Ladies and gentlemen,
Thank you for your invitation. This is a timely event: cybersecurity was a major theme of this year's State of the EU address. President Juncker spoke about the need for the EU to be better equipped to face the continuously evolving threat from cyber. Given the audience I am happy to be able to give you a preview of the proposals we will be launching early next week.
I don't need to say – in Estonia of all places – how important cybersecurity is.
This country has embraced the enormous opportunities of digital.
It has also seen the consequences a large-scale cyber-attack can bring.
We all live in an ever-more deeply interconnected age, ever more dependent on internet services.
That brings many social and economic benefits. But it also brings new risks – both in form but also crucially in scale.
Staying secure online is becoming as important as staying safe offline.
The EU started work on tackling this threat back in 2013 with the EU cybersecurity strategy.
And the Network and Information Systems Directive we agreed last year built on this, requiring critical services essential for our society to be properly protected.
But the threat continues to change both in its nature and also in terms of the expanding threat surface.
It's not just computers and phones that are connected; but homes and hospitals; governments and electricity grids; the news we read and, soon, the cars we drive.
The internet of things means potentially tens of billions more devices going online.
Cyber threats are becoming more strategic, with the ability to endanger our critical infrastructure or even our democratic institutions.
And they are becoming endemic, spreading from IT networks into the business-critical operations of other economic sectors.
Since 2016 more than 4,000 ransomware attacks have occurred every day, a 300% increase compared to 2015. Recent big attacks like WannaCry showed both how large the impact can be – and how far we have to go in improving our response. It affected over 230,000 systems in 150 countries and was a powerful reminder of just how significant the challenge facing us is.
So the Commission will propose reinforcing our collective response, based on the three pillars of resilience, deterrence and defence. In all these areas, we need to strengthen cooperation, and how we work together. And we need to focus at the same time on international governance and cooperation.
First, we urgently need to become more resilient. We must make ourselves harder to attack, and be quicker to respond.
The Commission will propose a new EU Cybersecurity Agency based on ENISA – the EU’s Network and Information Systems Agency – to help ensure a rapid and coordinated response to attacks across the whole EU.
The starting point is for Member States to implement fully the NIS Directive we already have. To review their national strategies to take in all relevant dimensions of society and the economy.
To extend beyond the critical sectors already set out in legislation to other sectors at risk, starting with public administrations.
And to ensure that Computer Security Incident Response Teams (CSIRTs) are properly resourced – something for which there is EU funding available through the Connecting Europe Facility.
Security by design approach
But the Cybersecurity Agency also needs to help ensure that those tens of billions of new products are sufficiently cyber-resilient – both before they are put on the market and beyond, as new threats emerge. That means establishing an EU cyber security standards and certification framework to ensure that security is built in: “security by design”. With devices developed to the highest standards and producers offering a ‘duty of care’ to make their products cyber-secure. The framework should promote new EU-wide certification schemes and procedures, a comprehensive set of rules, requirements and standards at European level to evaluate how secure digital products or services actually are. So buyers can know which products, services, connected devices are cyber-secure and to be trusted allowing them better to choose the right product.
Cybersecurity: everyone's responsibility
Laws are one thing; culture is another.
Some 95% of successful attacks are enabled by some type of human error.
So, cyber security begins at home; with simple cyber hygiene practices like safe passwords, checking attachments and backing up. Not rocket science, but it can make a real difference.
People need to develop better cyber hygiene habits; and businesses and organisations also need to adopt appropriate risk-based cybersecurity programmes and update them regularly to reflect the evolving risk landscape.
We've seen some great examples of cooperation. Supported by Europol, "No More Ransom" is a public-private initiative that – since launch last year – has helped over 28,000 successful decryptions, depriving cyber criminals of an estimated €8 million in ransom money.
Of course attacks can also have a political rather than a criminal motive. They may seek to spread propaganda; even undermine democratic processes. Awareness-raising about online disinformation campaigns and fake news can help. There are already successful EU and national examples, including here in Estonia. And we need to promote and build on this.
Investment in innovation and skills
Building resilience also means having people with the right skills, driving technological innovation to stay ahead of those looking to attack us.
Europe faces a "cyber security skills gap", a shortfall currently estimated to sum to 350,000 people by 2022. Addressing this skills gap is central to effective resilience. So cyber must be mainstreamed and prioritised into education and training curricula.
It’s a fact of life today that many European manufacturers depend on acquiring critical technologies from outside the EU.
We have taken the first step towards boosting European industrial capabilities, with the creation of the Public-Private Partnership on Cybersecurity, which will mobilise €1.8 billion of investment, running until 2020.
We want to complement and continue that work. So we propose to create a pan-European cybersecurity competence network to reinforce capabilities across Europe. And alongside that, a new European Cyber Security Research and Competence Centre to focus on new solutions supporting and benefiting EU companies. We will present a proposal next year, building on a pilot phase which starts soon.
The Blueprint for crisis response
The final element of our proposals to strengthen resilience is to up our game in responding to cyber incidents. As recent attacks have shown, there are many different actors that need to be involved; and they need to work together, swiftly and efficiently.
We have set out a Blueprint so we have a well-rehearsed playbook for how to respond to a severe cross-border incident or crisis.
It was issued this week – we will obviously now need to test and update it with all those stakeholders involved.
Making ourselves harder to attack through real resilience is only part of the answer. We also need to create real and credible disincentives for those who might contemplate attacking us – be they criminals, hostile non-state or state actors. Simply put, that means dramatically increasing the chances of getting caught and attaching severe penalties to committing hostile cyber acts. Credible cyber deterrence therefore encompasses effective detection, traceability, investigation and prosecution. And in all this, as the private sector runs so much of cyber space, again we need to reinforce public/private cooperation.
Tracing and identifying perpetrators is notoriously difficult. That's why we want to look at ways of identifying websites and IP addresses including encouraging the uptake of the new protocol (IPv6), as it allows the allocation of a single user per IP address, which can bring benefits to users as well as wider cybersecurity.
Law enforcement capacities need to keep pace with the fast-changing technological tools and modus operandi of cyber criminals. We need therefore to step up cooperation and sharing of expertise and to reinforce the cyber forensics and detection capabilities of Europol.
There are also challenges to access digital evidence. We want to tackle barriers to prosecution, including by facilitating access to electronic evidence. Digital services and data flows are cross-border in nature but the work of investigators and prosecutors is still too often set within national frameworks. So we will come forward soon with specific measures to speed up the processes for dealing with cyber-crime, terrorism, and other forms of digital criminal activity.
To boost our capacity to prosecute and sanction hostile cyber actors, we have already adopted Directives on attacks against information systems and on child sexual abuse. We are now adding to this with a new proposal addressing payment fraud, which is more and more a digital crime.
Deterrence is not only about stepping up the law enforcement response but also about stepping up the political response to attacks and building up deterrence through Member States' defence capabilities.
There is a clear international, political and defence element to our approach on cybersecurity. Cyber security lies at the interface between internal/external, public/private and civil/military, which makes it complex and challenging. But we need to cover all the bases. We want to work with the Member States to explore the scope for the EU Defence Fund funding projects to help develop and strengthen capabilities in this area.
And finally, we need to boost the current international processes to agree on the norms of state behaviour, the applicability of international law and confidence building measures in cyberspace.
The Foreign Affairs Council Conclusions in June adopted "the cyber diplomacy toolbox", a framework for responding to malicious cyber activities against the EU, which envisages a series of countermeasures against aggressors, including sanctions.
International cooperation
There is a need, now more than ever, to team up with our key international partners and work together.
The EU will continue strongly to promote the position that international law, and in particular the UN Charter, applies in cyberspace. It will also continue to support efforts to build national resilience in our neighbours and other third countries which will help raise the level of cybersecurity globally, with positive consequences for the EU.
Building on the substantial progress already achieved, the EU will deepen EU and NATO cooperation on cybersecurity, hybrid threats and defence.
With 22 common members, the EU and NATO have a shared interest in becoming more cyber resilient.
The EU-NATO Joint Declaration signed in Warsaw last year provides a clear framework for joint work and a number of concrete initiatives have already been taken forward as confirmed at the latest Foreign Affairs Council.
Significant progress has been made in many areas, from countering hybrid threats, to operational cooperation in maritime security, to cyber security and defence initiatives, to name just a few.
For the first time, NATO and EU staff are exercising together their response to a hybrid attack scenario.
In the coming months and years we shall continue to deepen exchanges between the EU and NATO to synchronise, complement and enrich our respective approaches to resilience and countering hybrid threats at home and abroad.
Ladies and gentlemen, the interconnected world in which we live today offers many opportunities for citizens, governments, international organisations, and public and private actors. But it also offers unprecedented opportunities for criminals, terrorists, and other hostile actors. That is why it is essential to work together to build our resilience, to drive technological innovation, to boost deterrence, including through traceability and accountability – and to harness international cooperation, to promote our collective cybersecurity. The Commission stands ready to play our part – working with the Estonian Presidency – to take this forward.