The recently approved Cybersecurity Act is just the last act (for now) in a flurry of policy- and operations-level activities carried out in recent years by the European Commission, by agencies and in member states regarding cybersecurity. This high level of activity has several reasons. On the one hand, cyber threats have finally been recognized as a major hazard and something that will not go away if left alone, with numbers on the growth and financial impact of “hard” cyber risks that continue to be staggering. On the other, if we also consider the soft side of the threats, i.e. the risk areas, the attack vectors, the social impact, we are bringing to the stage even more worrying risks, from electoral interference, to deep privacy violations, to the manipulation of individuals, to outright social control.
The flurry of activities mentioned above is therefore a (positive) consequence of this situation: it is evidence of policy-makers’ recognition that we are fighting for time, facing a new virtual space tied to a clock that is constantly ticking and much faster than normal legislative tempo; something that cannot be defined holistically once in a while, but must be constantly analyzed, managed and updated.
Cyberspace is, in fact, the largest creation of human ingenuity, not only growing at a rate that far surpasses any type of growth that humanity experienced in history, but also impacting practically every human activity. This fact alone makes evident yet another reason why a huge level of effort is required at the policy level, since a variety of fields, disciplines and bodies must be involved in managing cybersecurity. Here we are not fighting for time, but for space, i.e. to create a puzzle where all the right pieces fit together. In other words, a place where all those who need to talk to each other, to be informed, to cooperate, to decide and to act, have a way of doing so.
Leaving behind the clock and puzzle metaphors, we can try to understand how the Cybersecurity Act fits into the growing corpus of policies related to cybersecurity at the European level and what type of impact it will have on different stakeholders, in particular on the industry that builds and implements cybersecurity in Europe.
The European Union started to create the above-mentioned corpus in 2013, with the creation of the first EU Cybersecurity strategy and with the regulation creating the European Network Information Security Agency (ENISA) as a temporary agency initially supporting the process of generating awareness at the central and member states’ levels. With the Network Information Systems Directive (NIS) in 2016 the European Commission, while mainly addressing the need to identify those actors providing services that are essential for the continuity of social and economic life, also identified additional activities for ENISA, making it a mandatory and fundamental support to the network of Computer Security Incident Response Teams (CSIRT). The 2019 Cybersecurity Act will now give additional responsibilities to a now permanent ENISA, tasked with creating schemes to certify those devices, components or solutions whose security (i.e. integrity, availability, confidentiality, continuity) will be considered important for the Union and its citizens.
But is ENISA the answer to the complexity described above? Is the Cybersecurity Act filling the gaps in the cybersecurity policies’ corpus? Is a permanent and reinforced agency the glue that will integrate cybersecurity at the European level?
As pointed out before, in the six years since the first EU strategy, many things have happened and many bodies (both legislative and operative, in the EU and at a wider international level) have realized that the cybersecurity issue must be faced and dealt with. This led to a situation quickly (and only partially) outlined in the following table, which shows some of the entities active on several levels in the cybersecurity space and some of the many tools (e.g. structures, resources, policies, funds) they have at their disposal to work on the subject.
The table above depicts just a small part of all the activities going on in building, regulating and managing cybersecurity, at a general level and in some vertical cases, and, though it is not represented as a puzzle, it clearly shows the level of complexity of what is happening, considering that any of the entities above may have one or more reasons to establish contact points with each other, either temporary or permanent, and that in some cases these points are mandatory, because they directly descend from the responsibilities placed upon them by the regulators. Furthermore, many of the institutions have their counterpart or counterparts at a national or industrial sector level, thus multiplying European complexity by 28, or even more.
Let’s then go back to the original question: is ENISA the answer to the situation only partially described above? Is the undoubtedly extensive list of tasks that the Cybersecurity Act confers upon ENISA enough to stitch everything and everyone together?
It looks like the European Commission itself thinks the answer is negative, since the cybersecurity policies’ and bodies’ creation is continuing, for instance with the future European Cyber Competence Center and its related National Network, currently under discussion, that could add some lines to the table, as follows:
What, then, is the role of the cybersecurity industry? What can the industry do to support the building of a working response to cybersecurity threats in this one goal / multiple stakeholders scenario?
The cybersecurity industry is obviously a key element in this picture because it is the industry that must provide the tools and services required to implement policies and measures, which are either enforced or freely selected, to manage the threats we all face. But the task of the industry in regard to the puzzle described above is daunting, since it must not only provide tools and services, but also interpret the context in order to provide the right set of tools and services.
The strong and insistent demand from the industry to be part of policy making and of the investment selection process derives largely from the complexity of the scenario in which it has to move: being part of the process helps, being aware of evolution and changes as early as possible helps, being in a position to contribute to simplification helps, being able to make proposals addressing research, development and deployment helps. This participation can be carried out in a fair and “pre-competitive” approach, i.e. without hampering competition or providing undue benefits to any particular player within the industry, with the only goal being a general improvement in the clarity of the way forward and a better understanding among stakeholders. The intrinsic complexity of the market is per se an enforcer of competition, since the market is huge (€120 billion worldwide), fragmented (no player has more than a very small percentage of the market), fast-growing (double digit for several years to come) and fast-changing (low entry barriers and large spaces still to be conquered), and all these characteristics make it naturally open to strong competition.
Recognizing these facts, institutions should be encouraged to increase their cooperation with the industry to define a way forward: it can be done with no prejudice to market fairness, and can help bring efficiency and efficacy to a complicated act.