Europe: a bastion of cybersecurity
Published on: 04 08 2020
There was a time when, during the Cold War, the major powers were racing to conquer space. Now the race is to conquer cyberspace. The issues between the powers remain basically the same, but the rules have changed: now the game is about dominating your opponent by controlling the new playing fields occupied by cyberspace and its associated security issues. The opposing teams include the United States, China, Russia and Israel. Although it is competing, Europe seems to be playing from afar; in place of offensive and defensive strategies, it prefers the values of transparency and trust—which may one day take it to the top. It already has the tools to get there.
The geopolitics at the heart of digital technology
It is impossible to talk about digital technology and telecommunications these days without thinking about politics and geopolitics. For a few years now, we’ve seen the major powers, such as the United States, China, Russia and Israel, develop offensive and defensive strategies in the name of cybersecurity.
Now more than ever, the most powerful tech actors seem to be at the mercy of states: while the cosiness between the NSA and the US government is well-established, its Russian counterpart can often only be accused of interference when sophisticated cyberattacks occur. “On the Chinese side, it is public knowledge that an entire building near Shanghai houses officers of the Chinese army who are trained to deal with cyberattacks. On the Israeli side, the digital ecosystem is largely driven by former soldiers from Unit 8200, an intelligence unit of the Israeli armed forces. This shows that both offensive and defensive ‘cyber forces’ have risen to the highest levels of national strategic interest”, says Pierre-Yves Hentzen, CEO of Stormshield. Where does Europe fit into these cyber power games?
The Covid-19 crisis has laid bare Europe’s dependence on these major powers when it comes to issues of digital sovereignty. However, “sovereignty doesn’t mean closing oneself off or withdrawing from the world; it actually represents freedom: the freedom to make your own choices and take your own actions, without living under someone else’s yoke. That’s why I like to say that sovereignty shouldn’t be viewed from a domestic perspective. I often hear people say ‘we need to protect and support our French companies’. That’s a counter-productive and highly reductive way of looking at it. What we need more is a global movement for a strong Europe with international esteem”, insists Pierre-Yves Hentzen. “It’s good to have European digital infrastructures, but their integrity and independence cannot be assured if we use non-European cybersecurity technologies to protect them. With these geopolitical issues and the mistrust they evoke, it is clear that origin criteria outweigh purely technological criteria when it comes to choosing a security product. Europe needs to shift course and assert its agency. It has the means to do so; it has proven it in other areas, when it moved to combat the health crisis and prop up the economy. Now it must also take action when it comes to cybersecurity.”
The need for financial and governmental support
The Covid-19 crisis has also revealed how much Europe lags behind when it comes to issues of digital sovereignty. “We weren’t ready. With video-conferencing solutions, for example, it’s been American companies like Zoom that have reaped the benefits, with an explosion in user rates that have reached peaks of more than 200 million users a day. European solutions do exist, but they’ve proven to be functionally limited, sometimes for security reasons. And on top of that, they’re struggling to stay afloat due to a lack of funds”, notes Pierre-Yves Hentzen. A potential side effect of these security costs is a reduced level of investment in functionality. “It’s not just the quality of the products that drives people to buy American, it’s also the fact that they’re better promoted and marketed, adds Pierre-Yves Hentzen. And it’s all because they have the financial support needed to do so.”
It’s not just the quality of the products that drives people to buy American, it’s also the fact that they’re better promoted and marketed. And it’s all because they have the financial support needed to do so.Pierre-Yves Hentzen, CEO of Stormshield
This seems to be changing, however: in France, for example, it was announced that around twenty investors would be injecting six billion euros to fund French Tech startups. This isn’t public money, but money given by the largest French investment funds. The problem is, in Europe, it seems easier to invest in technologies with immediate returns. However, applications that require substantial R&D investments will not be profitable within a single year. Today, the world’s top players that can afford such investments in cybersecurity are either American or Israeli. “US companies in the sector are generally listed on the Nasdaq and heavily bankrolled by private equity funds, which allows them to invest hundreds of millions of dollars each year in R&D and marketing in order to capture market growth and dominate the field. Their strategy isn’t to seek immediate returns, but to gain market share, which drives up their valuation. And unfortunately, our own decision-makers in France, whether they’re public or private buyers, are feeding this well-oiled machine by mostly buying American technologies”, says Pierre-Yves Hentzen. For an example from the French health care industry, he points to Health Data Hub, which initially turned to Microsoft for its data hosting. This decision rightfully provoked an outcry: the French company OVHcloud invests heavily in this area, and could have been a more appropriate strategic choice to host such sensitive data. This matter will be one to watch—along with the controversy surrounding Photonis. This company, which supplies sensitive high technologies to the armed forces, was nearly acquired by an American firm. The French Ministry of the Economy and Finance vetoed the sale. The company is still looking for French and European investors, but if they fail to find an acceptable solution on this side of the Atlantic, the deal may land back in American hands.
The importance of regaining control
Financial support and infrastructure control go hand in hand. China’s internet is controlled by domestic firewalls in order to avoid dependency on the West, and on the United States in particular. Last year, Russia followed suit by isolating its internet from global servers. The move was deemed a success by the Russian government, which sought to pass a law establishing its own “sovereign Internet”. “Infrastructure control has become a power game, and this also means controlling how the infrastructure is protected. The US, China and Russia understand this. A few months ago, Israel tested whether it could block all access to the Internet, to see if the country was capable of operating independently. This capability was clearly demonstrated”, says Pierre-Yves Hentzen. The move represents a form of isolation and seclusion that raises issues of trust.
Still, today we can see how prevalent the problem is becoming: it is increasingly clear that some powers would not hesitate to use these methods to destabilise our very foundations. But with its values of openness and transparency, Europe has a few cards of its own to play. While the GDPR seeks to protect individuals and their individual liberties, the Cloud Act in the US allows the government to snoop through anyone’s data, even outside of US soil. Compared to this intrusive system and the one in China, which is increasingly shutting itself off from the outside world, Europe comes across as open and trustworthy – even more so after the Privacy Shield was struck down by the European Court of Justice.
Establishing a common European regulatory landscape
While the GDPR is emerging as a model for other nations, the rest of the European regulatory landscape seems more disparate. Against this international backdrop, three European powers seem to stand out just ahead of their peers, mainly through their security agencies. All three of these organisations—the ANSSI in France, the BSI in Germany, and the NCSC in the United Kingdom (if we still take a broad view of Europe)—are globally recognised and accredited for their rigorous standards when it comes to IT system security and defence. However, Europe is a fragmented market, with different languages and cultures, as well as a sense of national allegiance that is still going strong in the various member states. That is why cybersecurity contracts are predominantly granted in the country of residence.
Breaking out of this comfort zone would require greater effort and investment. For example, companies would need to carry out translations, gain access to previously unknown media outlets, and adapt the product or service to different countries. A level of effort and investment that only the major players can currently afford. This fragmentation is an object of trepidation for the European Commission, particularly as it implements the NIS Directive. Indeed, with the creation of Operators of Essential Services (OESs), the directive “has served as catalyst in many Member States paving the way for real change in the institutional and regulatory landscape with regard to cyber-security”, as noted in one of its recent reports. Nevertheless, “there are diverging interpretations by Member States as to what constitutes an essential service. This makes it difficult to compare the lists of essential services.” To repair this fragmentation, regulations will need to be harmonised. In this effort, the ENISA will play an important role in building a single, secure digital market, the tech equivalent of the single market for goods and people.
Accordingly, under the Cybersecurity Act, European certification schemes will be designed to establish a common framework on the market. The first candidate certification scheme for cybersecurity products, which is based on pre-existing frameworks, has just been presented. This scheme was drafted by the ENISA, which relied on the expertise of member states and stakeholders—including Stormshield. “The goal is to reduce this fragmentation, steer companies away from adopting a certification scheme based on the country where they want to market their firewalls, for instance, and limit the proliferation of national standards”, confirms Philippe Blot, Lead Expert Certification at the ENISA. “The idea is to create European pathways, a European form of governance, where all stakeholders agree on the rules of the game. Certification is a key element of trust. It subjects the product to a sort of trial by fire overseen by a third party. This party must be accredited and independent from the party that’s submitting the bid, and must be supervised by the national authorities established under the scheme. This increased trust will help foster greater transparency in the bids. It will also help open the market to 500 million people.”
The idea is to create European pathways, a European form of governance, where all stakeholders agree on the rules of the game.Philippe Blot, Lead Expert Certification at the ENISA
The next step will involve cloud technology, as the ENISA has been tasked by the European Commission with preparing a European cybersecurity certification scheme for cloud services. The project is similar to Gaia-X, the European cloud platform that aims to create a reliable, secure data infrastructure for Europe, particularly for the health care industry. “The encryption technologies used must be trustworthy, and the keys must be held by the company itself or by a trusted partner. I should be able to retrieve my data wherever it is stored: this notion of reversibility is essential, and Europe needs to work in this direction”, says Pierre-Yves Hentzen.
A Europe that is all too modest
But might Europe be just a bit too modest? “The US, Asia and Israel have developed a strong culture of entrepreneurship: launching a startup over there is considered a real career opportunity. Their governments help and encourage them toward it, and the regulations there are more flexible than in Europe. The big tech players are more likely to emerge over there”, says Markus Braendle, Head of Airbus CyberSecurity.
Still, Europe has nothing to be ashamed of. It is home to a number of highly competent cybersecurity firms. It also has world-class universities for cybersecurity research, with highly talented cyber engineers. “I think we’re too modest and we under-estimate our traditional capacities. We’re also at the centre of a new industrial revolution—Industry 4.0—with industrial leaders in aerospace, automotive manufacturing, pharmacology and chemistry, which are the envy of many. We have unrivalled know-how and unique expertise, which means even more cyber risks. As such, Europe must ask itself how dependent it wants to be on others for its cybersecurity, and find the right balance”, Markus Braendle concludes.