Implications of the EU announcements for Cyber Security in July 2016
5 July 2016
What are the implications of the European Commission program to introduce cyber security regulation and strengthen competition, including more public-private partnerships in cyber security?
The European Commission developed plans several years ago that included activities to plan for better cyber security in the EU and to drive more innovation and competitiveness for the EU member states.
This includes several initiatives, which can be summarized into the following areas:
Establishing the ePrivacy directive concerning citizen data privacy and data controller and data processor regulations, principally in rules for visibility and consent and the right to anonymity of location and tracking.
Establishing the contractual Public-Private Partnership mechanism to drive the Horizon 2020 Research and Innovation implementation for cyber security investment and coordination with EU member states, built from the so-called Network and Information Security (NIS) Platform, and the security and competitiveness of EU members and industry companies, public bodies and citizens.
The post-Safe Harbor regulation that is tending to consider the General Data Protection Regulation, due in May 2018, on a single set of rules and services for EU consent, data breaches, sanctions, right to erasure and data portability among its key legislation.
These initiatives are collectively seeking to drive the Digital Single Market (DSM), a cornerstone of the EU principles of open trade within the EU bloc for member states and of the movement and ability to set up businesses and trade in those member states.
Exploring the details of the initiatives
The announcement to use the Contracted Public-private partnership on cybersecurity CNECT / H4 roadmap was started in Dec 2015, with the plan 18 months later in June 2016. It was driven by the realization that the Internet is now part of the economy and an indispensable element of modern public administration. Cyber security is fundamental to building access and to enabling and driving trust in those systems for ecommerce and citizens.
The decision to establish a contractual Public Private Partnership (cPPP) was seen as key to establishing a mechanism to drive a more joined-up approach across EU member states to stepping up the supply of more secure digital services in the EU market. Central to this is the ability to leverage grant funds and bottom-up collaboration from the EU member states' research and innovation companies, academic groups and initiatives to drive more competitive EU cyber security solutions.
Horizon 2020 Work Program 2016-2017
Horizon 2020 is a Framework Programme for Research and Innovation (2014-2020) that provides the legal framework for the establishment of a public-private partnership.
The Horizon 2020 Programme strongly supports the three strategic priorities of Open Innovation, Open Science, and being Open to the World. Favouring Open innovation means encouraging the capitalisation of results from European research and innovation. Open Science includes moving forward on the need for more open access to research results and the underlying data.
Contractual grants mechanisms
As part of the Innovation Investment Package representing an investment worth over EUR 22 billion, seven Public-Private Partnerships (PPPs) relevant to industry in the fields of innovative medicine, fuel cells and hydrogen, aeronautics, bio-based industries, electronic components and systems, railways, and EU air traffic management system, address strategic technologies.
These PPPs are complemented by a similar level of investment in nine contractual Public Private Partnerships (cPPPs) implemented through the work programme on sustainable production processes, energy efficient buildings, green vehicles, cleaner manufacturing processes, telecommunications network infrastructure, high performance computing, robotics, photonics, and big data, to develop new technologies, products and services which will have a substantial impact on the competitiveness of the EU industry, and the creation of new high-skilled jobs in Europe.
What is the EU Digital Single Market (DSM)?
The EU market is the largest by trading value, currently approximately 16-17 Trillion US Dollars compared to 14 Trillion for the US and 10 Trillion for China. The EU market is made up of 28 countries representing 500 million people and works on the founding principles of establishing EU member states' movement and freedoms to work and live as a single bloc. Its initiatives drive an open trading market that enables the EU member states to be more competitive as a collective whole. For example, trade agreements are negotiated at an EU bloc level, and matters such as cyber security are encouraged to enable cross-border management and trading among EU member states, to build trust and to realize the potential of the massive EU single market. Central to this is the ability to invest at scale and leverage skilled workforces, innovation and research in the EU, leveraging the power of the combined member states.
The European Union governance structure is empowered to adopt measures with the aim of establishing or ensuring the functioning of the Internal Market, in accordance with the relevant provisions of the Treaties (Article 26 of the Treaty on the Functioning of the European Union — TFEU). In view of a huge fragmentation of the market for ICT security products and solutions, the EU action is needed to achieve a single market in this field, which is also a prerequisite for a well-functioning digital economy.
Why is an EU cyber security approach key to the EU Digital Single Market?
Several challenges are faced in achieving this goal of a Digital Single Market in the EU. The current 28 member states are uneven in their ability to compete through strong leverage of their own supplier base versus the competition, often from outside the EU bloc.
Cyberspace is borderless by nature and is increasingly complex, with cyber attacks ranging from denial of service, data breaches and data theft to spying, surveillance and terrorism. In general these are only increasing across all industry sectors, driving strong development of countermeasures and investment by technology vendors, industry and governments from all nations.
In addition to the threat and the necessity to manage cyber threats, the other key realization is that strong cyber trust and security is critical to an operating trading marketplace. The cyber security solutions area is a strong growth market, with the global cyber security market expected to grow to $80-120 billion by 2018. The challenge has been in investment and coordination among the EU's own home-grown vendors and solutions, who have struggled to compete with ICT providers, most of them from outside the EU bloc.
The EU market has been dominated by a small group of global vendors, competing with a high number of smaller European suppliers. The top five vendors controlled 20.4% of total market (and they all came from outside the EU). The EU suppliers, while showing a positive dynamism, remain mostly national or regional players. Their cumulative market share was estimated at around 16.5% of the total EU NIS market revenues. The fragmentation of the cybersecurity supply industry in Europe is a principal reason for the recent initiatives in EU cyber security regulations.
Origins of the European Cyber Security Strategy
In 2013 the European Cybersecurity Strategy was adopted. One of its five priorities is to develop industrial and technological resources for cybersecurity. The strategy proposes to mobilise public and private resources to stimulate innovation and the competitiveness of secure ICT solutions supply in Europe. For this reason the EU Cybersecurity strategy has launched a public-private platform at EU level (the so-called Network and Information Security (NIS) Platform), which looked into future research priorities, identified key challenges and corresponding desired outcomes in terms of innovation-focused, applied but also basic research in cyber security, privacy and trust, and proposed new ways to promote truly multidisciplinary research that fosters collaboration among researchers, industry and policy makers. This has resulted in the publication of a Cybersecurity Strategic Research Agenda (SRA) of the NIS Platform in the third quarter of 2015.
The first comprehensive piece of EU cybersecurity legislation is the Network and Information Security (NIS) Directive. It covers national readiness for cyber security and an EU-wide approach to cyber security, and would strengthen the currently limited cooperation among Member States; key sectors of the economy would be subject to security obligations following an approach aimed at harmonizing the internal market. It is therefore very likely that the implementation of the business requirements under the NIS Directive will lead to increased demand for cyber security solutions.
Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) was adopted in 2014. With it the EU has managed to lay down the right foundations and a predictable legal framework for people, companies (in particular SMEs) and public administrations to safely access services and do transactions online and across borders in just "one click". The NIS Directive, soon to be adopted, is a first step to bringing about a high common level of cyber security across the EU through improving national cybersecurity capabilities (currently uneven across the EU).
Opportunities and Challenges on realizing the EU Cyber Security strategy
EU industry fragmentation is a key issue, as stated in the EU Cyber Security reports (Ref):
"This industry and market fragmentation is a clear barrier for European companies to compete and grow their businesses across borders in Europe but also on a global scale. While European companies tend to be strong and innovative, their size and capacity (mostly SMEs with few larger actors) are smaller in comparison to their US, Israeli, Chinese, South-Korean, Japanese or Russian counterparts as they experience difficulties in expanding beyond national borders. The difficulty to compete on the European and global levels often leads to mergers and acquisitions of European SMEs by non-European actors, weakening the European sector and leaving Europe also more vulnerable and technologically dependent on others. The barriers preventing European cyber security companies from scaling up their operations have also an unintended consequence of the outflow of highly qualified specialists, who leave the EU to look for better job and research opportunities on other markets. Should Europe fail to stimulate a common cyber security market and to create opportunities to grow for its companies, it risks losing its cyber security industry all together as it might not be able to stand fierce global competition."
Why partnership to tackle cyber security?
Key takeaways for the cyber practitioner include:
The “technology stack” covers a wider set of attack vectors across devices, software applications, networks, data centers and databases that are typically spread across multiple vendors and cloud computing services.
“Not one person can know all” – this is a fast-moving area of people and technology developments, and there is a need to keep on top of it.
There is a need for a “joined up approach” between enterprise, public authorities and citizens to drive adoption.
“Attack from many sides” - many types of attack, potentially through many “gaps” that open up in cyber attacks.
Lessons from past cyber attacks
The size of data breaches – millions of records and
The number of threat points – for example, the Russian bank attacks of 2015 were stealth malware
Zero-day attacks – like TalkTalk, likely to rise as cyber becomes more sophisticated
The key is to establish partnerships to manage knowledge and awareness in the EU and in any other country and industry. The rate of change in cyber technology and cyber attacks needs a responsive and progressive approach to keep ahead and to be able to lead a market.
Next steps and consequences
The use of EU legislation will move ahead to seek to establish the foundations of a joined-up and coordinated response.
Article 25 in the Regulation of the European Parliament and of the Council establishing Horizon 2020 – the Framework Programme for Research and Innovation (2014-2020) – provides the legal framework for the establishment of a public-private partnership. The contractual agreement should specify the objectives of the partnership, respective commitments of the partners, key performance indicators, and outputs.
The NIS Directive takes an EU-wide approach to cyber security and would strengthen the currently limited cooperation among Member States; key sectors of the economy would be subject to security obligations following an approach aimed at harmonizing the internal market. It is therefore very likely that the implementation of the business requirements under the NIS Directive will lead to increased demand for cyber security solutions.
The strategic consequences
The EU is seeking to stimulate and leverage multi-disciplinary collaboration on basic research, funded by the H2020 Euro 100 Billion research and innovation program.
Secondly, it is also driving the need for cross-border collaboration and intelligence.
Thirdly, it is seeking to respond to the increased demand for cybersecurity solutions.
It is clear that this represents the bigger picture of the Digital Economy and the need to address issues at the right strategic scale.
Notably in playing a strong role and leveraging emerging digital technologies (e.g. cloud, big data, 5G, embedded systems)
And for critical vertical industrial sectors essential for a well-functioning single market (e.g. energy, automotive, rail, aviation, health, banking, finance…).
Why it matters
Doing nothing would maintain the EU status quo of largely national approaches and would not serve to create a well-functioning European market for cybersecurity products and services.
EU providers would be unable to respond to growing NIS demand
Missed opportunity for Europe to become a global leader in the field of cyber security
H2020: establish mechanisms for better coordination of the research agendas of the European Union institutions and the Member States, and incentivise the Member States to invest more in R&D.
The EU will seek closer cooperation with organisations that are active in this field such as the Council of Europe, OECD, UN, OSCE, NATO, AU, ASEAN and OAS. At bilateral level, cooperation with the United States is particularly important and will be further developed, notably in the context of the EU-US Working Group on Cyber-Security and Cyber-Crime.
For the EU member states this is the direction of travel for the strategy, reflecting the nature of a cyber security world that is borderless and underpins the modern global and local economies across all sectors. Non-EU countries as well as EU countries have a vested interest in making this work.
1. Contracted Public-private partnership on cybersecurity CNECT / H4
2. H2020 overview
3. EU Cyber Security paper 2013