State of the Union 2017: The Commission scales up its response to cyber-attacks
Questions and answers
Why does the EU need to take action on cybersecurity?
Since 2013, the technological and security landscape in the European Union has changed at a very fast pace. Digital technologies are now an integral part of our daily life and the backbone of our economy. The Internet of Things revolution has become a reality, with tens of billions of devices expected to be connected to the Internet by 2020. At the same time the number and diversity of cyber threats is continuously growing.
With the recent ransomware attacks, a dramatic rise in cyber-criminal activity, state actors increasingly using cyber tools to meet their geopolitical goals and the diversification of cybersecurity incidents, the EU needs to be more resilient to cyber- attacks and create effective cyber deterrence, including through criminal law, to better protect Europe’s citizens, businesses and public institutions. As announced in President Juncker’s State of the Union address on 13 September, the Commission and the High Representative are therefore today proposing to reinforce the EU’s resilience and response to cyber-attacks by strengthening the European Union Agency for Network and Information Security (ENISA), creating an EU-wide cybersecurity certification framework, a Blueprint for how to respond to large-scale cybersecurity incidents and crises, and a European Cybersecurity Research and Competence Centre. Today’s proposals also include a new Directive on the combatting of fraud and counterfeiting of non-cash means of payment to provide for a more efficient criminal law response to cyber–attacks, as well as a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities and measures to strengthen international cooperation on cybersecurity.
This wide-ranging cyber security package builds on existing instruments and presents new initiatives to further improve EU cyber resilience and response in three key areas:
- Building EU resilience to cyber-attacks and stepping up the EU’s cybersecurity capacity
- Creating an effective criminal law response
- Strengthening global stability through international cooperation
Facts and Figures
The scale of the problem makes the need to act even more urgent. Recent figures show that digital threats are evolving fast: since the beginning of 2016, more than 4,000 ransomware attacks have occurred worldwide every day, a 300% increase since 2015, while 80% of European companies have been affected last year. Studies suggest that the economic impact of cybercrime rose fivefold from 2013 to 2017, and could further rise by a factor of four by 2019. Ransomware has seen a particular increase, with the recent attacks reflecting a dramatic rise in cyber-criminal activity. However, ransomware is far from the only threat.
An increasing number of Europeans also see cyber-crime as an important threat for the European Union, according to a Eurobarometer survey. 87% of respondents regard cyber-crime as an important challenge to the EU’s internal security and a majority are concerned about being victims of various forms of cybercrime, with the largest proportions concerned about discovering malicious software on their device (69%), identity theft (69%) and bank card and online banking fraud (66%). The two most common concerns about online payments are the misuse of personal data, identified by 45% percent of respondents, and the security of the transaction itself, with 42%. This has prompted many to act to better ensure their security online, with 62% having changed their passwords over the past six months and 45% having installed anti-virus software. However, some have even stopped conducting online transactions with 12% having reduced their online purchases and 10% having opted out of online banking.
1. Building EU resilience to cyber attacks
Why is the Commission proposing a strong EU Cybersecurity Agency?
The current mandate of the European Union Agency for Network and Information Security (ENISA), based in Greece, will expire in June 2020. In light of the significant changes that have occurred in the cybersecurity landscape since the adoption of the ENISA Regulation, the Commission decided to bring forward the evaluation and review of the mandate of the Agency.
So far ENISA’s role has mainly been to provide expertise and advice rather than dealing operationally with cybersecurity. This has already started to change. The Directive on the Security of Network and Information Systems (NIS) has formally created a network of Member State Computer Security Incident Response Teams (CSIRTs) and the secretariat for this network is provided by ENISA.
The Commission now proposes to reform ENISA into a stronger EU Cybersecurity Agency with a permanent mandate, greater operational resources and a stable footing for the future. The main aim of the Agency is to assist Member States in implementing the NIS Directive. New tasks and resources will be given to the Agency in areas such as operational cooperation and Information and Communication Technologies (ICT) security certification in order to reflect the new reality and needs in cybersecurity. ENISA will therefore play an important role in the field of EU cybersecurity certification policy by preparing, in cooperation with Member States’ certification authorities, candidate European cybersecurity certification schemes. The new Agency’s mandate, objectives and tasks will be subject to regular reviews.
Why is the Commission proposing an EU cybersecurity certification framework for ICT products and services?
ICT security certification plays an important role in increasing trust and security in products and services that are crucial for the smooth functioning of the Digital Single Market. At the moment, a number of different security certification schemes for ICT products exist in the EU (e.g. Certification Sécuritaire de Premier Niveau in France, Commercial Product Assurance in the UK). While these initiatives confirm the importance of certification, there is a risk that multiple certification initiatives will lead to barriers in, and the fragmentation of the single market. For example, smart meters currently have to undergo separate certification processes in France, the UK and Germany.
On the other hand, a “one size fits all” approach to cybersecurity certification will not work across the large variety of ICT products and services. The Commission is therefore proposing the creation of a European cybersecurity certification framework which is expected to deliver numerous individual European cybersecurity certification schemes, i.e. clear descriptions of security requirements to be met by covered products, systems or services. Resulting certificates confirming compliance with such requirements are recognised in all Member States making it easier for businesses to trade across borders and for purchasers to understand the security features of products or services.
The use of the certification schemes will be on a voluntary basis for market players. High cybersecurity standards – attested through such a certification scheme – could evolve into a competitive advantage for companies wanting to assure consumers that their products and services are at a certain level of cybersecurity. Such a scheme will thus encourage “cybersecurity by design”.
Who will benefit from the certification framework and how?
The ability to understand whether a product, system or service meets specific requirements lies at the heart of being able to trust the digital systems or devices we rely on. The framework will therefore be useful for:
- Citizens and end-users (e.g. operators of essential services), who will be able to make more informed purchase decisions related to ICT products and services they rely on day-to-day.
- Vendors and providers of ICT products and services (including SMEs and new businesses). They will have to go through one single process in order to obtain a European certificate valid in all Member States. For SMEs and new businesses, it will also mean the elimination of potential market-entry barriers. By avoiding having to go through several certification processes, the cost of which may vary significantly depending on the product or service concerned, the evaluation assurance level sought and other components, businesses will save a lot of money. For the BSI “Smart Meter Gateway” certificate, for example, the cost is more than €1 million (highest level of test and assurance, concerns not only one product but the whole infrastructure around it as well), while the cost for smart meter certification in the UK and France is about €150,000. Finally, as the demand for more secure solutions is expected to rise worldwide, vendors and providers will also enjoy a competitive advantage to satisfy such a need.
- Governments, too, will be able to make more informed purchase decisions and will at the same time be equipped with an institutional framework that enables them to identify and express priority areas that need ICT security certification.
How will the European framework fit into existing or international initiatives?
The schemes proposed in the future European framework will rely as much as possible on international standards as a way to avoid creating trade barriers and ensure coherence with international initiatives. We will continue working with our closest trade partners towards the development of global standards in this area.
2. Stepping up the EU’s cybersecurity capacity
What is the purpose of the recommendation for a coordinated EU response to cyber-attacks (the Blueprint)?
The Recommendation describes how existing and established Crisis Management principles and mechanisms make full use of cyber security entities on the EU level and cooperation mechanisms between the Member States and streamlines all existing procedures and actors into one process and clarifies their roles, at technical, operational and strategic level, in the event of a major cybersecurity incident. The objective of the Recommendation is for the EU to have in place a plan in case of a large-scale cross-border cyberattack or crisis. It sets out the objectives and modes of cooperation between the Member States and EU Institutions in responding to such incidents, and explains how existing crisis management mechanisms can interact with the existing cybersecurity entities at EU level.
The Recommendation also asks Member States and EU institutions to establish an EU Cybersecurity Crisis Response Framework to make the Blueprint operational. It will regularly be tested in cyber and other crisis management exercises.
Which bodies will be involved in the crisis management? How will they coordinate?
Crisis management will involve actors at Member State and European levels. The competent national authorities and Single Points of Contact established by the NIS Directive, the Computer Security Incident Response Teams (CSIRTs) and the Cybersecurity agencies will be involved in the Member States. ENISA and Europol/EC3 (the European Cybercrime Centre at Europol), the European Commission, the European External Action Service and in particular its services in charge of crisis management, as well as the Council will be involved at European level. These bodies will cooperate together at technical, operational and strategic level.
How will cyber-attacks like WannaCry and (non)Petya be dealt with under the Blueprint?
Large-scale cyber-attacks affect many countries both within and outside the EU, as was the case for the WannaCry and the (non)Petya attacks. The purpose of the Blueprint is for the EU to set up a well-rehearsed plan in order to react to a cyber-incident or crisis which involves cooperation at European and international level. It will ensure swift communication between the different actors and a coordinated response to large-scale cyber-attacks. It will also put in place mechanisms to identify the cause of such attacks in order to effectively mitigate and manage the causes. It will be up to the Member States, through the integrated political crisis response (IPCR) mechanism, to decide when the Blueprint is put in practice.
When and why will the Network and the European Cybersecurity Research and Competence Centre be set up?
The EU needs large-scale investment in cybersecurity technologies, products, processes and expertise to achieve cybersecurity technological autonomy and to protect its digital economy, society and democracy. These capacities are also essential to contribute to global efforts aimed at creating a secure cyberspace for all. Building on the work of Member States and the Public-Private Partnership launched in 2016, the Commission now proposes a further step in order to reinforce the EU’s cybersecurity capability. This includes creating a Cybersecurity Competence Network with a European Cybersecurity Research and Competence Centre at the heart.
The European Cybersecurity Research and Competence Centre will help develop and roll out the tools and technology necessary to keep up with an ever-changing threat and make sure our defences are as state-of-the-art as the weapons that cyber-criminals use. It will complement capacity-building efforts in this area at EU and national level.
The Commission will launch an impact assessment to examine available options – including the possibility of setting up a Joint Undertaking – with a view of setting up this structure as soon as possible. The Commission also proposes to launch a pilot phase under Horizon2020 in order to create a new momentum in cybersecurity investment. The Commission plans to make available €50 million in funding in the short term for this.
3. Creating an effective criminal law response
Effective deterrence means putting in place a framework of measures that are both credible and dissuasive for would-be cyber criminals and attackers. As long as the perpetrators of cyber-attacks – by both state and non-state actors – have nothing to fear besides failure, they will have little incentive to stop trying. A more effective criminal law and law enforcement response focusing on detection, traceability and prosecution of cyber criminals is central to building effective deterrence.
One step towards improving the criminal law response to cyber-attacks was taken with the adoption in 2013 of the Directive on attacks against information systems which sets out minimum rules concerning the definition of criminal offences and sanctions in the area of attacks against information systems and provides for operational measures to improve cooperation amongst authorities.
As laid out in the assessment report on the measures taken to transpose the Directive, presented today, there is still scope for the Directive to reach its full potential if Member States fully implement all of its provisions. According to the assessment, the Directive has led to substantive progress in criminalising cyber-attacks on a comparable level across Member States. However, further efforts are needed in particular as regards the use of definitions and common standards of penalties for cyberattacks. The Commission is committed to ensuring full and correct implementation of the Directive and will continue to provide the necessary support to the Member States. Currently, the Commission sees no need to propose amendments to the Directive.
The Commission wants to boost deterrence further and is therefore proposing a new Directive on the combatting of fraud and counterfeiting of non-cash means of payment to provide for a more efficient criminal law response to cyber-crime.
What is “non-cash payment fraud”?
The most common non-cash payment instruments are payment cards (credit and debit), credit transfers, direct debits, e-money, virtual currencies, mobile money, vouchers, coupons and fidelity cards. Non-cash payment transactions have been steadily increasing in Europe in the last years, both in terms of quantity and value.
Non-cash payment fraud can take different forms. Criminals can trigger the execution of payments by using payer information obtained through, for example, phishing, skimming or obtaining information on dedicated websites selling stolen credit card credentials on the darknet. Payments can also be fraudulently executed through counterfeit or stolen cards used to pay in stores or withdraw cash at ATMs or through the hacking of information systems to process payments, for example through tampering with points of sale for card transactions or unlawfully increasing credit card limits to allow excess expenses to go undetected. Existing data for card fraud shows that in 66% of cases, the fraud is committed without the presence of the card, by using stolen card credentials.
Why is non-cash payment fraud a threat to security?
The fraud and counterfeiting of non-cash means of payment represents a threat to security as it provides important income for organised crime and enables other criminal activities such as terrorism, drug trafficking and trafficking in human beings.
Europol reports that the criminal market for payment card fraud in the EU is dominated by well-structured and globally active organised crime groups, which may be making illegal earnings of at least €1.44 billion per year (the level of card fraud estimated by the European Central Bank). This amount is likely to increase, mainly fuelled by the increasing digitalisation of the economy and the emergence of new payment instruments through technological innovation.
In addition, non-cash payments are essential for online transactions and their security is fundamental for establishing a Digital Single Market. Conversely, non-cash payment fraud causes significant direct economic losses (for example, airlines lose around USD 1 billion per year globally in card fraud) and reduces consumer trust, which may result in reduced economic activity and limited engagement in the digital single market.
Why is the Commission proposing a new Directive on non-cash payment fraud?
Technological developments, such as the increasing use of mobile payments or virtual currencies, have brought about substantial changes in the area of non-cash payments and the increase in online fraud. In order to ensure that crimes committed with new payment instruments can be effectively prosecuted, the EU’s criminal law framework need to be up to date notably to ensure an approximation of the level of penalties. In particular, the fact that non-cash payment fraud often takes place online challenges the traditional concept of territoriality since information systems can be used and controlled remotely from anywhere. Therefore, jurisdiction should be asserted for the offences committed irrespectively of the offenders’ nationality and physical presence, but in view of any damage caused by the offence on the territory of the Member State.
Whilst the current Framework Decision on combatting the fraud and counterfeiting of non-cash means of payment has contributed to creating a common EU criminal law framework, the current level of harmonisation is not sufficient to adequately support cross-border investigations and prosecutions.
How will the new Directive help fight non-cash payment fraud?
The Commission is proposing to boost deterrence through a new Directive to combat the fraud and counterfeiting of non-cash means of payment. In line with the EU Agenda on Security and the EU Cybersecurity Strategy, as well as the Digital Single Market Strategy, the new Directive will boost Member States’ capacity to prosecute and sanction non-cash payment fraud by:
- Strengthening the ability of law enforcement authorities to tackle this form of crime by expanding the scope of the offences related to information systems to all payment transactions, including transactions through virtual currencies;
- Introducing common rules on the level of penalties, in particular by setting a minimum level for the highest penalties Member States can impose. These can range from two to five years depending on the offence. The new rules make it a self-standing offence to possess, sell, procure for use, import or distribute a stolen or unlawfully appropriated counterfeited or falsified payment instrument;
- Clarifying the scope of the jurisdiction by ensuring that Member States have jurisdiction in cases either where the offence has been committed using an information system located within the territory of the Member State while the offender may be located outside of it or if the offender is located within the territory of the Member State but the information system may be located outside of it. The scope of the jurisdiction is also clarified regarding the effects of the offence by ensuring that Member States are able to exercise jurisdiction if the offence causes damage in their territory, including damage resulting from the theft of a person’s identity;
- Ensuring that cybercrime victims have a right to access information about available assistance and support. In addition, the new rules will improve the conditions and incentives for victims and private entities to report crimes;
- Introducing measures to improve Union-wide criminal justice cooperation by strengthening the existing structure and use of the operational Contact Points;
- Addressing the need to provide statistical data on the fraud and counterfeiting of non-cash means of payment.
To effectively step up the investigation and prosecution of cyber-enabled crime, the Commission will also present proposals to facilitate cross-border access to electronic evidence in early 2018. In parallel, the Commission is implementing practical measures to improve cross-border access to electronic evidence for criminal investigations, including funding for training on cross-border cooperation, the development of an electronic platform to exchange information within the EU and the standardisation of judicial cooperation forms used between Member States. The Commission is also looking into different ways of reinforcing forensic capabilities across Member States. One step would be to further develop Europol and its European Cybercrime Centre. By October, the Commission will also present its reflections on the role of encryption in criminal investigations. Finally, to better assist Member States and boost their cybercrime investigative capabilities, the Commission will dedicate €10.5 million under the Internal Security Fund (ISF).
4. Strengthening international cooperation on cybersecurity
The EU’s international cybersecurity policy is designed to address the continuously evolving challenge of promoting global cyber-stability, as well as contributing to Europe’s strategic autonomy and security in cyberspace, always guided by the EU’s core values and fundamental rights. The EU will prioritise the establishment of a strategic framework for conflict prevention and stability in cyberspace in its bilateral, regional, multi-stakeholder and multilateral engagements. As part of the strategic framework for conflict prevention, the EU promotes the application of international law, and in particular the United Nations Charter, in cyberspace. The EU further supports the development of non-binding voluntary norms of state behaviour and cyber confidence building measures.
Given the global nature of the threat, building and maintaining robust alliances and partnerships with third countries is fundamental to the prevention and deterrence of cyber-attacks – which are increasingly central to international stability and security. The EU has built up specific cyber dialogues with the US, Japan, India, South Korea and China. Close consultations with international organisations, such as NATO, the ASEAN Regional Forum, the OSCE, the Council of Europe and the OECD are also in place.
How can the EU diplomatically respond to malicious cyber activities?
On 19 July 2017, the Council agreed on Council Conclusions on a Framework for a Joint Diplomatic Response to Malicious Cyber Activities (the “Cyber Diplomacy Toolbox”) that allows the EU and its Member States to prevent and respond to malicious cyber activities. Through the use of measures within the Framework of the Common Foreign and Security Policy instruments, the EU and its Member States seek to encourage cooperation, facilitate the mitigation of immediate and long-term threats and influence the behaviour of potential aggressors in the long term. This should be seen as complementary to, but not a replacement for, existing EU cyber diplomacy engagement or, indeed, Member State activity.
How will the EU contribute to global cyber capacity building?
Global cyber stability relies on the local and national ability of all countries to prevent and react to cyber incidents, and investigate and prosecute cyber-crime cases. Supporting efforts to build national resilience in third countries will increase the level of cybersecurity globally, with positive consequences for the EU.
Since 2013, the EU has been leading on international cybersecurity capacity building and systematically linking these efforts with its development cooperation. In order to improve the EU’s ability to mobilise its collective expertise to support this capacity-building, a dedicated EU Cyber Capacity Building Network should be set up, bringing together the European Commission, European External Action Service, Member States’ cyber authorities, EU agencies, academia and civil society. EU Cyber Capacity Building guidelines will be developed to help offer better political guidance and prioritisation of EU efforts in assisting the third countries.
The EU will also work together with other donors in this field to avoid duplication of effort and facilitate more targeted capacity building in different regions.
5. Cooperation on Cyber Defence
With cyber threats being one of the major security threats of our times, a rapid increase in cyber defence capacities within the EU is needed to mitigate the risk and adequately respond to harmful cyber operations. New and existing initiatives, such as the European Defence Fund, will be central in supporting further cyber defence efforts, such as a cyber defence training and education platform.
The European External Action Service and the European Defence Agency (EDA) have been engaged with Member States on cyber defence since 2013, when the EDA Cyber Defence Project Team was set up with Member States. There will be a renewed emphasis on the EU Cyber Defence Policy Framework, adopted by the EU in 2014, that aims to raise Member States capabilities, streamline their doctrines, increase training and exercise opportunities, promote dual use research and protect Common Security and Defence Policy missions and operations.
The Member States are in the lead on cyber defence, but the EU can complement their efforts by advancing defence industrial development, encourage policy coordination between Member States on cyber defence at the strategic level and look for civil and military synergies that the EU can provide. Dual use research and development, capability development in cyber defence doctrine and technology and training will be priority areas.
Supported by the High Representative, the Commission and the European Defence Agency, those Member States interested could pull capabilities together to form projects on cybersecurity within the framework of a Permanent Structured Cooperation (PESCO).
How is EU-NATO cooperation on cybersecurity developing?
Building on recent progress, the EU will strengthen its cooperation with NATO on cybersecurity, hybrid threats and defence, as foreseen in the Joint Declaration of 8 July 2016. The two partners will also intensify the sharing of information between their respective cybersecurity bodies, i.e. the Computer Emergency Response Team for the EU institutions (CERT-EU) and the NATO Computer Incident Response Capability (NCIRC). Another key action will be their common participation in parallel and coordinated exercises and enhanced interoperability of cybersecurity standards. For the first time in 2017 and 2018 NATO and the EU will carry out parallel and coordinated exercises in response to a hybrid scenario.
Source: European Commission