Category Archives: cyber security

Questions and Answers – EU Cybersecurity

What has the EU done so far to reinforce cybersecurity? 

The EU now has a range of instruments to protect electronic communications networks, including the Directive on Security of Network and Information Systems (NIS Directive), the EU Cybersecurity Act, and the new telecoms rules.

The Directive has introduced new mechanisms for cooperation at EU level, measures to increase national capabilities and obligations for operators of essential services and digital service providers to adopt risk management practices and report significant incidents to the national authorities.

The Cybersecurity Act introduces, for the first time, EU-wide rules for the cybersecurity certification of products, processes and services. In addition, the Cybersecurity Act sets a new permanent mandate for the EU Agency for Cybersecurity (ENISA), as well as more resources allocated to the Agency to enable it to fulfil its goals.

According to the new telecoms rules (Electronic Communications Code), Member States have to ensure that the integrity and security of public communications networks are maintained, with obligations to ensure that operators take technical and organisational measures to appropriately manage any risks to the security of networks and services. It also provides that competent national regulatory authorities have powers, including the power to issue binding instructions and ensure compliance with them. In addition, Member States can attach conditions concerning the security of public networks against unauthorised access to the general authorisations for operators, for the purpose of protecting the confidentiality of communications.

Finally, in May 2019, the Council established a sanctions regime, which allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks which constitute an external threat to the EU and its Member States. The new sanctions regime is part of the EU’s cyber diplomacy toolbox, a framework for a joint EU diplomatic response to malicious cyber activities that allows the EU to make full use of measures within the Common Foreign and Security Policy, including statements by the High Representative, diplomatic demarches and, if necessary, restrictive measures, to respond to malicious cyber activities.

What is the EU Cybersecurity Certification Framework and what are its advantages?

A European cybersecurity certification scheme is a comprehensive set of rules, technical requirements, standards and procedures, agreed at European level for the evaluation of the cybersecurity properties of a specific product, service or process.

Cybersecurity certification plays an important role in increasing trust and security in products, services and processes that are crucial for the proper functioning of the Digital Single Market. Given the large diversity and many uses of ICT products, services and processes, the European Cybersecurity Certification framework enables the creation of tailored and risk-based EU certification schemes.

In particular, each European scheme should specify: a) the categories of products and services covered, b) the cybersecurity requirements, for example by reference to standards or technical specifications, c) the type of evaluation (e.g. self-assessment or third party evaluation), and d) the intended level of assurance (e.g. basic, substantial and/or high).

To express the cybersecurity risk, a certificate may refer to three assurance levels (basic, substantial, high) that are commensurate with the level of the risk associated with the intended use of the product, service or process, in terms of the probability and impact of an incident. For example, a high assurance level means that the product that was certified has passed the highest security tests.

The resulting certificate will be recognised in all Member States, making it easier for businesses to trade across borders and for users to understand the security features of the product or service. This allows for beneficial competition between providers across the whole EU market, resulting in better products and higher value for money.

Security by design: The Framework also encourages manufacturers or providers involved in the design and development of products, services or processes to implement measures at the earliest stages of design and development. This will allow the security of those products, services or processes to be protected to the highest possible degree, in such a way that the occurrence of cyberattacks is anticipated and minimised (“security-by-design”).

The European certification framework will rely as much as possible on international standards as a way to avoid creating trade barriers or technical interoperability problems.

Who will benefit from this certification framework and how? 

The ability to understand whether a product, system or service meets specific requirements lies at the heart of being able to trust the digital systems we rely on. The Framework will therefore be useful for:

  • Citizens and end-users (e.g. operators of essential services), who will be able to make more informed purchase decisions related to products and services they rely on on a daily basis. For example, a citizen who is considering purchasing a Smart TV and is aware of the cybersecurity risks involved when connecting smart objects to the Internet will be able to consult the European Cybersecurity Certification website of the EU Agency for Cybersecurity. They will be able to find a model that has been certified with the appropriate cybersecurity requirements, guidance from the vendor on how to set up, configure and operate the TV in a secure way, and for how long the vendor commits to provide cybersecurity patches if new vulnerabilities are found.
  • Vendors and providers of products and services (including small and medium-sized enterprises (SMEs) and new businesses), who will enjoy cost and time savings as they will undergo a single process for obtaining a European certificate which is valid, and therefore allows them to compete effectively, in all Member States. Besides, vendors of ICT products and services will be keen to make buyers aware, possibly by using a specific label linked to the certificate.
  • Governments, who, like all individual and commercial buyers, will be better equipped to make informed purchase decisions.

To add further value to cybersecurity certification, manufacturers or providers of certified products, services or processes, including those for which an EU statement of conformity has been issued, shall provide specific supplementary cybersecurity information (e.g. guidance and recommendations to assist end users with secure configuration, installation, deployment, operation and maintenance of the products or services, etc.).

What will the added value of the Framework be for SMEs and start-ups, in particular?

SMEs and new businesses traditionally face more difficulties in expanding into new markets with different requirements. The Framework will help reduce such market-entry barriers for SMEs and new businesses because companies will have to undergo the certification process of their products only once and the corresponding certificate will be valid across the EU. Furthermore, as the demand for more secure solutions is expected to rise worldwide, companies, including SMEs, whose products are certified, will enjoy a competitive advantage to satisfy such a need. Moreover, the possibility for companies to self-attest conformity with security requirements for products, processes and services that present low risk makes the Framework even more attractive for SMEs and new businesses.

Take the example of an SME that develops and sells ICT applications to larger companies that require certain assurances that the applications are appropriately secure and that they have been developed following best practices when it comes to secure coding. Using a European Cybersecurity Certificate, that SME can demonstrate both the security of its products as well as its secure development practices, hence meeting the requirements of its clients not only in one Member State, as is often the case today, but also across the entire EU.

Will cybersecurity certification become mandatory?

Schemes established under the Framework are voluntary, i.e. vendors can decide themselves whether they would like their products to be certified under them. However, the Cybersecurity Act foresees that the Commission shall assess the efficiency and use of the adopted European cybersecurity certification schemes. In particular, it will assess whether a specific European cybersecurity certification scheme should become mandatory through relevant EU legislation to ensure an adequate level of cybersecurity of ICT products, services and processes and improve the functioning of the internal market. Moreover, other legislation at national or EU level could make use of existing schemes as a simple way to describe future obligations on products or systems.

How is the EU Agency for Cybersecurity being reinforced?

Until now the EU Agency for Cybersecurity had a temporary mandate, which was last renewed in 2013 and was set to expire in 2020. The Cybersecurity Act gave the Agency a permanent mandate, thus putting it on a stable footing for the future.

The current tasks of the EU Agency for Cybersecurity, such as supporting policy development and implementation as well as cyber capacity building, have been strengthened and refocused. New tasks have been added, most prominently regarding cybersecurity certification.

The new mandate incorporates additional important tasks already entrusted to the EU Agency for Cybersecurity by the NIS Directive, which was agreed in 2016, such as the role of the secretariat of the Computer Security Incident Response Teams (CSIRTs) Network that brings together national CSIRTs of EU Member States. In order to fulfil these increased responsibilities the Agency’s staff can grow by 50% and the financial resources are doubled, increasing from 11 to 23 million EUR over a period of 5 years.

What are the main tasks of the EU Agency for Cybersecurity under the new mandate?

  • Support to policy implementation in the area of cybersecurity, especially the NIS Directive, as well as to other policy initiatives with cybersecurity elements in different sectors (e.g. energy, transport, finance). The EU Agency for Cybersecurity will also assist Member States in the implementation of specific cybersecurity aspects of Union policy and law relating to data protection and privacy.
  • Cybersecurity capacity building, for example with trainings to help improve EU and national public authorities’ capabilities and expertise, including on incident response and on the supervision of cybersecurity related regulatory measures.
  • Market related tasks (standardisation, cybersecurity certification), such as analysis of relevant trends in the cybersecurity market to better match demand and supply and support the EU policy development in the areas of ICT standardisation and ICT cybersecurity certification.
  • Operational cooperation and crisis management aimed at strengthening the existing preventive operational capabilities and supporting operational cooperation as secretariat of the CSIRTs Network. The EU Agency for Cybersecurity will also provide assistance to Member States who request it in order to handle incidents and will play a role in the EU coordinated response to large-scale cross-border cybersecurity incidents and crises.
  • Coordinated vulnerability disclosure: The EU Agency for Cybersecurity will assist Member States and Union institutions, agencies and bodies in establishing and implementing vulnerability disclosure policies on a voluntary basis. It will also help improve the cooperation between the organisations, manufacturers or providers of vulnerable products and services, and members of the cybersecurity research community who identify such vulnerabilities.

What is the European Commission’s recommendation for a common EU approach to the security of 5G networks?

Fifth Generation (5G) networks will form the future backbone of our societies and economies, including in many critical sectors such as energy, transport, banking, and health, highlighting the need to address any vulnerabilities with regard to security and trust. In March 2019 the European Commission recommended a set of operational steps and measures to ensure a high level of cybersecurity of 5G networks across the EU. In particular, it recommended to Member States to complete an EU-wide risk assessment by October 2019 and to identify a set of possible mitigating measures, by December 2019. For more information about the Recommendation, including next steps, see this press release and these Questions and Answers.

What are the next steps?

The European Commission has proposed to significantly boost investment in cybersecurity and advanced digital technologies in the EU in the next EU budget period, notably through its proposal for a Digital Europe Programme. It has also proposed a new European Cybersecurity Competence Centre and network to pool resources and coordinate on priorities with Member States and to implement relevant projects in the area of cybersecurity. The proposal also aims at creating a Network of National Coordination Centres and a Cybersecurity Competence Community in order to ensure better cooperation and synergies among the existing experts and specialist structures in the Member States. This goes hand-in-hand with the key objective to increase the competitiveness of the EU’s cybersecurity industry and to turn cybersecurity into a competitive advantage for other European industries.

Fujitsu: Co-Creation for Success

This year, Fujitsu World Tour 2018, which stopped in Brussels on June 7, highlighted “Co-Creation for Success”.

6 start-ups from the Hive Brussels network presented their innovations to more than 300 of Fujitsu’s most important customers and partners. As part of the “Labs Battle”, each start-up had 5 minutes to convince the public and the jury of the potential of their innovation. The laureate was n-Auth, which specialises in the security of sensitive data.

We interviewed Mr. Yves de Beauregard, Managing Director of Fujitsu Benelux, who explained: “Today, digital co-creation is moving to a new phase, from concept to the creation of new opportunities. Our unique capabilities in advanced technologies, such as artificial intelligence (AI) and the Internet of Things, combined with know-how, achieve this goal, delivering true innovation and business value.

The complexity of Artificial Intelligence (AI) is more than a usage. As an example, we have used AI in order to develop non-destructive testing. That’s the example of Siemens Gamesa using AI to analyse images and data in order to ensure that the wings of the windmills are produced with the highest quality possible, because it is very expensive for those companies that have the necessity to dismantle in order to change the wings. So far this is done by human beings, who are really checking and also using their experience in order to look after the quality of those wings. This is a typical example where the AI has actually got to learn what humans are looking after, and once the AI has learned, it can be applied very easily to massive amounts of data, in order to really detect what is not in line with the expectations.”

What are the other applications of AI?

“Another example of AI applications is in the medical industry. We have been using AI together with San Carlo hospital in Madrid, supporting doctors in the case of psychiatric treatment, and at first when they go to analysing which sickness the patient has. In psychiatric treatment there are a number of interviews that are needed to really understand what the behaviour is and what the symptoms are, to define the actual sickness. For this reason, psychiatry is not that digital. We developed together with S. Carlo Hospital a system based on AI that really tries to measure the behaviour, the comportment, and the answers to the questions submitted to the patients, and that is therefore able to support doctors in making a diagnosis of the actual sickness that the patient is suffering from. Therefore, this application helps patients to get treated quicker and helps doctors, who have to do fewer interviews in order to define the proper sickness and, of course, it also helps public money because it really supports the entire chain to do better, quicker and less expensively.”

The second topic is Cyber security.   

“Fujitsu has recently been nominated as one of the top leaders in cybersecurity. We see the recent attack from malware. I am proud to say that none of the Fujitsu customers have been drastically impacted. We are effectively protecting our customers proactively and reactively. The business of Fujitsu in cyber security is significantly improving and growing. A number of new customers, new logos and new companies come and ask us to support them with regard to cyber security.”

With the Blockchain centre recently inaugurated in Brussels, which developments can you see?

“We are actually very amazed by the number of projects and requests coming after the inauguration of the Blockchain centre in Brussels. We were definitely too shy in our plans. We are very intrigued by the number of companies that are actually embracing Blockchain technologies, in order to help them, because it is not easy to understand what value such technologies could bring to your business. We have developed a kind of support that really helps those companies to understand what Blockchain means for their business model, for their customers. At the same time we are moving ahead with our research for Blockchain for smart cities and new projects keep on having a leading position on that market.”

Why do you think it is an asset to choose Brussels for the Blockchain centre?

“Three most important reasons. The first reason is that in Belgium there is a culture of settlement. There are a number of companies working on functional settlement located in Brussels. So the culture of working as a chain or being in the middle of a chain, supporting people from the business to streamline the processes so that they are able to work better together, is something that is strongly present in Belgium. The second reason is obviously because Brussels is located in the centre of Europe. The proximity with European institutions and finally also the language skills that are present in Belgium.”

How do you collaborate with Japan?

“On Artificial Intelligence, cyber security and Blockchain there is a very strong collaboration with Japan. There is actually a very strong relationship. We can benefit in Europe also from the technology advancement that our colleagues have in Japan. Fujitsu is indeed a market leader in Japan and the biggest part of R&D done by Fujitsu is still predominantly in Japan. If we want to benefit from that R&D as quickly as we can, we need to have those strong relationships with Japan.”

How important was it for you to collaborate on the 0 Plastic Rivers initiative?

“I truly believe that a company, in whatever business it is operating, is a social body. That means we also have a responsibility to society, to the next generation and to the environment. One of the stakeholders we need to be very careful about is our environment, and we believe that this initiative is very interesting. In the 0 Plastic Rivers initiative I believe that sensor technologies and Artificial Intelligence technologies could really help in managing the plastic waste issue by detecting plastics in the water. It is an important topic that matters to us and in which we believe. We can have an added value.”

Henry Borzi

Fujitsu inaugurates Blockchain Innovation Center in Brussels

Fujitsu opened a new international Blockchain Innovation Center in Brussels on March 21, 2018. The center undertakes research with external partners, collaborating on specific projects to explore the technology’s potential and limitations. Fujitsu’s aim is to develop the potential of blockchain beyond financial services as a new architecture for information systems and sectors of all kinds.

Brussels was selected by Fujitsu for the geographical, political, technological and linguistic advantages it offers to international organizations considering applications of blockchain technology, making it an attractive testing-ground for novel co-creation initiatives. The center has an international remit. Alongside local projects in Belgium, Fujitsu’s co-creation model has resulted in a number of international projects, including projects in Germany, UK, the Netherlands and participation in EU Horizon 2020 projects.

“Blockchain represents a big opportunity in Europe. Many people think that Blockchain is solely about financial services, bitcoin and cryptocurrency. It is not. I think Blockchain could be the world glue or oil for the world economy and the public sector. So that makes sense to be in the heart of Europe in a country with a long track record of innovation like Belgium,” explained Duncan Tait, CEO of Fujitsu Americas and EMEIA.

One particular area of expertise that Fujitsu plans to develop in the Blockchain Innovation Center is the use of blockchain for the design and implementation of Smart City services, focusing not only on technology, but also on important aspects of the city of the future, such as sociological and demographic factors, societal organization, economic functioning and ecological challenges. The center will support and encourage research, development and innovation, both for Brussels and for other cities, through the funding of innovative projects by companies, research organizations and the non-commercial sector. Although the initial focus is on Smart Cities, the goal is to deliver scalable, secure, business-ready blockchain and Distributed Ledger Technology (DLT) solutions in a wide variety of industries.

The first blockchain R&D project being developed at the center is called “Blockchain as enabler of services in the context of Smart Cities”, and is being conducted in collaboration with Innoviris, the Brussels institute for the encouragement of scientific research and innovation. The 24-month project is focused on establishing blockchain knowledge and expertise for the design and implementation of services in the context of Smart Cities, in areas such as citizen participation and elections, and the interaction between smart devices, the Internet of Things (IoT) and a multimodal supply chain. It consists of two main tracks: to build fundamental knowledge about the use of blockchain for Smart City applications, and then to apply this knowledge to specific use cases, with the aim of creating meaningful business solutions.

Mr Kris Peeters, Belgian Deputy Prime Minister, commented that “Belgium is the ideal place to establish an international skills center such as the Fujitsu Blockchain Innovation Center. Not only is it located in the center of Europe, but it has also made innovation the engine of its economy. In addition, our compatriots have excellent language skills, making them valuable contributors to multinational companies or international projects. It is important that all levels of government continue to work actively with innovative companies to support the overall economic fabric of Belgium.”

Fujitsu has already identified more than ten projects, and multiple European cities aiming to fulfill their ambitions to become Smart Cities have also expressed interest in collaboration with Fujitsu. The Blockchain Innovation Center is expected to lead to co-creation relationships with international and Belgian public bodies, customers, partners and the Hyperledger Project (see Alternative Blockchain platforms below) to extend the technology beyond the current focus of proof of concepts into scalable, secure and business-ready DLT solutions.

What is blockchain?
Blockchain is essentially a database infrastructure, originally designed for the crypto-currency Bitcoin as an alternative to traditional government-guaranteed money and bank-controlled payments. What makes this technology special is the fact that the data is multiplied and stored across a network of nodes. This data distribution is the foundation and strength of blockchain technology, as it enables trusted information storage without a central controlling body (or trusted third party, often referred to as an ‘authority’) by means of a network of computers (nodes). New transactions are sent to the blockchain, where they are encrypted before being sent to every node for validation and, once validated, stored in blockchain building blocks. Every new block is linked by cryptography (hash tree) to the previous block (which, in turn, is securely attached to its predecessor block). This makes the chain immutable: every change in one block entails change in every subsequent block on every node. Blockchain is said to provide trustworthiness like traditional ledgers. Therefore, it is usually referred to as Distributed Ledger Technology.
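The hash linking and replication described above can be shown in a short Python sketch. This is an added example, not code from Fujitsu or from the original article: the function names, the sample transactions and the choice of SHA-256 with a simple Merkle (hash tree) root are assumptions made for illustration, and encryption, networking and consensus are left out.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # assumed placeholder link for the first block


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(transactions):
    """Root of the hash tree built over one block's transactions."""
    level = [sha256_hex(tx.encode()) for tx in transactions] or [sha256_hex(b"")]
    while len(level) > 1:
        if len(level) % 2:  # odd count: pair the last hash with itself
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


def block_hash(index, prev_hash, transactions):
    """Hash of a block header: position, link to predecessor, hash-tree root."""
    header = json.dumps({"index": index, "prev": prev_hash,
                         "root": merkle_root(transactions)}, sort_keys=True)
    return sha256_hex(header.encode())


def build_chain(batches):
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        h = block_hash(i, prev, txs)
        chain.append({"index": i, "prev": prev,
                      "transactions": list(txs), "hash": h})
        prev = h
    return chain


def first_invalid_block(chain):
    """Index of the first block whose back-link or stored hash fails, else None."""
    prev = GENESIS_PREV
    for block in chain:
        recomputed = block_hash(block["index"], block["prev"], block["transactions"])
        if block["prev"] != prev or recomputed != block["hash"]:
            return block["index"]
        prev = block["hash"]
    return None


def rehash_from(chain, start):
    """Recompute every block from `start` onward, as a changed block requires."""
    prev = chain[start]["prev"]
    for block in chain[start:]:
        block["prev"] = prev
        block["hash"] = block_hash(block["index"], prev, block["transactions"])
        prev = block["hash"]


def diverging_blocks(local, reference):
    """Blocks on which one node's copy disagrees with another node's copy."""
    return [a["index"] for a, b in zip(local, reference) if a["hash"] != b["hash"]]


# Constructed sample data: four blocks of made-up transactions.
BATCHES = [["alice->bob:5"],
           ["bob->carol:2", "carol->dave:1", "dave->alice:3"],
           ["carol->alice:1"],
           ["dave->bob:4"]]


def demo():
    honest = build_chain(BATCHES)            # copy held by the other nodes
    tampered = copy.deepcopy(honest)         # copy held by one altered node
    tampered[1]["transactions"][0] = "bob->carol:200"
    detected = first_invalid_block(tampered)     # stored hash no longer matches
    rehash_from(tampered, 1)                     # change ripples to blocks 2 and 3
    consistent = first_invalid_block(tampered)   # self-consistent again
    return detected, consistent, diverging_blocks(tampered, honest)


if __name__ == "__main__":
    print(demo())
```

Changing one transaction is caught locally at block 1; after every later block is recomputed the altered copy is internally consistent but disagrees with the other nodes' copies from block 1 onward.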

Watch the full interview with Duncan Tait, CEO of Fujitsu Americas and EMEIA:

Henry Borzi

Artificial intelligence and ethical standards

 

The Commission has today opened applications for a group on artificial intelligence (AI) to gather expert input and rally a stakeholder alliance.

Also today, the European Group on Ethics in Science and New Technologies (EGE), an independent advisory body to the Commission, has published a statement on artificial intelligence. The expert group will be tasked to advise the Commission on how to unite a broad and diverse community of stakeholders in a ‘European AI Alliance’; support the implementation of the upcoming European initiative on artificial intelligence; and come forward by the end of the year with draft guidelines for the ethical development and use of artificial intelligence based on the EU’s fundamental rights. The guidelines will be drafted following a wide consultation and building on today’s statement by EGE. Applications to join the expert group in artificial intelligence can be submitted until 9 April and the Commission aims to set this group up by May. The group will gather and build on the work done by other experts which is relevant to artificial intelligence, such as the high-level strategy group for industrial technologies (intermediate report) and the expert group on liability and new technologies. For the latter a call for applications was also launched today. This expert group will assist the Commission in analysing the challenges related to the existing liability framework.

FinTech: more competitive and innovative financial EU market

 

The European Commission today unveiled an Action Plan on how to harness the opportunities presented by technology-enabled innovation in financial services (FinTech). Europe should become a global hub for FinTech, with EU businesses and investors able to make the most of the advantages offered by the Single Market in this fast-moving sector. As a first major deliverable, the Commission also put forward new rules that will help crowdfunding platforms to grow across the EU’s single market.

Today’s Action Plan aims to enable the financial sector to make use of the rapid advances in new technologies, such as blockchain, artificial intelligence and cloud services. At the same time, it seeks to make markets safer and easier to access for new players. This will benefit consumers, investors, banks and new market players alike. In addition, the Commission proposed a pan-European label for platforms, so that a platform licensed in one country can operate across the EU. The Action Plan is part of the Commission’s efforts to build a Capital Markets Union (CMU) and a true single market for consumer financial services. It is also part of its drive to create a Digital Single Market. The Commission aims to make EU rules more future-oriented and aligned with the rapid advance of technological development.

New EU cyber platform

The European Security and Defence College will in September launch a cyber platform to coordinate education, training, evaluation and exercises (ETEE) in the field of cyber security/defence across Europe.

Marking ‘Safer Internet Day’ on 6 February 2018, the EU Member States tasked the European Security and Defence College (ESDC) with managing a platform for education, training, evaluation and exercises (ETEE) in the field of cyber security/defence.

The main task of the ETEE platform within the ESDC is the coordination of cyber training and education for EU Member States. The existing training will be harmonised and standardised and new courses will close the gaps between training needs and training activities. These efforts will be jointly undertaken by various stakeholders, including several centres of excellence and partner organisations.

The cyber platform will reach its initial operating capability by 1 September 2018. The process of recruiting three seconded national experts with specific knowledge in the field of cyber security will be launched in the coming days. The full operational capability of the platform is planned to be announced in April 2019.

€50 million for cybersecurity competence centres

The Commission launched today a call for proposals for a €50 million pilot to support the creation of a network of cybersecurity competence centres across the EU.

The winning consortia, including also university labs and research centres, should scale up existing research for the benefit of the cybersecurity of the Digital Single Market, with solutions that can be marketable. The experience collected in the selected projects will contribute to the design of the future competence network which will include a European Cybersecurity Research and Competence Centre. This pilot project was announced in September 2017 together with a wide-ranging set of measures to equip Europe with the right tools to deal with cyber-attacks and to build strong cybersecurity in the EU. The project will be funded through the Horizon 2020 Framework Programme. The call for proposals is open until 29 May 2018. Yesterday, the Commission also took another important step related to improving cybersecurity: as the Directive on security of network and information systems (NIS Directive) will have to be transposed by all Member States by 9 May, the Commission adopted an implementing regulation on digital service providers (i.e. cloud computing services, online marketplaces and search engines) and the severity of cybersecurity incidents. The NIS Directive is the first piece of EU legislation aimed at strengthening the EU’s cyber-resilience. It supports the strengthening of national capabilities, establishes technical and strategic cooperation at EU level and introduces security and notification requirements.
