The European Union wants to create an "Open safe and secure cyberspace"
May 2013 by Marc Jacob
The European CyberCrime Centre (EC3) is seeking to to proactively fight against cybercrime in working for the coordination of the actions of EU countries. The EC3 is effectively becoming a European control centre in its role as provider of critical information for the work of investigators. This organisation should enable rapid reaction against cybercrime affecting critical infrastructure and information systems in the Union. EC3 missions fall directly within the European cybersecurity strategy and will create an "Open safe and secure cyberspace."
Bruno Halopeau, Strategic Advisor at European CyberCrime Centre(EC3) Europol and Member of Permanent Stakeholder Group of ENISA
GS Mag: Can you explain what EC3 is and its objectives?
Bruno Halopeau: First we have to look back in May 2010, where the EU Commission released the Digital Agenda. In this agenda, it enumerates a number of actions and under the 3rd pillar “Trust & Security”, you can find the Action 31 - Analyse the usefulness of creating a European cybercrime centre. This is actually where this idea comes from.
An evaluation was conducted end of 2011 and beginning 2012 and the decision was reached to place it within Europol since the Centre is a continuity of what Europol was already doing in the past years.
What is new is a detailed mandate and aligned with the CyberSecurity Strategy of the EU with a main focal point which is to support MS in that field and especially:
● Give a rallying point to European cybercrime investigators, providing them with a collective voice in discussions with relevant stakeholders from politics, the private and public sectors, academia, users’ associations and civil society organisations;
● Unite European cybercrime expertise to support Member States in capacity building by setting up the appropriate structure to share and develop knowledge in the most dynamic and effective way;
● Act as the European cybercrime information focal point by ensuring information collection on cybercrime from the widest array of sources, leading to an enhanced information picture on cybercrime in the EU for all actors involved;
● React in a fast and adequate way to cybercrimes (including cyber attacks) affecting critical infrastructure and information systems in the Union;
● Deliver tailored, state-of-the-art support to Member States’ cybercrime investigations, including operational analysis, high-level forensic assistance and technical expertise, as well as facilitating the coordination of these investigations.
The EC3 officially opened its doors on January 11st 2013. Of course, the centre still have to scale-up to its cruise speed from now until end of 2014 but it already benefit from well established Europol interconnection and cooperation network with Member States and its partners for operational cases. GS Mag: Can you give us an overview of the cyber security strategy announced on 7 February by the European Union?
I will start with the vision statement of the CyberSecurity Strategy for the EU which states: Open, safe and secure cyberspace. Here, Open does not mean unregulated and/or anarchist environment. Open is in the sense of freedom of speech and actions within the laws in other words having a "democratic cyberspace".
So, what does this vision means in more tangible words? It is to simply ensure the safety of EU Citizens in their cyberspace experience and build a trusted and secure cyberspace environment not only for businesses and investors but also for consumers, which is the ground for economic prosperity.
This how the strategy is built around.
In that perspective, which is emphasized also in the conclusion of the CyberSecurity strategy, it is our responsibility to achieve this vision together whether we are an EU citizen, from the private sector, public administration or from the military.
For instance by taking some high level examples:
Citizens or internet end-users have to understand that opening files from unknown or untrusted sources or visiting malicious websites turning their workstations into botnet zombies, lower the overall security and trust level of the internet infrastructure and lessen their confidence of the use the it. though willing to protect their reputation, corporate businesses have to understand that they contribute to cybercrime by not denouncing attacks on their infrastructure and can lead to their own bankruptcy.
Public organizations / governments have to understand that excellent expertise exists in Europe and initiatives to report vulnerabilities should be encouraged and not punished like it can be the case in several EU countries. Military understands that the 5th domain (CyberSpace) becomes more and more prominent but cooperation with civil community is even more important than before and unavoidable.
Last example, Press has to understand that nowadays CyberAttacks are not a scoop anymore and putting overexposure should not be the way to go.
To me the most important to retain from the Strategy are in 5 folds:
First, Resilience, ensure that our infrastructure and communication networks have a continuous acceptable level of service even facing heavy CyberAttack, disruption attempt and natural disaster.
Second, Combating CyberCrime, in order to effectively eliminate threat overtime, working on protection which is CyberSecurity would not be enough; we also have to confront with the root cause.
Third, Better Cooperation/Coordination, this point is crucial to ensure that we all act as a collective voice and work in the same direction.
Fourth, Awareness, internet end-user and most of businesses are still not sufficiently aware of the risks that exists and especially less on what are the best habits to have. Like you take care of your body by having a good hygiene, in the cyber world too you should have a “security hygiene” (Cf ANSSI guide on security hygiene - http://www.ssi.gouv.fr/IMG/pdf/guid...)
Fifth and last, have a strong internal market for CyberSecurity products, that is fundamental in order for our countries, businesses and citizens to be able to purchase products that are engineered, developed, designed and/or produced in EU in order to ensure a higher level of confidence in the use of them.
GS Mag: What role will play structures such as EC3 and ENISA in its implementation?
Bruno Halopeau: Before answering the question, I would like to highlight some specific points that are important to understand what we are talking about. Not everybody understands the terms CyberSecurity, CyberCrime and CyberDefense the same way. That is an issue, and basically there are different definitions/views of those terms whether you look at a point of view of the EU, of a Member States, other countries and other international organization such as for instance NATO.
It is important to make a clear distinction of what are those terms in the context of the EU which are also explained in full details in the strategy. To summarize:
● CyberSecurity refers to safeguards and actions that can be used to protect the cyber domain. Preserving Confidentiality of information, Integrity and Availability of infrastructure/communication networks.
● CyberDefense is the military part of the CyberSecurity
● CyberCrime refers to criminal activities where computers and information systems are involved either as a primary tool and/or as a primary target.
Considering this, EC3 and ENISA have been specifically mentioned in the Strategy and are expected to play a leading role in several areas. But they are not the only ones, also the Commission, EEAS, EDA, CEPOL and Eurojust have their role to play.
But if I have to summarize in simple roles, I would say:
● ENISA to support Member States and the Commission to address CyberSecurity issues.
● EDA to support Member States in the Capability building for CyberDefense across the participating Member States
● Europol to support Member States on CyberCrime matters.
GS Mag: How security agencies of the member states of the EU, as ANSSI for example, will be able to sign-up in this strategy?
Bruno Halopeau: I do not think that the CyberSecurity Strategy of the EU was aimed at dictating to the Member States what they have to comply to. It is rather a Strategy that is highlighting the main stream work we have to focus on as Europeans in order to promote “An open, safe and secure cyberspace”. Each country remains sovereign and has its own priorities and specificities.
This is proven by that fact that some EU countries did not wait the CyberSecurity Strategy of the EU to have their own like one of the pioneer in Europe, Estonia in Mai 2008, France in February 2011 et lastly Finland end of January 2013. And I see very good Strategy statements in existing ones.
Again, I would prefer to see in your question “cooperation” rather than “sign-up”.
GS Mag: How will you collaborate with other countries in the world in terms of cybersecurity?
Bruno Halopeau: As everyone knows, there are no boundaries in the cyberworld. Criminals can be located anywhere to commit crime next door or at a very remote location. But that is not the only aspect; currently committing cybercrime is still low risk with high profits that the reason why it is very attractive. We cannot accept that fact, so the main goal for the international community is to invert this tendency.
International cooperation is obviously key to efficiently tackle those crimes. It is easier said than done and considerable work is currently underway at several levels. Considering this, we have to emphasize that we are not only focusing on Europe but also already working with other states and international organizations.
As for example, you may be aware, that Interpol is also currently in the process of building a Global Cyber Centre in Singapore highlighting even more the necessity of having such bodies to tackle the cybercrime issue. Additionally, it is important for us and our Interpol colleagues to engage each other on the same direction, that is why we have agreed to include our respective management in the two Centre’s advisory bodies in order to complement each other, coordinate work, share information and prevent overlaps. This is viewed as cost savings and also cooperating rather than competing.
Lastly, we will have also to engage more with countries/regions where Internet is growing fast like South America, Africa and Asia. This engagement can be done at several levels for instance as support, exchange of expertise, mutual agreements and most importantly operational agreements where we can join forces to dismantle multinational cases which is always the case in cyberspace.
GS Mag: How do you think should evolve the European cybersecurity policy in the future?
Bruno Halopeau:It is obviously too early to draw conclusions on how effective the CyberSecurity Strategy is, but we will have to assess what works and what’s not to evolve for the better. As a first strategy, it is certainly not perfect but is a key step and to my opinion a solid basis.
Also technology evolves very quickly and the current threat landscape will certainly be very different in a few years’ time than from what we face today.
The evolution, as any strategy, will have to take all this into account of course but also, to me, I foresee as the biggest challenge in the coming years is dealing with data protection issues: how to find the right balance between having good personal data protection for citizen and business and the ability/flexibility to exchange data to fight Cybercrime. Also the new generation that was born with the Internet and Social Media might have a different view on data protection than the view we have today; this of course over time will influence undoubtedly the regulations and governance which will have to be reflected to the new strategies.
Lastly, as the main stream of today’s technological evolution we will have to pay particular attention to the evolution of Cloud Computing, Big Data and the Internet of Thing which will bring new/modified threats that will be exploited by Cybercriminals. Preventive measures have also to be reflected to the future strategies.