Keynote speech at Munich Security Conference, 16 February 2018
[Check Against Delivery]
Ladies and gentlemen,
I am particularly glad to open this session on cybersecurity here at the Munich Security Conference, together with CEOs and leaders of very important companies.
I welcome the initiative behind the "Charter of trust for a secure digital world" that will be signed today.
It sends the right message at the right time on the right issue: cybersecurity matters and it is the responsibility of all of us.
The security environment has changed dramatically over the past few years, in Europe and in the world.
We face new and ever more severe and complex threats, often more hybrid in their nature.
They are coming from both established and new forms of actors.
The distinction between internal security and defence becomes increasingly blurred.
Cyber-attacks are a new form of conflict, often relevant to both civil and military domains.
Last year alone, we faced a massive wave of international cyberattacks, affecting several EU Member States.
WannaCry. Petya. Or more recently the organisation of the Olympic Games.
Attacks might come from hackers for political goals or with financial motives. It might take the form of ransomware, be part of a hybrid threat or even be nation-state cyber-espionage. Or it might have no obvious objective other than to 'disrupt' for the sake of it.
Our economies and societies depend increasingly on the internet and global connectivity. Smart connected devices are an integral part of our daily lives.
And the recent attacks underline how much our societies and economies are vulnerable. Be it government networks, power grids, webmail providers, central banks, telecom companies and electoral commissions, transport services.
For most companies, the challenge is no longer if they will be attacked but rather when it will happen. Or even worse: are they sure they have not already been hacked?
From a more defence perspective, cyberspace has become the fifth domain of warfare, equally critical to military operations as land, sea, air, and space.
And Europe - its Member States, its companies, its citizens - is vulnerable. It has neither the capacity, nor the structures or the processes in place to respond adequately to massive cyber-attacks.
In the face of those common threats, we need a common response, especially at EU level, using all EU policies and instruments.
The EU is acting
And we are acting in that sense.
The first line of action is on the recognition that the nature of the threats facing Europe has evolved.
Two years ago, I put forward, together with Federica Mogherini, a joint Framework to counter Hybrid threats. This was the first time ever that a strategy was designed at the highest political level against hybrid threats, including cyber threats.
Since then, we have made significant progress in improving awareness, building resilience and responding to crises.
We established the Hybrid Fusion Cell at EU level able to collect and share intelligence on hybrid threats. We also built the Centre of Excellence for Countering Hybrid Threats in Helsinki.
The second line of action is the renewed cybersecurity strategy that the Commission put forward in September last year under the leadership of Vice President Ansip and Commissioner Gabriel.
Our objective is to reinforce the EU's cyber resilience through concrete actions.
First, we proposed to transform ENISA into an EU cybersecurity agency able to prevent and respond to cyber-attacks in a more coordinated way. The agency will be able to conduct pan-European cybersecurity exercises and will ensure a better sharing of intelligence.
Second, we promote the creation of a true Single Cybersecurity market with an EU-wide framework for cybersecurity certification which is crucial in the light of the rapid development of the Internet of things.
Third, we are proposing a blueprint for responding faster and in a more coordinated way at EU level to large scale cybersecurity incidents.
Fourth, we are looking at the possibility to have more solidarity in case of attack through the set-up of a Cybersecurity Emergency Response Fund.
Fifth, we are proposing to develop a network of cybersecurity competence centres with a European Cybersecurity research and competence centre. Its role will be to roll out the technologies and cyber-capacities needed to detect and counter cyber-attacks.
The third line of our action, and besides the cybersecurity strategy, is to mainstream cybersecurity principles in all the key strategic sectors. Cybersecurity is a cross sectoral issue. And a weakness in one sector can have an important impact on others and the rest of the economy.
Let me take a concrete example highlighting the importance of cybersecurity at every level.
Being in charge of the EU Space policy, I coordinate the development of 2 flagship space programmes: Galileo and Copernicus.
Now that these systems are becoming operational, and more and more essential to our economies, we need to think seriously of the protection of these European space assets.
Galileo is essential for navigation systems, communications, search and rescue and to other critical infrastructures such as electricity grids and financial markets, which use the timing signal of these systems to synchronise their networks.
Copernicus, the earth observation system from space, is essential in agriculture, environmental protection, civil protection and disaster management, but also security and defence.
All the existing and potentially future space programmes (GovSatcom and SST) are vulnerable to cyber-threats. With consequences which could be very serious.
Our Space Strategy of October 2016 underlines the need to protect them and other critical European space infrastructure and services.
This requires having the best technologies at hand. This requires including cybersecurity principles within the design itself of these complex space systems.
Space is only one example. But this is true in so many other sectors: banks, aviation, cars, IoTs etc.
The Fourth line of our action at EU level is to strengthen the link with Cyberdefence. More precisely we want to develop specific cyber-defence capabilities. The line dividing cyber security and cyber defence is very thin.
This is in particular the case when it comes to the underlying technological challenge of preventing, detecting and countering cyber-attacks. Europe must ensure it has the industrial and technological capacity to be resilient.
It is a question of strategic autonomy and technological independence. And this is a central element of my action.
Last June, under my leadership, the Commission proposed the creation of a European Defence Fund with almost €600m up to 2020 and 1.5bn a year after.
Its objective is to develop the defence capabilities we need to ensure Europe becomes a security provider on its own, preserves a certain level of strategic autonomy and does so in an efficient manner, i.e. through better cooperation between defence industries.
This is the first time we are putting forward EU money to support defence capabilities.
It is a test for the whole EU. It is part of the Future of Europe we want to build. A Europe that protects requires that we make certain important choices in the technological capabilities we want to retain in Europe.
The European Defence Fund can and will be a vehicle to develop cyber-defence capabilities which could be useful to ensure more generally cyber resilience of Europe in the civilian or military domain.
For instance, projects such as innovative encryption systems, pan-European military secure networks, innovative capabilities to detect and identify attackers, and sustainable training and rapid response can be very helpful for Europe in its answer to the global technological challenge at stake.
And this is already a reality. This year, as part of the research pillar of the Fund, we will support the emergence of encryption technologies that are key both for military and civilian use.
We are also currently negotiating the first version of the Fund which will be active as of 2019. We are especially waiting for the opinion of the European Parliament next week to finalise hopefully an agreement by this summer. And the first capability projects, including cyber projects, are to be financed as of 2019. We count on Member States and industry to propose key strategic projects to be financed.
Cyber is also well covered in the recently launched Permanent Structured Cooperation on Defence, especially on information sharing, training and operations support. And two PESCO projects are directly related to the development of cyber defence capabilities.
Finally, we are also working in the framework of the renewed and strengthened EU-NATO Cooperation. Cyber-defence is part of the 47 concrete actions that were agreed between the EU and NATO following the adoption of a new EU/NATO Declaration in June 2016.
In the context of the cooperation with NATO, several activities are taking place such as:
- Fostering interoperability;
- Harmonising of training requirements and carrying out joint training;
- Fostering cooperation in Cyber Defence Research and Technology Innovation;
- Organising joint cyber exercises.
Allow me at this point a more general and political remark: strengthening Europe's capacity in defence matters in general will go hand in hand with reinforcing NATO.
Europe's recent move on defence cooperation is not in contradiction with NATO. On the contrary, a stronger Europe in defence means ultimately a stronger NATO.
Yes, European cooperation in defence is moving forward at an unprecedented speed. We have achieved more in the last year than in the last 60 years on that topic.
However this should not be feared, but looked at as an opportunity: this means that Europe is becoming an even more credible partner for its allies.
And this is not a protectionist move. Simply Europe organising itself to ensure progressively its own security, including on cybersecurity/cyberdefence.
Ladies and gentlemen,
Cybersecurity and cyber defence are very high on the political agenda of this Commission.
We have put forward concrete proposals to strengthen cooperation and coordination at EU level. However, it is clear that more needs to be done so that cybersecurity becomes a reflex and not anymore just a "nice to have".
If we are to succeed, we need to work in partnership with all the actors, including the businesses.
So this is why I welcome this Charter.
The questions of Defence and Security are at the hearts of our citizens.
A year before the European election, we owe it to our citizens to show that we are taking their security very seriously. Cyber threats are crossing borders easily; this is why the answer can only be a stronger Europe in cybersecurity/cyberdefence and ultimately a stronger cooperation with our allies on the global stage. This is key to the Defence and Security union we want to build.