The EU Commission has launched a public-private partnership on cybersecurity that is expected to trigger €1.8bn ($2bn) of investment by 2020. The EU is promising to invest €450m ($502m) in a bid to spur innovation in cybersecurity with the remainder coming from the private sector.
Some security commentators reckon the Brexit vote means that British organisations are set to lose out on the benefits of this investment. However given the uncertain political climate in the UK - which remains a full member of the EU for a t least two years and possibly longer - a UK lockout is far from definite.
Kevin Bocek, chief security strategist at Venafi, commented: “It’s good to see the EU increasing funding and making cybersecurity a top priority and sad that, due to Brexit, UK universities and businesses will miss out on this investment.”
More broadly, Bocek expressed concerns about whether or not the investment will be going to the right place. “One of the key areas identified that the public/private partnership will focus on is ‘securing identities online’ – however, I think beyond this they need to recognise the need to secure identities of machines, software, devices and the foundation internet itself, not just people,” Bocek explained.
According to a recent survey by management consultants PricewaterhouseCoopers, at least 80 per cent of European companies have experienced at least one cybersecurity incident over the last year. The number of security incidents across all industries worldwide rose by 38 per cent in 2015. The EU uncontroversially asserts that cybersecurity issues damage trust in e-commerce. Security risks to infrastructure providers in energy distribution, banking and health also pose a growing risk.
As part of its Digital Single Market strategy, the Commission wants to “reinforce cooperation across borders, and between all actors and sectors active in cybersecurity, and to help develop innovative and secure technologies, products and services throughout the EU”.
The EU strategy (announced Tuesday) involves the launch of the first European public private partnership on cybersecurity. The EU will invest €450m (£384m) in this partnership, under its research and innovation programme Horizon 2020. Cybersecurity firms, represented by the European Cyber Security Organisation (ECSO), are expected to invest three times more. The partnership will also include members from national, regional and local public administrations, research centres and universities. The partnership is designed to foster cooperation at early stages of cybersecurity research and development. Ii’s hoped the program will yield infosec products and services to cater to the energy, health, transport and finance sectors. in particular.
The UK’s Cyber Security Strategy is based on a similar assessment of risks but is pitched more towards protecting critical infrastructure systems than is apparent from the EU blueprint. The UK also wants to encourage cyber-security startups but this aspect of the strategy only gets a supporting role whereas for the EU it gets star billing. Last year UK Chancellor George Osborne announced plans to double investment in protecting “Britain from cyber attack and develop our sovereign capabilities in cyberspace”. with a budget totalling £1.9 billion over five years.
Part of the spending increase will go towards previously announced plans to hire 1,900 more staff at GCHQ. GCHQ director Robert Hannigan said last year that private industry wasn't doing enough to improve cyber-security.
Earlier this year, the outgoing Obama administration proposed increasing federal cyber-security spending by $5bn, or around a third, in the hope of reaching $19bn in 2017.
Jeux sans frontières
The Commission is also seeking to tackle the fragmentation of the EU cybersecurity market. Vendors currently need to undergo different certification processes to sell its products and services in several Member States. The Commission is considering plans to develop a possible European certification framework for ICT security products.
Eurocrats wants to ease access to finance for smaller businesses working in the field of cybersecurity, perhaps with an eye to emulating the success of cyber-security startups in Israel, where close co-operation between government and private industry is the norm.
Finally the EU Commission is bringing forwards its evolution of the long established European Union Agency for Network and Information Security (ENISA).This review will assess whether “ENISA's mandate and capabilities remain adequate to achieve its mission of supporting EU Member States in boosting their own cyber resilience”. The Commission also plans to look into how to improve cybersecurity cooperation across different sectors of the economy, including in cybersecurity training and education.
“This is good news and a welcome move by the Commission,” independent infosec consultant Brian Honan, the founder and head of Ireland’s CERT, told El Reg. “It demonstrates a concrete and sizeable support in making cyberspace in Europe more secure.”
“While the NIS [Network and Information Security] and the GDPR [ General Data Protection Regulation] puts the focus on cybersecurity from a legislative point of view, this type of investment and support provides industry with a strong incentive in relation to security,” he added. ®