ENISA is tasked with helping EU member states develop policies and strategies around cybersecurity, but what does that entail?
ENISA (European Union Agency for Network and Information Security) is a centre of cybersecurity expertise in Europe. It is seated in Heraklion, Crete with an operational office in Athens.
A boost for ENISA
In July this year, European lawmakers voted in favour of giving more power and a larger budget to ENISA. The vote also made ENISA the sole reference point for a new EU-wide cybersecurity certification scheme.
Ahead of a busy period for the body, ENISA’s head of core operations, Dr Steve Purser, spoke to Siliconrepublic.com about future plans, wider cybersecurity issues and the challenges ahead. Having been with the agency for a decade, Purser has seen some major changes in the cybersecurity space over time.
According to Purser, two of the biggest security steps taken in the EU include the 2009 policy on Critical Information Infrastructure Protection and the adoption of the 2010 Internal Security Strategy for the European Union. These changes, along with others, laid the groundwork for the EU’s security model today.
ENISA itself works in a specific way. As opposed to undertaking cybersecurity strategy management in each member state, it acts as a catalyst and provider of expertise: “We take our resources and use them to leverage resources out in the member states.”
This involves everything from massive cybersecurity exercises to managing European Cybersecurity month, making policy recommendations and liaising with both political and industrial figureheads in each member state.
For Purser, it is about “making sure that people don’t reinvent the wheel and ensure that they do things not only in the best way from a security perspective, but also in an economical and realistic way”.
New threats and technologies
Developments over the past decade have been rapid. Purser said: “In the last 10 years, we’ve seen a huge movement towards distributed technologies.”
The “huge proliferation of devices at a consumer level” has also radically altered the threat landscape, enlarging the attack surface.
Working together with member states is an integral element of ENISA and Purser’s work: “We actually liaise with member states on several levels.” Each project is a collaborative effort, which requires the creation of an expert group to guide the agency.
ENISA is now also tasked with cybersecurity certification, which is huge in scope. Everything “from toasters to atomic submarines” needs to be certified.
Initially, ENISA will need to set up the correct governance system before developing processes to make it work, as well as relevant timelines.
Criminals will become more sophisticated
Purser noted the calibre of attackers and cyber-criminals has increased and become more refined over time: “They are getting more sophisticated. This won’t change.”
Looking to the future, he predicts cyber-criminals will become even more organised, particularly in the economic sense. He noted how things changed about 15 years ago: “People stopped attacking systems to make a name for themselves and started making money out of it.”
Social engineering is an ever-present tool used by online criminals, and one that is still widely deployed. While Purser says more work needs to be done in terms of regulating artificial intelligence, he believes it will be at least another five to 10 years before quantum computing becomes a sizeable threat to cryptographic systems.
Bridging the gap
Another challenge is the skills gap. While there is always going to be demand for the likes of cryptographers and protocol analysts, Purser says cybersecurity needs people with “good practical experience of implementing security in real life”.
The economics of cybersecurity is also a pressing issue, as cyberattacks have a “knock-on effect on industries”. Purser says consistent data on the subject is difficult to find, as many studies use different metrics.
Cybersecurity affects every company and organisation, and he says risk management is the main driver. Understanding what the key risks are is paramount, then mitigation is the next step.
At the implementation phase, “it is best to go at baby steps. Identify the shortcomings and don’t forget to put in a plan to actually tackle these shortcomings”. Verifying and testing is no good when you are not actually solving the problems identified.
The baby steps method is important in the case of the agency. The nature of ENISA’s work is that often the impact of its strategies do not materialise for a number of years.
This is something Purser is extremely conscious of, particularly given that political priorities can change fast. “Part of the work of ENISA is to ensure that we remain suitably independent,” he said.
With the spotlight firmly on cybersecurity as public knowledge of the issues grow, ENISA remains a crucial resource.