ENISA – the EU Cyber Security Agency – aims to broaden its mandate in the next organisational review, due to take place in September.
The vice president for the digital single market, Andrus Ansip, visited ENISA this month and said that a new approach to cyber-security was required because of the rising incidence of cyber-crime, especially attacks against IoT devices, businesses and critical infrastructure.
The mid-term review of the Digital Single Market made cyber-security a key priority and will require a new role for ENISA, Ansip said. “The Commission will review the EU cyber-security strategy and propose a new ENISA mandate in 2017. As part of this approach, the Commission is also working on cyber-security certification and labelling to make the EU digital environment safer.”
ENISA's executive director Udo Helmbrecht warned that threats were evolving quickly with the changing cyber landscape which threatened the economic well-being of the EU. “There is now a greater risk that cyber incidents will have an impact in more than one member state. Today, more than ever, there is a place for a European body such [as] ENISA to be positioned with a cyber-security mandate that is resourced to address the cyber challenges of today and tomorrow, and which facilitates and complements the activities of member states towards harmonisation while supporting cost-efficiently the digital single market.”
In a document, “Cyber security beyond 2020”, ENISA set out its case for a wider mandate. It currently has an annual budget of €11 million (£9.5 million) and employs about 84 people. However, quoting Moore's Law in his introduction to the report, Helmbrecht said this wasn't enough to protect the EU against the rising flood of cyber-crime.
In particular, he would like to see the agency's mandate strengthened to give it “a stronger position in addressing the cyber-security lifecycle challenges and improving the ability to address its own initiative tasks list”.
It was acknowledged that this would require a larger budget for ENISA, although the exact amount was not specified.
ENISA recently agreed “a common position on cyber-security” regarding IoT and smart devices in a paper that identified four key challenges. Developed in cooperation with industry, it is touted as “a set of suggestions for policy makers”.
During the recent WannaCry outbreak, ENISA organised a dedicated cyber taskforce, which it described as “the first ever case of cyber cooperation at EU level” and which involved deploying EU Standard Operating Procedures. In addition, ENISA reported regularly to the European Commission and liaised with its partners at the EU CSIRT Network.
ENISA's request for a larger budget was welcomed by Mark James, security specialist at ESET. In a statement to the media, he said: “Anything that helps us target cyber-criminal activity with a view to eradicate or slow it down has the thumbs up from me. And seriously however small it may seem it has to be a good thing, right?
“We are not going to win the war overnight; however, we need solid intelligence, a good covering of knowledge and understanding as well as strong solid experience in the fields that need it. We also need to work together and this is not going to happen, unless everyone does it.”
Alex Mathews, lead security evangelist at Positive Technologies, said in a press statement, “As has been proven time and again, proactive intelligence sharing and cross-border collaboration is absolutely crucial in countering this threat. It aids with a swift response and provides enforcement with teeth. As more and more everyday objects become interconnected, the need for this will only increase.”
And Javvad Malik, security advocate at AlienVault, commented in an email to SC: “While it may not be possible to come up with a definitive answer to addressing the cyber-security challenges faced today, ENISA definitely is a step in the right direction where we need more resources, not less. By building a community that spans across every EU country, it can be well-positioned to help identify and take action against threats, particularly for nations with fewer resources.
“However, it is important to remember that today's cyber-threats aren't restricted by geography, so while ENISA is great for Europe, it would be ideal to see similar efforts replicated across the globe. The more the security community can share threat information freely and quickly to identify the methods, tools and infrastructure used by attackers, the better placed companies and nations [will be to] defend themselves.”