ESBG welcomes the Commission's set of measures to build strong cybersecurity in the EU. Achieving cybersecurity through prevention and deterrence, detection, and lastly remedy and repression is the key determinant of a digital society. ESBG particularly welcomes the initiatives on the preventive side to enhance the digital skills of the young, and in particular the Digital Opportunity initiative, aimed at boosting digital skills on a cross-border basis through internships. This requires an unambiguous signal from policy makers that cybersecurity is at the forefront of their concerns (e.g. by making cybercrime a most serious offense, with floor sanctions applied across the Union; by having police forces investigate cyber-attacks as a matter of priority; and by instituting transparent, standardized data reporting across Member States). The capability of industry participants to fight cyber-attacks effectively will be enhanced by adequate skills training and by formally allowing the exchange of threat information in real time between peers, unconstrained by data privacy or competition legislation. The development of structured messages for reporting threats and attacks to a single point should be encouraged. Any law that aims at data security and combatting cybercrime will need to include FinTech newcomers and third parties as well: as newcomers to the market, they are usually less used to dealing with cyber-attacks, which makes it likely that they are the weakest link in any data transfer that might include data from banks. Finally, cooperation with bodies outside the EU should be encouraged.
Prevention and deterrence
Service providers and intermediaries of course have to take all necessary measures to protect both their static and transaction data. These measures must be constantly refreshed to adjust to evolving technology and new threat profiles (service providers should be allowed to share research and development as they deem appropriate). In order to ensure that providers and intermediaries are motivated to invest, legislation should be clear (beyond and above any sanction) that the party responsible for allowing a breach should bear the remedial costs; e.g. a merchant whose database has been hacked should be financially responsible, i.a., for the replacement cost of customer debit and credit cards at risk. It is essential that providers and intermediaries can exercise their product and risk management functions, which include the possibility of geoblocking, to manage potential liabilities and/or address identified threats (consumers themselves should be enabled to geoblock access to their accounts and usage of their payment instruments to protect themselves as they see fit). Overall, any legislation should be assessed against the risk of altering the level playing field with respect to cybersecurity: some players should not be compelled to invest disproportionately in order to counter new risks imposed on their supply chain. Regarding prevention, the role of digital skills and awareness must be acknowledged and promoted, as informed citizens and consumers are better placed to identify cyber-attacks. In this respect, cyber risk education should be addressed at all stages of life, starting with schools.
Detection
Providers and intermediaries should of course implement, and regularly test and rehearse, processes to detect and react to intrusions. Best practices at industry level are useful in this respect when updated regularly. Because of the very nature of cyber threats, threat intelligence must be shared rapidly between peers, in a format that is understandable and usable by peer organizations, and in as automated a way as possible. The development of trusted, real-time channels for the exchange of such information should be encouraged. The exchange should not be constrained by data privacy or competition legislation; in other words, the setting up and operation of collaborative environments for this purpose should not be considered an infringement of competition legislation. Financial institutions must also rest assured that the information they voluntarily share with government about cyber threats will remain confidential. Finally, cooperation with bodies outside the EU should be encouraged.
Remedy and repression
The party responsible for allowing a breach to occur (by not applying mandatory or industry-recommended measures and/or technology) should be liable for remedying the damage caused. Enforcement authorities, including police forces, should be compelled to investigate cyber-attacks with much greater priority (e.g. in the UK today reportedly only 1% of cybercrimes are investigated by police forces). This presupposes an adequate allocation of resources, know-how and technology, to be recouped through the sanctions imposed, a reduction of losses to cybercrime, and a better functioning digital society. The effectiveness of tracking cybercrime should be monitored via transparent, standardized data reported by all Member States on an annual basis. Finally, European legislation should ensure that cybercrime is considered a most serious offense, with floor sanctions applied across the Union in all Member States.
Across all phases, cybercrime can be fought effectively not only through cooperation among industry sectors but also by working closely with government authorities, in particular with respect to the exchange of information.
Cybersecurity Month, held in October 2017, gave ESBG an opportunity to concur with the European Commission's stated view that "cybersecurity incidents, be they intentional or accidental, are increasing at an alarming pace and could disrupt the supply of essential services we take for granted such as water, healthcare, electricity, transport or mobile services". Cybersecurity is defined as "the safeguards and actions that can be used to protect the cyber domain, both in the civilian and military fields, from those threats that are associated with or that may harm its interdependent networks and information infrastructure".
Countering cyber threats and constantly enhancing cybersecurity is a challenge, in particular due to:
As evidenced by the Commission, ransomware attacks have increased by 300% since 2015. According to several studies, the economic impact of cybercrime rose fivefold from 2013 to 2017, and could rise by a further factor of four by 2019. In the aftermath of the "Wannacry" and "(Non)Petya" attacks, a recent report has estimated that a serious cyber-attack could cost the global economy more than €100 billion. It is also observed that cyber incidents and attacks are on the rise, and in some Member States 50% of all crimes committed are cybercrimes. 80% of European companies experienced at least one cybersecurity incident last year, and there were more than 4,000 ransomware attacks per day in 2016. Globally, over 150 countries and more than 230,000 systems across sectors were affected, with a substantial impact on essential services connected to the internet, including hospitals and ambulance services.
To equip Europe with the right tools to deal with cyber-attacks, the European Commission proposed on 13 September 2017 a wide-ranging set of measures to build strong cybersecurity in the EU:
In addition, the Commission has put forward guidance on how online platforms should step up the prevention, detection and removal of illegal content, as the social responsibility of online platforms is growing with the surge of illegal content online, including online terrorist propaganda and xenophobic and racist speech inciting violence and terrorism.