The pandemic, which moved citizens’ lives into the digital sphere, saw a rise in security breaches within European businesses and institutions. Significant malicious attacks against key European sectors doubled in 2020, up to 304 incidents compared to 146 in 2019, according to the European Union’s Cybersecurity Agency (ENISA). Cyber attacks on hospitals and healthcare networks rose by 47%.
In September 2022, the EU Commission presented a proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features. The Act, announced by President Ursula von der Leyen in September 2021 during her State of the European Union address, and building on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy, will ensure that digital products, such as wireless and wired products and software, are more secure for consumers across the EU: in addition to increasing the responsibility of manufacturers by obliging them to provide security support and software updates to address identified vulnerabilities, it will enable consumers to have sufficient information about the cybersecurity of the products they buy and use.
Margaritis Schinas, Vice-President for Promoting our European Way of Life, said: “The Cyber Resilience Act is our answer to modern security threats that are now omnipresent through our digital society. The EU has pioneered in creating a cybersecurity ecosystem through rules on critical infrastructure, cybersecurity preparedness and response, and the certification of cybersecurity products. Today, we are completing this ecosystem through an Act that brings security in everyone’s home, in all our businesses and in every product that is interconnected. Cybersecurity is a matter for society, no longer an industry affair.”
Thierry Breton, Commissioner for the Internal Market, said: “When it comes to cybersecurity, Europe is only as strong as its weakest link: be it a vulnerable Member State, or an unsafe product along the supply chain. Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack. And yet, today most of the hardware and software products are not subject to any cyber security obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe’s economy and our collective security.”
With ransomware attacks hitting an organisation every 11 seconds around the globe and the estimated global annual cost of cybercrime reaching €5.5 trillion in 2021 (Cybersecurity Ventures as quoted in Joint Research Centre report (2020): “Cybersecurity – Our Digital Anchor, a European perspective”), ensuring a high level of cybersecurity and reducing vulnerabilities in digital products – one of the main avenues for successful attacks – is more important than ever. With the growth in smart and connected products, a cybersecurity incident in one product can have an impact on the entire supply chain, possibly leading to severe disruption of economic and social activities across the internal market, undermining security or even becoming life-threatening.
The measures proposed today are based on the New Legislative Framework for EU product legislation and will lay down:
(a) rules for the placing on the market of products with digital elements to ensure their cybersecurity;
(b) essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products;
(c) essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes. Manufacturers will also have to report actively exploited vulnerabilities and incidents;
(d) rules on market surveillance and enforcement.
The new rules will rebalance responsibility towards manufacturers, who must ensure conformity with security requirements of products with digital elements that are made available on the EU market. As a result, they will benefit consumers and citizens, as well as businesses using digital products, by enhancing the transparency of the security properties and promoting trust in products with digital elements, as well as by ensuring better protection of their fundamental rights, such as privacy and data protection.
The Cyber Security Strategy for the European Union, which was released in February 2013 and endorsed by the Council in June 2013, emphasises, “Cyber security efforts in the EU also involve the cyber defence dimension.” Consequently, the European Council adopted a “Cyber Defence Policy Framework” in November 2014, highlighting five priorities:
- Supporting the development of Member States’ cyber defence capabilities related to CSDP;
- Enhancing the protection of CSDP communication networks used by EU entities;
- Promoting civil-military cooperation and synergies with wider EU cyber policies, relevant EU institutions and agencies as well as with the private sector;
- Improving training, education and exercise opportunities;
- Enhancing cooperation with relevant international partners.
ENISA, the EU’s cybersecurity agency, was made a permanent agency in 2019 and given more money and responsibility for cooperation and coordination of EU member states. The EU passed a directive in December 2020 that required companies to address cybersecurity risks in their supply chains and supplier relationships and member states to conduct risk assessments.
In January, Brussels ran cyber war games featuring a fictitious Finnish energy company in order to test the resilience and preparedness of cybersecurity in Europe, part of a planned six-week exercise.
Among the European Commission’s proposals is an EU-wide “cyber shield” of security operations centres that use artificial intelligence and machine learning as an early-warning system for cyberattacks and a joint unit to share information and collectively respond to threats.
Europe is also under a growing cyber-warfare threat: the systems of three oil and transport companies in Europe and Africa were brought down on February 2, 2022. Europe was beginning to feel the war in Ukraine and the impact of tensions on the Russian border. This is in spite of the new EU cybersecurity strategy presented by the European Commission, which highlighted critical infrastructures, such as hospitals, energy grids and railways, as a priority, and also highlighted the risk to everyday homes and offices.
Cyberspace is understood as the fifth domain of warfare, equally critical to military operations as land, sea, air, and space. Success of military operations in the physical domains is increasingly dependent on the availability of, and access to, cyberspace. The armed forces are reliant on cyberspace both as a user and as a domain to achieve defence and security missions.
Since 2008, the European Defence Agency (EDA) has been producing a Capability Development Plan (CDP) to answer the question, “how will Europe retain and develop the capabilities needed to react to the threats that may arise in the coming decades?” It looks at future security scenarios and makes recommendations about the capabilities European militaries will need to react to different possible developments. Cyber security is also one of the priority actions underlined by the EDA’s Capability Development Plan. The EDA is an intergovernmental agency of the Council of the European Union.
The updated EU Capability Development Plan (CDP) endorsed by the EDA Steering Board in June 2018 reconfirmed cyber defence as a priority for capability development in the EU. The CDP recognises the need for defensive cyber operations in any operational context, based on sophisticated current and predictive cyberspace situational awareness. This includes the ability to combine large amounts of data and intelligence from numerous sources in support of rapid decision making and increased automation of the data gathering, analysis and decision-support process. In November 2018, the European Council adopted an updated version of the EU cyber defence policy framework (CDPF).
The Agency is active in the fields of cyber defence capability development and in Research & Technology (R&T). In accordance with the 2014 Capability Development Plan Revision, the focus lies on supporting member states in building a skilled military cyber defence workforce and ensuring the availability of proactive and reactive cyber defence technology.
Developments in cyber warfare mean that it needs to be taken into account in the development of virtually all forms of capability. This includes risk assessment as well as exploration of new possibilities for European forces. By its nature, the cyber domain is not limited to national borders or physical presence, a fact that calls for a European perspective and collaborative activities.
In 2016, EDA committed dedicated resources to also address cyber threats in the air domain, in the background of Single European Sky and the increase of digitisation in air capabilities. An integrated approach ensures that cyber defence and domain-specific cyber defence efforts for the air domain stay aligned.
In the same year, member states established a Cyber Research and Technology Working Group within the EDA framework, focused on developing a Cyber Defence Strategic Research Agenda (SRA) and keeping it up to date. The Cyber SRA calls for research in emerging technologies such as artificial intelligence and cyber resilience, to name just a few; given their disruptive potential, it would be daring to predict their impact on defence.
Leading projects for military forces
EDA’s ad hoc projects are underway to ensure that EU military forces are well-equipped to conduct CSDP missions and operations. Examples of collaborative research activities are Cyber Situation Awareness Packages (CySAP), malware detection and deployable cyber forensics.
Other promising candidates include machine learning – to increase resilience of command and control systems – and blockchain – to ensure confidentiality and integrity of military logistics, e.g. asset management and maintenance tasks, as well as to provide robust and secure tactical communications. Human factors are also considered a key research area because they deal with cyber operators’ cognitive and behavioural aspects, e.g. attention and stress management. Research findings may improve incident handling processes and provide more insight into human-machine interaction.
Cyber Situation Awareness
The Project Arrangement (PA) for the Cyber Defence Situation Awareness Package Rapid Research Prototype (CySAP-RRP) was recently signed by the three contributing Member States: Spain (lead country), Germany and Italy. The project was conceived as the first step of a spiral development in order to set up a full Cyber Situation Awareness (CySA) operational capability. The core objectives of the project include essential research challenges to assist military decision-makers in cyberspace and to set the basis of a Command and Control (C2) system for cyber operations.
The CySAP-RRP will be built upon previous work done by EDA to develop a Target Architecture and System Requirements for an enhanced Cyber Defence Situation Awareness Capability. Under this PA, results will be delivered using a spiral approach over the next 18 months. CySAP follows a modular approach, which means that the adopted SA capability architecture will influence additional cyber defence solutions to achieve interoperability.
EDA’s Project Team Cyber Defence (PT CD) identified the need for capabilities to enable military commanders at all operational levels to understand and manage the risk of cyber-attack. An important prerequisite is to provide situation awareness (SA) for the commander and his staff, based on a general and specific threat landscape from which the risk of cyber-attack can be observed, understood and evaluated. The objective is for military commanders to have a clear understanding of the cyber threat landscape including system vulnerabilities and attack vectors and to equip them with the tools required to make informed decisions in order to manage cyber risks during the planning and conduct phases of an operation.
EDA is currently working on cyber defence situation awareness for CSDP operations and how to integrate cyber defence in the conduct of military operations and missions. Together with the EU Military Staff, the Agency actively contributes to the cyber defence focus area of the US-led Multinational Capability Development Campaign. The aim of the deployable Cyber Situation Awareness Package (CySAP) for headquarters project is to integrate these functions and to provide a common and standardised cyber defence planning and management platform that allows Commanders and their staff to fulfil cyber defence related tasks in their day-to-day business.
CySAP aims to integrate a group of technologies into a single platform to provide situation perception, understanding and future projection. It will provide military commanders with a cyber decision-support analysis tool to manage risks and cyber threats during the planning and execution phases of an operation. It will also enable headquarters’ staff to better visualise and interpret the threat landscape, as presented by the Security Operation Centre (SOC). The CySAP requires a collaborative interface arrangement with a SOC. Information provided by a SOC will feed a cyber operational picture, as defined within information exchange requirements and open interface standards.
Training & Exercises
Following a structured cyber defence training need analysis, which is expected to be updated soon, EDA develops, pilots and delivers a variety of cyber security & defence courses, from basic awareness through expert level to decision-maker training. This is accompanied by exercise formats for comprehensive cyber strategic decision making and cyber defence planning for headquarters.
Member States’ collaborative project ideas include increasing the mutual availability of virtual cyber defence training and exercise ranges (Cyber Ranges) for training national cyber defence specialists. The ranges are multi-purpose environments supporting three primary processes: knowledge development, assurance and dissemination. Accordingly, a federation of ranges may leverage three complementary functionality packages: Cyber Training & Exercise Range, Cyber Research Range as well as Cyber Simulation & Test Range functionalities.
The Cyber Ranges project will improve the use of existing and future facilities for conducting cyber defence training, exercises and testing. The latter is particularly interesting for research. Creating a simulation environment to test cyber products and services is paramount. Just as flight simulators train pilots on best practices about landing, taking off or managing unexpected situations, a cyber range can provide a hands-on learning experience to a cyber defender. Enhanced cyber situation awareness could make use of cyber range functionalities in modelling and simulation.
Advanced Persistent Threats (APT) Detection
Governments and their institutions are among the most prominent targets for APT malware, mostly aiming at cyber espionage. Intrusions are either discovered too late or not at all. Early detection is crucial to any concept for properly managing the risk posed by APT. After a very successful feasibility demonstrator, EDA is leading a follow-on project with a group of interested Member States to develop an even more capable solution as an operational prototype.
The Malware Detection project aims to develop an operational prototype for early detection of Advanced Persistent Threats (APT). Digital Forensics for Cyber Defence comprises technologies that enable cyber defence analysts to collect information and conduct investigations in response to cyber-attacks.
Digital Forensics for Military Use
The collection and evaluation of digital evidence in a military context becomes more and more important, in order to learn lessons from previous attacks (Post-Mortem Analysis), to attribute attacks to perpetrators, to harden military information infrastructures and to improve online analysis capabilities (Ante-Mortem Analysis).
The EDA project for a Deployable Cyber Evidence Collection and Evaluation Capacity (DCEC2) develops a technical demonstrator for a digital forensics capability for the military that specifically responds to the requirements of deployed military operations, such as force protection, agility and rapidity.
Cyber Defence Strategic Research Agenda (CSRA)
Cyber security technologies are relevant to both the civil and the military domain (“dual-use”). Considering on-going and future civil research, for example within the EU Research Framework Programmes, and the high resilience required in defence, it will be crucial to precisely target research & technology (R&T) efforts on specific military aspects. The CSRA is considering these aspects and will include an R&T roadmap for the coming years.
It will be part of an Overarching Strategic Research Agenda (OSRA) for the military and will be aligned and delineated with other research agendas in the cyber security & defence domain. Coordination of research projects with other EU stakeholders such as the European Commission, the European Space Agency and the European Cyber Security Organisation is also implemented.