Juncker proposes cyber agency


European Commission President Jean-Claude Juncker delivered his 2017 State of the Union Address before members of the European Parliament in Strasbourg on Wednesday, September 13. He quoted Mark Twain, who wrote that years from now we will be more disappointed by the things we did not do than by the ones we did. While his speech made headlines in the UK for what he had to say about the UK leaving the European Union, he also spoke of initiatives by the European Commission on trade, investment screening, cybersecurity, industry, data and democracy.

Juncker said: “Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks. (…) Today, the Commission is proposing new tools, including a European Cybersecurity Agency, to help defend us.”

The European Union already has ENISA, based in Crete. Speaking on the eve of the Tallinn Cyber Security Conference, the Executive Director of ENISA, Professor Dr Udo Helmbrecht, welcomed the Commission's proposal for a draft Regulation renewing ENISA's mandate and expanding it to address certification and standardisation of ICT products and better cooperation on preparing for and addressing cross-border cybersecurity challenges in Europe. He said: “I believe that these initiatives will improve the Digital Single Market and strengthen the ICT industry in Europe. The proposal forms a good basis for the upcoming discussions with the Council and Parliament on the future of the Regulation for ENISA and the building of a stronger cybersecurity framework for Europe.”

The network infrastructure firm NXP welcomed the proposal. It said the lack of trust by businesses and consumers in smart, connected devices remains a barrier to growth and jobs. The firm described the new Cybersecurity Package, including the Proposal for a Cybersecurity Act and a stronger mandate for the European Network and Information Security Agency (ENISA), as an important step towards making the cyberspace of the European digital market more secure and building trust in the IoT.

Ruediger Stroh, Executive Vice President and General Manager of the Security and Connectivity business for NXP said: “Implementing security by design and certified cybersecurity systems in low-cost, digital, interconnected mass consumer devices is good news to both businesses and consumers. The insight that security by design is a predicament for data privacy in the IoT is now widely accepted.”

Yet the fact that the proposed EU cybersecurity certification schemes are voluntary and are not followed by immediate regulatory obligations on vendors or service providers makes their impact highly questionable, the firm added. Effective cryptography as well as hardware and software security solutions have been available to the industry for quite some time, but few businesses have taken the needed action.

Stroh said: “If we want IoT security, we must not be afraid to act. Without a thorough certification scheme that makes security by design mandatory for manufacturers via technical specifications, the framework will have little effect. We need a binding certification – good practical approaches are available. Only then we will see a significant increase in security and privacy with manufacturers of connected devices.”