Cybersecurity for the digital decade
European cybersecurity for the Digital Decade
The EU published its Cybersecurity Strategy in December 2020 as part of its Digital Decade, with the first implementation report published the following summer. Continuing threats inspired the release of a new Cybersecurity Regulation in March 2022.
The main aims of the European Cybersecurity Strategy are broken down into three areas of action for the EU: resilience, technological sovereignty and leadership; operational capacity to prevent, deter and respond; and cooperation to advance a global and open cyberspace. The strategy was designed to “ensure a global and open internet with strong safeguards where there are risks to security and the fundamental rights of people in Europe”.
Key measures mentioned within the implementation report on the strategy issued in summer 2021 emphasised the importance of finalising the NIS2 Directive, regulation and a directive on digital operational resilience, and the need to establish a network of security operations centres (SOCs) for early detection of signals of cyberattacks, which was described as “more pressing than ever”. The report also noted, “given the increase of cyberattacks conducted by state or state-sponsored actors”, that responsible governmental behaviour must be promoted through the United Nations and other bodies.
Ransomware attacks such as the one suffered by the HSE in Ireland have become a primary concern for cybersecurity organisations across Europe, and indeed the globe. Ransomware typically infects computer systems so that users cannot fully use them or the data stored within, encrypts target files and displays notifications, requesting payment before the data can be unlocked. Cybercriminals involved in such attacks often request their ransom payments in virtual currencies, i.e., cryptocurrency, due to the difficulty in tracking these payments.
The European Union Agency for Cybersecurity (ENISA), in its ENISA Threat Landscape 2021 report, stated that “the frequency and the complexity of ransomware attacks increased by more than 150 per cent in 2020”, meaning that ransomware can now be defined as “one of the greatest threats that organisations face today regardless of the sector to which they belong”, which in turn means that combatting ransomware attacks is now “a prime item in agendas for meetings on strategy among global leaders”.
Agreement has since been reached between the European Council and Parliament on the NIS2 Directive, which will adapt the previous NIS Directive to suit current cybersecurity needs by increasing resilience and incident response capacities in both the public and private sectors across the European Union. The original NIS Directive set out the national cybersecurity capability requirements of member states and a cooperation agenda regarding the exchange of information amongst the same EU countries. Member states were also obligated to promote a culture of security across sectors very relevant for the EU that rely on ICTs such as energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure.
The NIS2 Directive has been designed in part to deal with the looming threat of ransomware attacks. The Directive will push towards the introduction of stricter supervisory measures and more stringent enforcement requirements, including harmonised sanctions across the EU. The updated Directive envisages that a framework for better cooperation and information sharing between different authorities and member states would be established to create a European vulnerability database. This is a key difference from the original Directive, which did not envisage a common and shared framework for the Union-wide tackling of cyber incidents such as ransomware attacks. The scope of the Directive has also been broadened, with more organisations now required to take cybersecurity risk management measures and national authorities now required to act under more stringent supervisory measures. The network of SOCs appears to be progressing, with Atos opening its next generation SOC in March 2022 and the European Security Agency awarding the contract for its cyber-SOC, expected to be operational from 2024, to contractor Leonardo.
The Commission, in March 2022, proposed its new Cybersecurity Regulation in order to establish common cybersecurity measures across EU institutions, bodies, offices, and agencies. The regulation will put in place a framework for governance, risk management and control, create a new inter-institutional Cybersecurity Board and extend the mandate of the Computer Emergency Response Team (CERT-EU) as a threat intelligence, information exchange and incident response coordination hub, a central advisory body, and a service provider. The CERT-EU will be renamed the Cybersecurity Centre. Under the regulation, all EU organisations will be required to have frameworks of governance and risk management for cybersecurity, a baseline of cybersecurity measures, regular assessments, plans for cybersecurity improvements, and they will need to share information with CERT-EU in a timely manner.
Commissioner for Budget and Administration Johannes Hahn called the regulation “a milestone in the EU cybersecurity and information security landscape” and said that they are “based on reinforced cooperation and mutual support among EU institutions, bodies, offices and agencies and on a coordinated preparedness and response”.
Government and cybersecurity
In 2017, ISC2 stated that the world would fall 1.8 million people short of the number of cyberskilled individuals required by 2022, and testaments of skills shortages are still sounded by public and private sectors alike to this day, making it all the more important that governments take a proactive role in their states’ cybersecurity.
The principal elements of an effective and comprehensive national cybersecurity strategy, as defined by McKinsey and Company, are: a dedicated national cybersecurity agency; a national critical infrastructure protection programme; a national incident response and recovery plan; defined laws pertaining to all cybercrimes; and a vibrant cybersecurity ecosystem.
McKinsey states that “best-in-class countries give a single entity… the overall responsibility of defining and driving the cybersecurity agenda of the entire country”, a process which “involves developing a cohesive national cybersecurity strategy with a portfolio of initiatives”. Ireland satisfies this requirement through the National Cyber Security Centre (NCSC), formally established by the Government in 2015.
The need for a national incident and response plan as identified by McKinsey is also addressed within the NCSC, which enveloped the previously established Computer Security Incident Response Team (CSIRT-IE) upon its foundation. The CSIRT-IE is tasked with the provision of incident response services to government bodies and critical national infrastructure providers across Ireland and acts as a national point of contact for international partners to inform Ireland of cybersecurity matters of interest.
Ireland does not have its own critical infrastructure protection programme. This is handled by the CSIRT-IE and, as was noted in the Government’s National Cyber Security Strategy 2019-2024 – another of McKinsey’s requirements satisfied by Ireland – the critical infrastructure protection methodology set out in the European Union’s NIS Directive has been fully implemented in the State. The strategy contains within it a pledge that the NCSC will “continue to develop and apply these measures to ensure that the NIS Directive is fully applied in Ireland and that this application keeps pace with changes in technology and best practice”.
A vibrant cybersecurity ecosystem is certainly also present in Ireland despite skill shortages, with €2.1 billion revenue generated in 2021 and €1.1 billion in GVA, with 489 companies occupying 734 offices. As is noted by McKinsey, “while the world’s best national cybersecurity agencies have comprehensive strategies, it is not possible for a single organisation to deliver all the components of a strategy on its own” and the involvement of the ecosystem at large is needed. Five sector-specific engagement groups across the public and private sectors were arranged to cover national security and policing, enterprise development, skills and research, public sector ICT security, and critical national infrastructure protection, giving hope that, by the global consultant’s standards at least, Irish cybersecurity has a bright, all-hands-on-deck future ahead.
ENISA: Four priorities for European cybersecurity
The European Union Agency for Cybersecurity (ENISA) published its research and innovation brief which outlines four noteworthy challenges, gaps, and solutions for European cybersecurity. These are: the importance of a hyperconnected world; computational security; intelligent systems; and cybersecurity in life sciences (cyberbiosecurity).
Hyperconnected world
The report states that the main challenge is the generation of a “broader understanding on how hyperconnectivity may influence humanity and the social and political dimensions”. To solve this, ENISA proposes the re-definition of human-computer interaction, and the concomitant security risks that are associated with this. Also, it alludes to the challenges of ensuring that cybersecurity technology keeps pace with the transition from 5G to 6G for the next generation, stating that: “Multidisciplinary and future-oriented research will be required to facilitate the transition to this inevitable hyperconnected world.”
Intelligent systems
Better understanding is needed of the socio-economic ramifications of artificial intelligence (AI) applied to cybersecurity, with further requirements to develop technical and regulatory excellence. Furthermore, there is currently not enough institutional capacity to deal with AI. The report outlines the need to link vertical and horizontal views on AI research, and to design approaches for monitoring large-scale and possibly interconnected systems. It also advocates for the exploration of biomimetic cybersecurity algorithms, as well as the inclusion of context awareness in machine learning in order to boost resiliency.
Computational security
There is a notable lack of skills in cryptography, as well as a reduced number of market opportunities. Owing to this, there is a need for standardisation and efficient support for developers working in the field, as well as the need to move cryptography research from fields to being embedded within hardware. The report recommends planning and preparation for the transition to the “post-quantum era” of cryptographic systems, as well as implementing the cryptographic systems which are necessary to counter side-channel attacks. It additionally recommends the establishment of standards for quantum-resilient safe algorithms and protocols.
Cybersecurity in life sciences (cyberbiosecurity)
There is a technological skills and training gap for life science researchers, thus necessitating a better understanding of the implications of cybersecurity for life sciences research. There is also no clear vision of the security implications of life science technologies for cybersecurity research. ENISA aims to combat these challenges by the establishment of a risk management framework in the field of public health microbiology, for example, modern DNA sequencing. It also outlines the need to categorise bio-vulnerabilities in the context of cyber, as well as identify processes and routines throughout the life science fields that require cyberinterfaces and reliance on automation.
Energy Ireland 2022
Energy Ireland 2022 took place on 29-30 June at Croke Park, Dublin. Over 250 delegates attended the two day event which was opened with a virtual address from Minister Eamon Ryan TD. Delegates in attendance heard from 38 speakers, both visiting and local, from organisations including the Department of the Environment, Climate and Communications; European Commission; Sustainable Energy Authority of Ireland; ESB; Oxford Institute for Energy Studies; SSE Renewables; Commission for Regulation of Utilities; Bord Gáis Energy; Gas Networks Ireland, and Energy UK.
Russian invasion of Ukraine and the implications for Ireland
The Russian invasion of Ukraine continues to have pervasive implications. With a housing system being further tested by the more than 40,000 refugees who have arrived, as well as record fuel and energy prices, the Government continues to support the comprehensive sanctions on Russia.
As of August 2022, Russia controls roughly 20 per cent of Ukraine’s territory, including Crimea – which it has occupied since 2014 – and the self-declared breakaway republic of Luhansk, as well as much of the Donetsk Oblast, which incorporates the city of Mariupol. Ukraine has thus far successfully retained the port city of Odesa and successfully repelled attempts to capture the capital city, Kyiv.
Housing refugees
For Ireland’s part, the impact is multifaceted. Firstly, there is the housing and refuge to be provided to those fleeing from the war in Ukraine. Ireland has committed to facilitating as many refugees as necessary from Ukraine, with the Department of Justice projecting that up to 80,000 could arrive in Ireland for the duration of the conflict. As of 8 August, 44,365 refugees have arrived in Ireland, according to the Department of Justice.
The Department of Housing, Local Government and Heritage announced in March a €400 monthly payment for households who have housed refugees from Ukraine, a payment which started being paid out to qualified citizens from 9 August.
The Government has been struggling to accommodate the influx of refugees, and has resorted to calling on hotels, student accommodation, and GAA clubs to facilitate the provision of temporary housing for refugees. On 7 August, the Government announced that around 3,000 Ukrainian refugees currently housed in student accommodation will have to leave by the end of August, ahead of the upcoming academic year.
A new foreign policy
In February 2022, Taoiseach Micheál Martin TD declared that Ireland was “not politically neutral”, but was “militarily neutral”, thus affirming Ireland’s adherence with the foreign policy agenda being pursued by the European Union. That policy is clear: oppose Russia’s invasion and facilitate Ukraine’s defence of its borders by any means necessary without provoking direct conflict between Russia and the west.
Ireland’s foreign policy has been thrown into a state of flux arising from the EU’s robust response to the Russian invasion. The State has traditionally followed a policy of military neutrality since then-Taoiseach Éamon de Valera’s decision to remain neutral in the Second World War. Ireland’s neutrality has been called into question in the past due to the facilitation of Shannon Airport as a stopover point for the United States Air Force during the wars in Afghanistan and Iraq. The Taoiseach, in February, asserted that the Government would support the “strongest” and most “comprehensive sanctions” against Russia, and stated that Ireland is “militarily neutral” but not “politically neutral”.
The Taoiseach additionally created speculation that Ireland may join NATO after meeting with NATO and EU leaders in June. He furthermore stated that, in the event of such a decision, the Government would not “need a referendum to join NATO”. This is due to the fact that military neutrality has been a convention adopted by successive governments but is not enshrined in the Constitution.
The Taoiseach has confirmed that the Government would hold a referendum in the event of a European Union defence pact, since there are provisions in the Constitution which stipulate the requirement for such a referendum.
Sanctions on Russia
The economic ramifications of the conflict globally cannot be overstated, with Ukraine exporting 40 per cent of the world’s supply of grain, according to the UN Food and Agriculture Organisation. Furthermore, the flow of Russia’s oil and gas has been disrupted, and the inflation crisis, which arose amid the supply chain crisis arising from the Covid-19 pandemic, has been exacerbated, resulting in record fuel and energy prices.
Ireland is following the European Union’s implementation of comprehensive sanctions against Russia and Belarus as a backlash to the invasion, which are intended to curtail 90 per cent of oil imports from Russia. The EU announced that all crude oil imports from Russia will be phased out by February 2023, as well as a ban on insuring ships which carry Russian oil taking effect from December 2022. Furthermore, with the Russian economy experiencing 15 per cent inflation and a deep recession, the EU has banned investment or participation in projects co-financed by the Russian Direct Investment Fund, as well as transactions related to the management of assets and reserves of the Russian Central Bank, and the Belarusian Central Bank.
Some have criticised the sanctions as having an adverse effect to what was intended, as the Russian Rouble has since recovered from the initial economic shock from the sanctions, and its valuation is now stronger than it was throughout the second half of 2021. Having had its 10 largest banks removed from the SWIFT banking networks, Russian banks have subsequently been able to use the Chinese banking system, with China providing a large market for many Russian exports.
The European energy market has to find new means of making Europe energy independent, which will include a temporary increase of German coal-powered energy, as well as emphasising the long-term importance of ensuring a reliance on renewable energy.