Security, Threats, and Innovative Service Providers

The European Union is home to more than 60,000 cybersecurity companies, and 650 centres of cybersecurity expertise – but that doesn’t make the 27-member bloc immune to digital incursion or more pernicious attacks. 

Austria’s foreign ministry was the subject of a cyber attack, the coordinator of Europe’s electricity grid experienced an intrusion, and the parliaments of both Belgium and Norway were targeted – all within the last two years.  

In June 2021, CNN revealed that cyber attacks within Europe had doubled in the previous year, with attacks on hospitals 47% higher, as ransomware targeted private patient data. 

While the victims of any cyber-attack learn from such incidents and routinely implement measures to avoid a recurrence, legislators are equally mindful of the requirements they can place on data controllers to incentivise a proactive approach to head off, rather than mitigate, potential incidents. 

In December 2020, the European Commission proposed a new “directive to enhance the resilience of critical entities providing essential services within the EU”. If adopted, its impact would be felt not only by publicly owned assets, like power and water infrastructure, but larger commercial entities operating within the bloc – including those underpinning financial markets and digital infrastructure. 

Organisations that found themselves subject to a data breach, hack or other cybersecurity incidents would be mandated to report incidents to national authorities and, even if not targeted, may be subject to specific oversight from the European Commission. 

Hacking and regulatory change 

Hacking can be a profitable business for those with the requisite skills – or the resources to hire them. In late 2020, the European Medicines Agency revealed that documents relating to the Pfizer / BioNTech coronavirus vaccine, which it was then evaluating, had been “unlawfully accessed”. Files relating to the approval process were amended in a manner that might cause doubt in those offered the vaccine, before being published on the dark web. 

Several days later, the European Union announced plans to update its Network Information System regulations, which dated back to 2008. This would make them fit for the modern era and back them up with stringent fines for transgressions. Further, as part of the regulatory revamp, the Union ensured it could be authorised to impose penalties on organisations and nation states through qualified majority voting, rather than unanimity, as was previously the case. 

Although the plans have yet to be approved, and may be amended before becoming law, this latter clause alone would significantly bolster the EU’s power, and the force of its evolving regulations. 

Encryption and internet standards 

The European Union outlined its cybersecurity strategy for the coming decade in March 2021. It includes support for the development and adoption of strong encryption and the update of key internet security standards, both of which should already sit at the center of any organization’s IT security policies. 

However, these are not set-and-forget measures. Standards are constantly evolving, and the European Council itself is working to find a realistic compromise at the point where encryption and the need for effective crime-fighting intersect. Organisations must ensure that any measures adopted today are, at the very least, adaptable – or else ensure they are not locking themselves into a long-term agreement that will be unworkable in the future. 

At the same time, the EU Cybersecurity Certification Framework, adopted in summer 2019, aims to reduce confusion by introducing a simplified, continent-wide certification scheme for both products and services.  

Developing infrastructure using certified products – and innovating services with certification in mind – will allow organisations to demonstrate their commitment to act as trusted parties when interacting with clients, suppliers and other enterprises. 

Adopting serverless security 

Retaining control of its own infrastructure gives an organisation the ability to precisely specify its make-up. However, switching to a managed cloud-based model and, further, spinning up services in containers, can deliver security benefits. 

By outsourcing maintenance to a specialised provider, an enterprise will benefit from in-built expertise, potentially provided by a team whose primary purpose is to keep systems secure and compliant with evolving regulations. Further, delegating processes to containers allows threats to be contained, reducing the risk of cross-contamination, and allowing the use of snapshots, to quickly return compromised containers to previous good states with minimal downtime. 

However, the serverless model is not a panacea. Cloud providers also have greater potential to learn through experience, as identifying threats targeting one client allows them to survey for similar elsewhere, and apply appropriate mitigation measures globally, even to services that have not yet been affected. 

Yet, the very nature of cloud provider business models, in which multiple services share common infrastructure, makes them an attractive attack vector in their own right, with the potential for several instances to potentially be impacted simultaneously by discovered exploits. 

For this reason, among others, it is essential that organisations maintain close watch, even of remote and managed infrastructure. It is they, after all, who will be answerable to the European Commission, and other official bodies, should hacking or a breach result in data being compromised.