Europe must boost its efforts to tackle long-term cybersecurity risks, and update the assessment framework
July 2, 2018
Guest blog post by Austeja Trinkunaite, Secretary General The Council of European Professional Informatics Societies (CEPIS)
According to our recent study, 38% of the analysed European National Cybersecurity Strategies (NCSS) fail to represent a holistic and political-strategic approach to cybersecurity. Many EU member states focus almost exclusively on short-term, operational aspects, and neglect the higher, strategic level that ensures a long-term initiative and international coordination. These are among the latest findings from CEPIS’ Legal and Security Issues Special Interest Network (LSI SIN), which also highlights that an adequate tool for assessing the strategic aspects is lacking. Referring to the recent assessment by the European Union Agency for Network and Information Security (ENISA), the group states that it does not include efforts for improving high-level decision-making capacity, and the question of whether the NCSS are effectively combating cybersecurity risks at this level has not been answered sufficiently.
For this reason, CEPIS is calling for a new, common European evaluation framework to ensure a long-term strategy for reducing risks to cybersecurity among member states of the EU. More specifically, we suggest examining the NCSS according to the priorities identified in the Cybersecurity Strategy of the European Union, which provides an appropriate, country-neutral source for a common framework. This strategy presents four domains for measuring the extent to which EU member states comply with the strategy – these are as follows:
1. Amount of effort made to set up a specific body for coordinating efforts at the political-strategic level
2. Active cooperation with the international community to address transnational cybersecurity issues
3. Development of industrial and technological resources for the international cybersecurity ecosystem, such as highly secure products or innovative approaches
4. Initiatives for reducing cybercrime
By applying this approach, we have found that most European NCSS currently do not represent a holistic approach to cybersecurity. Six out of the 21 NCSS analysed cover fewer than three of the four areas required, and measures for reducing cybercrime and for developing industrial and technological resources for the cybersecurity ecosystem are not mentioned by 11 of them. This means that, while an appropriate, common assessment framework still needs to be put in place, there is also a current lack of properly equipped national strategies for cybersecurity across Europe.
As digitalisation continues to advance at a fast pace, policy makers and other relevant stakeholders must ensure that Europe is ready to meet the challenges that come with it. Facilitating a comprehensive and long-term strategy for a safer cyberspace will be key in this process.