22 April 2023

Europe Upgrades its Cybersecurity Arsenal — Frightening the US

Janna Brancolini

The EU’s emphasis on privacy in its mission to advance cybersecurity could drive a wedge between public and private partners.

Three days after Russia’s full-scale invasion of Ukraine on February 24, 2022, Europe’s interior ministers gathered for an extraordinary meeting to address an urgent issue: How would European governments work together to repel a Russian cyberattack that could take down their essential networks?

What happened surprised them and the world: Russia’s cyberattacks on Ukraine’s digital infrastructure failed. Ukraine’s banks kept operating. Trains continued to run. Although cruise missiles hit the Ukrainian government’s data center, Microsoft, VMware, and other Western companies had protected the data by dispersing it outside of the country. 1

Ukraine’s success depended on strong private-public partnerships and a willingness to put aside counterproductive ideas about digital sovereignty. Today, the unanswered question is whether European policymakers have learned these lessons. Will they seek to strengthen private-public partnerships? Or will they respond by mandating counterproductive cloud certification and data-localization schemes?
Europe’s Legislative Landscape

Europe approaches cybersecurity differently than the US, which sees it primarily as a national security issue. In the European Union, the emphasis is on protecting privacy and warding off economic danger, says Sandra Joyce, head of global intelligence at Mandiant, a cybersecurity leader. 1 Cybercrime costs Europe an estimated €5.5 trillion ($5.9 trillion) per year, according to the European Commission. 2

In 2016, the European Parliament adopted the Network and Information Systems (NIS) Directive, the first piece of EU-wide cybersecurity legislation. The NIS Directive required member states to shore up defenses in “critical infrastructure” such as energy, transport, water, banking, and health care. 3 Operators of this critical infrastructure must notify national authorities of serious cyber incidents, and member states must share information about ongoing risks and threats. 4

In 2021, the European Commission proposed an update called NIS 2. 5 It expanded the scope of critical infrastructure to include space, express delivery, food, waste management, public administration, telecommunications, and digital services such as social networks and data centers. 6Photo: Belgium, Brussels, 2021/06/23. Press conference by European Commission vice-president in charge for promoting our European way of life Margaritis SCHINAS and EU commissioner for internal market Thierry BRETON on security and cybersecurity strategy. Credit: Photograph by Dursun Aydemir / Pool / Hans Lucas.

Under both NIS 1 and 2, national authorities issue certificates confirming that a product has passed security tests commensurate with the product’s risk level: basic, substantial, or high. All EU countries are obliged to recognize the certificate, easing trade across borders and saving businesses time and money on multiple certifications, according to the European Commission. 7

The goal of strengthening national security is never mentioned.

The NIS cybersecurity directives contain other significant flaws. They distinguish between critical and noncritical sectors, which critics warn creates a false distinction because it is difficult to impossible to separate and classify dangers in the digital world. If everything is connected, everything becomes critical infrastructure, notes Ot van Daalen, a cybersecurity researcher at the University of Amsterdam. A vulnerable camera could be used to execute a DDoS attack against an energy company, or a hacked router could be used to access a critical health care database.
The New Cyber Resilience Proposal

Europe is attempting to plug these gaps with the Cyber Resilience Act. Proposed in September 2022, it would set common cybersecurity standards for connected devices and services not already covered by regulation. 8 Products running afoul of the rulebook would face fines of up to €15 million ($16 million) or 2.5% of worldwide turnover, whichever is higher. Once finalized, the act will classify products as “default,” “Class I,” or “Class II.”

Class I products pose minimal security risks. Their manufacturers must either follow specific standards or complete a third-party certification process. These include browsers, password managers, identity and access software, routers and modems, and mobile device applications.

Class II products present the highest security risk and must receive third-party certification before being put on the market. These include software operating systems, public infrastructure and digital certificate issuers, industrial routers and switches, industrial internet of things devices, robot sensing, and smart meters. About 90% of digital products would fall into this high-risk category, including photo editing software and video games that present no real cyber dangers.

The Cyber Resilience Act would not apply to devices already covered under dedicated legislation, such as medical devices and automobiles. Additional rules would also be imposed for artificial intelligence systems that would be classified as high risk in a separate law on AI that is under negotiation. 9

The cyber legislation would take effect in two phases. Within 12 months of adoption, manufacturers would need to report cybersecurity breaches and vulnerabilities, and within 24 months, member states and affected businesses would need to conform.

Business groups and even some member states have expressed serious concerns. By allowing third parties to judge security precautions, any certification process is inherently risky, they say.

Other corporate critics fear that the Cyber Resilience Act could slow or even stall the rollout of essential new technologies and services. 10 “Businesses would have to wait for certification before adopting product security,” says Alexandre Roure of the tech lobby Computer & Communications Industry Association.
Cloud Services and Data Localization

Another danger is conflating cybersecurity with Europe’s quest for “digital sovereignty.” The battlefield on this front is cloud services. In 2021, France’s national cybersecurity agency, ANSSI, revised its cybersecurity certification and labeling program to disadvantage — and effectively preclude — foreign cloud firms from providing services to government agencies. 11

Meanwhile, ENISA officials are finalizing a European certification scheme for cloud companies to prove they abide by high cybersecurity standards. The draft requirements could force US cloud giants to disavow Washington’s data-access laws. Only European companies could qualify for the highest certification, excluding global leaders Amazon, Microsoft, and Google. 12

If adopted, this push to develop a European cloud industry promises to be counterproductive. It would force European companies to use high-priced, low-performing local providers. It would, perversely, prove a security risk. The best way to protect data, cybersecurity experts agree, is to distribute, not localize, data, and to store it with the biggest, most technologically advanced providers. 13 Ukraine’s success in safeguarding its critical data in multiple centers outside of the country provides strong evidence that data localization is not the best way to protect against cyberattacks.

Cloud services providers, mostly US companies, fear that the changes could be used to keep them out of the European market, which would, in turn undermine the continent’s cyber defenses. In a September 2022 white paper, Google called for Europe to rethink its approach and junk closed ecosystems, digital walls, or data localization in favor of what it called “open security,” relying on private-public partnerships, threat sharing, and encryption rather than certification. 14

Many EU governments share these concerns. Estonia, the Netherlands, Greece, and Germany have objected that the proposed ENISA rules would stifle competition. 15

How this issue is resolved will be key in determining whether a legitimate quest for cybersecurity provides real protection — or whether, perversely, it is just a cover for dangerous protectionism.
Transatlantic Cooperation

The war in Ukraine underlines the importance of public-private partnerships in helping a country anticipate and deal with cyber threats.

In the hours before it sent troops over the border, Russia targeted malware at dozens of Ukrainian agencies. AI helped deflect the attack, allowing defensive software code to be deployed, according to Microsoft. 16 Such private-sector advances in digital technology, particularly AI, will remain crucial in countering bad actors.

Effective cyber policy requires bringing together a broad coalition of lawmakers, regional bodies such as ENISA, national market surveillance authorities, law enforcement, trade groups, companies, academia, and consumers, says Isabella Wilkinson, a cybersecurity researcher at Chatham House. 17

Europe should extend cooperation with the United States. At the US-EU Trade and Technology Council, European and US leaders have made cybersecurity a priority. “In the current tense geopolitical environment, risks are increasing for critical internet infrastructures,” says the EU readout of the December 2022 meeting in College Park, Maryland. 18 The two sides vowed “to facilitate projects that strengthen the resilience of infrastructure such as strategic overland and subsea cables.”

Yet the EU and US are moving at different speeds. As the EU rushes ahead with its cyber plans, US cyber regulation remains rudimentary. A decade ago, the US Chamber of Commerce spearheaded a campaign to block legislation that would have imposed cybersecurity requirements on private businesses. Since then, the US has relied on voluntary schemes, executive orders, and the federal government’s purchasing power to raise cybersecurity standards, all with limited success.Photo: A woman looks at the screens during the Locked Shields, cyber defence exercise organized by NATO Cooperative Cyber Defence Centre of Exellence (CCDCOE) in Tallinn, Estonia April 10, 2019. Credit: REUTERS/Ints Kalnins

The war in Ukraine, coupled with the May 2021 ransomware attack on the Colonial Pipeline, increased the US appetite for action. 19 In June 2021, the Senate confirmed the country’s first national cyber director, and the following year Congress allocated $22 million for the office. 20 In 2022, President Joe Biden imposed the first cybersecurity regulations on oil and gas facilities. 21

In March 2023, the administration released a new cybersecurity strategy seeking to require companies to report vulnerabilities and intrusions, which had previously been voluntary. 22 But most changes require congressional approval, unlikely with a Republican Party-run House of Representatives.

The Biden administration advocates establishing a virtual rapid response mechanism at NATO. It has also vowed to unveil a new US cybersecurity program, though it has missed self-imposed deadlines for publication. 22 Russia’s attack on Ukraine has underlined the importance of effective cyber defense. Let’s hope Europe and the US learn the lessons.
Policy RecommendationsEurope’s Cyber Resilience Act should avoid slowing implementation of innovations such as AI that will protect connected services.Europe’s cloud certification scheme should avoid adopting protectionist measures and imposing data-localization requirements.Europe’s cybersecurity strategy should involve increased stakeholder participation, including industry groups and businesses, to promote public-private partnerships.The US-EU Trade and Technology Council should be used to head off potential conflicts in US and European cybersecurity policies — and to prevent Europe from using cybersecurity to keep US cloud companies out of its market.

Janna Brancolini is a Nonresident Fellow with CEPA’s Digital Innovation Initiative. She is an independent journalist based in Milan, Italy, covering legal affairs, business, technology, and sustainability for Bloomberg and the Los Angeles Times.

Corrections were made on April 10, 2023: An earlier version of this paper stated the European Union Agency for Cybersecurity (ENISA) would be made permanent by the EU’s Cyber Resilience Act. ENISA was given a permanent mandate by the EU’s Cybersecurity Act in 2019.

No comments: