategic projects, at EU or MS level on capability and capacity building We have identified a number of concrete strategic projects, at EU or MS level on capability and capacity building, that can be covered by mature technologies and do not require fundamental research, rapidly leading to commercial products and generating business opportunities for European companies with positive economic impacts for Europe, the development of the DSM and to the security of our cyber space and our data: - European capability building: Advanced encryption technologies Enhanced development of cyber intelligence capabilities as support to the legal and proportional fight against terrorism and organised crime EU cybersecurity academia and education at MS level for the development of a sustainable and informed ecosystem of users and customers - European capability and / or capacity building: European trusted and secure routers EOS European Cybersecurity Flagship November2015 Summary 4

5 European trusted Security Information and Event Management (SIEM) solutions European trusted Intrusion Detection System (IDS) Open source operating systems - National capability and / or capacity building Sovereign clouds, Multi sovereign probes, SOCs (Security Operation Centers), Cybersecurity control centers (connected across EU) EU / MS validation platforms It is also paramount to urgently set up and support cybersecurity awareness of professionals and decision makers as well as the development of solutions which respect citizens privacy. WAYS AND MEANS To tackle the mentioned objectives, EOS proposes the following ways and means: 1. The creation of a Flagship initiative for an EU Cybersecurity Investment Programme supported by adequate funding (initial estimate of 13 billion over 10 years), which would be composed of: o Research & Innovation Programme based upon a competitive growth strategy. o Capacity deployment across Europe according to an agreed Roadmap, including short term focus on concrete strategic projects on capability and capacity building. Member States should identify specific cybersecurity capacity needs and flag them in their priorities for EU funding as part of this investment plan. The Public Private Partnership (PPP) foreseen in the DSM Strategy could well be the initial step of this Flagship. It should not be limited to research issues or it will have a negligible impact on the effective and rapid growth of the EU DSM. Wider objectives, linking H2020 with other funding, stimulating the growth of the EU cybersecurity industry and the increase of EU digital autonomy should be pursued. 2. The development of a specific European Cybersecurity Industrial Policy to support the implementation of the DSM Strategy and the EU Cybersecurity Strategy (as well as the Cybersecurity Flagship objectives) at EU and MS level. BUDGET In order to allow European cybersecurity companies to reach by 2025 a global competitiveness, as suggested in the objectives of this Flagship, Europe needs to aim for a coordinated spending for R&I and capacity building of an overall budget slightly higher than 13 bln in the next 10 years, both from the public and the private sector. This would represent about 6 % of the EU cybersecurity market for the next 10 years (or about 15% share of this market when considering only the market share owned by genuine European industries). With this investment, Europe should be able to increase its export at global level and grow the importance of European cybersecurity industries. Contributions to this budget could come from EU and MS funds, but also from private operators and suppliers or other private bodies such as banks and insurance companies. The envisaged cost for R&I could be about 20% of the total budget, in order to allow the creation of a solid and competitive technology base, while the rest should be allocated to infrastructure, equipment and services investments. The promotion of this Flagship initiative s objectives including the proposed EOS European Cybersecurity Flagship November2015 Summary 5

6 coordinated use of this money could help attract industry (suppliers, users and operators) investment in this sector. Furthermore, innovative business plans could be set up with insurance companies (including the use of certified solutions, and leveraging upon suitable regulations and standards) to optimise investments in security technologies and insurance premiums. IMPACT The proposed investment roadmap should allow a multiplying factor which will benefit society and bring a sound contribution to the European economy. This result cannot be reached should investments continue to be scattered and not sufficiently strategically planned. According to a recent EP study The Cost of Non Europe in the Single Market Cecchini Revisited, this amounts to about 55 billion per year for the digital economy. As cybersecurity accounts for roughly 2,3% of the IT market (global market of ~ 3.1 billion), we then consider that the proposed cybersecurity Flagship could have a positive impact in reducing the cost of non Europe (using a mathematical approximation) by 1,3 billion per year, thus compensating for the investments made, without considering the indirect benefits to citizens privacy and to national security. ROADMAP AND MILESTONES The proposed Roadmap for the implementation of the Flagship spans 10 years, from 2016 to TRL Research on Basic Technologies 1 3 FP7 H Development & Innovation Capability building / CS : Demonstrations / Lighhouse Validation & Pilots 6 9 C.S. Critical Infrastructures Security in Big Data / Threat Intelligence Privacy and Data Protection and Digital Identities Security of Cloud Computing and Data C.S. for Smart & Secure Cities; Public Services / egovernment C.S. Mobile Devices and IoT C.S. Industrial Critical Systems Deployment Capacity Building 9 Coordination & Support Actions Stakeholder Platform / NIS P: Roadmapping suggestions SRIA, governance, monitoring, socio economic issues, ecosystem Cyber Acceleration Spaces Education, Traning, Awareness Ecosystem EU Cybersecurity Inustrial Policy PPP Joint Undertaking R&I efforts initiated during FP7 are continued in H2020 and the subsequent European research programme with a more global strategic approach supported first by the cppp and later (from 2021) by a higher level governance (e.g. a JU). Work on basic technologies will of course be continued, as threats and the ICT sector are continuously evolving. Yet, the major effort on R&I is foreseen to be in the development & innovation phase, with the creation of capabilities demonstrated in pilots and lighthouse projects in the main emerging and strategic / sensitive markets, reaching the highest Technology Readiness Levels. Support to the PPP and SMEs as well as the creation of an education, training and awareness ecosystem should be provided as soon as possible. In parallel, capacity building at MS level using existing and future EOS European Cybersecurity Flagship November2015 Summary 6

7 capabilities should allow better use of funding in an end to end approach according to the identified priorities. IMPLEMENTATION STRATEGY OF THE FLAGSHIP GOVERNANCE: STARTING WITH THE CYBERSECURITY PPP The main goal of the Flagship is to propose a shared vision and actions of a harmonised Technology & Implementation Roadmap at European scale, as well as the integration and harmonisation of the relevant policy, legal, political and regulatory frameworks. The proposed implementation strategy takes into account ongoing activities, policies and bodies at MS and EU level and involves four mechanisms: Research on basic technologies; Development and Innovation projects for capability building; Demonstration / Lighthouse Validation / Pilot projects; Cooperation and coordination projects and Deployment Capacity building. Public and private stakeholders, from the demand (users) and supply side, at European and MS / local level have an important role to play which should be identified and described in a European Cybersecurity Industrial Policy, as recommended by this study. The European Commission should clearly lead the common policy, while Member States define their national needs and policies and drive the implementation of security solutions. Users should define the operational needs and suppliers should provide competitive and privacy aware solutions. In this task, the European Industry should be supported by national cybersecurity organisations as well as by EU Institutions and its agencies endorsing a more important role (e.g. ENISA could provide direct support to the development of an EU trusted industry and solutions). As first steps, the proposed flagship implementation approach leverages upon the envisaged PPP on cybersecurity. Our vision of the PPP goes beyond the traditional objectives of the Strategic Research and Innovation Agenda (SRIA), envisaging an end to end approach, also supporting an immediate coordinated implementation of the NIS Directive and existing technical solutions to support the development of the EU DSM. Objectives of the PPP Support the DSM strategy and the EU cybersecurity Strategy Definition and update of the SRIA, in cooperation with the NIS Platform Provide information on the SRIA for calls and streamline proposals towards SRIA objectives; support to the implementation, coordination and valorisation of results from H2020 projects. Definition of a EU cybersecurity industrial policy and implementation of its activities in order to develop a genuine EU cybersecurity industry and increase its digital autonomy Link between R&I funds (EU and national) and implementation funds for capacity building Dialogue and cooperation between stakeholders at technical and market level, public and private, demand and supply Support the creation of an EU ecosystem for cybersecurity (training, awareness etc.) Cyber acceleration space for SMEs and innovation: Cyber Labs; link across Cyber Clusters and Cyber Academia. Approach The proposed PPP should have a governance similar to those of other PPPs, but its objectives should be similar to those of EIPs. With this mix PPP/EIP approach we hope to gather the consensus of both the public and the private sector for reach the ambitious objectives Europe urgently needs to reach in this domain. Partners and role With cybersecurity, we are in a domain dealing with security issues and we cannot simply duplicate PPP objectives and structures in other commercial areas. Some restrictions should be imposed on the governance for developing a genuine European cybersecurity industry. At the same time, we should guarantee an access and dialogue with national public administrations that have strong sovereignty concerns on exchange of data. EOS European Cybersecurity Flagship November2015 Summary 7

8 A list of possible initial members (contacted or to be contacted) is presented in the following. As presented elsewhere, the criteria for this initial choice are to gather: National Associations / Clusters, in those larger countries that have such organisations Individual companies / RTOs particularly from those countries not being organised in associations / clusters National Administrations Other EU Associations Link with other activities The cooperation with the NIS Platform would allow the PPP to leverage upon its work on information sharing, risk management and R&D to fill technical gaps. The following scheme also shows that the PPP would leverage upon existing initiatives, like the other cppp that need ICT security solutions for their specific applications (and it would be preferable to avoid duplication of efforts in developing solutions / services) but also on the activity of the EIT ICT Labs on trust and security. The NIS P and the PPP should look TOGETHER at the constitution of an EU cybersecurity strategy and of the evolution and implementation of the SRIA. The solution could be given by tackling priorities in a matrix approach: transversal on products / services (data security, cloud security, network systems security, IAM, MSS, ) and vertical on application areas (transport, energy, finance etc.). The NIS P could look more at the transversal approach, as more basic technology, while the PPP (also structured in WGs) could look at the vertical sectors, being them closer to the market, to the structure of the Commission (different DGs) and MS administrations (different ministries) and final users (different customer sectors with different needs). In this case the NIS P could work on the identification of the future research needs for products / services. The PPP, as composed by market / industry experts, will also develop the elements / activities of an industrial cybersecurity policy, likely in dedicated WGs. When needed (e.g. for standardisation or certification issues) support will be requested to the NIS P for technical issues. A dedicated activity of the PPP will then work to better disseminate / put in value R&I work and link research funds to other funds leading to effective procurement. In this activity, an important involvement of market experts, users / operators, investors and public administrations is expected. Similarly to what is happening in certain clusters (e.g. HSD in NL) or national organisations the PPP could build up a cyber lab in Brussels to allow all its members to regularly exhibit and demonstrate results from EC R&I projects as well as new own technologies to integrators, users and operators, in order to promote and rapidly identify new EU trusted solutions to be implemented within a short period in the market. Linking and promoting activities initialised at MS / local level on Cyber courses (e.g. Cybersecurity Academy The Hague; International Master s programme in Cyber Security of the Tallinn University TTÜ). Proposed PPP Governance and Secretariat As presented in the previous scheme, the Cybersecurity PPP Association will be composed by Full and Associate Members, all participating in the Stakeholder Platform. The Board of Directors should be composed by representatives from EU bodies (when an association, the representative should not belong to a genuine EU company ): private sector (Industries, RTOs, Academia) + MS + representatives from Associations / Organisations. The PPP Partnership Board will gather representatives from the PPP Association and the European Commission. As a conclusion for the possible PPP governance, we have a scheme developed by EOS and its partners in a FP7 project called CYSPA, proposing the creation of a Cybersecurity Alliance focused on cybersecurity protection of sensitive infrastructures. We suggest using this Alliance and all its background with its investments from the Commission and private side, as the basis to build up the Association that will sign the cybersecurity PPP with the Commission. The advantage is that CYSPA already has a widely established network, business scheme and activities. It could easily enlarge its objectives and structure to the EOS European Cybersecurity Flagship November2015 Summary 8

9 objectives and structure of the PPP and of the relative Association. In the original CYSPA scheme, EOS has been providing a secretariat. EOS could provide the secretariat for the CYS PPP, offering a simple and fast answer to the many requirements in setting up the Association. EOS is a well established, independent and recognised organisation in Brussels, with a solid background in security and experience in managing (or in this case supporting) wide and complex environments / partners. EOS would be one of the founding members of the PPP, at the same level of other Associations / Companies / Bodies as proposed in the following scheme. CONCLUSIONS The effective development of a European cybersecurity industry could be attainable through the adoption of an approach linked to the high and fast growth of technological competence and competitiveness. Should Europe not sufficiently master critical technologies and implement validated trusted solutions all along the supply chain, there exists a risk that used solutions, coming from non EU trusted providers, purchased on the basis of their economic convenience or for other reasons, could hinder the privacy of European customers and threaten the confidentiality of their data. Several EU MS are already considering not having the resources to substitute non EU cybersecurity solutions with trusted national ones. Cooperation with the main non EU industries is needed, as Europe cannot live in autarchy. Nevertheless, some MS and companies believe that Europe can progressively develop more competence in the cyber space to both, on the one hand, recover market positions using trusted EU solutions, while on the other hand also better controlling the high level of privacy, data management, and the privacy and freedom of decision of EU citizens. This will require a strong political and economic commitment. We strongly urge the EU and MS to deepen the dialogue with the European supply sector for the creation of this Flagship programme and to support a coordinated end to end approach. We are confident that such solution can be swiftly implemented with the support of adequate investments to reach ambitious objectives, first with the PPP by 2020 and then with a higher level governance by This would develop a sustainable DSM ecosystem in Europe, making it a real and global cybersecurity leader. EOS European Cybersecurity Flagship November2015 Summary 9