Ladies and gentlemen

It is a pleasure to be here in Munich with you today.

With so many security experts in one room, you do not need me to tell you about the global threat posed by cybercrime.

I think it is enough to say that today, people – and companies – no longer think about if they are going to be hacked, but when it will happen.

Or maybe worse, if they are not sure if they may already have been hacked.

Are they prepared to deal with it? Are we?

Will businesses survive? Is Europe as a whole prepared?

At the moment, I would say: unfortunately not. We are working hard to do something about it.

Cyber threats evolve as quickly as technology, which plays an increasing part in our daily lives.

All these devices, systems and services are connected, exposed and vulnerable.

An attack might come from a hacker for political goals. Or one with financial motives. It might be a threat made through ransomware, a hybrid threat or even nation-state cyber-espionage. Or it might have no obvious objective other than to 'disrupt' for the sake of it.

The definitions are not as clear as before.

Cyber weapons are also becoming a commodity. The concept of a predictable threat – as we used to know it – is long gone.

Today, both the targets and the attack methods are far more unpredictable.

I got first-hand experience of cyber-attacks when I was Estonian Prime Minister.

Over three weeks in 2007, a wave of distributed denial-of-service attacks crippled dozens of government and commercial servers.

It has been called Web War One – and Estonia was a clearly chosen target.

Not surprisingly, Estonia has now fixed cybersecurity as a top political priority.

Political parties and elections now also attract cyber-criminals. This risk to our democratic processes is real, and one that we take very seriously.

Critical infrastructure – like transport, energy, banking, healthcare – is at risk. No sector is immune from attack. We can no longer assume that our IT systems – emails, phones, personal computers – are safe.

But is fighting cybercrime a one-sided battle, a struggle that criminals are winning?

I do not believe that it is. But only provided that we do not become complacent. And only if we take these threats seriously and if we tackle them together.

Given the speed of technological progress, counter-measures must be constantly updated to keep up with new challenges and risks, as they emerge.

How? Regulation is one possible instrument – and there is a place for it, when appropriate. We can help ourselves with obvious precautions, like using strong passwords, two-factor authentication and preventing phishing by dealing systematically with strange e-mails.

But the main thing is to work more closely together so that we reduce the risk.

That means a solid commitment to research and investment in cybersecurity.

It means we have to coordinate closely, share experiences and know-how, and help each other.

And it means everyone: governments, law enforcement, industry, NGOs, research institutions. By sector, nationally as well as internationally.

You probably recall the events of last November, when a vast international criminal infrastructure known as Avalanche was taken down.

The operation involved prosecutors and investigators from 30 countries, with coordination provided by Europol and Eurojust.

Five individuals were arrested, 37 premises searched and 39 servers seized. Victims of malware were identified in more than 180 countries – which shows just how far Avalanche's activities had spread.

This international operation shows why we need to cooperate across borders. With cyber threats, we are all in the same boat. So we are all at risk.

Ultimately, it is individual EU countries that have to deal with attacks on networks situated on their territory. Some governments will also say that it is only they who can act to protect national security – and nobody else.

But no single country can realistically fight these attacks on its own. In addition, capabilities for dealing with cybercrime are uneven around EU countries.

That makes us all vulnerable to cross-border and cross-sector cyber threats.

Mixed national approaches and poor cross-border cooperation weaken the effectiveness of counter-measures.

International cooperation will help to fight an attack, certainly at the early stages – not only to remove a specific threat, but also contain it.

Frankly, the world has been slow to do this. In Europe, we have not been coordinated enough to cope with the problem.

And that problem is that we are fighting an almost invisible and unconventional enemy lurking in the shadows.

It is time for Europe to catch up on cyber issues. I am pleased to say this is now happening.

For the Digital Single Market to work properly, our digital networks have to be protected.

Cybersecurity is a top political priority for this Commission. As part of our commitment to make Europe a safer cyber space, we can play an important coordinating role in shaping regulation. But only where it is needed.

Last year, we set up the first EU-wide cybersecurity law, the Network and Information Security directive.

And we launched a public-private cybersecurity partnership to generate €1.8 billion of investment by 2020.

The idea is not only to fight cybercrime effectively but also to make sure that EU companies can compete in this fast-growing market, with huge potential for jobs and growth. Working closely with Europe's cybersecurity industry is vital.

Each of these steps forms part of a push throughout 2017 to strengthen the EU's overall capacity, cooperation and resilience in dealing with cyber-attacks.

Later this year, we will review the EU's cybersecurity strategy, based on three elements: directly tackling cybercrime, guaranteeing network security and working closely with our partners around the world.

Take the Internet of Things, where we know there are security concerns, not only in Europe.

As cyber-physical systems interconnect, they will become smarter, more powerful and more capable. They will bring opportunities, social and economic.

But: they will also become more vulnerable to botnet attacks that may affect thousands of devices.

The Commission has been working on how to improve the security of the Internet of Things system. By 2020, we may be looking at around 50 billion connected devices worldwide.

Since there are no rules yet for their security, we are looking at several options.

These include codes of conduct for privacy and security, and certification schemes for networked devices to provide a minimum level of secure authentication.

EU-wide certification would help to strengthen trust and confidence in the online environment, and also make sure that cybersecurity products and services are technically compatible between countries.

We are already aware of national initiatives to set strict cybersecurity requirements for ICT components in traditional infrastructure, including certification requirements.

These are important – but we should guard against interoperability gaps developing or different national requirements splintering the EU's single market.

Ladies and gentlemen

While the Network and Information Security directive is great progress, I believe that Europe needs a more systemic approach to cybersecurity.

There is growing awareness that EU-coordinated efforts – regulation as much as cooperation – can make a real difference to the resilience of European network and information systems.

As we have heard lately: "Cybersecurity is no longer enough: we need a strategy of defence, prevention and response".

But what do we really mean by resilience?

Resilience is an evaluation of what happens before, during and after a digitally networked system comes up against a threat.

Resilience accumulates over the long term. And, most importantly, it should be included in overall business and organisational plans.

That is what we, European industry, policy makers and leaders, have to make sure happens on the ground:

- to create an environment where the public and private sectors work together to minimise the risk of cyber-attacks;

- to think long-term, to prepare, to capacity-build as a way to ward off attack;

- and to make Europe's digital services and networks as safe and secure as they can possibly be.

Thank you.