EOS STUDY FOR AN EU CYBERSECURITY FLAGSHIP ‐ Extended Public Summary ‐ December 2015 1
Cybersecurity for a trusted EU Digital Single Market
‐ EOS Market Study for a Cybersecurity Flagship Programme ‐
An EOS Strategic Initiative
Extended Public Summary
December 2015
INTRODUCTION
The EU cybersecurity strategy was adopted by the EC in 2013 to drive development and application of cybersecurity solutions in Europe. However, the market for cybersecurity products is dominated by global suppliers and Europe is lagging behind. Shadowed by low efficiency, this is coupled with increasing issues including technological independence, sovereignty, legitimate privacy concerns and market fragmentation (at EU and MS level). Trust and information sharing across countries still remains a key concern in the development of an EU cybersecurity platform.
The present situation and the need for action have been well identified in the resolution of the European Parliament of March 12th, 2014, stating, among others: “large‐scale access by US intelligence agencies has seriously eroded transatlantic trust and negatively impacted on trust as regards US organisations acting in the EU” … “the fact that intelligence agencies have accessed personal data of users of online services has severely distorted the trust of citizens in such services, and therefore has an adverse effect on businesses investing in the development of new services” … “it is essential for companies providing such new services and applications to respect the data protection rules and privacy of the data subjects whose data are collected, processed and analysed, in order to maintain a high level of trust among citizens” … “EU's firm belief in the need to strike the right balance between security measures and the protection of civil liberties and fundamental rights, while ensuring the utmost respect for privacy and data protection;” … “review the current public procurement practices with regard to data processing in order to consider restricting tender procedures to certified companies, and possibly to EU companies, where security or other vital interests are involved” … “in order to achieve maximum IT security, Europeans need to be willing to dedicate sufficient resources, both human and financial, to preserving Europe’s independence and self‐reliance in the field of IT;” … “the mass surveillance revelations that have initiated this crisis can be used as an opportunity for Europe to take the initiative and build up, as a strategic priority measure, a strong and autonomous IT key‐resource capability;” … “Action Plan to develop greater EU independence in the IT sector, including a more coherent approach to boosting European IT technological capabilities (including IT systems, equipment, services, cloud computing, encryption and anonymisation) and to the protection of critical IT infrastructure” … “direct more resources towards boosting European research, development, innovation and training in the field of IT”.
Europe has started major initiatives in ICT sectors for the growth of its digital economy (more recently: big data, cloud, IoT etc.), mainly on research related issues. All these activities foresee “self‐standing” security approaches, not benefitting from shared competences and solutions and not sufficiently leading to market implementation. A transversal security approach across these initiatives could increase efficiency and help the concrete use of European cybersecurity solutions for awareness, protection, threat detection, response and recovery. Such an overarching initiative should be complemented by a capability building roadmap leading EU and MS to invest in network and information systems security projects, thereby bridging the gap between innovation and market and ensuring that other large set‐ups such as broadband networks, satellite communications and EU‐wide large communication and information systems (e.g. in air traffic management) be properly protected.
THIS STUDY
This paper builds upon and takes into account the noteworthy results of previous initiatives such as FP7 projects (CYSPA, CAPITAL, etc.), NIS Platform WG3, ENISA studies and analyses, national strategies where available, and the competence of the major industrial and research actors in Europe.
It examines the cybersecurity context in general, recalling cybersecurity, cybercrime and cyberterrorism definitions, introducing issues linked to Privacy, Trust, Risk Management and Information Sharing in the cyberspace, analysing the cybersecurity challenges in the global and European market before considering the opportunity for Europe to move towards an increased digital autonomy.
The analysis starts by looking at the ecosystem elements that can be affected by cyber threats; the emerging areas of this ecosystem that can potentially be threatened and the threat agents (those who perpetrate the threats).
Current efforts in the United States and in Israel are presented as case studies before drawing up a map of the public and industrial efforts in cybersecurity across Europe. A comparison of the efforts in these countries allows us to assess similarities, differences and lessons that can be learned from the different models.
Despite the complexity of the cybersecurity market structure in its products and applications, an analysis of its size, characteristics and typology has been done, aiming to bring together the wide but often non‐harmonised elements of public studies.
A market segmentation, in accordance with EC studies, has been used to present the different solutions and services to counter the various cyber threats, as well as the suppliers of these products. A database of genuine European industrial actors has been created describing more than 336 European cybersecurity companies and their main competence.
In the vertical market analysis, we have looked at demand needs for several main application sectors like Industrial Control Systems (manufacturing and utilities, including the Industry 4.0 approach), Energy Networks (including smart grids and smart meters), Transport (aviation, rail, road, space, and sea), Finance, Healthcare, Smart and Secure Cities and ICT infrastructure.
Crossing these elements (the different market application sectors, the threats and the competence of the companies) has allowed us to identify the sectors / products in which the European offer is most important and where it is most competitive. At the same time, we have identified where more efforts will be needed to reach a higher level of digital autonomy and competitiveness in strategic / important sectors.
With all these elements a “Strengths, Weaknesses, Opportunities and Threats” analysis for EU cybersecurity has been conducted from different points of view: European Aspects, Market and Business, R&I and Technical, Education and Skills, Policy and Legal.
As a conclusion, a list of recommendations supporting the creation of a European cybersecurity ecosystem and market as well as the development of a genuine and competitive European cybersecurity industry has been proposed. A Roadmap and a tentative budget over the next 10 years are given to support the setup of the proposed actions.
CYBERSECURITY, CYBERCRIME ETC.
Cyber security attacks have increased exponentially in the last few years. Every day, as the evolution of technology marches forward, new and more complex cyber risks emerge, threatening significant harm to an organisation’s brand and bottom line. Everyone and every organisation is a target.
Cybersecurity is an area that does not have a single definition. In order to have a common understanding of the issues, we adopt the following broad definition suggested by the ITU. Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organisation and user’s assets. Organisation and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organisation and user’s assets against relevant security risks in the cyber environment.
When talking about cyber threats, it is usual to distinguish different categories:
• Cybercrime: crime on the internet has a new dimension. Modern technology allows organised crime to scale its “business”, especially outside the legal boundaries of states.
• Cyber‐Espionage: military/state/industrial espionage has existed for thousands of years. The only difference between traditional espionage and cyber espionage is the use of technology, and as long as we have civil intelligence agencies it will not stop.
• Cyber‐Warfare: we are facing a new type of asymmetric warfare with a new paradigm and no taxonomy.
The analysis of the cost of cyber breaches can help identify the security challenges and drive the risk management procedures, with the consequent capacity investments.
COST OF CYBER ATTACKS
Cybersecurity is a growing concern, not only to our national public authorities and citizens with regards to their security and the protection of their privacy, but also to our economy. Lloyd’s estimates that cyber‐attacks have cost 400 billion dollars in 2014.
McAfee’s estimation of the cost of cybercrime (and its consequences in restoring services / repairing the system) is between 375 and 575 billion dollars per year. More importantly, cyber‐attacks could also constitute a direct threat to employment. For example, some companies affected could see a significant number of their jobs threatened: 200,000 in the United States, 150,000 in Europe.
Cyberattacks increased by 48% in 2014 compared to 2013 according to PwC. In total there were 43 million cyber‐attacks in 2014, which represents 117 000 attacks per day. Since 2009, cyber‐attacks have risen by 66% per year on average. PwC also finds that Europe is the most targeted continent, with an increase of 41% in 2014 compared to 11% in North America and only 5% in Asia Pacific.
The World Economic Forum warns that over the next six years cyber‐attacks could cause losses up to 3 trillion dollars.
A COMMON EUROPEAN CONCERN: EU POLICIES and ACTIONS at EU and MS LEVEL
A number of EU Institutions / Organisations are concerned today by cybersecurity policies and issues. They include:
• European Commission
• Council of the European Union
• European Parliament
• External Action Service
• ENISA
• EC3/Europol
• European Defence Agency
• CERT‐EU
• EIT ICT Labs
• European Standardisation Organisations
In the last years, the European Institutions have adopted (or are adopting) a number of key EU policy initiatives on cybersecurity such as:
• European Security Industrial Policy
• European Union Cybersecurity Strategy
• Directive to ensure a common level of network and information security (NIS Directive)
• Digital Single Market Strategy
• EU Data Protection Package
• eIDAS: Electronic identification and trust service Regulation
• PSD2: Revised Directive on Payment Services
Cybersecurity has been increasingly recognised as a global concern in Europe, because it potentially targets any country and organisation. All European countries have been targeted by malicious cyber actions. Currently, only 19 of the 28 MS of the EU have published national cybersecurity strategies with more or less clearly defined objectives. However, many of them still lack the desired quality, remaining vague and high‐level and lacking a clear implementation plan. More importantly, these documents are static: only a few countries have revised and improved their original strategies. Few MS have reinforced their strategy with the relevant legislative and policy instruments that support its objectives.
Companies in EU countries have started to organise themselves at regional or national level around “clusters” (or associations) to take advantage of synergies, share best practices and increase visibility. A number of clusters have been identified. While the added value at regional and possibly at national level seems quite clear, an analysis is still needed to identify and expand on what for the moment are still intuitive added values for gathering these clusters at European level, leading to a wider critical mass.
THE CYBERSECURITY ENVIRONMENT AND MARKET IN US & ISRAEL: LESSONS FOR EUROPE
The US has developed a successful cybersecurity industrial policy, which has allowed its companies to dominate markets worldwide. The competences of US companies have been developed in an ecosystem created by the government. The sector consists of both start‐ups and giants. US companies systematically buy promising small European cybersecurity companies, often for an amount much higher than their turnover. On the other hand, the US protects acquisitions of its own companies with regard to cybersecurity technology. Broader objectives are supported by substantial public investment from the NSA, the Department of Homeland Security and the Department of Defence: the public budget dedicated to cybersecurity was $ 13 billion in 2014, which represents nearly 16% of the federal IT budget. At the same time, the US government has invested massively in cybersecurity research and development (3 billion per year), which financed 80,000 jobs in the industry, building on the defence industry.
The US approach to cybersecurity has a strong influence on Europe, both because leading US companies are using the results of this approach in European markets, and because EU MS, and sometimes EU Institutions, are considering the possible introduction of similar solutions (e.g. the development of a possible EU NIST and Small Business Act for cybersecurity).
The US approach is likely well adapted to a liberal market with centralised technical coordination, a well‐structured and defined approach and standards, as well as high‐level political support of strategic / trusted companies. It is hardly applicable in the present European situation, with its high fragmentation across countries, the weak coordination (as allowed by MS) among EU Institutions and Agencies, the still limited awareness of political decision makers, and the low level of commitment (and awareness) of the economic sector.
The voluntary‐based liberal market approach in the US does not actually need regulation: the market is already heavily structured and there are rules like the CFIUS to control the activity of non‐US owned companies. While a similar voluntary approach is supported by certain liberal European countries and by major international (often US) incumbent companies, other European countries are looking for a certain level of regulation (respecting national sovereignty and interests) to defragment the market and create a more favourable situation for the implementation of sustainable risk‐based solutions. Furthermore, cybersecurity, as a security market, cannot be – like other security areas – totally unregulated, as it has an important if not vital impact on national and citizens’ security and the protection of economic growth.
We will have to find a good blend between specific EU approaches, better adapted to our markets, culture and sovereignty issues, and already well developed US competence.
Israel is one of the world leaders in cybersecurity due to its public engagement and investment in the domain. The public agenda pursues two complementary objectives. The first one is to ensure Israel’s sovereignty in cyberspace through the development of defensive and – likely – offensive capabilities. Indeed, Israel is surrounded by many threats, which can potentially use cyber as a way to attack the country and destroy or, at least, seriously disrupt its critical infrastructures. The second objective is economic. Israel has conceived cybersecurity as an economic system in its own right, able to innovate, create jobs and export. Both objectives are supported with a massive annual public investment – roughly $3B a year.
A comparison with the Israeli approach immediately shows the need to develop a stronger ecosystem in European countries, based upon solid education and training. Without reaching the Israeli level in the number of cyber experts available to the market when they come out of compulsory military service, Europe could take inspiration from their best practices and better organise its national and European education and awareness, for citizens, professionals and decision makers.
GLOBAL CYBERSECURITY MARKET CHARACTERISTICS
Global cybersecurity market dominated by global suppliers from North America. The global cybersecurity market (2015 expected) is €70 billion, with 8% average yearly growth; more than 40% of this market is in North America and 25% (i.e. €17 billion) in Europe (with a 6% yearly growth). The enterprise market is largely dominated by global cybersecurity suppliers such as Microsoft, IBM, CISCO, Symantec, etc. Beyond these supplier companies, we could also mention those companies managing (and thus controlling) large amounts of data, like Google and Facebook, which can have an impact on our privacy and security at large. The main expert IT consultants also originate from the US: market studies and advice to the EU and MS often have a US‐driven approach.
Hereafter our estimation of the cybersecurity market by country, with input from existing market studies (Gartner, Visiongain, IPACSO, CAPITAL etc.) and information from EOS members.
CYBERSECURITY NATIONAL MARKETS 2014

Country | 2014 market (€ bln) | Market % | Average growth in the next 10 years
US | 26 | 39,0% | 4%
P.R. China | 5,5 | 8,2% | higher than 10%
Japan | 5 | 7,5% | 5%
Germany | 4,3 | 6,4% | 5%
UK | 3,7 | 5,5% | 5%
Russia | 3,1 | 4,6% | 6%
France | 3 | 4,5% | 5%
South Korea | 2,6 | 3,9% | 5%
India | 2 | 3,0% | higher than 15%
Italy | 1,9 | 2,8% | 8%
Canada | 1,2 | 1,8% | 9%
Israel | 1,2 | 1,8% | 7%
Australia | 0,9 | 1,3% | 8%
ROW | 6,3 | 9,4% | 9%
TOTAL | 66,7 | 100,00% | Higher than 8%
Looking to the near future, the increasing adoption of mobile, cloud computing, social and information technologies (often interacting together) will be the main drivers for the use of new security technology and services. The European market is however smaller than the US market, which is estimated to be around €25 bln in 2014. The UK, Germany and France constitute the biggest market sub‐segments, about 60% of the European market, and are estimated to achieve growth rates of between 5‐6%.
In the most recent years, there is a clear growth in the cybersecurity market, as part of the wider IT market used by the different applications. Cybersecurity constitutes today, on average, about 2,3% of the IT spending which is expected to be about €3100 bln (source: Gartner) in 2015.
Mature commodity market. Most IT hardware and software products are built outside the European Union. The market in “commodity protection" products, close to the ICT mass markets (firewalls, antivirus, IDS software etc.) is already reaching maturity and is therefore more costly and complex to enter.
Market owned by “EU companies”. Quite challenging is the evaluation of the percentage of the world market secured by “genuine” European companies. A rough first estimation gives a value of about 6 bln €, corresponding only to 35% of the European market and 8,5% of the world market, thus showing the progress that the genuine European cybersecurity industry can make. The corresponding number of highly skilled experts in the European cybersecurity industry suggests a figure of about 100.000 direct jobs.
ISSUES / CHARACTERISTICS OF THE EU CYBERSECURITY MARKET
Typical characteristics of the European cybersecurity market are given hereafter. A longer list of strengths and weaknesses is given later (SWOT analysis).
Market fragmentation. The EU’s 28 Member States have different regulations and approaches towards cybersecurity as well as data privacy concerns: this leads to the development of various specific solutions. More coordination in requirements would bring better interoperability, thus increasing the market size and creating larger opportunities for industry while decreasing development costs. The fragmentation of the European market has enhanced the dominance of US players not only from the competition perspective but also in the fields of data protection and cyber security. We need a level playing field in terms of privacy and security between Europe and United States.
Innovation led by non‐EU ICT products. Given the pervasiveness of ICT in different products and services such as electronic banking, e‐commerce platforms, big data, cloud computing, e‐supply chain, smart devices and the internet of things, many innovations in products and services are driven by ICT products that are not designed and manufactured in Europe. The downside to becoming dependent on ICT is that we are increasingly vulnerable to the risks posed by cyber threats. The service‐based approach, in which Europe has demonstrated strengths, could be the one in which Europe can better compete.
Innovation is strong in Europe, emanating from ICT labs, SMEs and large players, but not always properly funded due to a lack of a consistent transnational approach. Results of Research and Innovation are hardly reaching the market. There is still a lack of strategy in EU research: several ongoing efforts are identifying technology and societal gaps but the identified R&I priorities are not sufficiently considering the wide economic / industrial perspective to bring the EU industry to a global competitive level. For this reason, in this study we try to better identify areas where the EU is well positioned to be a global leader, what are the strategic products and services, and assist in defining long‐term plans for building up these competencies.
Financial. Weak entrepreneurial culture, lack of venture capital and seed money calls for other ways to support innovation with the relevant financial effort and awarding mechanisms efficient enough to keep up with the pace of cyber threats.
Anticipated support from public procurement not yet in place. In its recent assessment of the progress made on the implementation of the EU Cybersecurity Strategy, the Commission acknowledges that, concerning the action to “Develop, by the end of 2013, good practices to use the purchasing power of public administrations to stimulate the development and deployment of security features in ICT products and services”, no progress has been made and that “such good practices will be developed in the near future”.
EU industrial policies not yet addressing specific cybersecurity issues. Whilst the European Security Industrial Policy and the Communication for a European Industrial Renaissance set out the main roadmap for the development of a more competitive European security industry, they did not specifically stress them as main problems in the domain of cybersecurity.
Cybersecurity and cyberdefence. Cyberdefence can be considered as a form of cybersecurity dedicated to the protection of military installations and protection of classified information relating to military operations, using the highest security standards from risks compromising decision superiority during military missions. In certain EU countries, cyberdefence is considered as the defence of the nation’s critical (IT) infrastructure, in particular with the support or supervision of defence forces: technologies are the same as those used for civilian applications, only the threats and the requirements are different.
Sovereignty. The current market fragmentation is partly due to the fact that security in general, and cybersecurity in particular – especially as a component of critical infrastructures and national assets protection – remains, within the EU treaties, a national responsibility. Furthermore, cybersecurity cannot be isolated from “cyber defence”: in sensitive domains like cryptography, this would mean to continue developing, at least to a certain extent, country‐specific solutions. Hence, there is a strong link between cybersecurity solutions and sovereignty matters for the Member States which can result in a lack of cooperation and lead to increased market fragmentation.
Strategic autonomy. The EU is heavily dependent on non‐EU technologies in many domains in the ICT and cybersecurity field. Whilst this is not necessarily an issue for commodity hardware and software solutions, it can become a major problem when considering devices manufactured by suppliers outside of Europe’s legal frameworks and without full confidence that the devices do not include, for instance, built‐in backdoors or are applying the same level of quality requirements.
We are far from being at the right level of preparedness. The full implementation of an EU single digital market calls for more coordination at the EU level with a clearly identified industrial vision. To strengthen our position in cybersecurity, the study will try to answer the following questions:
The place for Europe and its industry in the global cybersecurity market. The main questions for Europe are:
• what is the level of strategic autonomy that Europe needs to achieve in the cybersecurity domain?
• in which cybersecurity areas can European industry make a breakthrough and become a global and competitive player?
Objectives for the development of a strong European cybersecurity industry and an industrial base in a coordinated EU approach:
• Market driven objectives with high economic impact
• Security driven objectives linked also to EU sovereignty, societal (data protection) and increased technological independence concerns
EMERGING AREAS (POTENTIALLY THREATENED)
Mature markets, like Network Systems Security, though being huge and still growing, are quite difficult to enter and reach a high level of competitiveness. New emerging markets, heavily impacting our future (and already present) way of living would show more opportunities for Europe. The following emerging areas have been identified by the CAPITAL and CYSPA FP7 projects (led by EOS).
• Future Clouds and Cloud Computing Models
• Future Security and Privacy Incident Management: Information and Event Management & Complex Event Processing Technologies
• Cyber Security and Privacy Engineering: Security and Privacy by Design for Development of Vulnerability Free Software
• Internet of Things: Smart Inter‐Connected Devices and their Impact on Cybersecurity and Privacy
• Mobile Computing (including social networks)
• Big Data
• Critical Industrial Systems (including Industry 4.0)
• Online Trust and Transparency for Privacy: Trusted Cyber Identities Including Recommendations, Rating, Reputation, and Reasoning for Trust
• Metamorphic networks
• Software Defined Networking
These areas, while reflecting the present approach in EC funded projects, which underline in particular societal issues (e.g. privacy), are also of interest for a more economic / industrial analysis.
For all these areas, we have identified the societal impact, the industrial relevance, the supporting IT Technologies, how they are impacted by cyber threats, if they are influenced by privacy issues, what are the relevant on‐going activities and what are the related application fields. We have then presented the main challenges & opportunities and the needed future topics of research to respond to cyber threats in these areas. A large number of potential threats have been analysed for each emerging area and the most important are shown in the table above.
PRODUCTS AND SOLUTIONS
To break down the cybersecurity market and assess it we have followed the segmentation used in the latest EC study from ECORYS. Using this breakdown and with the information gathered from different market studies, we estimate the market for the different products / services as in the following.
Hereafter our estimation of the cybersecurity market by segment, with input from existing market studies (Gartner, Visiongain, IPACSO, CAPITAL etc.) and information from EOS members.
MARKET BREAKDOWN BY SOLUTIONS / SERVICES 2014

Solution / service | 2014 market (€ bln) | Market % | Average growth in the next 10 years
Governance, vulnerability and cyber‐security management | 2,7 | 4,0% | 11%
Identity and access management | 7,3 | 11,0% | 10%
Data security | 11,3 | 17,0% | 6%
Cloud Security | 2,7 | 4,0% | 12%
Applications security | 2,7 | 4,0% | 7%
Network systems security | 14,7 | 22,0% | 5%
Hardware (device/endpoint) security | 4,0 | 6,0% | 6%
Audit, planning and advisory services | 9,3 | 14,0% | 6%
Management and operations services | 2,0 | 3,0% | 7%
Managed security services ‐ MSS | 9,3 | 14,0% | 15%
Security training services | 0,7 | 1,0% | 10%
TOTAL | 66,7 | 100,0% | higher than 8%
An interesting market view is also obtained by multiplying the market size for each solution / service area with its percentage growth. In this case, we obtain, as shown hereafter in a view normalised over the largest value, a perception of the market dynamics linked to the market size: this shows the interest for entering certain markets (most attractive for their size AND growth).
[Figure: market size multiplied by growth for each solution / service area, normalised over the largest value (scale 0.00 to 1.00); chart not reproduced in this extraction]
We have split the market for products / services into several segments from an industrial point of view. Those market segments integrate several capabilities or solutions. The breakdown can be summarised in the following table (segmentation from the ECORYS market study “Study on the development of statistical data on the European security technological and industrial base”, adapted by the EOS cybersecurity WG).

Products and Solutions:
Governance, vulnerability and cybersecurity management
• SIEM (security information and event management), monitoring systems and secure SCADA
• Threat Intelligence (collection of data, semantic analysis, correlating and deducing security actions and implementing them e.g. in SIEM …)
• Security monitoring visualisation
Identity and access management
• Electronic access control (identification, authentication and authorisation) for IT and communications equipment (hardware), systems and networks
Data security
• Encryption, cryptography and digital signature solutions
• Public key infrastructure solutions
• Digital rights management solutions
• Content filtering and anti‐spam solutions
• Data loss/leak prevention (DLP), privacy, secure data deletion, secure archiving, data recovery
Cloud Security
• Data hosting (service)
• Data security
Applications security
• Security of IT software and applications (design, coding, development and testing)
Network and systems security
• System and network security software (e.g. firewalls, antivirus, anti‐malware, anti‐DDoS, intrusion detection, tracking and tracing, gateways)
• Unified Threat Management (UTM) solutions
• Terminal (fixed or mobile) security solutions and terminal hardening solutions
• Vulnerability scanners
• Internet/network communications security solutions (e.g. secure phone, video conferencing, e‐mail and messaging systems)
• Secure Execution Platforms and Operating Systems Security
Hardware (device/endpoint) security
• Secure personal portable devices and identity documents
• Hardware security modules
• Enrolment and issuance equipment/systems for access control and identity management
• Biometric‐based security equipment/systems
• Network encryption equipment/systems

Cyber security Services:
Audit, planning and advisory services
• Security audit, vulnerability and intrusion testing, and risk and threat assessment
• Security strategy, planning and management advice; other IT/cybersecurity consultancy services
• Security certification and conformity/compliance assessment
• Digital forensics: post mortem (incident / intrusion) analysis, investigation and proof preservation
• Cyber Insurance
Management and operations services
• Security engineering, design and architecture development
• Implementation (technical assistance/expert support services) and integration, interoperability testing
• Security project management
Managed security services ‐ MSS
• Security system management and operations
• Continuity and recovery management
• Trusted third party services / E‐content and e‐reputation services
• Operational support (technical assistance/expert support services)
Security training services
• IT / cybersecurity education, training and awareness
In the analysis, we have described the different challenges for each sector / sub‐sector, the trends and the main companies, also at EU level. We have seen that the European industry is competitive and competent in several areas with large market dynamics (market size & growth), such as Data Security and IAM, which could be areas in which to develop global champions.
This graphic is based upon a QUALITATIVE analysis. In particular, limited open information on “application security” relegates this topic to a low competitiveness / competence position. Being qualitative, this graphic can be improved with more specific information and deeper analysis.
A graphic display of the cybersecurity market size and growth, starting from the figures given in § 5.1.3, shows that European industry is competitive and competent in several areas with large market dynamics (market size & growth), such as Data Security and IAM, which could be areas in which to develop global champions.
NOTE: the darker the rectangle, the higher the competence / competitiveness of European cybersecurity companies.
VERTICAL ANALYSIS (APPLICATIONS)
A detailed vertical analysis of the different application markets has been done to identify gaps and trends in the application of cybersecurity solutions and services in the following areas:
‐ Industrial Control Systems: Utilities (Water, Food, Agriculture), Nuclear, Chemical, etc.; Future Industrial Production: Industry 4.0 and cybersecurity
‐ Energy Networks: smart grids, smart meters
‐ Transport: Rail Transportation, Aviation Transportation, Road Transportation
‐ Finance
‐ Public Administration: Vital Services / eGovernment
‐ Healthcare / eHealth
‐ Smart & Secure Cities
‐ ICT Infrastructure
An important factor in the choice of priorities for supporting the growth of a European cybersecurity industry is the area of application of the solutions / services. Even if the different solutions are in general applicable to all kinds of systems, specific customers and applications may need more specific solutions, with an important impact on the security and resilience of the system / critical service itself.
A first major distinction can be made between industrial systems and information systems. A critical differentiator between the two is that industrial systems control real‐world physical processes relating to nuclear power, water, electricity, gas and other critical infrastructures. Therefore, targeted attacks on industrial systems, such as disruption of nuclear reactors or of the electrical power grid ecosystem, can have real‐world consequences for human lives and the environment. For the most part, the same cannot be said of the information systems domain; nevertheless, the consequences of, for example, a disrupted online banking or retail service have a profound and critical impact on society, carry considerable economic weight, and should therefore also be protected from cyber‐attacks.
Industrial systems are undergoing a paradigm shift from isolated ecosystems to IoT‐style ecosystems, where isolated islands are interconnected with other intranets and the Internet. Industrial systems concern domains where Europe is among the world leaders, such as pharmaceuticals and manufacturing (e.g. automotive, food production …), building infrastructure (e.g. heating, ventilation & air conditioning, elevator transportation and physical access control to and within buildings), or industrial systems of societal / vital importance, such as water treatment, oil and gas, transportation, and electric power; for this reason they deserve special attention when establishing investment priorities in Europe.
This graphic is partially based upon a QUALITATIVE analysis. For this reason, it may evolve in the future with more information and analysis.
EUROPEAN CYBERSECURITY INDUSTRY
There is no European cybersecurity industry able to compete at the same level with the large American and Asian cybersecurity companies. In cybersecurity, when “national products and services” exist, they often correspond to specific “national sovereign needs” and are not usually capable of competing on a global scale. Today, the European market for cybersecurity is essentially driven by these sovereign needs, and that is why the market is so fragmented between national industries that meet the needs of their respective domestic sovereign markets. It is essential for Europe to find a way to structure the European cyber industry in order to compete internationally, while also keeping in mind the strategic need to “master” national products.
Although Europe has some positive examples of cybersecurity industry, their number and size remain limited on the global scale. The development of a strong European cybersecurity industry and industrial base requires extensive investment capabilities and a joint effort of the EU Member States.
We estimate that there are tens of thousands of European companies active (as their main or partial business) in the cybersecurity sector. For this study, we have developed a database of more than 400 genuine European companies (only those with headquarters in Europe) active in the different cybersecurity sectors / solutions / services. The list of European cybersecurity companies is of course not exhaustive; yet, we think we have identified the main companies, as well as some of the most promising / interesting SMEs.
There are few European companies with an international cybersecurity footprint, and few companies able to compete at national and European levels outside the major defence companies.
In the market / suppliers analysis, we have identified a considerable number of large and small companies covering, more or less well, the spectrum of the needed solutions for the different application sectors and emerging areas. It was not the intention of this study to provide a detailed analysis of the level of performance and competitiveness of each company and each product. We can say that Europe has a fair presence in all the market segments but a relatively weak level of competitiveness across the majority of sectors / products.
We recognise that SMEs are particularly present (with respect to the overall companies in certain products / services) in Governance, vulnerability and cybersecurity management; IAM; Data Security; Application Security; Network Security Systems; Audit, Planning and Advisory Services; as well as in Security Training Services. SMEs seem to be less active in domains like Cloud Security and MSS (which likely demand more resources).
The largest presence of EU companies is in Data Security and in services such as audit, planning and advisory services in general.
We recall that in this analysis we have not classified the many research centres and universities dealing with cybersecurity, whose activity, in certain countries (e.g. Austria, Italy, Estonia, Finland, …), can be even more significant than that of local companies.
The analysis per country can give interesting results. Without claiming to be “exhaustive”, this analysis is nevertheless statistically indicative of the development of “genuine” EU cybersecurity companies in the different countries and / or of the ease of finding such companies on the web with a sufficiently clear explanation of their activity (important for those companies that want to promote their image / products).
Unsurprisingly, we find France, Germany and the UK in the first three places. These countries have a good ICT environment, and their cybersecurity companies are well supported by local / regional organisations and the national administration.
Finland, considering its number of inhabitants, is well represented, both because of its high‐tech tradition and because of the ease of finding national companies belonging to the FISEC organisation.
Spain and the Netherlands are also at quite a good level, even if Spain is just organising its internal network of cybersecurity industries, while the Netherlands has already started, thanks to the Hague Security Delta.
Italy has a low presence in our analysis, both due to the country’s delay in the trusted digital market and to the lack of national organisation among cybersecurity companies (today, a national coordination exists mainly at university level). Non‐EU companies are very visible here, as in Sweden, and are taking a large part of the national market, perhaps also thanks to the low visibility of local products.
Denmark, Portugal, Ireland and Belgium are in quite a good position considering their size and interest in the domain (likely, more Irish and Belgian SMEs would be found with a deeper search).
Eastern European countries deserve a specific comment. In these countries, cybersecurity is a growing sector, but there is a limited number of national companies. This is happening even in cyber‐advanced countries like Estonia. In these countries (Poland, Czech Republic, Romania, Bulgaria, Hungary, etc.), despite the presence of a few competent companies such as Balabit, the presence of large non‐EU companies is quite significant (both on the markets and in image, e.g. sponsoring main national events). A few Central European actors are countering the non‐EU presence, but it is quite striking to see how EU companies seem to neglect, or have difficulty entering, these markets.
In the following figure, we have tried to place the different categories of industrial (supply) stakeholders according to their competitiveness level with respect to their specialisation, integration or services offer.
We have also tried to show market trends of these groups, including merging or purchasing of companies for market consolidation and competitiveness.
SWOT ANALYSIS
The following analysis presents the different SWOT elements identified in the study, each leading to a suggestion (here indicated with →) which is then further broken down into specific recommendations.
Strengths
European Aspects:
‐ Trust in the security and privacy of EU‐based technologies, solutions and products → Leverage upon EU‐based technologies to better address EU needs and requirements
Market and Business:
‐ Highly diversified cybersecurity SME industry serving local markets / needs → Wide competence in the EU (but not always competitive, due to fragmentation and local offer)
‐ Strong relationship of “national trusted companies” (stemming from defence / professional business) with local administrations → Get political support to further develop “EU sovereign” solutions
‐ EU among leaders in ICT / cyber markets such as encryption and smart cards / ID authentication → Further develop global leadership in these sectors
R&I and Technical:
‐ Huge academic work gathered from EC projects → Transform basic R&D into business opportunities
Education and Skills:
‐ Growing initiatives in universities or private institutes / companies for professional training → Develop linkage across the EU between national / local training initiatives to educate and train a new generation of European ICT security experts
Policy and Legal:
‐ Privacy regulation fostering trust → Regulations for application in ICT security solutions would then foster the market
‐ Legal and regulatory framework enforcing security requirements for critical national infrastructures and supporting a free and open cyberspace → Regulations in sector‐specific and sensitive applications
Weaknesses
European Aspects:
‐ Different cybersecurity strategies at MS level (not all MS have such strategies, and often they are not updated) → ENISA could support MS to define their own strategy and update it when needed
‐ Link between cybersecurity solutions and MS sovereignty, leading to lack of cooperation and exchange of information (also on cybersecurity approaches) and market fragmentation across the EU → Improve trust & information exchange procedures; develop EU sovereign components
Market and Business:
‐ Fragmented and uncoordinated development strategy, particularly for EU funding along the value chain → Develop and implement a SRIA also led by competitiveness issues
‐ Unfavourable IPR conditions and State Aid Rules in the EU (in particular for research) → Improve legal measures to help EU industry
‐ Administrative / financial burden for starting new activities / companies in the EU → Simplification at MS level
‐ Lack of sufficient awareness of market developments → Create an EU observatory to widely inform on the evolution of market needs
‐ Insufficient visibility of EU ecosystem solution / service offerings → Improve users’, operators’ and integrators’ knowledge of EU solutions and services
‐ Few large companies in the EU and many niche players (very large number of SMEs) lacking critical mass and needing nurturing (market fragmentation, also due to MS domestic procurement / national solutions, not competitive enough at global level) → Market consolidation
‐ Global market dominated by global suppliers from North America for software and from Asia for hardware → Reduce the weakness of the EU supply chain by developing a genuine EU cybersecurity industry
‐ Lack of globally competitive EU companies positioned on emerging subjects: cloud security, big data, threat intelligence, IoT security → Further development of solutions in emerging sectors and consolidation of offers
‐ Lack of mass‐market offers → Develop the offer in a few strategic areas (not possible to make huge investments to cover all mature markets)
‐ Limited access to venture capital: less attractive Venture Capital ecosystem in Europe versus other leading NIS regions (US, Israel) → Development of venture capital funds supporting the different phases of the EU cybersecurity industry
‐ Limited export capability of SMEs → Gather SMEs’ offer; provide political and marketing / sales support; provide financial and administrative support
‐ Limited or no coordination of public procurement for speeding up market uptake of innovative products → Harmonisation of needs across MS via increased dialogue and public / private cooperation
R&I and Technical:
‐ Insufficient EU and MS funding to support the emergence of EU solutions in strategic sectors (e.g. with respect to US investments) → Increase EU / MS funding to develop strategic products
‐ EU heavily dependent on non‐EU solutions in many domains of the ICT and cybersecurity field → Reduce the weakness of the EU supply chain by developing genuine EU ICT / cybersecurity technologies / solutions for increased digital autonomy, like routers, SIEM, IDS etc.
‐ Long cycles from innovative ideas to commercial products: slow innovation process and lack of significantly sized demonstration and commercialisation actions to accelerate transfer from laboratory to market → Simplify procedures at high TRL and access to market; smarter use of research funding to support innovation at high TRL
‐ Adoption (formal or de facto) of cybersecurity standards mainly coming from the US → Develop, where needed, EU standards and interoperability tools to facilitate data exchange, limiting “US driven” standards
‐ Slow standardisation and certification → Simplify standardisation and certification procedures
‐ Lack of testing / testbed facilities → Develop regional / MS / EU validation facilities
‐ Stronger and more advanced innovation ecosystems exist around the defence / military sectors in other regions, leading to more advanced R&D and better innovation outcomes in NIS (US and Israel in particular) → Strengthen synergies in the EU and its MS on cybersecurity and cyberdefence basic technologies
Education and Skills:
‐ Only a few MS have started education / awareness of citizens on ICT security issues at school level → Start children’s education on ICT, cybersecurity and IT threats at school level, supported by EU programmes and funds
‐ Shortage of the right skills: lack of sufficient skilled personnel in ICT / cybersecurity → Create structures to educate students and professionals to grow the expert base
‐ Limited collaboration culture between security companies → Increase effective cooperation between academia and EU cybersecurity companies, with a clear career development path
Policy and Legal:
‐ Rules and regulations are fragmented across Europe → Advocacy with the European Parliament
‐ Delayed adoption of the Data Protection Directive, delaying deployment of innovation → Advocacy with the European Parliament
‐ No laws facilitating / harmonising business development for EU industries (rules and laws for setting up / managing companies differ between MS) → Create an EU cybersecurity Industrial Policy supported by adequate EU legislation
Opportunities
European Aspects:
‐ Wide EU market → Potential creation of a “critical mass” for EU products
‐ Growing interest in ICT and cybersecurity at MS and EU level → Attract political and economic support to proposed initiatives on cybersecurity
‐ Wide SME base (users and suppliers) → Untapped innovation and growth reservoir: strengthen the European market by consolidating SMEs and key industries
‐ Leverage EU market development upon cybersecurity needs for vital / important EU and MS infrastructure and services → Limit procurement, when possible / needed for high‐security reasons, to genuine EU industry
‐ Specific European cultural assets → EU solutions better fit EU needs (e.g. privacy, sovereignty)
‐ Different cybersecurity needs and best practices in different EU countries, cultures and applications → Positive synergies to be exploited for the creation of a globally competitive offer
Market and Business:
‐ Rapidly growing market place → Attract EU investors
‐ Fast‐changing threat landscape and needs creating new market opportunities, especially for niche players → Support innovation with administrative, legal and economic measures
‐ Cybersecurity provides competitive advantages to vital industries in Europe and is a differentiation element that increases the value of products and services when cyber‐secured (especially for markets where Europe is a leader: energy, transport ‐ automotive, aeronautics ‐ financial services, retail, telecommunications, leisure, consumer goods, …) → Support application of cybersecurity to protect leading EU markets
‐ Increased need for ICT solutions in different economic sectors and increased volume of data → Wide development of innovative applications in all market sectors
‐ Increased need for specific and tailored security solutions for EU industries ‐ in particular for SMEs on emerging markets: IoT, Big Data (Data Analytics for Cybersecurity and Intelligence), Industry 4.0 ‐ innovative ICS and “Smart Europe”, Cloud, Mobile and embedded systems, smart grids → As these markets are still relatively young, there are more opportunities for Europe to attain leadership in these areas than in more mature markets
‐ Digital forensics (with support of experts, opportunity for SMEs …) → Strongly growing market to be supported by ICT forensic technologies and services, also to keep control in Europe of information on cybercrime (Europol to increase cooperation with genuine EU companies)
‐ Services for cybersecurity → Local opportunities for SMEs
‐ Cyber clusters at national / regional level → Cooperation among SMEs can drive wider SME engagement in the market and common offers in wider bids
‐ EU policies in leading EU markets (energy, transport, aviation, …) → Support sectoral policies with application of cybersecurity solutions
‐ Increase of needs concerning criminality and terrorism → Enhance development of EU / MS cyber intelligence in support of the fight against terrorism and crime
‐ New eIDAS regulation → Increase of business opportunities in the EU market for IAM
‐ NIS directive → Solutions for incident reporting will be needed for the implementation of the Directive
‐ Development of the cyber insurance market → Increased opportunities for security auditing, certification and risk management services
‐ Export opportunities, particularly in non‐EU emerging markets, due to the good reputation of EU products → Create political and economic measures to support export of EU solutions
‐ Capacity building in third countries on cyber security (e.g. training organised by EEAS) → Exploit facilitated access of EU cybersecurity solutions to those countries
R&I and Technical:
‐ Large number of European research projects → Capitalise on innovation from EC projects (and ICT Labs …) as a differentiator (EU specificities: privacy, transparency to users of data, trustworthiness …)
‐ Contextualisation and personalisation of data → Development of “ad hoc” and privacy‐aware solutions
‐ Cybersecurity still mainly focused on threat detection and reaction → Develop a stronger “prevention” approach leveraging upon EU strengths (e.g. access control technologies, security by design etc.)
‐ Strong cloud development → Development of competitive EU solutions for Software Defined Networking
‐ Certification and first quality / trust labels at MS level → Create an EU cybersecurity label leveraging upon national certifications, also allowing mutual recognition
‐ Many solutions (equipment / software) coming from non‐EU providers could embed trust weaknesses → Develop hardware and software solutions (e.g. sandboxing) to validate and make “secure” external solutions
Education and Skills:
‐ Continuously evolving technologies → Training focused on innovation in cybersecurity
‐ Growth of training activities at local / MS level → Coordination of efforts in training to consolidate the basis of the future European cybersecurity ecosystem
Policy and Legal:
‐ EU Digital Single Market Strategy → Wide market to be protected
‐ EU Cybersecurity Strategy → Coordination of cybersecurity measures (legal, economic etc.) at EU level could increase efficiency and competitiveness
‐ European cybersecurity industrial policy → Increased European Strategic Autonomy
Threats
European Aspects:
‐ Massive cyber‐attacks in different European / national sectors could cause major damage to society and economic loss → Urgent to equip European MS with adequate prevention and protection capacities
‐ Europe does not have a strong cybersecurity investment culture → Develop awareness of cybersecurity as protection of data and the economy, as well as a financial investment
Market and Business:
‐ Economic crisis still slowing investments → Give the public and decision makers better visibility of the cybersecurity market, which has a higher growth rate than average, thus encouraging investments
‐ Low‐cost off‐shore manufacturing and manpower (India, for example, has successful Managed Security Services Providers thanks to low cost combined with an educated workforce) → Ease labour costs in ICT / cybersecurity for trusted companies in European countries
‐ The largest cybersecurity firms are located overseas, creating dependency on their solutions → Develop a genuine EU cybersecurity industry and offer
‐ Dynamic and low‐cost products (e.g. with fewer constraints on privacy) from non‐EU countries (quality, trust and reliability of these products?) → Give priority to procurement of EU solutions for sensitive applications and create, when needed, regulations imposing “quality criteria” (e.g. for privacy)
‐ Several barriers to market entry or growth for SMEs → Simplify administrative and financial procedures for SMEs; provide support to SME growth in accelerators
R&I and Technical:
‐ Threats continuously renewing (a challenge more than a threat) → Continuous investments in innovative solutions
‐ Massive investments by foreign competitors in core areas to improve their competitiveness and develop new solutions → Increase EU investments for developing capabilities and competitiveness
‐ Uncertainty about the future developments needed in HW / SW technologies, limiting investments → Harmonise needs at EU level and put them in a short / medium / long term strategy, providing clear visibility of this strategy to decision makers and investors
Education and Skills:
‐ Many skilled professionals leave Europe to work in other regions: there is a risk of a “brain drain” in Europe → Develop cybersecurity career opportunities with adequate remuneration
Policy and Legal:
‐ Regulatory and certification requirements for indigenous products in emerging markets → Create local subsidiaries and / or cooperate with local companies / bodies
‐ Increasing regulatory burden (conflict with operators and incumbents) → Use regulation when it can boost the market for EU solutions and better protect EU citizens / economy
‐ Ethical and privacy issues could increase the costs of products with respect to non‐EU competitors if not imposed by regulation or supported financially → EU regulations for adoption of privacy‐compliant solutions
RECOMMENDATIONS (in Annex, the full details of these recommendations are given)
Public Private cooperation, information sharing and awareness
Public Private Cooperation at MS and EU level for an end‐to‐end approach
Public Private Partnership at EU level for an end‐to‐end approach
Cooperation at Member State and European level for an harmonised development of a European single cybersecurity market
Develop international cooperation to share best practices
Information Sharing between MS, CERTs and Users to increase monitoring and advising on threats
Enhance collaboration for information sharing between Member States
Strengthen cooperation between CERTs (public national and / or private) and industries
Creation and effective development / use of ISACs (Information Security and Analysis Center)
Create a Malware Information Sharing Platform at the European‐Level
Create an EU Cyber Situation Centre
Education / Training / Awareness raising / Exercises: development of a cybersecurity ecosystem
Education of students and citizens in cybersecurity starting from school level
Cybersecurity Academia
Education, training and awareness of professionals
Involve the private supply sector in EU / MS cyber crises exercises
Cybersecurity awareness campaigns for citizens, SMEs / companies and users
Guidelines, Regulations, Standards and Methods
Legislation: implementation of the NIS Directive and market driving Regulations
Take into consideration cybersecurity aspects in every policy/decision taken at EU level
Support implementation of the NIS Directive at MS level
Adopt specific regulations, when needed, for the different economic sectors to better assure cyber protection of the DSM and critical infrastructures
Adopt an EU regulation to drive the use of cybersecurity & privacy compliant solutions and services
Standardisation for key products / applications / services – NIST like Laboratory for guidelines adapted to the EU market
Develop European standards in key sectors / products / applications / services
Creation of a European “NIST‐like Laboratory” for EU standardisation, certification and definition of guidelines adapted to the EU market
EOS STUDY FOR AN EU CYBERSECURITY FLAGSHIP ‐ Extended Public Summary ‐ December 2015 21
Application of Risk Management methods and standards and use of an effective metrics to evaluate the threats
Apply key recommendations of the NIS‐P WG1 on Risk Management
Support the creation and use of effective metrics for vulnerabilities, threats, incidents, mitigation functions and their financial implications defining the robustness of the chain against attacks
Adopt an EU regulation to address the problem of outdated and vulnerable hard‐ and software in operation
Adopt an EU regulation for the telecom sector to fight cybercrime
Data traffic originating and terminating in Europe should remain in Europe
Implementation of cybersecurity, trust and privacy by design
Strengthen security by design through the establishment of a European trust certification / EU trust label (also following EU regulations / standards) for sensitive IT components.
Anticipate / avoid possible misuse of a new technology
Improve security and privacy by design leveraging upon R&I projects
Adopt Privacy Enhancing Technologies
Development and certification of EU trusted solutions for increased digital autonomy
Increase of EU Digital Autonomy for ICT and cybersecurity solutions
Deeply analyse EU market needs, existing competence, strategic / critical technologies and needed developments to control the supply chain and vital assets
Increased EU cybersecurity technology autonomy as a priority for research funding under Horizon 2020
Creation of a list of trusted EU companies and if possible, of EU trusted products
Increase participation of genuine EU companies to digital forensic
Storage of EU data in trusted European solutions
Strategic Research & Innovation deployed to the market
Continuously update, in a structured and coordinated way, an EU Strategic Research and Innovation Agenda (SRIA)
Define future Research & Innovation priorities for EU projects with strategic view to support competitiveness of the EU cybersecurity industry and the DSM
Use efficient vehicles to finance projects with high TRL (bring research and innovation to market)
Strengthen synergies in EU and its MS on cybersecurity and cyberdefence basic technologies
Create a “technical and innovation intelligence” service
Create a technical and functional recommendation service by an EU independent organisation
EU Certification / Trust Label and validation platforms
Establishment of a European trust and privacy certification compliance framework
Establishment of an EU cybersecurity quality / trust label
Establishment of EU / MS certified and independent validation platforms
Priority procurement of EU trusted solutions
Create a committee to streamline the procurement of “EU trusted solutions”
Support cybersecurity procurement for sensitive EU / MS applications / infrastructure
Set requirements to use the purchasing power of public administrations for public procurement of IT security solutions limited to "EU trusted companies"
Market development, competence and competitiveness increase, adequate investments
Wide support to SMEs
Use sectoral SME clusters as mechanism at local level and beyond (Regional / MS) to develop the market, support cybersecurity SMEs and as multiplier of EU initiatives.
Link cybersecurity SMEs with their innovative products to concrete needs identified by a wider platform
Establish a representative group of cybersecurity SMEs or a representative body to serve as a communication channel to SMEs in the EU
Develop regional / local SOCs to help cybersecurity SMEs and clusters
Common procurement calls made by public authorities and companies, to allow cybersecurity SMEs to sell their niche products at larger scale.
Explore the possibility of a European Cybersecurity Small Business Act
Develop a certification program for cybersecurity SMEs
Help SMEs (as suppliers and users of cybersecurity solutions) to find skilled expert resources
Further promote specific Research & Innovation mechanisms for SMEs in the cybersecurity sector with adequate financial support
Set up a European accelerator for cybersecurity start‐ups
Appropriate and focussed funding from research to capacity building, innovative financing & fiscal incentives
Increase funding from EU Institutions and MS to support the development and competitiveness of a genuine EU cybersecurity industry and implementation of users’ capacities
Finance capability development at MS and EU level
Develop new models for venture capital in Europe adapted to the current economic environment: set up European or national investments funds for IT and IT security
Link H2020 with other EU and MS procurement funds in a strategic end to end approach
Organise regular presentations to investors of the results stemming from cooperation between industry, RTOs and users, as well as innovative cybersecurity start‐ups
Create financial incentives and favourable fiscal conditions to ensure the development of businesses in certain strategic areas and to make sure strategic assets and companies remain in Europe
Financial / fiscal incentives should be considered by MS when financing IT / IT security capacity procurement
Analyse the possibility of protecting critical European companies from foreign acquisitions
Cyber Insurance using EU certified products & Risk Management Compliance
Develop cyber‐insurances business models leveraging upon cybersecurity Risk Management and using EU certified products
Compliance of companies to cybersecurity risk management procedures
Consolidation of European companies to support the creation of EU cybersecurity champions
Update European merger rules to cybersecurity market needs
Consolidation of SMEs
Consolidation of SMEs and large companies
Consolidation of large companies
Ad hoc clusters for competitive partnership (EU champions / trusted companies along the value chain)
Priority Investments in strategic solutions and services to support European competitiveness in market leading sectors
We have identified those areas that are critical or strategic for Europe and its countries. These areas should be considered of key importance for technology/ product/service as well as for economic / industrial / societal vital sectors.
Criteria of choice are based upon sovereignty / national security + economic strategy + societal importance. After having identified which of these areas are « strategic » to be mastered by Europe, priority is given to those areas / competence in which Europe is leader (keep EU leadership while cyber is growing and pervasive in all sectors). We have then identified those areas / product that should be mastered (with investments) to gain that increased autonomy guaranteeing a higher level of risk mitigation and data control.
Cybersecurity solutions / services (considering both EU competence availability and competitiveness)
Cybersecurity application in main economic sectors for Critical infrastructure, Protection and Resilience, Smart Manufacturing
Priority investments for European leadership in market leading / sensitive sectors with strategic solutions and services: concrete projects
Urgent concrete projects
Member States should identify specific cybersecurity capacity needs and flag them in their priorities for EU funding or other kind of private funding. We have identified hereafter a group of projects that, following the analysis in our study, would allow the development of sovereign components and national capacity building.
o European capability building:
Advanced encryption technologies
Enhanced development of cyber intelligence capabilities as support to the legal and proportional fight against terrorism and organised crime
EU cybersecurity academia and education at MS level for the development of a sustainable and informed ecosystem of users and customers
o European capacity building:
European trusted and secure routers
European trusted Security Information and Event Management (SIEM) solutions
European trusted Intrusion Detection System (IDS)
Open source operating systems for trusted services
o National capacity building
Sovereign clouds
Multi‐sovereign probes
SOCs (Security Operation Centers)
Cybersecurity control centers (connected across EU)
EU / MS validation platforms
It is also paramount to urgently set up and support cybersecurity awareness of professionals and decision makers as well as the development of solutions which respect citizens’ privacy
PROPOSED BUDGET OF THE EU CYBERSECURITY FLAGSHIP
We have made an initial tentative estimation of a needed budget for the different envisaged activities. The estimation should be further refined, likely within future flagship activities.
This budget estimation has been made for two 5 year periods: 2016‐2020 and 2021‐ 2025, as we consider that this will be the needed time to reach full speed in the different initiatives and bring European cybersecurity at the desired global competitive level.
In order to allow European cybersecurity companies to reach by 2025 a global competitiveness, as suggested in the objectives of this Flagship, Europe needs to call for a coordinated spending for R&I and capacity building of an overall budget slightly higher than € 13 bln in the next 10 years, both from the public and the private sector. This would represent about 6 % of the EU cybersecurity market for the next 10 years (or about 15% share of this market when considering only the market share owned by “genuine” European industries).
This amount is actually relatively low, when compared with the investment made by the US public administration but also when compared with the estimation of the European cybersecurity market (even considering an average yearly growth of about 6% in the next 10 years). In fact, we see that the needed budget is less than 6% of the European market in the 2016‐2025 period, if we consider the whole European market, or about 15% of this market when we consider only the market part linked to genuine European industries.
The following question is who (public or private, users or suppliers) is going to contribute to these budgets and under which programme, at European or national level. A tentative methodology is proposed hereafter. Tentative figures are given for the research part for the first period (2016‐2020) which could be included in the cPPP budget, while for the capability deployment part the analysis and discussion is still ongoing with EOS members and is not presented in this public synthesis.
2016‐2020 Cybersecurity Flagship Budget (M€)

| Programme              | EU  | MS  | Private Users & Operators | Private Suppliers | Banks | Insurances | TOTAL |
|------------------------|-----|-----|---------------------------|-------------------|-------|------------|-------|
| Research (H2020, …)    | 500 | TBD | TBD                       | TBD               | TBD   | TBD        | TBD   |
| CEF Digital            | TBD | TBD | TBD                       | TBD               | TBD   | TBD        | TBD   |
| ESIF                   | TBD | TBD | TBD                       | TBD               | TBD   | TBD        | TBD   |
| EFSI                   | TBD | TBD | TBD                       | TBD               | TBD   | TBD        | TBD   |
| ISF (Internal Sec Fund)| TBD | TBD | TBD                       | TBD               | TBD   | TBD        | TBD   |
| IfS                    | TBD | TBD | TBD                       | TBD               | TBD   | TBD        | TBD   |
| TOTAL                  | TBD | TBD | TBD                       | TBD               | TBD   | TBD        | TBD   |
A specific EU fund for cybersecurity (similar to the Internal Security Fund – ISF) could also be created to stimulate capacity investment in MS, when following the strategy agreed under this Public ‐ Private approach.
To activate the funding on capacity building which is one of the main objectives of this Flagship, we should not wait for a “higher level governance” following the cPPP (in the 2021‐2025 period) but we should manage to allocate and coordinate spending in those critical / sensitive areas suggested by our recommendations for “concrete projects”. For this, Member States should identify specific cybersecurity capacity needs and flag them in their priorities for EU funding or other kind of private funding. Hereafter, we give a tentative breakdown of the envisaged budget for the research and deployment of these key projects (in green) and of the other activities presented in the Flagship recommendations.
INITIAL STEPS FOR THE FLAGSHIP IMPLEMENTATION: A EUROPEAN CYBERSECURITY PPP
EC requirements for a contractual PPP on cybersecurity (as understood from our informal discussions with the EC)
‐ Compliance with EU rules for democratic dialogue and transparency: creation of a Stakeholder Platform open to all members
‐ Compliance with EU rules on H2020 for projects referring to the PPP (participation in projects from all allowed countries)
‐ Allow high visibility to main regional / national / European security organisations
‐ Allow high visibility of SMEs organisations / associations / clusters
‐ Main members from National and EU Associations / Organisation
‐ Possibility of direct membership of single industries, RTOs, etc. (also when belonging to the previously mentioned organisations) but in particular to represent those countries that do not have national cybersecurity organisations.
‐ Participation of MS (public) bodies, as cybersecurity is a sensitive issue (sovereignty reasons, different from other PPPs). This should also ensure a link and continuity with the present participation of MS representatives in the H2020 Secure Societies Programme Committee for R&I priorities. The effective appetite of MS administrations to participate and contribute to this EU‐wide dialogue and cooperation should be stimulated. The complexity of a PPP between MS and the private sector (industry, RTOs, universities) means that this PPP is not only “industry led” like the others.
‐ The “leverage ratio” (investment from the private + public sectors with respect to the investment from the E.Commission) should be considerably higher than 1 to be considered as an efficient PPP.
‐ Link with existing initiatives (IoT, big data, smart cities, … EIT ICT Labs)
‐ Link between the NIS – Platform and the Stakeholder Platform of the PPP (it cannot be the same body, as the NIS‐P is managed by the EC / ENISA and is “free”, while the PPP should be based upon an Association that will request fees to be operational and effective). The NIS‐P and the Stakeholder platform would be open to any stakeholder and work towards the establishment of R&I priorities (SRIA) and an EU Cybersecurity Industrial Policy.
A public consultation organised by the EC will be launched in December 2015 to provide further suggestions, in order for the process to be based on openness and transparency and to ensure the adequate involvement of all relevant stakeholders in the preparation of the inputs to the Commission.
In our latest discussions with the Commission, we have understood a Communication is expected to be issued, likely mid‐2016, to launch at the same time the cPPP and the beginning of a possible cybersecurity industrial policy. Hence, the cPPP effort would be complemented by a wider approach to increase industrial competitiveness.
As first steps, the proposed implementation of the cybersecurity flagship leverages upon the cPPP, as requested by the DSM strategy.
Private sector requirements for a contractual PPP
Our vision of the PPP goes beyond the traditional objectives for a Strategic Research and Innovation Agenda (SRIA). Indeed, a “traditional” PPP would not satisfy at all the objectives of the Cybersecurity Flagship.
Therefore, not only the SRIA should be tackled, but also actions towards business / capacity building and link with other EU and MS budgets (not only H2020) in an end‐to‐end approach as in European Innovation Partnerships (EIPs).
The PPP should also support the creation of an EU cybersecurity industrial policy and its elements (e.g. standards, certification for trusted products / companies – EU label, etc.).
To reach these objectives, a “higher level governance” (for instance a JU) could be needed in a following step.
More in detail, the identified requirements for the private sector (EOS) are the following:
‐ Not only SRIA and research in the PPP (also requested by some MS): towards business / capacity building and link with other budgets (not only H2020) for “close to market” actions
‐ Support creation of a EU cybersecurity industrial policy and its elements (e.g. standards, certification for trusted products / companies – EU label, …)
‐ The “leverage ratio” should be reasonable with respect to the effective market dynamics. Security is not an open market like consumer or other professional markets. The EC would like to use a ratio of about 4 from the private sector with respect to its own investment, as in the Big Data Value PPP: this needs to be better explained, as the contribution would not come only from R&I, and it will in any case be quite challenging. Only if the PPP has objectives beyond R&I could the leverage ratio be higher than 1 (otherwise, the H2020 rules should be applied)!
‐ The European industry would more easily invest in this PPP and commit to its objectives if these objectives will be realistic and if the PPP governance will be driven by “genuine” EU organisations and companies.
‐ Companies / bodies not originating from the EU should have the possibility to participate in the dialogue (EU companies are usually cooperating with those not originating from the EU: dialogue at this level should allow better coordination for the EU market development)
‐ Provide a real strategy to future R&I work programmes, better showing the industrial strategic path, not like in the past and present approaches in FP7 projects (and NIS‐P) that have a more traditional analysis proposing gaps and gap fillers, yet without showing a full strategic / competitive picture.
‐ Find good balance between H2020 Security Societies approach looking in priority to societal issues and the ICT approach looking for competitiveness (more suitable to support the growth of a genuine European cybersecurity industry).
‐ Possible link with EP (maybe with a “high level advisory group”) to ease adoption of legal rules supporting implementation of European cyber solutions in our countries
‐ Effective interest for members to participate and invest in the PPP: this could be spoiled if evaluators of H2020 proposals do not take into consideration the objectives and the strategic approach of the PPP.
‐ Need to link the different structuring FP7 and H2020 projects providing research agendas or similar.
Objectives of the PPP
‐ Support the DSM strategy and the EU cybersecurity Strategy
‐ Definition and update of the SRIA, in cooperation with the NIS Platform (as described previously)
‐ Provide information on the SRIA for calls and streamline proposals towards SRIA objectives; support to the implementation, coordination and valorisation of results from H2020 projects.
‐ Definition of a EU cybersecurity industrial policy and implementation of its activities in order to develop a genuine EU cybersecurity industry and increase its digital autonomy
‐ Link between R&I funds (EU and national) and implementation funds for capacity building
‐ Dialogue and cooperation between stakeholders at technical and market level, public and private, demand and supply
‐ Support the creation of an EU ecosystem for cybersecurity (training, awareness etc.)
‐ Cyber “acceleration” space for SMEs and innovation: Cyber Labs; link across Cyber Clusters and Cyber Academia.
Approach
The proposed PPP should have a governance similar to that of other PPPs, but its objectives should be similar to those of EIPs. With this mixed PPP/EIP approach we hope to gather the consensus of both the public and the private sector to reach the ambitious objectives Europe urgently needs to reach in this domain.
Partners and role
With cybersecurity, we are in a domain dealing with “security issues” and we cannot simply duplicate PPP objectives and structures in other commercial areas (e.g. existing EU PPP for big data value, photonics etc.). Some restrictions should be imposed on the governance for developing a genuine European cybersecurity industry. At the same time, we should guarantee an access and dialogue with national public administrations that have strong sovereignty concerns on exchange of data. Companies / bodies not originating from the EU should have the possibility to participate in the PPP (EU companies are usually cooperating with those not originating from the EU: dialogue at this level should allow better coordination for the EU market development).
A list of possible initial members (contacted or to be contacted) is presented in the following. As presented elsewhere, the criteria for this initial choice are to gather:
‐ National Associations / Clusters, in those larger countries that have such organisations
‐ Individual companies / RTOs particularly from those countries not being organised in associations / clusters
‐ National Administrations
‐ Other EU Associations
PPP members could be divided into:
‐ “Full Members”: interested genuine European companies + RTOs / Universities + Associations / Organisations / Clusters at national and EU level (including EOS, but also TeleTrusT, Hexatrust, ATC, LSec, HSD, Malvern, etc.), independent bodies and the public sector;
‐ “Associate Members”: Companies and SMEs, RTOs, Universities, clusters, associations
thus allowing the requested openness of dialogue at the Stakeholder Platform level (linked to the NIS‐P).
All these members would be part of the General Assembly and can participate in H2020 calls according to the rules, but only the Full Members have the right to vote and have the right to be part of the Board of Directors. “Genuine EU companies” should be defined to take into consideration different interests. A possible solution could be to adopt (and adapt) the criteria used by Germany and France for delivering their IT Security label, i.e. 1) The company is headquartered in Europe; 2) The company offers trustworthy IT security solutions; 3) All the PPP relevant company's IT security R&D and design are conducted in Europe; 4) The company is compliant with European data protection law.
Link / cooperation with other activities
The cooperation with the NIS Platform would allow the PPP to leverage upon its work on information sharing, risk management and R&D to fill technical gaps (hopefully enlarged towards the recommendations given in Annex).
The given scheme also shows that the PPP would leverage upon existing initiatives, like the other cPPP that need ICT security solutions for their specific applications (and it would be preferable to avoid duplication of efforts in developing solutions / services) but also on the activity of the EIT ICT Labs on trust and security.
As the NIS Platform will not disappear with the advent of the cPPP on cybersecurity, there is a need to clarify the workshare between the NIS‐P and the open base of the PPP, if this open base will be constituted in Working Groups as the NIS Platform and as other PPP Associations have built up their working process.
The PPP should coordinate with the NIS Platform (WG3 or other) for the development of an EU cybersecurity industrial policy which would tackle, among other things, issues like the creation of an EU cybersecurity label, improved certification procedures, support to SMEs and the funding of ambitious technology innovations.
A “simplistic” solution would be to leave all the work to establish and update the SRIA to the NIS‐P, while the PPP would only be a body to further “filter” priorities – a role which is at present the one of the Advisory Group and of the Programme Committee. This would not necessarily be accepted by the different parties.
We think that the NIS‐P and the PPP should look TOGETHER at the constitution of an EU cybersecurity strategy and of the evolution and implementation of the SRIA.
The solution could be given by tackling priorities in a matrix approach: transversal on products / services (data security, cloud security, network systems security, IAM, MSS, …) and vertical on application areas (transport, energy, finance etc.).
The NIS‐P could look more at the transversal approach, as more “basic technology”, while the PPP (also structured in WGs) could look at the vertical sectors, as they are closer to the market, to the structure of the Commission (different DGs), to MS administrations (different ministries) and to final users (different customer sectors with different needs).
Finally, with the limited available budget, we cannot support all the applications. DG CONNECT could be interested in supporting only the development of the basic (transversal) products and leave the development of products / services more specific to a certain application to the funding of other DGs, MS ministries and operators that need that kind of product. Yet, the closer we are to “basic research”, the more difficult it will be to find “other” money (fresh or not).
Funding of basic / disruptive research could remain as one of the objectives, but the “way to market” is still today so complex that there is no trust in investors when the TRL is low.
‐ The NIS‐P WG3, under the coordination of the EC, will continue to update its SRIA from a technical / product point of view. The participants in the NIS‐P would mainly be research /technical experts working on technology gaps and threat / risk evaluation. The WG3 could be structured in sub areas according to an agreed segmentation for products / services (e.g. the one proposed in this study) considered as the transversal sectors. The results will be then given to the PPP for review and link with the different applications.
‐ The PPP would work on the different vertical sectors (applications), with a Working Group for each of them, defining the specific needs and looking at how well the proposed new or existing technologies and solutions would answer those specific needs. The participants in the PPP WGs would mainly be marketing / users / operators experts. They would review the work of the NIS‐P and drive the future activities of the NIS‐P WGs according to effective market needs. The PPP Association would then consolidate the input from the NIS‐P and the PPP WGs to deliver to the Commission a SRIA that considers the technical and market aspects at the same time.
Suggestions from the NIS‐P and the Stakeholder Platform for all topics and in particular for the SRIA, would be validated by the Board of Directors before being transmitted and discussed with the European Commission at the PPP Partnership Board.
Other suggested activities of the PPP: EU Industrial Cybersecurity Policy; bring innovation to market; Cyber Lab; Linking Cyber Academia
The PPP, as composed by market / industry experts, will also develop the elements / activities of an industrial cybersecurity policy, likely in dedicated WGs. When needed (e.g. for standardisation or certification issues) support will be requested to the NIS‐P for technical issues.
[Figure: matrix scheme of the EU Cybersecurity PPP. Columns (application sectors): Industrial Control Systems; Energy / Smart Grids; Transport; Finance; Public Services / eGovernment; Healthcare; Smart & Secure Cities; ICT Infrastructure; OTHER (including future / emerging applications). Rows (solutions / services for security, NIS Platform WG3): Governance, vulnerability and cyber‐security management; Identity and access management; Data security; Cloud Security; Applications security; Network systems security; Hardware (device/endpoint) security; Audit, planning and advisory services; Management and operations services; Managed security services ‐ MSS; Security training services; OTHER (incl. basic research on new solutions). Linked inputs: NIS Platform WG1 (Risk Management), NIS Platform WG2 (Information Sharing), EIT ‐ ICT Labs Activities, Activities from sectoral PPPs, Results from EC Projects.]
A dedicated activity of the PPP will then work to better disseminate / put in value R&I work and link research funds to other funds leading to effective procurement (an activity outside the PPP). In this activity, an important involvement of market experts, users / operators, investors and public administrations is expected.
Similarly to what is happening in certain clusters (e.g. HSD in NL) or national organisations (SIA Lab in France) the PPP could build up a cyber lab in Brussels to allow all its members to regularly exhibit and demonstrate results from EC R&I projects as well as new own technologies to integrators, users and operators, in order to promote and rapidly identify new EU trusted solutions to be implemented within a short period in the market.
Linking and promoting activities initialised at MS / local level on Cyber courses (e.g. Cybersecurity Academy The Hague; International Master’s programme in Cyber Security of the Tallinn University ‐ TTÜ).
Proposed PPP Governance
As presented in the previous scheme, the Cybersecurity PPP Association will be composed of Full and Associate Members, all participating in the Stakeholder Platform. The Board of Directors should be composed of representatives from EU bodies (when an association, the representative should not belong to a “genuine EU company”): private sector (Industries, RTOs, Academia) + MS + representatives from “Associations / Organisations”. The PPP Partnership Board will gather representatives from the PPP Association and the European Commission.
High level advice (and political support) could be sought with the creation of an “informal” PPP High Level Advisory Group with participation of MEPs, High Level representatives from the E. Commission and Council, High Level delegates from MS Ministries or Public Administrations, CEOs, Institute Directors etc.
Parallel to this approach, we are preparing a tentative draft of:
‐ the PPP contract with the Commission (there is a “fixed scheme” with limited latitude for changes: it should be adapted to the cybersecurity approach and objectives to be agreed);
‐ the Statutes and Bylaws (internal governance rules) for the chosen model of Association signing the contract with the Commission;
‐ the SRIA (input from the NIS‐P SRIA and other EC projects like CAPITAL)
As said, these documents are based upon similar documents for previous contractual PPP and adapted to the cybersecurity case, with the elements exposed previously.
The proposed Secretariat to the PPP Association
EOS with many of its partners, has worked for almost 3 years on a FP7 project called CYSPA for the creation of a Cybersecurity Alliance focussed on cybersecurity protection of sensitive infrastructures. The project has ended and the Alliance is going to start.
As a conclusion for the possible PPP governance, we have a scheme developed by EOS and its partners in a FP7 project called CYSPA, proposing the creation of a Cybersecurity Alliance focused on cybersecurity protection of sensitive infrastructures. We suggest using this Alliance and all its background with its investments from the Commission and private side, as the basis to build up the Association that will sign the cybersecurity PPP with the Commission. The advantage is that CYSPA already has a widely established network, business scheme and activities. It could easily enlarge its objectives and structure to the objectives and structure of the PPP and of the relative Association. In the original CYSPA scheme, EOS has been providing a secretariat. Similarly to NESSI that was at the origin of the Big Data Value Association, EOS could provide the secretariat to the CYS PPP. Again, this solution can provide a simple, professional and fast answer to the many requirements in setting up the Association at limited costs.
EOS is a well‐established, independent and recognised organisation in Brussels, with a solid background in security and used to managing (or in this case supporting) wide and complex environments / partners. EOS would be one of the founding members of the PPP, at the same level as other Associations / Companies / Bodies as proposed in the following scheme.
ANNEX
Detailed Recommendations structured around the
creation of an EU Cybersecurity industrial policy
Europe should build its cybersecurity approach around the Digital Single Market Strategy and more in particular around a few major projects that could gather the interest of all main European stakeholders and give, thanks to the results of these projects, international leadership.
For this target, an EU Cybersecurity Industrial Policy is needed to develop and support competitiveness of European IT solutions in critical fields of cybersecurity and cyber technology, software and hardware, with a strategic presence in all the key steps of its supply chain.
This EU Cybersecurity industrial policy would target future ICT / DSM challenges with specific actions, in markets where Europe is a leader: energy, transport ‐ automotive, aeronautic ‐ financial services, retail, telecommunications, leisure, consumer goods, … leveraging upon emerging applications such as IoT, Big Data (Data Analytics for Cybersecurity and Intelligence), Cloud, Mobile and Cyber Physical Systems, Industry 4.0 (smart ICS), smart grids, smart and resilient cities for a “Smart & Secure Digital Europe”. It would also help the development of the European cybersecurity market, the creation of a level playing field and the growth of genuine European cybersecurity industrial champions.
In the following, we present a list of recommendations that stem from this study, drawing also from discussions with EOS members and with other EU cybersecurity stakeholders as well as from the Advisory Group to Commissioner Oettinger.
Public Private Cooperation at MS and EU level for an end‐to‐end approach
Public Private Partnership at EU level for an end‐to‐end approach
Establishment of a lasting public – private cooperation beyond the NIS‐Platform (but linked to that) among all European stakeholders: industry / university – research centers / users at EU / MS level:
o Creation of a PPP under the lead of genuine EU stakeholders to drive coordination of R&I and foster coordinated procurement of existing solutions, open from the outset to recommendations from all stakeholders.
o Creation of a “higher level governance” for an end‐to‐end approach as proposed in this flagship programme, to drive coordination of capacity building and implementation of activities of the EU Cybersecurity Industrial Policy.
Cooperation at Member State and European level for a harmonised development of a European single cybersecurity market
These are the key success factors for facilitating the development of a European single cybersecurity market:
o Cooperation and transparency between Member States on CERT activities to reinforce European added value and expertise (incident reporting, regulatory obligations, threat intelligence).
o Increased cooperation with EU Institutions, including ENISA, which could provide stronger support to industry on trust certification, clustering, support to SMEs, an EU (virtual) academy …
o Cooperation in the definition of selection criteria for cybersecurity products/solutions/services and application of European cyber guidelines and labels (definition of European criteria following the SOG‐IS certification scheme in coordination between MS administrations).
Develop international cooperation to share best practices
Envisage cooperation at international level with bodies like the CCD‐COE in Tallinn, but also entities in Japan, the US and Israel, to share best practices and discuss measures for global cybersecurity.
Information Sharing between MS, CERTs and Users to increase monitoring and advising on threats
Enhance collaboration for information sharing between Member States
Define the type of information shared, the legal requirements (e.g. when an incident report carries sufficient legal evidence), the process for sharing personal data (such as IP addresses), the reactivity requirements and the protection mechanisms governing the use of critical information. This process should reconcile traditional MS sovereignty with increased information sharing and common decision‐making, leading to better cooperation between MS, and between MS and EU Institutions.
Strengthen cooperation between CERTs (public national and / or private) and industries
Cooperation between CERTs will help to increase the exchange of information about threats and enable quick reactions in case of attacks. While an exchange at wider EU level would be the ideal solution, we can understand that initial bilateral exchanges (for reasons of sensitivity or otherwise) would more easily take place. Mechanisms (legal, procedural, etc.) should be found to facilitate this development and the public – private dialogue / exchange of information, if needed with the support of EU and National Agencies.
Such cooperation would encourage and facilitate security information exchange between Member States and industry critical sectors to improve the EU cyberspace for businesses and citizens. This would include:
o Confidential sharing of information on cyberattacks, malware, etc. between Member States and Industry / CIPs;
o EU support to Member States not having CERT infrastructures, to build their own CERT, so as to allow EU‐wide response capabilities (cybersecurity capacity building supported by the EU);
o Member State‐level harmonization of CERTs, where multiple CERTs exist.
Creation and effective development / use of ISACs (Information Sharing and Analysis Centers)
Exploit EU‐wide knowledge of cyberattacks and the value of security information sharing among organisations for the benefit of businesses and citizens alike. This has proven a successful and effective tool for combating cyberattacks, as seen in industry‐led initiatives such as ISACs. While a global / EU‐wide and Member State‐driven ISAC may be difficult to implement (due to reluctance to share critical and confidential data with other Member States), an initiative in the spirit of existing ISACs could be promoted by the Commission:
o In the form of an EU‐level ISAC for voluntary participation of public administrations and private sector companies;
o In the form of sector‐specific ISACs (cross‐border) in Europe. A Financial Services ISAC (FI‐ISAC)1 already exists and is run by ENISA, trying to mirror the successful Financial Services ISAC (FS‐ISAC)2 operating in the U.S.
Create a Malware Information Sharing Platform at the European‐Level
Threat Intelligence is a key issue: monitoring emerging threats and attacks and analysing them is crucial to detection and to the protection of society. In the US, President Obama has announced an Executive Order to push for Threat Intelligence information sharing between industry and the government. Besides this, US industry has set up a Cyber Threat Alliance in order to share threat information. The goal of the group, founded by Symantec, Palo Alto Networks, Intel Security (McAfee) and Fortinet, is to distribute threat intelligence across all member organizations in order to raise the overall situational awareness of group members and to allow member vendors to better protect their customers.
1 https://www.enisa.europa.eu/activities/cert/support/information‐sharing/european‐fi‐isac‐a‐public‐private‐partnership
2 https://www.fsisac.com/
If European stakeholders were ready to share non‐competitive information, we could adapt and adopt this initiative, setting up a malware information sharing platform at the European level under the patronage of an independent EU body (e.g. ENISA) and gathering the cybersecurity community and stakeholders (universities, research centers, private sector, CERTs, public agencies). This would increase the level of knowledge on the latest malware and attacks and consequently improve detection mechanisms and technology in a virtuous circle.
Create an EU Cyber Situation Centre
An EU Cyber Situation Centre with its own capacity and linked with external sources, when needed, could provide a real‐time overview of the situation and give advice to all citizens and EU companies. The centre could also conduct consolidated awareness measures, etc. It could foster the willingness of companies – also SMEs – to establish functions responsible for cybersecurity within their organization. This EU Cyber Situation Centre should be linked to National and European CERTs and could be supported by ENISA.
Application of Risk Management methods and standards and use of effective metrics to evaluate threats
Apply the key recommendations of the NIS‐P WG1 on Risk Management3:
o Establish Risk Governance Structures. Establish a proper governance structure to assure and ensure that risk management practices are implemented in organisations, including minimum requirements for companies.
o Establish Overall Organisational Requirements and Responsibilities. Executives within all organisations must be sufficiently aware of their organisation’s network and information assets, and their legal responsibilities for protecting that information, including when that information is hosted, held or managed by a partner organisation.
o Apply Core Risk Management Methods and Standards. Apply a core or minimum set of risk management methods and standards appropriate to the organisation, sector and stakeholders within the supply chain.
o Apply a Core Set of Cybersecurity Controls. A minimum set of controls should be applied across all organisations to mitigate specific threats, covering areas such as insider threat prevention, user account management and access control, anti‐malware, patch management and network hardening.
o Agree Cybersecurity Risk Appetites. Clearly state, understand and communicate levels of risk appetite and risk tolerance between Member States of the EU and also between members of the same supply chain; identify common risk scenarios and agree on criteria to allow comparison between different risk assessment methods.
o Apply a Core Set of Risk Metrics. Apply a core set of metrics appropriate to the organisation, sector and stakeholders within the supply chain.
o Awareness and Education: Three tiers of implementation will be needed for increasing and maintaining awareness and education: EU/EC, Member States and individual organisations. This should include incentives to facilitate the take‐up of risk management best practices.
Support the creation and use of effective metrics for vulnerabilities, threats, incidents, mitigation functions and their financial implications defining the robustness of the chain against attacks
ENISA is already defining a “threat landscape”4: this could be proposed on a sectorial basis, so as to guide industry on the most important threats in their business area. ENISA could also help provide recommendations supported by suitable metrics that can define and evaluate a “protection landscape” with cost‐efficient solutions (requiring an analysis of available and expected capacities and competence in the EU) to counter those threats, based upon the resilience of systems and services.
3 https://resilience.enisa.europa.eu/nis‐platform/shared‐documents/3rd‐plenary‐meeting‐april‐2014/3rd‐plenary‐wg1/at_download/file
4 http://www.enisa.europa.eu/activities/risk‐management/evolving‐threat‐environment/enisa‐threat‐landscape/enisa‐threat‐landscape‐2014
Education / Training / Awareness / Exercises: development of a cybersecurity ecosystem
Governments, public agencies and the private sector are struggling to recruit and retain a cybersecurity workforce due to the scarcity of cybersecurity specialists. Therefore, Europe should encourage and finance cybersecurity educational programmes. These should not focus only on technical fields but also include strategy and geopolitics. Such initiatives should also finance various programme levels – for citizens / users as well as for professionals (technicians and engineers).
Education of students and citizens in cybersecurity starting from school level
Education and awareness can and should start earlier: cybersecurity has to be an integral part of school education and form part of a broader “Citizens Cyber Skills” curriculum. The understanding of issues like personal privacy, rights and responsibilities when acting in the cyber world should be part of the general societal maturity aspects of school education and not just part of using IT technology as such. Teachers should be supported by being equipped with specific material for the different school grades. A voluntary EU‐wide campaign could provide a kind of “big bang” and pre‐empt discussions about mandatory embedding into curricula.
Cybersecurity Academia
o Create an EU Cybersecurity Academy or a network of national cybersecurity “academies” with the support of European industry leaders to provide common basic input elements and mutual recognition of a basic diploma that could facilitate creation and movement of jobs across Europe in this sector.
Cybersecurity has to become part of general university education. Just as technicians have to learn basic economic rules, it has to be ensured that business students (the company leaders of the future) and engineers in general are well aware of the implications of cybersecurity. It is necessary to ensure that professionals are conscious of cybersecurity when entering the workforce, whether in management positions or in production environments. The community cannot expect a small number of cybersecurity experts to cover the demand for this discipline.
ENISA could provide support to those “less advanced” countries needing a development of national cybersecurity academies. ENISA could also provide support to the wide academic ecosystem in general.
o Evaluate collaboration mechanisms to enable universities in the EU to provide multidisciplinary degrees when a certain specialisation is not available at the degree institution.
Education, training and awareness of professionals
o Support multi‐disciplinary curricula and training, with clear goals for professional preparation, to ensure that the future workforce is capable of addressing complex cybersecurity problems. Europe lacks not only cyber experts but also cyber technicians; therefore it is also important to support training at different levels.
o Support threat understanding / awareness among decision makers so that they consider implementing and using cybersecurity solutions: cybersecurity at the core of enterprise governance.
o Create a network of cybersecurity expert associations across the EU, in cooperation with ENISA.
o Create an online reference for independent cyber experts (hopefully in a growing number) across Europe (a “LinkedIn‐type” portal for security experts) and / or a portal with a similarly structured offer from cybersecurity companies, with a view to being able to mobilise ad‐hoc teams to rapidly tackle attacks under pre‐defined governance / terms (it would in effect be a service of “vetted” experts to companies, particularly useful for SMEs).
Involve the private supply sector in EU / MS cyber crises exercises
To better understand the challenges and the performance of existing solutions and services and identify further improvements according to exercise results.
Cybersecurity awareness campaigns for citizens, SMEs / companies and users
o Encourage Member States and the European Institutions to organise trans‐European awareness campaigns around cybersecurity, particularly dedicated to SMEs and citizens. ENISA could play a role in these communication actions.
o Develop, possibly with the support of ENISA and in coordination with public and private companies, material for market awareness and board room “education” better suited for European businesses (large and small), while also supporting Member States with less developed capabilities in cybersecurity through European training and awareness programmes.
o Provide and regularly update a review of European cybersecurity companies and their services to ensure that European companies have an overview of interesting start‐ups all over Europe: visibility for EU companies and their products, in particular SMEs but also larger companies.
Legislation: implementation of the NIS Directive and market driving Regulations
Take into consideration cybersecurity aspects in every policy/decision taken at EU level
Support implementation of the NIS Directive at MS level
o Fast transposition and enforcement of the NIS Directive at MS level and effective implementation of measures to develop and defragment the market, where appropriate with the support of ENISA for correct interpretation and use of standards linked to the NIS Directive.
o Develop a confidential central (EU) incident registry portal managed by an EU Institution to support NIS reporting obligations (interest / feasibility to be verified with MS and operators).
Adopt specific regulations, when needed, for the different economic sectors to better assure cyber protection of the DSM and critical infrastructures
Different procurement requirements are present in each Member State. Harmonisation is needed EU‐wide so that a cybersecurity product, solution or service delivered in compliance with a single set of requirements can be compliant throughout the EU. The first priority is critical infrastructure protection (e.g. transport: civil aviation …; energy, etc.). Other domains such as autonomous driving, car‐to‐car communication, telematics and mobile health services, navigation and positioning should also be considered in the near future.
Comments: In some situations, voluntary self‐regulation cannot be the tool of choice, as it was not effective in the past. In certain cases, there may be a need for a legislative approach. Any possible regulatory measures have to be proportionate to the risks to be addressed and the related market segments. Where necessary, a differentiation between markets (e.g. Defence, Government or financial market) has to be put in place, as each one may have different regulators and specific security risks. Civil markets shall be part of the Digital Single Market, meaning that the same standards, compliance methods and principles for regulatory oversight shall apply across the EU. Regulations in sectors other than defence and space, even non‐commercial ones such as CIIP, are usually not accepted by operators, who claim higher costs and push the media and the public sector to defend the openness of the web and of the systems (lower prices and openness to competition, but also openness to threats: is any compromise possible?). In Europe, we are basing our Digital Market on a liberal model which can be good for market dynamics (data exchange at international level is based upon liberal exchange) but which de facto favours incumbent solutions and approaches that benefit from large subsidies, a larger structured market and support in their countries of origin. Europe is not yet as structured and organised (politically, economically, in standards / procedures, etc.) and does not have as mature a market and awareness as the US, and still does not have the large and competitive technology offer coming from the US and East Asia.
Adopt an EU regulation to drive the use of cybersecurity & privacy compliant solutions and services
A voluntary approach would not be sufficient to guarantee the procurement of privacy‐aware solutions in the face of non‐EU solutions that are potentially cheaper but not necessarily privacy‐compliant. In addition, adoption of voluntary standards on privacy without a proper regulation / directive to “guide” the use of these solutions might not lead to the expected results. This regulation should help the development of solutions that will progressively become competitive also at global level (the international market is increasingly sensitive to privacy issues, e.g. in the US). This regulation would compel technology suppliers, service providers and companies providing online services to develop and issue “secure by design” products and software in the same way as the rest of the “physical” markets such as automotive, construction, retail, etc.
Adopt an EU regulation to address the problem of outdated and vulnerable hardware and software in operation
HW and SW of critical infrastructures and digital services are increasingly attacked. Manufacturers of hardware and software as well as critical infrastructure providers should be required to resolve vulnerabilities, or to mitigate or control the risk derived from them, following compliance rules (see also the later recommendation on compliance).
Adopt an EU regulation for the telecom sector to fight cybercrime
o Harmonise legal frameworks to combat cybercrime: enabling law enforcement agencies throughout Europe to share a common base to work with, as well as easy sharing of information that facilitates the identification of the sources of criminal activity.
o Develop the appropriate legal framework for telco operators and other service providers to proactively protect (i.e. block access to proven malicious / illegal sites) the online activities of both citizens and companies.
Data traffic originating and terminating in Europe should remain in Europe
o A European legislative approach is necessary to enhance trust and a more secure infrastructure: data traffic that has its origin and its destination in the EU should not be diverted through other jurisdictions. This could combine national security needs (Critical Infrastructure, Lawful Interception, Confidential Governmental communication, etc.) with the possibility to run multinational networks from only one or several countries. At the same time, the Internet remains open: unjustified restrictions on the free flow of data within the EU should be avoided; access to servers located outside Europe must not be impeded or blocked5.
Standardisation for key products / applications / services – NIST like Laboratory for guidelines adapted to the EU market
Develop European standards in key sectors / products / applications / services
European standards should be developed in key sectors / products / applications / services (when needed, within a realistic development time compatible with international market requirements) to avoid being constrained to use non‐EU standards and products (the market is global, but this is not a good reason to accept non‐EU standards “a priori”; mutual recognition and interfaces for interoperability are always possible) and to increase interoperability.
As suggested in the EP resolution – topic 91 – of March 12th 2014, the newly developed European IT capability should be based, as much as possible, on open standards and open‐source software and if possible hardware, making the whole supply chain from processor design to application layer transparent and reviewable.
A cross‐European unified and recognised standardisation could provide the following benefits:
5 R&D work is currently under way to determine the path followed by data and to automatically route it between routers so that it does not transit certain areas.
o Same level of security for “made in Europe” products and solutions
o Support to export
o Protection of European excellence
European standardisation could be based on the European SOG‐IS certification scheme, in order to provide:
o Standardisation of Common Criteria protection profiles and certification policies between European certification bodies;
o Development of protection profiles whenever the European Commission launches a directive that should be implemented in national laws.
As suggested in the mentioned EP resolution – topic 94 – the development of minimum security and privacy standards and guidelines for IT systems, networks and services, including cloud computing services, is called for in order to better protect EU citizens' personal data and the integrity of all IT systems.
European companies (including SMEs) should combine their forces and act as representatives for the EU in standardisation committees, bringing the weight of the EU to bear through European industry experts and making them heard on a global level.
Creation of a European “NIST‐like Laboratory” for EU standardisation, certification and definition of guidelines adapted to the EU market
An EU NIST‐like laboratory could be dedicated to the definition of cybersecurity standards and guidelines adapted for the European market. Its activity should also be extended to certification of European and non‐European solutions (see the certification topic later). This “EU NIST” could leverage upon the present activity of ETSI and the competence of ENISA. Considering sovereignty interests, it should leverage upon national and EU standardisation bodies and provide a common level playing field (if national sensitivities would limit this path, the EU NIST could be an almost virtual body, linking the national bodies). It could provide the needed support to mutual recognition of national certification (not all MS can afford a certification procedure), in particular for cybersecurity issues linked to critical infrastructures, in order to provide trust to operators.
Increase of EU Digital Autonomy for ICT and cybersecurity solutions
Increase the European Digital Autonomy: development of a European cybersecurity supply chain for a higher level of technological independence at MS / EU level (from national sovereignty to European sovereignty to tackle common security challenges).
Deeply analyse EU market needs, existing competence, strategic / critical technologies and needed developments to control the supply chain and vital assets
o Commission funding of market studies made by genuine, trusted and competent EU consultants, expert in cybersecurity / ICT (see also the later recommendation on “intelligence”), identifying the real needs of EU operators (not necessarily those identified in “traditional” market studies, often based upon US market needs) and making a fair comparison of different companies (including European SMEs), products and operational requirements. The creation of a "European Gartner" to improve understanding of the positioning of EU cybersecurity companies from an independent European view could also be envisaged.
o Support an EC financed project to identify European cybersecurity / ICT assets, competence, main products and suppliers (with a much deeper analysis than the one made in this voluntary study). Identify those that are strategic or critical (according to criteria to be defined) to improve the European digital autonomy.
o Create an Observatory for independent and regular updates and market analysis, monitoring trends and new segments in international cybersecurity, and identifying the evolution of products and new services as well as the development of new segments in cybersecurity, both from a qualitative and a quantitative point of view.
o Identify key cybersecurity vulnerabilities with regard to critical (to EU/MS security) technologies, software and hardware, including architecture of systems, and make recommendations on how a European offer could be stimulated.
o Identify which critical assets are not owned / under the control of MS or EU bodies and that could need special attention in case of threats and a need for emergency patching.
Increased EU cybersecurity technology autonomy as a priority for research funding under Horizon 2020
o Make increased EU cyber technological autonomy a priority for research funding under Horizon 2020, not only with regard to cybersecurity, but also for IT more broadly. While the US spends 3 billion US dollars a year on cybersecurity R&D, Horizon 2020 has 1.7 billion for all of security over seven years. Also, R&D funding on this topic at MS level should be better harmonised (as proposed by this flagship approach) to provide higher synergy of results.
o Develop a full chain of trusted solutions for the main application sectors, with a trusted label agreed by MS. EU industries (SMEs and large companies) have already established cooperation with large non‐EU companies (Europe cannot develop all components and solutions), which should satisfy agreed trust criteria. The supply chain should be transparent in its composition and in the possible evolution of its elements.
o Not all technologies exist / are developed in each EU country: we will need to stimulate a number of (EU) integrators having in their portfolio all needed (and certified) technologies and the ability to always choose the most suitable technologies to be used as “national plug‐ins”.
o Develop hardware and software solutions (e.g. sandboxing) to validate and make “secure” external (non‐EU trust‐labelled) solutions.
Creation of a list of trusted EU companies and if possible, of EU trusted products
Creation of a list of cross‐certified (meaning that national certifications are equivalent) products that need to be pushed at EU level in particular for public procurement (for example, recommendation to use trusted products in EU bids), to obtain a “trusted supply chain” recognition (if some products of the chain are not “trusted” the chain cannot be qualified as “trusted”), as suggested also in the EP resolution – topic 91 ‐ of March 12th, 2014.
Trusted companies / products should be distinguished from those EU companies / products which carry the inherent risk of backdoors (e.g. with EU trust certification, following EU criteria, regularly audited; this could also allow links with insurance, better define liability issues, and improve the business model for acquisition of security solutions). This database would also increase the visibility of SMEs to allow informed procurement. This list could be managed and regularly updated by ENISA, allowing wide consultation.
Increase participation of genuine EU companies in digital forensics
Control the information on cybercrime in Europe (Europol to increase cooperation with genuine EU companies) with the support of experts (an opportunity for SMEs) in a rapidly growing market.
Storage of EU data in trusted European solutions
o Store data of European institutions and agencies in Europe, using EU trusted solutions, to increase security and strengthen the European industry for data storage and software.
o Encourage and promote the establishment of a trusted European cloud to promote the European IT industry and better protect the data of European citizens.
EU Certification / Trust Label and validation platforms
Establishment of a European trust and privacy certification compliance framework
Such a trust and privacy certification compliance framework should follow EU regulations and standards (as an evolution of the present Common Criteria, also leveraging upon the work of the SOG‐IS, widening its scope and encouraging all MS to be part of the agreement), with associated accreditation and audit organisations for sensitive IT components, services and integrated systems.
Establishment of an EU cybersecurity quality / trust label
A European trust label for cybersecurity products, services and mutual certification, respecting EU values / sovereignty (complementary to MS trust labels), should be created to help identify trusted European products and services: it could be developed using existing labelling procedures in this domain, as in Germany or France (“IT security made in Germany”, “France Cybersecurity”). Support for lightweight certifications should also be considered, when needed.
Creation and operation of European Cybersecurity Labels, a certification mechanism against a published set of criteria or requirements. This would benefit label holders as a seal of guarantee of security in the company’s products or services, and would help corporates and consumers identify secure providers. Labels can be built on best practices and other internationally recognised existing certifications. The added value of this European label resides in its EU‐wide recognition and acceptance, thus helping in the defragmentation of the European market, and creating competitive advantages with the creation of stronger market positions for trustworthy companies.
Different levels of labels can be devised, corresponding to increasing levels of security in the organisation’s products and services. End users, consumers, customers or companies of these products would not be obliged in any way by law or regulation to buy security products with these specific labels. Where labels have been used, compliance to the label requirements should be monitored and regularly checked. The set of requirements, the methodology and process for the certification of trusted solutions, ought to be defined at the EU level, coordinated by an EU‐level agency (e.g. ENISA, or the suggested EU NIST) in agreement with national security agencies of Member States, while enforcement checking could be delegated to national agencies in charge of cybersecurity practices. The set of requirements will be a single one for the whole of Europe (baseline). Some critical infrastructures at the national level might require some specific local criteria. In this case, additional local criteria would come on top of the baseline criteria. Compliance validation would be conducted in the same manner by any one national agency, and would be recognised EU‐wide. The setting up and operation of this label mechanism would imply some costs, so resources should be allocated to put this mechanism in place. The requirements for each level of label could be defined by an EU‐level agency.
Establishment of EU / MS certified and independent validation platforms
This could be supported by the suggested EU NIST approach (possibly linking trusted / qualified national laboratories that follow common procedures agreed by the national cybersecurity agencies, which will be set up in all EU countries as required by the NIS Directive) for the test, validation and certification of EU cybersecurity solutions. The platforms, developed with the support of EU funds (e.g. structural funds, scientific infrastructure funds, …), should be used for static and dynamic code analysis, security validation, proofs of concept and demonstrations. The testbed will allow security solutions to be tested, which will be especially beneficial to SMEs that do not always have the resources to pay for the hardware needed to test and validate concepts and innovative solutions. Moreover, SMEs lack demonstration platforms because these require space. It will increase collaboration within the European cybersecurity industry and the interoperability of European solutions. In addition, it can also serve as a showcase for European solutions and could thereby increase market visibility.
The mentioned independent platforms could also provide assessment of non‐EU components / equipment / services / software that cannot be mastered (developed or produced) in Europe (for whatever reason) but that are used in critical European / national systems (validation of all links of the security chain). This assessment infrastructure should guarantee that the components used in our systems are secure (security certification / quality label, and respectful of EU values / sovereignty).
Comment: Basic / common requirements could be established at EU level to facilitate a level playing field for mutual recognition. This common level of trust could be fostered by ENISA with the support of the National Agencies and operationally coordinated by the proposed EU NIST (past / ongoing coordination of certification methodologies by the JRC has been handled too slowly to be of interest to the market; for this reason we think that a body more specifically specialised in ICT/cyber issues should coordinate this issue at EU level in this sector). At the same time, National Agencies could ask for a stronger level of certification at national level, depending on local / national security needs. This model has proven quite successful in the civil aviation sector under the coordination of ECAC6 and will soon become EU legislation (under discussion at the European Parliament).
Below we recall a similar but less demanding (voluntary) approach to certification proposed in the “Recommendations on Cybersecurity for Europe” by the Cyber Security Advisory Group to Commissioner Oettinger (Draft version – July 27, 2015).
Implementation of cybersecurity, trust and privacy by design
Strengthen security by design through the establishment of a European trust certification / EU trust label (also following EU regulations / standards) for sensitive IT components.
Anticipate / avoid possible misuse of a new technology (e.g. encryption software) that while protecting privacy could allow unlawful use, evading national security (intelligence).
Improve security and privacy by design leveraging upon R&I projects better integrating software and hardware systems and following established guidelines.
Adopt Privacy Enhancing Technologies
E.g. as proposed in the following suggestions from CAPITAL:
o Enhancing privacy including fine‐grained access to personal devices and services, protecting data, protecting identities and anonymisation and privacy.
o Type‐safe languages and application verification, and tools for establishment of identity or authentication.
o Build in data protection measures already at the development stage, particularly for emerging areas such as Big Data and IoT, in order to maintain a high level of trust (as suggested also in the EP resolution – topic 72 – of March 12th 2014).
o Access control management, and monitoring and compliance verification mechanisms to allow for informed trust of the entire transaction path.
o Hardware mechanisms that support secure boot load and continuous monitoring of critical software.
o Support for application‐aware anonymity to allow for anonymous web access, and platform security mechanisms and trust‐in‐platform.
Strategic Research & Innovation deployed to the market
Continuously update, in a structured and coordinated way, an EU Strategic Research and Innovation Agenda (SRIA)
Update and support implementation of the SRIA with the support of the NIS‐Platform and the PPP for coordination of its implementation, taking into account previous projects for lessons learned.
Define future Research & Innovation priorities for EU projects with strategic view to support competitiveness of the EU cybersecurity industry and the DSM
6 https://www.ecac‐ceac.org//activities/security
A strategic approach to efficiently develop EU solutions and the EU cybersecurity industry and to protect the EU DSM should be used, rather than, as in the past, envisaging the development of generic gap‐filler building blocks.
Use efficient vehicles to finance projects with high TRL (bring research and innovation to market)
Not only research “as usual” (EC R&I projects move slowly): innovation should be brought to market as soon as possible. An example could be the French model of “Projets d’Investissement d’Avenir”7, which finances projects with high TRL, i.e. projects that are ready for market deployment.
The European Commission is strongly supporting in H2020 the use of Pre‐Commercial Procurement (PCP) and Public Procurement of Innovative Solutions (PPI) to bring innovation to market. The efficiency of these instruments at EU level still has to be verified, as they may not be well adapted to the security sector and contracts could suffer from long negotiations on IPR issues. We think that a “flagship” approach, with coordination of operational needs, objectives and use of resources for capacity building, could give better results in fostering coordinated pre‐procurement (and procurement).
Incentives and policy conditions to translate R&I results into commercial solutions, not only for cybersecurity, but also for ICT products more broadly.
Accelerate time to market through technical collaborations to test new solutions / services created by encapsulating pre‐existing solutions and prototypes together.
“Intelligence” (early information gathering) at ENISA could help to identify valuable innovation at early stage: provide support from R&D to operational and business applications, providing market intelligence, competitive analysis and innovation screening, investment and support to early stage development, etc.
Strengthen synergies in EU and its MS on cybersecurity and cyberdefence basic technologies
Cyberdefence contracts from the public administration are providing US companies with innovation and huge competitive advantage. Why should this not be possible at a higher level than is the case today in Europe?
Create a “technical and innovation intelligence” service
Europe is often late compared to the United States or Israel because we do not foresee innovations and anticipate market needs. To help identify innovations and needs at the earliest stage, ENISA could create an intelligence service (gathering information) to monitor technical inventions, market innovations and fundamental research in the field of cybersecurity, leveraging upon a closer dialogue with industry.
Create a technical and functional recommendation service by an EU independent organisation
The US NIST regularly publishes recommendations for industry to improve its cybersecurity posture. A possible EU NIST (see later) could replicate this at European level. In addition, the US NIST publishes technical and functional requirements and recommendations that cybersecurity products, services and architectures must comply with. This is a very powerful way to shape products as you want them to be, and makes them easier to control if needed. As the United States is by far the largest market for cybersecurity, all providers comply with the rules written by NIST. In many other industries, Europe has developed its own regulatory requirements, and the idea is to replicate this for cybersecurity through the EU NIST.
Priority procurement of EU trusted solutions
Create a committee to streamline the procurement of “EU trusted solutions”
7 http://www.enseignementsup‐recherche.gouv.fr/cid55892/comprendre‐le‐programme‐investissements‐d‐avenir.html
This approach could be developed in parallel with or within the PPP (and consistent with the proposed flagship approach), covering “EU trusted solutions” (at least recognised at national level) to be purchased in the coming years using EU, MS and private funds, immediately providing European protection for the growth of the DSM.
Support cybersecurity procurement for sensitive EU / MS applications / infrastructure
Use EU cybersecurity trust‐labelled products, for instance in EU bids and first of all in EU infrastructure (space, transport, energy, communication etc.), and as a tool to support emerging tools and services, as suggested in the EP resolution – topic 91 – of March 12th, 2014.
Comment: EU technology can be of good quality but often cannot be bought because it is more expensive than US technology that is selling in larger quantities. MS and EC should help and facilitate this financially. Public procurement rules should ensure that secure products are preferred over cheap “non‐trusted” products. Cybersecurity cannot always be a fully liberal market when dealing with sensitive (economic, political, personal/societal) security information and impacting EU or MS sovereignty or vital services (for this, we could leverage upon the mentioned Defence and Security Procurement Directive). EU competition laws should be revised in order not to be an obstacle for the implementation of industrial policies that are EU sensitive.
Set requirements to use the purchasing power of public administrations for public procurement of IT security solutions limited to "EU trusted companies"
The revelations of Edward Snowden have demonstrated that foreign companies, products and services cannot always be trusted, as they cooperate ‐or are forced to do so‐ with the intelligence services of their home country. Public administrations should look to procure IT security from "EU trusted companies" (which should also commit not to share data outside Europe), thus supporting the market for European solutions. The idea is to allow specific public services that require confidentiality due to their strategic missions to introduce selection criteria in their calls for tenders based on the place of conception or production of the products, as a legal derogation from the general competition rules. Besides strengthening the cybersecurity of Europe’s most strategic public services, this would support the growth of European manufacturers. In the Galileo project, ESA has protected the supply chain by creating a qualification of “European producer”. The same or a similar approach to reserve procurement to “trusted companies”, for critical sectors as defined by the public/private NIS platform, could be explored, as suggested in the EP resolution (topic 91: “where security or other vital interests are involved”) of March 12th, 2014.
Wide support to SMEs
Use sectoral SME clusters as mechanism at local level and beyond (Regional / MS) to develop the market, support cybersecurity SMEs and as multiplier of EU initiatives.
Link cybersecurity SMEs and their innovative products to concrete needs identified by a wider platform, also to open new and wider markets together and gain easier access.
Establish a representative group of cybersecurity SMEs or a representative body to serve as a communication channel to SMEs in the EU to suggest solutions for SMEs and small market players.
Develop regional / local SOCs to help cybersecurity SMEs and clusters (public or privately owned, depending on the business model, also with support of regional funds).
Common procurement calls made by public authorities and companies, to allow cybersecurity SMEs to sell their niche products at a larger scale.
Explore the possibility of a European Cybersecurity Small Business Act to facilitate procurement oriented towards SMEs.
Develop a certification programme for cybersecurity SMEs (modelled on PCI‐DSS8), vetting SMEs for products and services, beyond ISO 27000, to protect and facilitate SME business (avoiding high certification costs and cumbersome procedures).
Help SMEs (as suppliers and users of cybersecurity solutions) to find skilled expert resources (registry of cybersecurity experts) – e.g. accreditation by ENISA or by another organisation. Help users’ SMEs to better define their cybersecurity needs.
Further promote specific Research & Innovation mechanisms for SMEs in the cybersecurity sector with adequate financial support: e.g. the H2020 SME Instrument of the European Commission9 and COSME. An extension of this approach, better linking SMEs with other companies, even large ones, to reach the market and have easier access to funds, could be provided by the creation of a European programme similar to the French RAPID (see §4.3.3.2) for civilian applications. Specific support for the use of these instruments, helping cybersecurity SMEs as well as SMEs that are cybersecurity users, could be provided through the creation of a specialised cybersecurity officer position.
Set up a European accelerator for cybersecurity start‐ups to support development of excellence and reduce risks of failure in the first years of operation. An accelerator for European cybersecurity start‐ups could provide mentoring, entrepreneurial support, innovation management and funding capabilities with the support of academic centers, universities, governments, private sector and European Commission, to foster technology development for the European market and to share these results among the companies in Europe.
Appropriate and focussed funding from research to capacity building, innovative financing & fiscal incentives
Increase funding from EU Institutions and MS to support the development and competitiveness of a genuine EU cybersecurity industry and implementation of users’ capacities
Increased funding from the EU and MS (for R&I as well as infrastructure ‐ as suggested in topic 98 of the EP resolution of March 12th 2014) should be used to better match the huge investments made in external (non‐EU) countries. EU funds could also be used for the procurement of national infrastructures / capacities (including for setting up national cybersecurity agencies).
Comment: this is needed to ensure the development of businesses in certain strategic areas and to make sure that strategic assets and companies remain in Europe and do not relocate outside the EU to operate their business once developed. This is particularly the case for data hosting services, in order to enforce European privacy regulation and to keep the data, which is often said to be the oil of the 21st century. Moreover, it would also be very relevant for labour‐intensive businesses, such as the MSSP business, to avoid offshoring trends (labour costs in ICT / cybersecurity in trusted companies in European countries could be eased). Current mechanisms to apply for loans and venture capital supported by the European Union10 provide relatively limited support (with respect to funding in the US) and demand a non‐negligible administrative effort.
Finance capability development at MS and EU level
Identify the areas of supply that need to be improved, analyse which critical components are essential for Europe, and then finance the development of such components or the purchase of such competence.
Develop new models for venture capital in Europe adapted to the current economic environment: set up European or national investments funds for IT and IT security
Europe suffers from a technological dependence on American or Asian (mainly Chinese, Japanese and Korean) products in almost all IT segments. Such dependence can only be overcome by massive investments that no European country or industrial player can afford alone. We suggest setting up entrepreneurial (private) funds, venture capital (banks / financial entities) and investment funds up to crowdfunding (depending on the objective to be reached, from start‐up / innovation to development, export, purchasing and infrastructure deployment), to back innovations, start‐ups and projects. These funds should support industry (in particular to allow SMEs easier access to funds) and innovation in IT and IT security, to bring innovative solutions to full maturity and stabilise / develop SMEs.
8 Standard for the payment card industry
9 https://ec.europa.eu/programmes/horizon2020/en/h2020‐section/sme‐instrument
10 http://europa.eu/youreurope/business/funding‐grants/access‐to‐finance/index_en.htm
Objectives for investment of funds could be:
o Investments for building up infrastructures (e.g. the Juncker fund, structural funds etc.)
o Support to all companies via public equities (of interest to banks and institutional investors – pension funds, insurance federations)
o Specific support to SME (with private or public equities);
- Start‐up funds (incubator and accelerator), private equities
- Development funds
- Growth (export etc.)
- Purchasing funds to avoid purchasing from non EU investors (if SME are ready to open their capital to private funds)
Link H2020 with other EU and MS procurement funds in a strategic end to end approach
Funding for R&D from H2020 should be linked with other EU and MS procurement funds (European Fund for Strategic Investments ‐ EFSI, European Structural and Innovation Fund ‐ ESIF, Connecting Europe Facility – CEF, etc.) as proposed in the Cybersecurity Flagship for an effective and strategic end‐to‐end approach.
Organise regular presentations to investors of the results stemming from cooperation between industry, RTOs and users, as well as of innovative cybersecurity start‐ups
Specific events could be regularly organised with the support of the envisaged PPP on cybersecurity and ENISA. We could also envisage in Europe the creation of something like SINET11, which in the US (and now also moving to Europe) is a community builder, strategic advisor and catalyst whose passion is to promote innovation, small and large business growth, and enhanced awareness of early‐stage and emerging growth companies.
Alternatively, it could be envisaged to organise roadshows around Europe to present innovative cybersecurity start‐ups to investors.
Create financial incentives and favourable fiscal conditions to ensure the development of businesses in certain strategic areas and to make sure strategic assets and companies remain in Europe
This approach should help to avoid companies relocating to the US or Asia to operate their business once developed (e.g. lower taxes on labour costs for Managed Security Service Provider businesses operated in European countries, to avoid offshoring trends). This is also the case for data hosting services, in order to enforce European privacy regulation and to keep data in European ownership.
Financial / fiscal incentives should be considered by MS when financing IT / IT security capacity procurement
Incentives should be considered for public administrations purchasing EU certified solutions following a security & privacy by design approach. Provide preferential fiscal / tax treatment for the development, purchase and use of European cybersecurity products and services (in particular from EU cyber SMEs).
Analyse the possibility of protecting critical European companies from foreign acquisitions
The US model of CFIUS is efficient in authorising foreign investment while protecting national interests in sensitive sectors. There should be a discussion of whether and how such protection could be achieved at EU level. Some Member States such as France already have a national policy and might be reluctant to delegate authority over investments to the EU level. Others that do not yet have such legislation and are interested could explore enhanced cooperation with the European Commission. There should also be a discussion of whether national CFIUS‐type mechanisms require a derogation from internal market rules, or whether the distinction between EU acquisitions (always authorised) and non‐EU acquisitions (scrutinised) is sufficient to respect EU internal market rules. Best practices could be shared and harmonisation of national rules could also be explored.
11 http://www.security‐innovation.org/default.htm
Cyber Insurance using EU certified products & Risk Management Compliance
Develop cyber‐insurances business models leveraging upon cybersecurity Risk Management and using EU certified products
This could help to create a shared "marketplace" approach linking risks to insurance for improved cybersecurity market development. Organisations and insurance providers could collaborate on addressing the increasing need to develop sector‐oriented cyber insurance ‐ meaning insurance adapted to the activity domain of the organisation.
Compliance of companies to cybersecurity risk management procedures
Companies could be legally required to add cybersecurity risks to their balance sheets. This “compliance” mechanism would encourage investment in cybersecurity and mainstream the issue into the overall strategic management of the company. Critical (infrastructure) companies could also be legally required to get insurance to cover the IT risk. If not compliant, financial measures could be taken against the company.
Comment: companies would have to better evaluate the reality of the IT risk, increasing the cybersecurity awareness of the Board of a company, not only the CIO but also the CEO and other top management. Insurance companies are starting to develop expertise in the auditing of IT risk, which would allow the internal audits made by companies to become more objective. This would encourage the critical (infrastructure) companies to optimise their business model, reaching the right balance between insurance and investment in cybersecurity protection, reducing their insurance costs and hence their vulnerability to IT risk. We should look for improved protection for the user and an increased market size for insurance and security solution suppliers (a wider and more structured market with lower prices could be better than a small market with limited profits).
Consolidation of European companies to support the creation of EU cybersecurity champions
In the market / suppliers analysis, we have seen that there is in Europe a considerable number of large and small companies covering more or less well the spectrum of the solutions needed for the different application sectors and emerging areas, often quite active, but only in local / regional areas or for national markets. It was not the intention of this study to provide a detailed analysis of the level of performance and competitiveness of each company and each product. We can say that Europe has a fair presence in all markets but a relatively weak level of competitiveness across sectors / products. There are different ways to increase competitiveness. One of these is market consolidation, where competitors merge (or are purchased) to reach a larger and more competitive size (and possibly complement / strengthen their offer).
Update European merger rules to cybersecurity market needs
Market consolidation should be viewed positively in the field of cybersecurity, to allow the most competitive European companies to scale up faster and more efficiently and to keep pace with dominant US players. European merger rules must be adapted accordingly. The facilitation of mergers must enable European operators to achieve the economies of scale needed to invest in future network infrastructures and to compete with “Over The Top” providers. Mergers will also have an immediate effect on R&D budgets, which will be able to do more for the same money rather than developing competing technologies in competing companies.
Consolidation of SMEs
There are thousands of SMEs working on cybersecurity and / or on related ICT technologies or security applications needing cybersecurity (cybersecurity being pervasive). Consolidation of these SMEs could be envisaged not only in local clusters but also in networks (maybe in a JV scheme) across Europe, to provide a wider, competitive and lasting offer to better face non‐EU competition and facilitate export. Consolidation of SMEs to increase their maturity level could lead to European champions in certain areas. This could be particularly needed in cloud security, application security and governance, vulnerability and cybersecurity management as well as training services, which are also sectors where there is a considerable number of SMEs (possibly carrying innovation).
Consolidation of SMEs to increase the maturity level and reach a higher competitiveness is particularly needed in the following areas where a considerable number of SMEs (not necessarily sufficiently competitive) is present in Europe: cloud security, application security, governance, vulnerability and cybersecurity management, training services.
Consolidation of SMEs and large companies
Consolidation could also occur among more mature (global) companies in these areas to increase competitiveness (and their competence), or with suppliers from defence and professional electronics. Many innovations are being created in SMEs. SMEs should be given the time to mature their products before being purchased (if at all) by larger companies, or there is a risk that absorption by a large company could “kill” a product that is not yet mature enough (for various organisational reasons of large companies with respect to SMEs). Once an SME is sufficiently stabilised, the European market should help its possible integration / consolidation (if needed) with larger European companies.
Consolidation of large companies
Envisage the possibility of creating one or more large conglomerates, maybe in JV form, of the main EU cybersecurity companies (the old idea of an “Airbus‐like” company for cybersecurity is interesting as speculation, but the market structure is quite different here) which could play a full leadership and driving role in Europe and at international level. In this case, consolidation would be made among companies having mature products and markets. European competition laws should therefore allow the consolidation of certain larger companies to reach better competitiveness at international level.
Ad hoc clusters for competitive partnership (EU champions / trusted companies along the value chain)
A temporary gathering of companies (large and SMEs) could be considered to provide complementary competence to better and competitively answer challenging requests, thus creating a kind of “temporary leadership”.
Priority Investments in strategic solutions and services to support European competitiveness in market leading sectors (following the EU market / company offer analysis)
Investments are not happening by chance. We have identified some interesting paths for investment that are reported hereafter, but to reach these goals we think the appropriate conditions should be established to bring together the different stakeholders (banks, companies, users, customers etc.) in order to start an effective cooperation and mutual beneficial investment. This is one of the main goals of the flagship and the envisaged PPP could be one of the first concrete steps in this direction.
Creation of a specific EU fund for cybersecurity
A specific EU cybersecurity fund (similar to the Internal Security Fund – ISF) could be created to stimulate capacity investment in MS. This fund could be used as an instrument to bring innovative EU solutions to market and deploy needed capacities in MS.
Cybersecurity solutions / services (considering both EU competence availability and competitiveness)
o to raise from low competence and competitiveness level:
- Training services
o to raise from average competence / low competitiveness level:
- Governance, vulnerability and cybersecurity management (including Big Data Analytics for Cybersecurity and Threat Intelligence)
- Network Systems Security
- Management and operations services
o to raise competitiveness to reach market leadership:
- Cloud security, in particular cloud security brokers and homomorphic encryption, which allows operations to be performed on encrypted data without decrypting it
- Hardware device / endpoint security (including security of mobile and embedded systems and Internet of Things)
- Application security (including software analysis, verification, and certification)
- Managed Security Services
o to reinforce leadership:
- Identity and Access Management
- Data Security
Cybersecurity application in main economic sectors for Critical infrastructure, Protection and Resilience, Smart Manufacturing
As cybersecurity is becoming a key element in the value chain for all market applications, we should consider the competitive position of Europe in the different industrial sectors (in particular for Industrial Systems) as well as the strategic importance of the sector, to suggest priorities for actions and investments.
Investments in emerging markets like IoT, Big Data (Data Analytics for Cybersecurity and Intelligence), Industry 4.0 ‐ innovative ICS and “Smart Europe”, Cloud, Mobile and embedded systems, smart grids etc. could provide more opportunities for Europe to attain leadership than in more mature markets.
o To increase relatively low level of competence or competitiveness:
- Protection and Resilience : Smart & Secure Cities
Smart & Secure Cities is still an emerging market and growth should be supported as directly impacting the majority of the European population which lives in cities
o To reinforce medium level of competence or competitiveness:
- Critical Infrastructure: Energy / Smart grids; Healthcare; ICT infrastructure; Transport
Cybersecurity in the energy sector is vital but market growth is relatively slow and investments could follow a reasonable pace; for Healthcare, the market is still in an early phase, but hacking of sensitive personal data is increasing strongly and urgent investments are needed; investments in the transport sector are urgent and critical, as Europe is a leader in aeronautics and car manufacturing; and ICT infrastructure investments are strategic for control of data exchange
o To support higher level of competence or competitiveness:
- Critical Infrastructure: Banking and Financial Services
Europe is a leader in these services (also for products like smart cards) and its position should be constantly reinforced with due investments
- Smart Manufacturing: Industrial Control Systems
The leading European Industry 4.0 approach for more efficient and smart manufacturing should be protected from cyber threats and foster global competitiveness of EU products
- Protection and Resilience : Public Services / eGovernment
While Public Services (law enforcement and first responders) are usually a good market for trusted national suppliers, they could need support in considering the relevance of “legal intelligence” in the fight against terrorism and crime; eGovernment could need support to increase competitiveness with respect to the use of non‐EU solutions.
Priority investments for European leadership in market leading / sensitive sectors with strategic solutions and services: concrete projects
Following our analysis of European competence with respect to critical solutions for increased digital autonomy, we recommend adequately financing the development and implementation of strategic European cybersecurity solutions in the following areas:
o H/W, S/W Innovations: Next generation of network protection and next generation software analysis tools
o Cyber Security and Privacy by Design Engineering (including online trust and transparency for privacy)
The following specific topics cover technologies that do not require fundamental research and could lead to commercial products with a strategic impact for Europe and generate business opportunities for European companies with a positive impact for the European economy.
We can identify a few major projects that should take place at European level due to the complexity and the amount of budget involved. These projects should allow the creation of competence and competitiveness in strategic NIS elements (also to increase EU digital autonomy ‐ as suggested in topic 90 of the EP resolution of March 12th 2014) and global leadership.
Member States should identify specific cybersecurity capacity needs and flag them in their priorities for EU funding or other kind of private funding. We have identified hereafter a group of urgent concrete projects that, following the analysis in our study, would allow the development of sovereign components and national capacity building.
o European trusted and secure router (such a development requires significant investments that no single country or private company can afford alone, though the router is one of the most strategic elements in the network), as suggested in topic 107 of the EP resolution of March 12th 2014
EU project: Consortium of EU companies to develop, upon basic technologies from e.g. Alcatel, Nokia, Ericsson etc., an EU router, integrate security solutions, test / validate & certify it and make it competitive at global level (competition: CISCO, Huawei). €150 mln development costs + marketing costs
o European trusted Security Information and Event Management (SIEM) solution, as event correlation is a strategic activity in terms of attack monitoring (as suggested in topic 93 of the EP resolution of March 12th 2014 – detection capabilities).
EU project: Based upon a few technology bricks existing in the EU (e.g. from start‐ups), developed by an EU consortium (competition: HP, IBM, Splunk, …). €100 mln development costs + marketing costs
o European trusted Intrusion Detection System (IDS), host‐ and network‐based, to ensure that detection rules can be trusted; the design should also be adapted to cloud architectures (as suggested in topic 93 of the EP resolution of March 12th 2014 – detection capabilities).
EU project: Based upon a few technology bricks (large companies and SMEs), developed by an EU consortium (competition: HP, IBM, FireEye, …). €100 mln development costs + marketing costs
o Enhanced development of cyber intelligence capabilities as support to the legal and proportional fight against terrorism and organised crime
EU project: Added value depends on the quantity and quality of security sources and security events; several countries need to be covered due to the spread of attacks: EU consortium. Mutualisation of information (based upon trusted infrastructure and legal procedures), including big data security and the creation of laboratories to analyse the feeds and to create rules to detect new attacks. €100 mln development costs + marketing costs
o Open source operating system for trusted services (as suggested in topics 91, 98, 107 of the EP resolution of March 12th 2014 for open source solutions)
EU project: Based upon a few existing technology bricks (large companies and SMEs), developed by an EU consortium. €150 mln development costs + marketing costs
o Advanced encryption technologies (need for encryption is mentioned in several topics – 95, 106, 107, 109 – of the EP resolution of March 12th 2014)
EU projects: Emerging technologies, such as homomorphic encryption, still need R&D funding. €20 mln (per technology)
o Sovereign clouds (need for EU clouds is mentioned in topic 64 of the EP resolution of March 12th 2014)
National projects (beware of increased fragmentation): based upon national trusted suppliers. €50 mln (per country)
o Multi‐sovereign probes (as suggested in topic 93 of the EP resolution of March 12th 2014 – detection capabilities)
National projects (beware of increased fragmentation): based upon national trusted suppliers; adapt commercial IDS to answer sovereign and government needs. €10 mln (per country)
o EU cybersecurity academia and education at MS level (the need for an EU IT Academia is mentioned in topic 100 of the EP resolution of March 12th 2014).
EU and MS projects: Creation of an EU cybersecurity academy, with links across MS, and development of local / national education on cybersecurity
o EU / MS validation platforms (as suggested in topic 110 of the EP resolution of March 12th 2014)
EU and MS projects: Creation of national validation platforms (laboratories) to test the trustworthiness of solutions and provide MS / EU security labels
o National capacity building: SOCs (as suggested in topic 93 of the EP resolution of March 12th 2014 – detection capabilities)
National projects: Creation of SOCs based upon national trusted suppliers (beware of increased fragmentation across MS), e.g. SOC: €5‐20 mln (per project and country).
o National capacity building: Cybersecurity control centers (connected across EU)
National projects: Establish and link national cybersecurity control centres to facilitate information sharing and common tools, also leveraging upon CEF (Connecting Europe Facility), e.g. €5‐20 mln (per project and country).
Disclaimer
The full study is referred to as: European Organisation for Security (Ed.): Cybersecurity for a trusted EU Digital Single Market – EOS Market Study for a Cybersecurity Flagship Programme – An EOS Strategic Initiative. Information gathered from EOS members and external sources, November 2015.
Originally, this study was made for internal use. The present public summary of the full study was made to better justify the proposed recommendations.
The full study is freely available to EOS Members. Should you request to have access to the full study, please contact EOS at info@eos‐eu.com.
EOS has exercised reasonable care in collecting, processing, and reporting this information trying to avoid conflicts in data ownership but has not independently verified, validated, or audited the accuracy of data or completeness of the information collected.
Acknowledgements
Study Editors:
- Luigi REBUFFI – EOS
- Mathieu MOREUX – Thales
- Mari KERT – EOS
Contributors:
- Aymeric Simon – AIRBUS
- Frederic Polycarpe – AIRBUS
- Gunther Schwarz – AIRBUS ‐ through ASD
- David Jackson – ALTRAN
- Aljosa Pasic – ATOS
- Florent Kirchner – CEA
- Mark Miller – CONCEPTIVITY
- Nuno Guerreiro – EDISOFT
- Veronique Pevtschin – ENGINEERING I.I.
- Dario Avallone – ENGINEERING I.I.
- Nina Olesen – EOS
- Thomas Usländer – FRAUNHOFER IOSB
- Tony Kenyon – GUARDTIME
- Anna Piperal – GUARDTIME
- Tom Koehler – IABG
- Sandra Mezzadri – IABG
- Jorge López Hernández‐Ardieta – INDRA
- Vasilis Tsoulkas – KEMEA
- Rob van Dort – NIDV ‐ through ASD
- Angeloluca Barba – SELEX E.S.
- Yves Lagoude – THALES
- Olivier Bettan – THALES
- Pascal Bisson – THALES
- Robin de Haas – TNO
- Will Fitzgerald – UTRC
- Menouer Boubekeur – UTRC
- Filipe Custódio – VISIONWARE
We thank all EOS Working Group members that have directly or indirectly contributed to this study, as well as the EOS Board of Directors that has initiated, supported and promoted it.
We would also like to thank all those with whom we had discussions to present elements of this study and who provided, when possible, useful suggestions:
- Jacques Roujanski – CICS ‐ Conseil des industries de confiance et de sécurité (FR)
- Ramon Moerl – itWATCH / TeleTrusT
- Fabio Martinelli – CNR / NIS Platform WG3
- Pierre Chastanet – E.COMMISSION
- Paul Timmers – E.COMMISSION
- Udo Helmbrecht – ENISA
- Steve Purser – ENISA
- Gilles De Kerchove – EU COUNCIL
- Clement Castano – Hexatrust ‐ Cybersecurity and Digital Trust Alliance
- Jean‐Marie Letort – THALES / Advisory Group to Commissioner Oettinger
- Ida Aisma – HSD ‐ The Hague Security Delta
- Ulrich Seldeslachts – LSEC
- Emma Philpott – Malvern Cyber Security Cluster / UK Cyber Security Forum
- Christian Ehler – MEP
- Tunne Kelam – MEP
- Rainer Baumgart – SECUNET
- Mika Lauhde – SSH / FISC ‐ Finnish Information Security Cluster