
Devising a European cybersecurity policy

By Mélanie BENARD-CROZAT, Editor S&D Magazine

The European Cybersecurity Industry Leaders (ECIL) workgroup recently presented its recommendations for the development of a European cybersecurity policy. The ECIL was formed in 2015 to advise the European Commission and to work to develop European leaders in the area. The workgroup was led by Thales and Atos and included Airbus Group, Deutsche Telekom, Ericsson, Infineon, Cybernetica, F-Secure, BBVA and BMW.

European obligations

The ECIL is pleased with the agreement signed by European institutions on the information and networks security directive. This directive establishes a framework for defining requirements and risk management standards in a fully operational and secure digital single European market. "All the players on the information and communication technologies market should respect the same data confidentiality and cybersecurity obligations, regardless of whether they work in the European Union or not. All members of the digital sphere have a shared interest and responsibility to ensure this goal is met." The ECIL also suggested that European regulations permit real-time sharing of data on cyberattacks by private and public institutions, including personal data like IP addresses.

The workgroup’s report includes a set of key recommendations to create a safer Europe and to encourage the emergence of European cybersecurity leaders. It was presented in January to European Commissioner for Digital Economy and Society Günther H. Oettinger by Marc Darmon, Executive Vice-President of Thales, Thomas Kremer, Board member for Data Privacy, Legal Affairs and Compliance at Deutsche Telekom, and Philippe Vannier, Executive Vice-President Big Data & Security at Atos.

Voluntary certification

Given the fragmentation of the European market, the ECIL believes a voluntary certification process is essential for the development of cybersecurity, "an area in which legislation, standardisation and labelling represent fundamental pillars of success," emphasise the report's promoters. The certifications would be designed specifically for manufacturers, solutions and service providers whose products and services would benefit from the seal of protection and security. Corporate bodies and consumers would therefore be able to better identify secure providers. Because the process would build on best practices and on other internationally recognised certifications, new security requirements or recommendations for labels would not be necessary.

Secure-by-design

The workgroup is also in favour of a “Secure-by-design” approach that envisions the development and production of more robust products, software and solutions. "Cybersecurity should now be integrated as a mandatory requirement of critical information systems like performance and resilience. The architecture of critical information systems has to be designed with cybersecurity integrated from the beginning rather than added at the end," explains Marc Darmon.

Data protection and encryption

Data protection focussing on encryption and secure data flows is one of the main recommendations.
Data confidentiality is a crucial element but perimeter protection is no longer sufficient. "It must be complemented by critical data encryption solutions, either on terminals, servers or in the cloud. With the explosion of Big Data analysis as a basis for company strategic decisions, data is now at the heart of the 21st century business landscape. Sensitive data must not be corrupted or stolen, and it is essential to know how to protect it," highlight group members.

Lastly, collaboration among Europe-wide Information Sharing and Analysis Centres (ISACs) would encourage and facilitate security information exchanges between Member States and critical industry sectors in order to create an EU cyberspace for businesses and citizens.

Beyond politics, it is obviously essential to establish European cybersecurity leaders and reduce market fragmentation. But behind large operators and integrators are many small companies including "the ten or twenty of the largest French cybersecurity SMEs, which generate about twenty million euros in sales and which could aim to become global champions in their fields," opines Jean-Noël de Galzain, president of Hexatrust, an association of complementary players, information system, cybersecurity and digital trust experts.

The importance of encryption for civil society and industry

In addition to the role it will play in cooperation between Member States, the European Union Agency for Network and Information Security (ENISA) highlights the importance of "strong and trustworthy" encryption for civil society and industry, as a building block "for a society and an economy that depend on electronic services now more than ever".
Recent terrorist attacks around the world renewed debates that began with Edward Snowden's revelations: should consumers have access to encryption technologies? Does the need to monitor terrorist activities take precedence over citizens' right to privacy and their communication? Jean-François Pruvot, France regional director at Cyberark, adds: "In some countries, citizens have already resigned themselves to giving up data confidentiality in exchange for greater cybersecurity."

Excerpt of an article published on sd-magazine.com
