Cyber security is at the same stage the automotive industry was at in the 1920s, as public and private sectors need to come together in order to make security standards a reality.
Speaking at the Trust in the Digital World Conference in Madrid, Jakub Boratynski, head of trust and security at the European Commission, said that Brussels faces a new challenge every five years with “new masters”, and while this is a challenge, it is also an opportunity to answer basic questions on “what can we realistically do to make things happen?”
He said: “The fundamental problem is that we are dealing with unknowns and do not know if it is malicious and cannot predict when the next incident will happen, but we do know it will happen. We can make our masters aware of threats and we are now 20 years down the road in the age of the internet, but at an early age of the process.
“If you make a comparison of the car of the 1920s and see the progress made since, we are in the 1920s of internet security and this shows the importance of research and that is one of our major tools.”
Boratynski said that a main message is that the risk of cyber security cannot be eliminated or solved and the central element of response is risk management, which he said is the “cornerstone of the commission”.
“A huge challenge of policy makers is to move into the perspective of cyber security as it is dominated by tech guys and nerds who do not take into account the limitations of ordinary humans,” he said. “With ever longer passwords, despite warnings people still write them and these are the things to take into account and do well.”
He offered three proposals: to build defences at national level, put in place some infrastructure and architecture to enable cooperation between member states, and to directly affect industry risk management and obligations relating to incidents. He said that this will be enabled by three key actions (pictured).
“We want to ensure the directive is not an empty shell, and want to avoid a situation with a status quo,” he said. “It has to be a serious effort that national capabilities will grow and national CERTs are brought up to a higher level where we allow the facility to improve. We have a directive and want to avoid another lawyer-driven exercise.”
He concluded by saying that a big challenge in organising at European level is achieving cohesion, but that this is built on the Cyber Security Strategy. He asked how different policy elements can be embedded, and whether cyber security should perhaps be part of an impact assessment.
“We are not at the stage of formal consultations and at the start of strategy on who needs to be involved and how do we make it happen,” he said. “We see the NIS directive as a major opportunity and a new opportunity for products and solutions and it will engage a new relationship between the public and private sectors, as it will be a new set of obligations on both sides, and both sides need to work to make it happen.”