A Sting Exclusive: “Cybersecurity Act for safer European Industries and Consumers against cyberthreats”, by MEP Niebler

Ms. Angelika Niebler is Germany’s MEP for EPP and the European Parliament’s Cybersecurity Rapporteur (Copyright: Angelika Niebler, 2019).

This article was exclusively written and published for The European Sting by Ms. Angelika Niebler, Germany’s MEP of EPP and European Parliament’s Cybersecurity Rapporteur. The opinions expressed in this article belong to our distinguished writer.

Many people still think of cyber-attacks as science fiction and a story that makes for a good Hollywood movie. But this is certainly not the case anymore. One of the major hacks that shook the world already happened in 1999 when a 15-year-old hacked NASA and the US Department of Defence Threat Reduction Agency that is countering nuclear, biological and chemical weapons threats. In 2014, Sony Pictures suffered a cyber-attack suspected by North Korea after the release of a movie that depicts the violent death of Kim Jong Un. In 2015, the Ukraine power grid got hacked leaving 230.000 people in the dark for up to six hours. In 2016, Russians allegedly hacked US Democrats leaking thousands of E-Mails. In 2017, the attack “WannaCry” happened, that infected 300.000 computers in 150 countries demanding users to hand over money in exchange for keys to de-encrypt files and finally in 2019, hundreds of members of the German Bundestag and some members of the European Parliament were hacked.

These are only six of the most known hacks in the past years but studies show that the number of ransomware attacks is growing more than 350 percent annually targeting large companies as well as small and medium sized ones. In particular, the number of attacks on utilities and critical infrastructures is increasing heavily. While in the past, hacking efforts have been more about spying and stealing information, attacks now are aimed more towards sabotaging our critical infrastructure such as electricity and communication providers. In Germany, the national cybersecurity authority, BSI, recorded 157 attacks in the second half of 2018 – 19 of which were against the electricity network. However, the actual number might be much higher as mid-sized infrastructure attacks are thought to go unreported.

These developments put us at an even higher risk as ever before and has put the topic of cybersecurity and how to build up cyber-resilience at the top of the political agenda in the European Union.

As the responsible rapporteur for the Cybersecurity Act in the European Parliament, I took these developments and risks very seriously and made it my mission to make sure that the European Union is acting together to create more cyber-resilience. Europe needs a cyberspace that is safe and secure and the Cybersecurity Act contributes heavily to this target.

With the Cybersecurity Act, I wanted to tackle in particular two issues. The first issue relates to the increasing number of attacks on our critical infrastructure, which means on all aspects of our daily lives – electricity, communication, water etc. The second issue relates to the increasing number of internet of things-devices and the user’s mistrust in the safety and privacy of their devices. The European Parliament fought hard for ensuring that with the Cybersecurity Act, we make progress on both issues in order to create an environment for Europe to be a leading force on cybersecurity.

In the last year, 80% of European companies fell victim to at least one cybersecurity incident. In some Member States, half of all crimes committed are cybercrimes. These developments threaten our society as a whole and our way of living. An attack on a major electricity provider can paralyse entire cities and thousands of citizens. The EU needs to react in this regards and with the Cybersecurity Act, it does! The European Parliament worked hard to ensure a strong European response to the increasing number of threats. The result is the establishment of a European cybersecurity certification framework, which will be voluntary at first, but the European Commission has a strict obligation to assess whether particular cybersecurity certification schemes shall be made mandatory, in particular in view of critical infrastructures. We have also strengthened the stakeholder involvement in the certification process; have obliged the European Commission to come up with a work programme on upcoming certification schemes for more transparency for the industry and strengthened ENISA, the European cybersecurity agency.

My other mission was to make sure that all users of internet of things-devices could place trust in the safety and security of their products. With more and more devices and services connected to the internet, users are increasingly put at risk of cyber-attacks. Europe is becoming more digital with every passing day. Over 80% of the EU’s population have internet connections and by 2020 the vast majority of our digital interactions will be machine to machine with tens of billions of internet of things-devices. As we all know, humans are often the biggest security risk. We do not change our passwords regularly, protect our home routers and smart home appliances and most people do not patch often enough. However, the user is part of the effort of creating a safe environment and needs to play an active role. Our task as the European legislators is therefore to provide a framework that creates more trust in the security of these devices. I think we have achieved this! The European Parliament insisted that product information for users for smart devices must be provided, so that users are given guidance and are provided with recommendations on secure configurations and maintenance of their devices, availability and duration of updates and known vulnerabilities. If users follow these recommendations, we will together provide for more cybersecurity and resilience. 

In the end, we all want to live in a cyberspace that is secure and safe. So let us fight for a safer Europe together!