Joint Cyber Unit – enhancing cooperation in Europe

In January 2021, the Angers metropolitan authority was attacked by ransomware which paralyzed all its computers. A few months later, during the summer, the city of Rome had its IT departments targeted by a similar attack. These are just two examples among many others illustrating the rise of ransomware attacks (+255% in 2020 according to the latest report by the National Cybersecurity Agency of France, ANSSI), and the vulnerability of IT infrastructure. Companies, hospitals, town halls – everyone is threatened by this type of malware that knows no borders, for example WannaCry in 2017, which infected more than 300,000 computers in 150 countries by exploiting a Windows XP vulnerability.

To fight against major cyberattacks more effectively, the European Commission is reinforcing cooperation across the continent with a new entity: the Joint Cyber Unit.

There is a need for cooperation between companies, institutions and States because the attackers operate worldwide: they have no problem playing on all fronts and reaching all types of computer users in an attack.

The creation of the Joint Cyber Unit comes following the review of the European Network and Information System Security (NIS) directive, or NIS 2, which was published at the end of 2020 and concerns so-called operators of important or essential services. This Directive aims to strengthen the legal framework and harmonize the level of cybersecurity among countries and sectors of activity, with sanctions for non-compliance.

Reorganizing the troops

The new entity, which should be operational from 2022, is intended to “go further than existing initiatives such as the CSIRTs Network, which brings together national incident response teams at European level, or the more informal EGC Group (European Government CERTs).” The Joint Cyber Unit will further structure cooperation in the event of a cybersecurity incident. The European Union Agency for Cybersecurity (ENISA), which supports Member States in matters of cybersecurity policy, will be tasked with setting up the Unit, in cooperation with Europol.

Concretely, it will take the form of “a virtual and physical platform of cooperation” enabling a coordinated response to cyberattacks.

Its success could make a huge difference in dealing with an incident on a European scale. The success of the response to an incident depends on the prior organization of our crisis management capabilities. It takes preparation to get to know, identify and above all trust each other – because without trust, cooperation is not possible. This is arguably the biggest challenge that awaits the Joint Cyber Unit.

In France, for example, InterCERT-FR, an association of around fifty teams (internal CERTs from large corporations, institutional CERTs, commercial CERTs, etc.), is a real network of trust based on the pooling of information on the characteristics of an attacker or an attack, which can help everyone to deal better with any incidents that arise.

Unity makes strength

The Joint Cyber Unit’s crisis management process will include a mapping of all actors able to help: first those from the public sector, then members of the private sector. At present, it is difficult to respond without private sector support. National cybersecurity agencies cannot realistically come to the aid of all those who are attacked.

To facilitate this cooperation, it is important to specify each actor’s role and to ensure a consistent approach. The awarding of labels at European level could also help to establish a common framework conducive to a climate of trust. If we consider ANSSI certification identifying reliable actors in France, it makes sense to generalize this approach across Europe so as to be able to call on a private actor in another country with confidence, for example.

A “cyber shield” enhanced with AI

The joint approach should also improve the detection of attacks as early as possible, by setting up a “cyber shield” drawing on artificial intelligence. Thierry Breton, Commissioner for the Internal Market, described the Joint Cyber Unit as “the operational arm of the European Cyber Shield”.

The objective of the cyber shield is to further the expertise of SOCs (Security Operations Centers, responsible for monitoring, analyzing and protecting a company against cyberattacks) in Europe, and then to see how SOCs can interconnect to share more resources on detecting threats, although the notion of “shield” is contested.

This is particularly relevant since CERTs and SOCs continually face new challenges, starting with the rapid growth of the IoT, which is of particular concern to the European Commission. “If everything is connected, everything can be hacked,” said European Commission President, Ursula von der Leyen, in the State of the Union address on September 15. There could be 22.3 billion connected devices by 2024, representing as many targets for botnets (networks of bots) to exploit their vulnerabilities in order to gain control and deploy large-scale attacks. The race against time between hackers and operational cybersecurity teams is only just beginning.

Topics

Cybersecurity