Ambitious cybersecurity plans for the European Union (EU): Bolstering defenses and strengthening the Union’s voice internationally

In December 2020, the European Commission unveiled a set of proposals focused on a values-based, secure digital market, including a new EU Cybersecurity Strategy and within it a proposal to revise the Directive on Security of Network and Information Systems (NIS Directive). These acts, come at a critical time as the original NIS Directive was proposed in 2013 with negotiations finalized in 2017, and the most recent Commission communication on cybersecurity also published the same year.

As we know, technological advances are changing the world and how we live in it. Data shows that connected devices are forecasted to rise to 25 billion by 2025, with a quarter of these located in Europe. The global COVID-19 pandemic has accelerated our digital interconnectedness and underscored how reliant we are on technology, but also revealed our vulnerabilities and the determination of malicious actors.  For example, the surge of attacks targeting healthcare providers, agencies, and vaccine manufacturers at such a pivotal moment, has shown how cybersecurity can impact life and death. Additionally, the recent intrusion into the United States government systems highlights the importance of supply chain security and international accountability mechanisms’ efficacy. Now more than ever, our cybersecurity threat landscape prompts an urgent and critical need for global thinking with updated proposals to ensure that cybersecurity policies accurately reflect the digital age and the multistakeholder cooperation necessary for success.

The new proposals seek to address issues that surfaced on a global stage in 2020. The strategy consists of three core pillars:

  • Resilience, technological sovereignty, and leadership.
  • Building operational capacity to prevent, deter and respond.
  • Advancing a global and open cyberspace through increased cooperation.

The first pillar seeks to reform the network and information system security rules to increase the resilience of critical national infrastructure (CNI). There are also plans for the EU to launch a network of security operation centers across the Continent in an EU Cyber Shield. Further measures look to provide support for small and medium-sized enterprises, as well as cybersecurity training and recruitment programs, opening doors for more public-private efforts to increase the digital skills of every citizen.

The second pillar envisions the creation of a new Joint Cyber Unit to strengthen security cooperation between EU bodies and relevant member state authorities. Of particular interest to the Cybersecurity Tech Accord signatories are the proposals to strengthen the EU Cyber Diplomacy Toolbox to “prevent, discourage, deter and respond” against malicious activities, as well as the Union’s focus on enhancing defense cooperation.

Finally, the EU plans to work with international partners to strengthen rules-based global order, ensure security and stability in cyberspace, and protect human rights freedoms online.

This strategy also recognizes the deterioration of an effective multilateral debate on international security in cyberspace and the need for the EU and member states to take a more proactive stance in these discussions. This is a sad but necessary realization, and we hope that the EU, collectively and across the member states, can help reinvigorate this important aspect of international relations. We particularly welcome the proposal to adopt a common position on the applicability of international law in cyberspace.

The Cybersecurity Tech Accord signatories look forward to working with the Institutions in Brussels and the member states, in support of the implementation of these ambitious and timely plans. We are excited that the EU intends to elevate its leadership in several areas related to international peace, stability, and diplomacy – issues that we have vocalized since our inception. The strong emphasis on multistakeholder inclusion across civil society, academia and the private sector is particularly welcome, as is the focus on protecting human rights freedoms online.

It’s important to acknowledge that establishing clear rules will not be enough to ensure security and stability online. Thus, we are excited about the proposals to bolster the EU cyber diplomacy toolbox, which seeks to deter and respond to malicious cyber activities. We agree that the EU should focus on significant attacks that target critical infrastructure (such as healthcare), democratic institutions and processes, as well as supply chain attacks and cyber-enabled theft of intellectual property. Collective attribution and restrictive measures adopted by all 27 member states and agreed upon with qualified majority voting will be a major step for deterrence frameworks in cyberspace.

Finally, the Cybersecurity Tech Accord signatories would like to highlight the focus on WHOIS in the revised NIS Directive. Over the past two years, we have drawn attention to the challenges that arose from the restriction of access to domain names and registration data, which is essential to cybersecurity research, threat detection, analysis, and mitigation. We are therefore delighted to see that the EU plans to work to maintain “accurate and complete databases of domain names and registration data, or ‘WHOIS data’, and providing lawful access to such data as essential to ensuring the security, stability and resilience of the DNS”. Very common cyber threats such as domain spoofing, phishing, DNS hijacking, and DDoS attacks can and should be minimized by ensuring that lawful access to WHOIS data is enabled as soon as possible so that we can once again combat cybercriminals.