The European Union’s recent resolution to help strengthen member states’ cybersecurity measures was a clear response to the rising threat of cybercriminals, cyber terrorism and state-sponsored cyberattacks.
Motion A8-0189/2018, which passed with 476 votes in favor, 151 against, and 36 abstentions, dealt with cyberdefence in the European Union, and stated that “the EU and the Member States face an unprecedented threat in the form of politically motivated, state-sponsored cyber-attacks as well as cyber-crime and terrorism”.
Although the EU motion didn’t point directly to the source of such attacks, it recognized the key role played by institutions and companies in preventing, detecting, containing, and responding to cybersecurity incidents, and their commitment to encouraging innovation and the development of a European cyberdefence strategy.
The resolution was well-timed. 73% of EU executives in a recent Forrester survey were described as beginners in the detection of and response to cyberattacks, while only 11% of organisations had experts on their security teams. Businesses are clearly still underprepared.
Moreover, the EU motion spoke explicitly of Russian cybersecurity solutions developer Kaspersky Lab, whose trustworthiness has been called into question. The EU has in fact recommended that the 28 member states reconsider whether to continue working with this developer. And, although the motion is neither binding nor mandatory, the Russian company has consequently decided to end its lengthy collaboration with Europol.
This is an unprecedented move. The credibility of the company began to disintegrate when news emerged in the U.S. media that the Russian manufacturer was linked to espionage plots. Although the information cannot be corroborated, trust in the company has collapsed internationally.
Trust in a business where credibility is crucial
The vital point of all this is not that Kaspersky has failed technically or made errors leading to contracts being dropped in NATO countries. The real problem is that the credibility of the Russian company as a cybersecurity developer has been compromised.
Buying and selling security is largely an act of trust. And in this case, what has happened, beyond any technical considerations, is that this trust has been lost on both sides.
The fact that the EU recommends not using the company’s services, as they could be dangerous, is an ambiguous claim in terms of cybersecurity. This is because any security product could potentially cause a lot of damage if it fell into the wrong hands. This applies to any technology; a knife can be used to cut onions, but in the hands of a criminal it could be highly dangerous. The same applies to artificial intelligence or software designed to protect against breaches of privacy.
The idea had been gaining ground in the United States to the extent that the U.S. government decided to cease using Kaspersky as a supplier to the government and its agencies. And that fear then crossed the Atlantic. Months later, the United Kingdom and the Netherlands questioned the Russian software developer and soon after, the European Union issued a motion urging member countries to launch a package of cybersecurity measures.
As such, the EU's recommendations to exclude potentially dangerous programs and devices will probably lead to many of its member countries banning those that have been confirmed as malicious, including, among others, Russian cybersecurity software.
Greater coordination between Europe and NATO
The EU resolution shows that member states are aware of the rapid growth in R&D in areas such as nanotechnology, artificial intelligence, Big Data and advanced robotics. Consequently, it is important that the 28 members develop cybersecurity and training systems in coordination with other NATO members such as the United States to defend against cyberattacks organized by other countries.
Similarly, they should strive to increase awareness of the risks that the public faces in the event of cyberattacks against these technologies.
Moreover, the number of cyberattacks will continue to increase rapidly, since as technology advances, it is becoming easier for those without technical knowledge to carry out a cyberattack. At present, most cybercriminals use tools bought on the black market from other cybercriminals or even from countries interested in destabilizing others.
Attackers have more and better resources at their disposal than ever — both technical and economic. The results have been increasingly sophisticated and complex threats in addition to a greater number of attacks.
Equifax, CCleaner, WPA2, Vault7, CIA, KRACK, NSA, the elections hack – these are just a few of the main characters of the business cybersecurity landscape of recent months. They were the protagonists of massive infections, data theft, ransomware attacks, hacked applications used to launch attacks against a country or carry out targeted attacks against specific large companies, or exploit vulnerabilities affecting billions of devices.
Therefore, in the coming years, European Union members will have to confront a problem that affects the whole of society and of which there appears to be little awareness.
More talent needed to help prevent further attacks
A major factor in this threat is the lack of skilled personnel to perform cybersecurity tasks. New technologies and new forms of attack emerge every day, but there is simply not enough professional staff to analyse all these threats.
A Ponemon Institute research report looking into the relationship between cyber-resilience and the need to have highly qualified and specialized cybersecurity resources found that almost all companies with a high level of cyber-resilience consider it essential to have, within the internal security team or through an external SOC, highly qualified personnel in cybersecurity as part of the incident response plan.
Last year we witnessed the consequences of attacks such as WannaCry and NotPetya that blacked out services across thousands of companies worldwide. The WannaCry ransomware held hostage public and private organisations in telecommunications, health, and logistics, while the NotPetya ransomware targeted major European companies in virtually all sectors. The consequences of similar cyberattacks that crashed global markets for days could be catastrophic.
Until recently, financial entities and governments were the main targets of cyberattacks. Today, the development of businesses of any size and sector depends to a greater or lesser extent on the Internet and, consequently, the threat has become universal. As these dangers increase, current approaches to maintaining cyber-resilience no longer work. Cybersecurity management needs a thorough revision with new and improved security models.
Josu Franco, adviser on strategy and technology developments at Panda Security