Written by Polona Car.
This is the seventh edition of an annual EPRS publication aimed at identifying and framing some of the key issues and policy areas that have the potential to feature prominently in public debate and on the political agenda of the European Union over the coming year.
The topics analysed encompass the 2024 European elections, budgeting in times of crises and war, lessons for public investment in the EU from the EU recovery instrument, the fiscal and monetary policy mix, climate and socio-economic tipping points, the impact of increasing fuel prices on transport, cyber-resilience in the EU, protecting media freedom and journalists, the future of Russia, and geoeconomics in an age of empires.
As cyber-attacks proliferate, 2023 is expected to see progress on several EU legislative and non-legislative proposals aimed at protecting infrastructure, connected devices, and the whole information and communications technology (ICT) supply chain to counter the wave of cyber-attacks.
A changing cybersecurity threat landscape
Russia’s war against Ukraine has put cyber-resilience in the spotlight. Russia’s aggression includes massive cyber-attacks on Ukraine but also on Ukraine’s partners in the EU. Even before the war, cyber-attacks were a great concern for the European private and public sectors (such as the cyber-attack against the German Bundestag in 2021). A ransomware attack occurred every 11 seconds in 2021, expected to accelerate to every 2 seconds by 2031, costing US$10.5 trillion annually by 2025. Cybercrime is the fastest-growing wealth transfer worldwide, inflicting increasing costs on the world economy with malicious actors becoming increasingly sophisticated. Rapid digital transformation, accelerated by the COVID-19 pandemic and geopolitical tensions, has increased the playing-field for cybercriminals. The 2022 ENISA report on the threat landscape in the EU revealed that 10 terabytes of data are stolen every month. Ransomware, which scores highest on the list of cyber-attacks in the EU, is followed closely by distributed denial of service (DDoS) attacks, with the largest ever DDoS attack in Europe recorded in July 2022. The Cisco annual internet report estimates that DDoS attacks will double from 7.9 million in 2018 to 15.4 million globally by 2023. Health service providers, pipelines, airports, ministries, hotel chains, banks and digital service providers are just a few examples of entities that have suffered from cyber-attacks over the past few years. Russia’s aggression against Ukraine is also provoking the rise of hacktivism and a surge in disinformation. Of particular concern are the growing capabilities of malicious actors, now using attacks against entire supply chains.
Protecting the critical infrastructure
Especially disturbing are attacks against critical infrastructure such as energy, health and finance, which increasingly rely on IT and are becoming highly vulnerable to cyber-attacks. Russia’s hybrid approach, merging physical and cyber-attacks, has demonstrated that disruption of essential services is a realistic threat to the EU. For example, the attack on the satellite communication provider just one hour before Russia’s attack on Ukraine affected internet services and wind farms across Europe. The Directive on the Resilience of Critical Entities (CER), together with the revised Directive on the Security of Network and Information Systems (NIS2), respond directly to this challenge. However, the fast-evolving threat landscape, and incidents such as the cyber-attack against the Danish railway network in November 2022, demand accelerated implementation of the new legal framework. Hence, the Council adopted a recommendation in December 2022, to step up efforts aimed at protecting critical infrastructure, and foster inter- and intra-EU cooperation. In particular, it would urge Member States to implement measures under the 5G cybersecurity toolbox, considering the high dependency of essential services on 5G and its importance for the development of digital services. The subsequent EU policy on cyberdefence aims to increase the EU’s cyberdefence capabilities and synergies between military and civilian cyber communities. The connectivity of critical infrastructure will be provided by the infrastructure for resilience, interconnectivity and security by satellite (Iris²), a sovereign space-based secure connectivity system, to be functioning in orbit by 2024.
Advancing operational capacity
NIS2 formally establishes the EU cyber-crises liaison organisation network (CyCLONe) for rapid crisis-management coordination in case of large-scale cross-border cyber-incidents, while the Joint Cyber Unit (JCU) ensures a coordinated response between civilian, law enforcement, diplomatic and cyberdefence communities, and should be fully implemented by 30 June 2023. EU cybersecurity capacity-building will be done in the framework of the European cybersecurity competence centre (ECCC), which is to become operational by March 2023. The centre aims to improve technological sovereignty through strategic cybersecurity investments. Together with the network of national coordination centres (NCCs), it will form the cybersecurity shield for the EU, powered by artificial intelligence (AI) and complemented by EU supercomputing infrastructure developed by the European high-performance computing joint undertaking. The first six quantum computers are expected to be available by the second half of 2023.
Protecting connected devices
Connected devices, such as home security applications, toys connected to the internet and smart cameras, are expected to number three times the global population by 2023. If hacked, they have the potential to open the door to malicious actors and impact the whole supply chain. To address this threat, the cyber resilience act (CRA) proposal would impose cybersecurity obligations on a very wide range of digital products before they are placed on the market. The proposal would impose high fines for non-compliance and ban products that do not abide by the rules. This could have an impact beyond EU borders, becoming an international reference for the cybersecurity of digital products. Intensive negotiations are expected on this proposal in 2023.
Protecting the supply chain
The October 2022 Council conclusions on ICT supply chain security should materialise in the creation of the ICT supply chain security toolbox, to complement the coordinated supply chain risk assessment for ICT products under NIS2. The 5G security toolbox criteria could serve as an example when defining high-risk vendors – such as Huawei – for the security of ICT supply chains.
Progress is also expected on a domain name system (DNS) resolver (which converts domain names such as www.name.eu into computer-friendly IP addresses, e.g. 192.168.2.1). A public European DNS resolver service (DNS4EU) should develop in 2023 as an alternative to the public (non-EU) resolvers prevailing on the market, which would enhance the EU’s cybersecurity abilities and contribute to its digital sovereignty. We can also expect the finalisation of the EU certification schemes for cybersecurity of ICT products (EUCC) and for cloud services (EUCS), where it remains to be seen whether disputed sovereignty requirements will be included in the scope of the latter.
Bridging the cybersecurity skills gap
The EU response to cyber-threats will depend immensely on having a sufficient and sufficiently trained cybersecurity workforce. The European cybersecurity skills framework (ECSF) will play an important role in defining the cybersecurity profession. The cybersecurity skills academy, which the European Commission has announced for the third quarter of 2023, could address the cybersecurity gap.
Read the complete in-depth analysis on ‘Ten issues to watch in 2023’ in the Think Tank pages of the European Parliament.