
Cybersecurity, Digital Privacy and Data Protection

Our world grows more digitised by the minute, a fact that does not only have bright sides. Computer systems we wholeheartedly rely on are threatened by hackers and other malicious actors.

As computers gain hold of nearly every facet of our lives, our reliance on them grows. Even now, the water supply, traffic light systems and supply chains of whole communities and cities rely strongly on the correct functioning of computer systems. Should these be infiltrated or manipulated, the consequences could be costly as well as devastating. People with malicious intentions could leverage these systems to cause damage on the scale of millions of Euros. To ensure that such scenarios do not occur, cybersecurity needs to be strengthened and innovative ways to recognise and oust threats need to be explored.

General Considerations

For improvements in the field of cybersecurity, target-oriented research and development is of utmost importance. Despite dealing with a strongly digitised field, it is essential to keep in mind the human factor and relevant social aspects, because the implementation of any form of cybersecurity measures, no matter how secure in theory, is heavily dependent on the people using and interacting with it every day.

In order for stakeholders in all areas to accept innovative cybersecurity tools, at least in all situations in which they might encounter them, it is essential for all systems to be sufficiently user-friendly. Furthermore, it is of special importance to enable active participation of stakeholders through improved opportunities for dialogue.

Promoting the examination of cybersecurity issues is not only a matter of specific use cases where improved cybersecurity tools might protect private persons as well as organisations and companies, but also crucial for the secure functioning of the Digital Single Market within the EU. A competitive and trustworthy market is a fundamental prerequisite to a successful and prosperous European Union.

The challenges of cybersecurity preparedness

Because of European Union citizens’ and companies’ dependence on digital infrastructure, cybersecurity preparedness is a matter of high priority.

The digital infrastructure, upon which other sectors, businesses and society at large critically depend, must be resilient and trustworthy, and must remain secure despite the escalating cyber-threats. New technologies and their novel combinations require innovative ways to implement security measures and to make new security-related assumptions, identifying “zero-day” or potential unknown vulnerabilities, forecasting new threats (plus their cascading effects) and emerging attacks, and managing cyber risks.

Because of the difficulties many organisations have in forecasting cyberthreats that are relevant to them, even entities that are willing to secure their critical infrastructure are in danger of missing the truly vulnerable gaps in their protection strategies. In order to continually shield organisations from harm by hackers or malware, cybersecurity experts need to adapt to the ever-changing conditions of new threats and attacks.

Cybersecurity skills need to be continuously advanced at all levels (e.g. security officers, operators, developers, integrators, administrators, end users) in order to enable cybersecurity, digital privacy and personal data protection within the EU Digital Single Market.

Concrete steps

In order to create persistent cybersecurity solutions, researchers are called upon to develop, test and validate an information platform with real-time interactions and sharing capabilities. These will be used to collaboratively improve given security mechanisms, reaching better forecasting abilities. The projects will strongly rely on a shared approach that features the appropriate tools to develop and refine today’s as well as tomorrow’s evidence-based simulation scenarios.

It is encouraged that private and public end-users are included in the process, so that Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs) are brought into the fold. By utilising the provided data, risk analysis models need to be continuously updated in order for them to be poised for current and future threat levels.

In addition, the proposals should show that the econometric models contribute to: (i) identifying affordable security controls that are needed to protect valuable organization assets, (ii) promoting the development of cyber insurance and liability policies/contracts and (iii) fostering service level agreements addressing security, privacy and personal data protection requirements and policies. Proposals should bring innovative solutions to enforce and encourage accountability of security as a shared responsibility.

Econometric models can assist in the search for affordable, real-world cybersecurity application possibilities. Another factor that needs to be taken into account is the social aspect of digital security training, especially in hands-on training environments. In order to facilitate a better exchange of public and private stakeholders, close cooperation with and participation of SMEs is encouraged.

Budgetary estimates for proposals following these provisions lie between five and six million Euro, seeing as this amount should be able to address the challenges defined above. Nevertheless, proposals exceeding this sum are not automatically excluded and may very well be suitable as a project.

Expected impact

From this project, the European Commission expects the following impacts:

Short-term:

  • Professionals better prepared to detect, block and mitigate emerging cyberattacks;
  • End-users of cybersecurity products and services more involved in expressing actual needs to developers/vendors, through cyber range and simulation;
  • More organized collaboration between a network of cyber ranges and Europe-wide initiatives such as the CERTs/CSIRTs cooperation network of the NIS directive;
  • Improved risk analysis models to be used by public/private organisations, through the use of economics for evidence-based cybersecurity and data privacy;
  • Appropriate econometric models able to learn from cyber incident data on a wide scale;
  • Improved knowledge on how organisations can make the right investment to secure their operations against cyber-attacks (e.g. where they result in personal data breaches), using economics for evidence-based cybersecurity and data privacy;

Medium and long term:

  • Improved resilience of ICT systems/infrastructures and reduced time and cost in infrastructures for training users; 
  • EU member states better prepared to face malware campaigns and to take down malicious infrastructures; improved EU-skills market;
  • Better preparedness to put in place cybersecurity measures and identify the necessary resources for recovering after a cyber-attack;
  • Improved security, resilience and sustainability of organisations.

Keywords

cybersecurity, cyberwarfare, cyberattack, hackers, resilience, Digital Single Market, cybersecurity preparedness, security