It may have come as a little embarrassment to the EU on March 29, when Hungarian news site Direkt36 reported that the Hungarian Foreign Ministry had been hacked for several months by Russian intelligence, only a few days after the European Commission proudly announced that it was strengthening cyber security with new measures to tighten the networks of EU institutions against penetration.
This event is another painful demonstration of how fragile cyber security really is, as the breach of Hungarian communications has potentially compromised sensitive communications channels with Brussels.
The incident is not an isolated one (another prime recent example is the hacking of the Spanish Prime Minister) and I am sure many more similar incidents have gone unreported.
In fact, this month alone there have been further warnings of more hacks.
Against that backdrop, the EU Commission issued a new cybersecurity regulation on March 22, which aims to improve its institutions’ governance, risk management and control in the area of cyber security.
It provides for the new inter-corporate cyber security board, enhanced cyber security capabilities, maturity assessments and better cyber-hygiene. More importantly, the Computer Emergency Response Team (CERT-EU) receives an expanded mandate, with additional responsibilities for threat intelligence, information exchange and incident response coordination. These new regulations add to existing initiatives to improve the EU’s cyber security, said Enisa, the European Information Security Agency.
But the Hungarian hack, which has long allowed Russian intelligence services to look over the shoulder of an EU member state, proves that cyber security is a network issue and must be made to go beyond the agencies of the EU itself.
This requires more interconnection than is possible with the inter-corporate board, which is little more than another bureaucratic layer on top of, and parallel to, Enisa.
The EU and its members rely heavily on digital infrastructures. If this interconnection is compromised, it entails huge risks of severe interruption.
While regular cyber attacks naturally involve the theft of the EU’s confidential political and financial information, the war in Ukraine can bring about more crippling cyber attacks.
The past months have exposed cyberattacks of varying size, prowess and success against digital communications, critical infrastructure and satellites. The EU and the world are at the dawn of a new digital age, in which 5G and beyond, AI, quantum computing, intelligent drones, nanotechnologies and companion innovations enable a real Internet of Things that connects all devices, but at the same time those connections are at great risk.
Therefore, the question remains as to what steps should be taken to enable a safe and secure digital environment.
Enisa’s initiatives will surely lead to positive developments and awareness; however, they usually involve the creation of layers of bureaucracy and mechanisms, and focus on encouragement without enforcement. New models are needed to detect and defend against efforts to exploit our connections and to mitigate their effects, and in this regard the EU can learn a lot from its partners.
As a NATO power hub, the US remains the world’s most capable cyber state in defensive, offensive and intelligence capabilities, thanks to decades of significant investment and clear political direction, and much more can be done to share strategies with EU allies. Other examples include the United Arab Emirates, which has become a dominant regional cyber force due to the rapid increase in cyberattacks.
Its strategy includes seeking help from cyber experts like Amazon Web Services and Deloitte to help boost local staff in technology, an approach that EU states need to adopt further with the right partners.
Although there are important differences in how offensive cyber capabilities are assessed, many EU states, as members of NATO, can look to further enhance their offensive cyber capabilities, and invest in this area, to ward off the heavy capabilities of China and Russia.
What is troubling for the EU, however, is that it is not an individual nation but a combination of 27 cyber security policies and attitudes, and it therefore needs to find a way to ease the divisions it spans.
To do this, the EU must increase cyber security around three key elements: improving situational awareness, reducing the attack surface through organized countermeasures, and enforcing standards.
The EU is best placed to do all three, but the standards must be strict and enforced rather than encouraged. Given the ability of CERT-EU to process incoming data, incentives may include non-compliance requirements, help in ensuring that serious incidents are prosecuted, and the EU setting its considerable economic power against states that resort to cybercriminals.
Setting up these capabilities is not just a technical challenge but an organizational one. Cyber security is not installed separately; it needs to be as comprehensive and as little fragmented as possible.
But cybersecurity may be only as strong as its weakest link.