EU Cybersecurity Policy: Current Status & Future Challenges
This speech will look at the origins of current EU cybersecurity policy and explain how these origins have given rise to the Cybersecurity Act on the one hand and the GDPR on the other by looking at developments between 2009 and 2018. Emphasis will be given to policy initiatives in the area of critical infrastructure, as this is the main area of concern of ENISA. The second half of the presentation will concentrate on areas where there is currently a 'policy gap' and relate these areas back to easily recognisable trends at societal and technological levels. Finally, a number of candidates for future policy will be briefly discussed and the challenges that will have to be overcome in order to realise them will be identified.
Where policy development is concerned, the starting point will be the influential COM publication of 2009 entitled 'Protecting Europe from large-scale cyber-attacks and disruptions: enhancing preparedness, security and resilience'. The important steps that started with this document and finally led to the Cybersecurity Act will be discussed in order to provide the rationale that led to the latter. Other important developments that happened during this period (such as the creation of the EU Cybercrime Centre) will be addressed and the significance of these events discussed. The speaker will also use the opportunity to illustrate how ENISA has contributed in a significant way to this development and will highlight the central role of the Agency in supporting this policy stream. Finally, several examples of other important policy developments will be mentioned and these will be related back to the core developments. As it is a recent development, the importance of the Cybersecurity Act will be stressed and the components of the Act will be presented. Here the emphasis will be only on illustrating the fact that the Act is both a logical continuation of previous policy initiatives and also introduces new innovative mechanisms for moving forward (notably the new Cybersecurity Certification Framework).
In the second half of the presentation, the emphasis will be on what is not currently being catered for in the EU cybersecurity policy space, and arguments will be presented for a policy approach that takes sufficient account of the way in which cybersecurity trends are affecting societal and economic trends. One of the key observations here will be that the constraints that new technologies put on the cybersecurity approach are quite severe (extremely high deployment volumes, short time-to-market and strong cost drivers). These constraints will force security practitioners to re-examine the way in which they construct 'control frameworks' and will probably result in a re-evaluation of the 'opportunity/risk balance' in the future. The point will be made that this is not an isolated issue and that the EU should develop a better appreciation of the economics of cybersecurity. This is a recognition of the fact that economics is a strong driver of cybersecurity (but also that cybersecurity will be a strong driver in certain areas of economics in the future). In parallel, core concepts (such as the relationship between safety and security) are changing with cyber-physical systems, and this will also require rethinking our approach to security.
The intervention will end with suggestions on how to bring traditional policies and new areas together in a smooth fashion.
Steve Purser was born in the UK and attended the universities of Bristol and East Anglia where he obtained a BSc. in Chemistry and a PhD in Chemical Physics respectively. He started work in 1985 in the area of software development, subsequently progressing to project management and consultancy roles. From 1993 to 2008, he occupied the role of Chief Information Security Officer for a number of financial institutions. He joined ENISA in December 2008 and is currently responsible for all operational activities of the Agency.
Steve is currently a member of several Steering Boards and Advisory Committees, including notably the Steering Board of the CERT EU and the Programme Board of the EU Cyber Crime Centre. In the area of standards, he is the ENISA representative on the ISO SC 27 working group. As Head of Core Operations, he regularly represents ENISA in international conferences on information security.
He was a co-founder of the 'Club de Securité des Systèmes Informatiques au Luxembourg' (CLUSSIL) and has frequently published articles in the specialised press. He is also the author of 'A Practical Guide to Managing Information Security' (Artech House, 2004).