The European Commission has made a proposal to establish a “Cybersecurity Industrial, Technology, and Research Competence Centre” and a “Network of National Coordination Centres”. If adopted, the Centre will be responsible for implementing the spending of the Digital Europe and Horizon Europe programmes, which amount to up to 2.8 billion Euro (subject to the ongoing discussions on the European budget). That is why it is very important to influence how the money is spent.
I have been appointed the European Parliament’s rapporteur, so I will be leading the negotiations on the Parliament position. Read my draft report here.
Security research takes place in various places. As with other parts of the European economy, there are lots of small and medium size enterprises (SMEs), start-ups, a research community, and also individual professionals that create products, processes, and provide services such as consulting and training. But next to the economically oriented players, important impulses come from civil society, and non-commercial or pre-commercial civic tech projects that use open standards, open data, and Free and Open Source Software to contribute to the common good.
A European cybersecurity framework needs to seize the opportunities and build on the strengths that this structure in Europe can provide.
On the European level, the proposed Centre can link activities within Horizon Europe for cybersecurity research and Digital Europe for cybersecurity deployment, and would be complemented by other Union bodies like ENISA, the European Agency for Network and Information Security.
Cyber-solutionism
The Commission’s proposal uses the term “solution” to talk about products and services. The term is often used in the IT industry in advertisement and marketing. But it is important to understand that security is a process: As ICT technology evolves, so do the threats. Efforts to make infrastructure, networks and information systems more secure do not end with the purchase of a certain product or a service.
The Centre should not just pay companies to build specific products and help them get ahead financially. In my report, I change that focus from solutions to processes: Security needs to be re-assessed and strengthened constantly throughout the life cycle of a product.
Security of the Common Infrastructure
It is important to understand how interconnected all equipment and actors are on the Internet. For example, a vulnerability in an Internet-connected DVR can threaten the stability of the Internet.
The Internet is the common infrastructure that connects the worldwide economy, but it is also the infrastructure we rely on for communication, culture, and information, on a daily basis.
Even though it is not visible to most people, Free/Libre and Open Source Software is integral to the functioning of the Internet. It ranges from basic infrastructure components up to the applications we interact with on our computers or smartphones. That is why a security vulnerability in one component can threaten the functioning of the Internet and everything that relies on it.
The security and reliability of our common infrastructure should therefore be the focus of the Centre’s activities.
Resilience rather than Defence and Dual-Use Technologies
The Commission proposes that the Centre and its activities will be financed from Union programmes that may not be used for military purposes. That is why I have opposed the Commission’s proposals to facilitate defence research and other defence-related projects.
Due to the nature of the Internet, it is usually not possible to identify where an attack originated, or which entity was responsible, with absolute certainty. Quite the opposite: evidence can be fabricated to disguise a source, or to lead to wrong conclusions. I find it worrying that states and intergovernmental organisations like NATO are considering using conventional military force in the case of “cyberattacks”.
Where ICT security products and processes can be equally useful in civilian and military contexts (“dual-use products”), the Centre should support existing frameworks for the control of dual-use technologies.
For the European Union, it is a priority to promote democracy, the rule of law, human rights and fundamental freedoms worldwide. Therefore, the Centre should promote and invest in the resilience and integrity of networks and information systems. Offensive military applications such as backdoors, withheld vulnerabilities, or exploits bear an inherent security risk for society at large and run counter to these European goals.
Society, Ethics and Representation
The Commission’s proposal plans to involve industry and research in all parts of the Centre. But it fails to take into account the societal and ethical implications that its actions, and the actions of its bodies, may have. Nor does it take into account the concerns that products, services, facilities, and research funded by it may raise. We need to change that, and therefore I included ethical assessments in my report.
More than other industries, the ICT sector is struggling to fulfil the demand for skilled workers. At the same time, the sector is extraordinarily imbalanced when it comes to the representation of genders, ethnic diversity and disabled persons.
My report adds rules on representation and diversity, because it is in the interest of industry, academia, research and others to achieve balanced representation, and even more so because it is in the interest of equality.
What’s next
The European Parliament and the Council have now started discussing the Commission proposal internally. A first discussion in the lead committee in the Parliament (ITRE) took place last night (Monday, 14 January 2019). The goal is to adopt the Parliament position before the European elections in May.
To the extent possible under law, the creator has waived all copyright and related or neighboring rights to this work.