EU Council Adopts New Cybersecurity Strategy
Promotes Best Practices, Including Strong Encryption, Threat Information Sharing
The Council of the European Union has adopted a new cybersecurity strategy aimed at protecting EU citizens and businesses from cyberthreats by promoting best practices, such as strong encryption and threat information sharing.
The strategy outlines a set of frameworks for cybersecurity designed to help build "a resilient, green and digital Europe."
It calls for setting up security operation centers across the EU to monitor for attacks on networks. It also endorses implementing a security standard for 5G technology.
"The key objective is to achieve strategic autonomy while preserving an open economy," the EU Council notes. "This includes reinforcing the ability to make autonomous choices in the area of cybersecurity, with the aim to strengthen the EU's digital leadership and strategic capacities."
Other Action Items
The strategy calls for:
- Creating a joint cyber unit focused on the EU's cybersecurity crisis management framework;
- Accelerating the uptake of key internet security standards;
- Developing strong encryption while protecting fundamental rights and supporting law enforcement and judicial authorities;
- Preventing and countering cyberattacks that might affect supply chains, critical infrastructure and essential services;
- Establishing a cyber intelligence working group to strengthen the EU's Intelligence and Situation Center, which is responsible for sharing classified information with its member states;
- Establishing EU external cyber capacity by strengthening cooperation with international organizations and partner countries to increase cyber resilience.
Experts Weigh In
Senior security experts attending an online EU cyber policy forum on Tuesday hosted by cybersecurity firm Kaspersky supported the new cybersecurity policy, calling it a much-needed measure.
Guillaume Poupard, director general of the French National Cybersecurity Agency, which is known as ANSSI, said: “The new EU cybersecurity strategy includes a lot of very good things. We want to add European sovereignty to national sovereignty … with real ambition to increase global security in all states and with the EU and global states working together. Those without capacity do need to develop capacity. The new strategy is to cooperate all over Europe to help each other.”
Bart Groothuis, a member of the European Parliament, said member states should focus on establishing a common cybersecurity standard across Europe.
He also called for the creation of a Computer Security Incident Response Team for all of Europe to help with threat intelligence sharing. “You must make new ways of collaboration possible,” he says.
Commenting on the need for strong encryption, Kaspersky CEO Eugene Kaspersky noted: "Developed economies like the EU are still living with vulnerable communications, critical infrastructure, transportation – it’s a high risk. We need immune systems that are secure by design."
Regarding supply chain security highlighted by the new strategy, Lorena Boix Alonso, director for digital society, trust and cybersecurity at the European Commission's DG Connect, emphasized the need for security by design and cooperation of all member states. "It is important to find intrusions quickly and adopt a coordinated response strategy by members," she said.
Standards can play a critical role, said Susana Asensio, a member of the board of directors at the Industrial Cybersecurity Center in Spain. “We want to define cybersecurity requirements for industrial projects and set standards and requirements,” she said.
Many organizations in the EU have been targeted for attacks, including those tied to the global SolarWinds supply chain attack and exploits of unpatched flaws in on-premises Microsoft Exchange servers.
On Monday, Swiss cybersecurity firm Prodaft said it has accessed several servers used by an advanced persistent threat group tied to the SolarWinds supply chain attack that continues to target organizations in the U.S. and the EU (see: Swiss Firm Says It Accessed SolarWinds Attackers' Servers).
Earlier this month, the European Banking Authority acknowledged that it was a victim of Microsoft Exchange Server attacks, but it said that there were no indications of data exfiltration (see: European Banking Authority Sustains Exchange Server Hack).