Cybersecurity, disastrous effects from the Russia-Ukraine war: for Europe it is time for a strategy

The conflict is fought at the cyber level even before the military one. And the interdependence of global systems, together with growing socio-economic digitization, increases the chances that an attack will cross national borders and spread like wildfire. We need to prepare for a scenario similar to, if not worse than, NotPetya. The creation of an emergency fund is under study.

14 Mar 2022
Paolo Grassia, Director of Public Policy, ETNO

"The recent cyber attacks that hit Ukraine, in a context of growing geopolitical tensions, have demonstrated the importance of the cyber dimension in contemporary conflicts. The possible fallout of these cyber attacks on European networks at the same time highlights the need for the EU to draw up an ambitious and comprehensive plan for its own cybersecurity". These are the words that open the joint declaration of the telecommunications ministers of the 27 countries of the European Union, who met last week in Nevers, Burgundy, as guests of the French Presidency of the Council of the EU.

The Telecommunications Council's declaration is a decisive appeal for the EU to equip itself with the tools necessary to protect its critical infrastructures, starting with telecommunications networks. The Russian attacks against Ukraine, starting from the 2014 Crimean crisis, have been fought at the cyber level even before the military one. And the interdependence of global information systems, together with growing socio-economic digitization, increases the chances that a cyber attack will cross national borders and spread like wildfire, with disastrous effects. It is therefore necessary to prepare for a scenario similar to, if not worse than, NotPetya, without ignoring the possibility of a direct attack on EU countries in response to the escalation of sanctions.

The challenges of cybersecurity and the responses of EU ministers

The proposals put forward in the declaration of 9 March are left to the legislative power of the EU institutions and to recommendations formulated by the competent agencies, together with generic calls for greater cooperation and an appeal to digital companies to fight pro-Russian disinformation. After all, cybersecurity intersects with national security, a sensitive issue on which Member States retain exclusive competence. Attempts to join forces often run up against national resistance to European coordination.
Among the ministers' initiatives, however, one stands out: the creation of an emergency fund for cybersecurity that would allow the EU to face future large-scale attacks. The details of this fund, which will have to be outlined by the Commission, are not yet known.

Strategic issues for the resilience of EU critical infrastructures were also discussed at the Nevers meeting, attended by Internal Market Commissioner Thierry Breton. Among these were "digital sovereignty", a theme dear to the French Commissioner, which is affected by the growing investments of American and Chinese technology giants in the submarine cables that carry the world's data flows, and the IT risks arising from 5G and the virtualization of telecommunications networks. These are all challenges that require long-term reflection, beyond the needs dictated by the ongoing conflict.

The role of telcos and European regulation

In any case, it must be taken into account that the telecommunications sector enjoys a very high level of maturity in terms of security. This is obviously due to the very nature of telecommunications networks and services, but the role that regulation has played in consolidating the sector's security standards at European level should not be underestimated. For decades, the EU regulatory framework has imposed stringent security requirements on operators, with meticulous risk management measures and intervention and reporting obligations in the event of an incident. This extensive body of regulation, which is about to be updated with the revision of the European Directive on the security of networks and information systems ("NIS 2"), makes further legislative action unnecessary. At most, telco operators and public authorities would benefit from a general harmonization of a regulatory system that has built up in layers over time, leading to a multiplication of rules, sometimes conflicting, and to a bureaucratic burden. NIS 2 has this goal, but it is still in the gestation phase.
In the shorter term, the promotion of European certification schemes and closer coordination between national agencies, as underlined by the Nevers declaration, could favor convergence and consequently the effectiveness of the measures taken against cyber risks on a transnational scale.

The knot of the supply chain

Regulatory intervention, on the other hand, would be desirable in order to strengthen the security of the technological supply chain, which is increasingly complex and globalized. The major SolarWinds attack has shown that the vulnerability of one small component can endanger the entire supply chain. According to ENISA estimates, almost 40% of cyber-incidents in telecommunications are caused by software and hardware problems. The virtualization of 5G networks will make it increasingly urgent to acknowledge that the security of critical infrastructures must be a responsibility shared by all the players in the digital ecosystem. This is another challenge for the future of European cybersecurity.