ENISA, the EU’s cyber-security agency, is helping to bring much-needed alignment across the 28 member states of the European Union, according to the agency’s director of operations Steve Purser.
Interviewed at FIC 2019 last month in Lille, France, he told SC Media UK that "up until a certain point when the EU got involved, countries were doing things in different ways", making it more difficult to coordinate in the event of pan-European cyber-security incidents.
Purser said that while some countries had an asset-based approach, others took a procedural view – and some used a mix. "Nothing wrong with that," he said. "We were never looking for everyone in Europe to do the same things, but we are looking for approaches that are aligned so that it’s compatible and you get a successful cross-border approach to cyber-security in critical infrastructure."
ENISA recently received a boost to its authority and budget with the passage of the EU Cyber Security Act, which has given ENISA a permanent mandate – something it didn’t have before – and created a new task for ENISA in cyber-security certification.
Ultimately, ENISA’s aim is "to make sure that if anything pan-European happens, we have enough infrastructure and process in place to take care of it," he said.
Key to this is information sharing, but Purser warns that despite how much people talk about it, it’s more difficult than it looks. "I've been in this business a very long while – and I’ve been talking about this for the past 10 years – and I think the secret of this is not to treat it too glibly," he said.
Sharing too much information, or indeed the wrong information, simply leads to data overload, he warned. "You still see people at conferences saying, we need to share more information, but that doesn't mean anything. My take on this would be, you need to share the right information with the right people at the right time for some specific goal," he said.
He added: "We still get lots of requests to collaborate with ENISA, which is sort of rather vague – full of good intentions – but where they tend to fall down is either because things are not focused enough or because people totally underestimate the amount of effort it takes to keep collaboration going. It's actually very high."
Communication in the event of a major cyber-incident is perhaps more important than continuous data sharing, and one of the ways that ENISA encourages it among member states is through its Cyber Europe exercises. Held every two years since 2010, the exercises involve private and public sector organisations across Europe in large-scale cyber-crisis simulations.
A report on the first exercise in 2010 found that 55 percent of participants were not confident that they could find vitally important points of contact in other member countries in the event of a full-scale cyber-security crisis.
Purser said important lessons were learned from that first exercise. "We wanted to test three things in the case of a cyber-security emergency. Who do you call? What is your understanding of their decision making power? And what techniques do you use to exchange the necessary information?" he said.
"We did badly on all three," he confesses, adding: "Which was the best thing that could have happened because we woke up the community."
Based on this feedback, member states improved their communications through successive iterations of Cyber Europe, including the 2018 exercise, which centred on a simulated attack on the aviation industry.
What’s the evidence that it worked? Purser points to the way Europe managed the WannaCry attack in 2017. "You could say, you didn’t do very well," he says, "but in fact I would argue the opposite… we did a lot better than we would have done otherwise."
While it wasn’t perfect, the response was more effective than it would have been without the exercises in crisis communications, he says. There were many pre-existing vulnerabilities in organisations affected by the attack that cyber-security agencies across Europe could do nothing about. The silver lining is that it has motivated governments to address the issues, with Purser reporting significant improvements in cross-border cooperation.
Despite the recent boost to its status with the passage of the Cyber Security Act, Purser is under no illusions about ENISA’s abilities to resource cyber-security across Europe. "I have a team of around 55 people – and they're really good people and I'm proud of them – but that's not a lot to secure Europe," he says.
ENISA relies on the thousands of specialists in the member states in organisations such as the National Cyber Security Centre (NCSC) in the UK, Germany’s Federal Office for Information Security (BSI) and the French cyber-security agency ANSSI.
"Our job is to bring these people together and to leverage their competence," Purser says. "And here's what I've learned for doing this for 10 years: first of all, if you take this approach, and you give people not the solution, but the problem, you get a lot of innovation coming back. But secondly, you get a sense of ownership, because it's their solution. So at ENISA, I'm not saying we don't try to do that – we try to be innovative like everybody else – but it's much more sensible, I think, to use all the thinking power that's out there and get people involved in the process, who feel as if it's their process, to contribute."
Only in this way will ENISA achieve the scale to meet the rapidly growing challenge, he says, noting that many of the processes and ideas which drive cyber-security were born in the mainframe era while Europe races ahead with the digitalisation of its economy.
By 2020, he says, it’s predicted that Europe will have in excess of 20 billion connected devices. While the current thinking tends to focus on securing the network from the insidious effects of the device – a mainframe-era paradigm – the focus should instead be on securing the device from the network.
Unfortunately the remorseless logic of the market – pile it high, sell it cheap – means that manufacturers and consumers are failing to put a premium on security. Cheap devices are shipped in an inherently unsecured state, a shortcoming that is compounded by the inability to manage or update the devices effectively.
To that end, one of ENISA’s new remits under the Act is to create a cyber-security certification scheme for hundreds of products and services.
Purser says that ENISA will work closely with member states to create the various certification schemes, which will then be implemented by the member states and the cyber-security industry.
Part of this will involve educating European citizens about the value of buying certified products and services and "gradually bring the markets into more secure practices", he says.
One issue hanging over the entire pan-European cooperation drive is Brexit, the imminent departure of one of the EU’s most significant cyber-security players when the UK ceases to be a member state on 29 March 2019.
Purser says the loss of the UK as a cyber-security partner will be keenly felt in the EU, but he is hopeful that cooperation will continue as it is truly a "global problem".
"The UK is very strong in cyber-security, and we will continue talking one way or another – it just will not be according to the same rules in the same frame," he says.