Oireachtas Joint and Select Committees

Wednesday, 3 November 2021

Joint Oireachtas Committee on European Union Affairs

EU Cybersecurity Strategy: Discussion

Mr. Ciarán Cuffe:

I thank the Vice Chairman for that. I have a certain sense of déjà vu being back here. On a personal level, it is nice to be back and in a committee room again. To introduce why I am here, I sit on one of the 20 committees of the European Parliament, the Committee on Industry, Research and Energy, ITRE, which deals with cybersecurity. I want to give members a brief overview of the EU's cybersecurity strategy as well as touch on some other topics that might be relevant. We have just come to the end of European Cybersecurity Month, the European Union's annual campaign dedicated to promoting cybersecurity among EU citizens and organisations; therefore, it is an appropriate time to be here.

The European Commission published a joint communication on the EU's cybersecurity strategy for the digital decade last December, just under a year ago. The latter aims to bolster Europe's collective resistance against cyberattacks and threats and ensure citizens and businesses can fully benefit from trustworthy and reliable services and digital tools. The strategy includes a proposal for the revision of the directive on measures for high common levels of cybersecurity across the Union, which is the network and information security directive or NIS 2, and a proposal for a new directive on the resilience of critical entities.

The original directive, dating from 2016, has three parts: national capabilities, cross-border collaboration and national supervision of critical sectors. First, EU member states must have certain national cybersecurity capabilities and they must have a national cybersecurity incident response team and perform cyber exercises, etc. Second, we need to collaborate across borders. The strategy provides for that also. Third, member states have to supervise the cybersecurity of critical market operators in their country such as in the transport, water and health sectors. Obviously, the focus has been on health, but it must also be on the energy sector, as we saw from the recent incident in the US, and on the finance sector to ensure we have good measures in place. However, member states were quite slow to fully implement this directive and, therefore, the Commission proposed this new directive, a revision of the directive, last year. That has just come through committee last week and I voted on it. Therefore, a new directive is in the offing. The question is: will it change things?

NIS 2 aims to strengthen cybersecurity capabilities and to have better information sharing and co-operation on cybersecurity crisis management at national and EU level. It provides for an all-hazards framework to support member states to prevent, resist and recover from disruptive attacks wherever their source may be. My group has strongly pushed for the need to develop those cybersecurity skills we all need, particularly to get better gender representation in the industry.

From January 2019 to April 2020, the EU Agency for Cybersecurity reported approximately a quarter of a million malware infections every day within the Union. Europol highlighted a notable increase during the pandemic in the number of ransomware attacks on public institutions and large companies. Europol’s Internet organised crime threat unit stated that targeting such institutions allows cybercriminals to increase the ransom amount and has noted a significant increase in attacks on governments such as healthcare and education, energy and transport systems. EU institutions and bodies as well as member states have been targeted. We are all aware of the attack six months ago on the HSE but in the same month there were two large-scale cyberattacks against public service organisations in Belgium. The first concerned Belnet, the network which serves third level institutions and research centres as well as hospitals and federal ministries. The federal internal affairs department was subjected to a cyberattack of such a scale that it raised suspicions of the involvement of a foreign state. Given the Vice Chairman's caveats at the start of this meeting, I am reluctant to name names but it is commonly known certain states outside the EU would appear to be the focus for our attention on these attacks.

In March, the European Council adopted a cybersecurity strategy. It states we need to have a network of security operational centres across the EU to both monitor and anticipate signals of attacks on member states and a common cyber unit to provide clear focus to the crisis management framework at EU level. It also promotes strong encryption standards while permitting law enforcement and judicial authorities to exercise their powers online and offline to prevent such cyberattacks.

To touch briefly on the new legislation, it insists that member states have national cybersecurity strategies, establish computer security incident response teams and appoint national competent authorities for cybersecurity.

We need to strengthen the security requirements of member states, address the security of supply chains, streamline reporting and introduce more stringent supervisory measures. We have an awful lot on paper but really it comes down to the individual member state to implement not only the first directive from five years ago but the new directive when it comes into force. This is where the critical weakness is. It is about the implementation of the directives at member state level.

It is not just about the EU or the member state. It is also about ourselves. We need to be cyberaware. We tell our children not to get into a car with a stranger but all too often we click on the wrong link on our device and that opens up the pathway for a security breach. We are all guilty of simplifying things. In a world where half a dozen passwords are often needed in the course of a day, we often take shortcuts. We need to practise better security awareness in our own operations. We are only as strong as the weakest link. We need to improve our own security. We need to do exercises at a member state level in the same way as our Defence Forces do physical exercises to prepare for attacks on us as a member state. At a cybersecurity level we need to prepare and share information and be ready for the next attack. It might not be on our health system. It might be on our energy networks. We are only as vulnerable as the weakest link and we have to take action to prepare for the next attack.
