[BLOG] Why we need to start taking cybersecurity seriously
The cyberattack on the US government must act as a wake-up call. With digital transformation come extra risks, especially when transferring sensitive data. That’s why international collaboration on cybersecurity is so important, writes Director-General Cecilia Bonefeld-Dahl.
By Cecilia Bonefeld-Dahl, Director-General of DIGITALEUROPE
One of Europe’s top priorities emerging from the COVID-19 pandemic is to help businesses and governments digitalise. The digital economy is growing two and a half times faster than the rest of the economy. And as we’ve seen over the past months, those businesses able to move online were more resilient to the economic slump caused by the pandemic. On the public sector side, there has been a surge in demand for government services delivered remotely.
But with digital transformation come extra risks, especially where transferring sensitive data is concerned. As businesses and governments move online, so too do criminals. Last week we saw one of the largest cybersecurity attacks in history – the ‘SolarWinds’ attack. Hackers targeted vital US government departments like energy and the treasury, as well as several private companies.
Cross-border cyber threats call for closer international cooperation
Countries must not overlook their cybersecurity strategies and must invest in maintaining and upgrading the safety of their digital infrastructure. Furthermore, cyber threats are almost always cross-border, and a cyberattack on one country can affect the system as a whole.
We have seen cyber attacks exponentially increase as the pandemic unfolded. Ransomware attacks on critical health facilities remain widespread. The US ‘SolarWinds’ hack is just one example. Earlier in December, a cyberattack hit the European Medicines Agency just as it was processing critical health data to swiftly approve the COVID-19 vaccine.
“The cyberattack on the US government must act as a wake-up call. With digital transformation come extra risks, especially when transferring sensitive data. As businesses and governments move online, so too do criminals.”
There is an international consensus that we need to better coordinate our response to cyberthreats. The attack on the US government must act as a wake-up call. NATO – historically focused on traditional military and defence capabilities – is now fully embracing preparedness against cyber warfare. In my role as advisor to NATO on emerging and disruptive technologies, I’m hoping to bring a new perspective on the need for agility and innovation – essential in the private sector, often lacking in the public one – when it comes to dealing with an ever-changing technology landscape.
Yet, in an increasingly interconnected world, I strongly believe we should take bold steps forward. We have seen good progress on global challenges like climate action thanks to diplomacy and international commitments. The Paris Call is the equivalent international convention on cybersecurity and today counts 79 signatory countries. It’s a start, but work remains to be done in tech diplomacy. In the meantime, cybersecurity is certainly one of the key areas we have identified where the EU can work with the new US administration when it enters office in January.
We can’t unlock data’s potential without trust
When it comes to digital, the EU is picking up the pace, unveiling strategy after strategy on everything data-related. Just last week, the European Commission published its Cybersecurity Strategy. This is good; it’s also about time.
As a member of the Stakeholder Cybersecurity Certification Group at ENISA, the European cybersecurity agency, I’ve been part of efforts to simplify and harmonise European cybersecurity requirements so that they become more accessible and streamlined for businesses. It’s not an easy job: a Europe-wide certification scheme must be practical and accessible for all companies – from small to large – but it also needs to be flexible and future-proof, since technology is continuously evolving.
“Cyberawareness is not in great shape across Europe. One in four businesses does not have a formally-defined ICT security policy. We are also lacking 350,000 cybersecurity professionals. The recently approved COVID recovery funds are a precious opportunity to bridge this gap.”
Yet requirements, standards and rules alone won’t accomplish much if we lack skills and infrastructure. When it comes to cybersecurity, we’re only as strong as our weakest link. And what if the weakest link is human? Cyber awareness is not in great shape across Europe. The latest studies on the topic tell us that almost one in four small businesses don’t have a formally defined ICT security policy. At the same time, we are now lacking 350,000 cybersecurity professionals on the continent.
The recently approved recovery instrument Next Generation EU, together with the EU long-term budget, is a precious opportunity to bridge this gap, by enhancing competences, creating jobs, and strengthening smaller businesses while providing economic growth for Europe. Of course, much of its success will depend on whether Member States actually include robust cybersecurity investments in their national spending plans.
Cybersecurity is vital for small businesses
I want to end with an example of why cybersecurity is so important for business. Cellwood is a Swedish company that produces machinery for the paper and pulp industry. It has over a hundred years of experience, during which it has grown beyond Europe’s borders. Despite belonging to a very traditional industry, it has embraced digital transformation, integrating data and predictive maintenance in its production line. A true European success story.
Data is the driving force of the digital economy. For innovation to happen, businesses need to be able to tap into this data, to share it, and learn from it. But modern business models like Cellwood’s also rely on the ability to handle business-sensitive data safely and securely. If their data is hacked, that could spell disaster for the company and its employees. We therefore need a system based on trust, which is why cybersecurity is so important.
Companies like Cellwood need a stable and secure online environment so they can do business and help bring Europe out of recession. But beyond the business impact, cyber threats have the power to endanger lives by attacking our critical infrastructure. It is high time that leaders in Europe and further afield take these issues seriously.