The European Union recently published a political commitment to strengthen ICT supply-chain security and proposed a new plan to expand and reinforce its EU-wide cyber defence capabilities, reaffirming its commitment to the security of its digital infrastructure and to international law and norms in cyberspace. Citing the large-scale impact of the ever-growing number of supply chain cyber-attacks on civilian infrastructure and private property, and the return of war in Europe with Russia’s military invasion of Ukraine, the European Union has renewed its emphasis on the strategic importance of cybersecurity and its key role in geopolitics in today’s world.
The Cybersecurity Tech Accord and its signatories welcome the publication of these key documents, and look forward to closer cooperation with the European Union to ensure the strengthening of cybersecurity across the continent. The Tech Accord has consistently advocated for governments to focus more closely on ICT supply-chain risks as a key issue, particularly on their potential to impact elections (Read: Supply-chain Risks, Insider Threats and How Trust Impacts Elections by Jon Ford, Managing Director of Global Government Services & Insider Threats, and Tim Appleby, Managing Director of US Federal Programs and Services at Mandiant). Our initiative works to ensure that ICT supply chain security is upheld as an international norm of behaviour in cyberspace, especially in the context of the United Nations’ Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security.
On 17 October 2022, the European Union’s body representing member states, the Council of the EU, approved conclusions aimed at charting a path towards strengthening its ICT supply-chain security. The conclusions stressed that EU member states should work on reducing strategic dependencies on third actors, including in the digital area, in order to avoid replicating the disruptions in supply chains caused by the COVID pandemic, the shortages in raw materials and semiconductors that affected supply chains across the world, and the more recent fossil fuel crisis across Europe. Dependencies on high-risk suppliers for ICT products should be further mitigated through closer cooperation among member states and like-minded international partners.
The Council of the EU seeks to achieve this by developing and deploying strategic digital capabilities and infrastructure and reinforcing its ability to make autonomous technological choices, while maintaining openness and global cooperation with like-minded partners. Member states of the EU are therefore asked to ensure that suppliers in ICT supply chains are diversified, to avoid creating dependencies on single suppliers, especially high-risk suppliers, for key public infrastructure.
With these conclusions, the Council of the EU further calls for the creation of an ICT Supply Chain Toolbox, built on the EU’s successful Toolbox for 5G Security. The Toolbox would build upon strategic threat scenarios identified for ICT supply chains and provide measures for responding to these scenarios. The Council conclusions also call for boosting financial support and incentives for measures aimed at strengthening ICT supply chains, including in key EU digital programmes like the Digital Europe and Horizon Europe Programmes.
To further reinforce the EU’s renewed push to secure its cybersecurity capabilities, on 10 November 2022 the European Parliament and the Council of the EU published a Joint Communication on an EU policy on Cyber Defence to address the deteriorating security situation following Russia’s invasion of Ukraine and to protect EU citizens and its infrastructure. Stressing the increasing relevance of geopolitics for cybersecurity, the EU recognized the need for a stronger, more united, and more active European Union in this field.
The Communication is built on four pillars which include several initiatives that the EU will undertake to help strengthen its cyber capabilities:
To reinforce coordination mechanisms among national and EU cyber defense players, the EU will increase information exchange and cooperation between military and civilian cybersecurity communities. The EU will establish an EU Cyber Defence Coordination Centre to coordinate military awareness and preparedness on cybersecurity, as well as to establish ways for collaboration between Military and Civilian CERTs.
The development of cybersecurity standardization and certification to secure both military and civilian domains will ensure a more secure EU defense ecosystem. The EU communication highlighted the need to address the security of non-critical software components that can be used to carry out cyber-attacks on companies or governments. The EU will develop recommendations on EU cyber defense interoperability requirements as well as non-legally binding recommendations for the defense community (inspired by its Network and Information Security 2) to contribute to an increased overall cyber defense maturity at national level.
Increasing investments in shared cyber defense military capabilities will be key, as will reducing dependencies and anticipating technological development to increase technological sovereignty. The EU will support such investments through its cooperation platforms and funding mechanisms available at the EU level, such as PESCO, the European Defence Fund, as well as Horizon Europe and the Digital Europe Programme.
Building on existing partnerships with partner countries, including within NATO frameworks and with like-minded countries, the EU will set up tailored cooperation in the area of cyber defense at the international level.
The Cybersecurity Tech Accord and its more than 150 Signatory companies applaud the EU’s leadership in identifying ICT supply chains as a critical aspect of cybersecurity and commend its willingness to strengthen its internal cyber defense capabilities at this turning point in history when cyber conflict is becoming a new normal. Our initiative calls on the EU to leave the door open for meaningful and constructive engagement with the multistakeholder community, including industry. Private sector digital and technology companies are uniquely placed to provide intelligence and assessment, as well as use case scenarios, on methods and preemptive techniques that can be used to ensure the security of ICT supply chains.
On 7 December, alongside the upcoming intersessional meeting of the UN Open-Ended Working Group on information security (OEWG), our initiative will host an in-person hybrid event titled: “Ensuring the integrity of the ICT supply chain”. Consistent with the UN norm to “ensure the integrity of the supply chain,” representatives from the tech sector and the United Nations Institute for Disarmament Research (UNIDIR) will highlight the dangers posed by sophisticated attacks against the ICT supply chain and what governments and the multistakeholder community can do to uphold this expectation for responsible state behavior online. Register here.