When the systems of three oil and transportation companies in Europe and Africa were dismantled on February 2, 2022, a cyber attack disrupted the activities of these facilities. Europe was preparing for an impending war in Ukraine and the impact of tensions on Russia’s borders began to become apparent on global energy markets.
The cyber attack has raised concerns that the war in Ukraine will spread rapidly online, with critical infrastructure at risk. Less than a week after the attack on SEA-Invest, and just eleven days before Russian forces crossed the border into Ukraine, the European Central Bank warned banks in Europe to prepare for a spate of Moscow-sponsored cyber attacks .
It is less than 18 months since the European Commission presented a new EU cyber security strategy, which highlights critical infrastructure, such as hospitals, power networks and railways, as a priority, but also the risks to homes and offices.
“We need to make sure our systems are reliable,” explained Tunil Sepp, the Estonian ambassador to cybersecurity in general.
Estonia is one of Europe’s most digitally advanced countries. Estonia became paperless in 2000 and established itself as a technology hub, after founding the popular video calling company Skype, which was bought by Microsoft in 2011. It recently introduced an electronic system, accommodation program. , and invites entrepreneurs to register in Estonia.
Sepp believes that Estonia’s example can be repeated across the continent and prioritises an open internet free of state control.
“We think alike, we have the same principles,” he said.
Estonia was the target of a large-scale cyber attack in 2007, which destroyed government websites, banks and the media. In 2017, Seb organized a cyber defense exercise for EU ministers.
“It was to show politicians how cyber incidents can lead to situations that require political decisions,” he said.
Among the European Commission’s proposals are an EU-wide “cyber shield” for security operations centers that use artificial intelligence and machine learning as an early warning system for cyber attacks, and a joint unit for information sharing and collective response to threats.
ENISA, the European Union’s cyber security agency, was established in 2019 as a permanent agency and provided more money and responsibility for cooperation and coordination between EU member states.
In December 2020, the European Union issued a mandate requiring companies to address cybersecurity risks in supply chains, supplier relationships and member states to conduct risk assessments.
Even when the attacks took place in February, the European Union’s response team said it was time to help the Ukrainian government repel cyber attacks. Brussels hosted cyber war games in January involving a fictitious Finnish energy company to test the resilience and readiness of cyber security in Europe, as part of a planned six-week exercise.
One of the ways in which Europe works to tackle cyber threats is by raising cyber security standards for products, through EU-wide certification processes, such as the quality mark.
A certification framework is currently being developed so that specific certification schemes can be developed for certain types of products.
“The great success of the European Union, when we think of cyber security, is that it has shifted from a high-tech state of information security, computer networks and systems in the 1980s to something that is now an important component of the political agenda in 27 countries, ”says Tim Stevens, a professor at University College London. College.
He adds, this previous approach to cyber security was more interactive, focusing on how to reduce disruption and ensure business continuity. Since then, his approach has changed and moved from focusing on risks to focusing on specific threats, from criminal gangs, nation states and everything in between.
As for being more active in defense, Stevens says it is an “uncomfortable” area as the EU was not created as a security and defense organization.
But with the bloc also emerging as a “cyber-diplomatic actor”, it is imposing sanctions on some of these specific threats, such as Russia, China and North Korea.
“It’s a big shift in focus,” Stevens said. “It’s kind of forced on them by circumstances.”
“If your Member State networks are regularly hit by someone in Eastern Europe, what are you going to do about it? Will you just sit there and take it?”
But Tunil Seb wants to see the EU go further.
He would like to see EU Member States commit to a certain percentage of IT investment in cybersecurity and infrastructure, while helping the EU to account for a fair contribution across members.
“We all want to make progress in our e-government and services, but we all need to think about security,” he said.