Europe Daily Bulletin No. 12273
SECTORAL POLICIES / Digital

EU must address cybersecurity responsibility, says Udo Helmbrecht

After ten years at the head of the European Union Agency for Network and Information Security, recently renamed the EU Cybersecurity Agency, Udo Helmbrecht is about to retire at the end of the year. On the sidelines of an industry event co-organised by the Free State of Bavaria to the European Union, he provided us with his observations on how efforts are progressing. (Interview by Sophie Petitjean)

Sophie Petitjean: Is the European Union properly prepared for cyber attacks? Can we say that it is cybersecure?

U. Helmbrecht: It’s difficult to say what the level of security is. But I think what you can say is that the Member States, which are in charge of their national cybersecurity, are doing a lot in this area. At the European level, there have been many things done in terms of regulations, awareness raising, cooperation, etc. So, if you compare with years ago, I think we have improved a lot, yes. There have been no major incidents of the WannaCry type (2017) for several years, and the European elections went smoothly. This shows that with good preparation you mitigate risks.

Today, discussions are focused on Chinese equipment manufacturer Huawei. Does it represent a danger to Europe, in your opinion, and should it therefore be banned?

Banning? That’s a political decision. But it seems that people have just woken up and realized that we don’t have the suppliers any more in Europe. Those who used to work for Nokia and Ericsson work now for Huawei. European companies missed their chance when Nokia was bought by Microsoft, and Microsoft turned Nokia down. The challenge is not that we do not have enough talents in Europe, the question is: where to innovate in Europe with this talent, and why is this innovation done by American or Chinese companies? (...) The answer, for me, comes from a different mindset: whereas in Europe we look at a company's income before investing, in America or China, they look at the future value of the company. We need more venture capital, more risk appetite, more innovation, and not just sitting on the successes of the past decade. 

ENISA's role and missions are changing with the Cybersecurity Act. Where are we at in its implementation?

The Regulation will enter into force on 26 June. It establishes a European certification framework, which is in preparation. Two special groups still need to be established: the European Cybersecurity Certification Group (ECCG) and the Stakeholder Group for Certification (SCCG) [...] ENISA will then be asked to establish the certification scheme. And then when the scheme is defined, we will have a so-called implementing act. [...] But we are not starting from nowhere: what we have today is the Common Criteria certification (SOG-IS); there are about 14 Member States already doing this. The idea is that we start with this and harmonise it for the Twenty-Eight. Then it’s about cloud certification, because we already have voluntary certification schemes through the Cloud Security Alliance. Then we will also have a big discussion about the Internet of Things.

And as far as strengthening ENISA's mandate is concerned, will this help you deal with the lack of resources?

At the moment, we have about 83 people, but we should have 126 by 2020. I think this growth of the agency will attract new people. It's not easy, you know, to attract new talent! Clearly, there is a need for more people to be trained in cybersecurity.

And while we are on the subject of the Agency and its staff, how did you react to the publication of the survey revealing that sexual harassment was a concern for a third of the Agency's members?

We did a lot of actions internally, especially awareness raising. Staff also have the possibility to go anonymously to a confidential counsellor. So there are a couple of things.

We also had an external assessment where somebody from the agency network came for a few days. And despite the rumours, this assessment didn’t reveal real cases, evidence-based cases. The problem is that sometimes, it’s a question of culture: there is this grey area with different perceptions of the same behaviour. What we need to do is to elaborate a code of conduct to say what is allowed and not allowed. And we are working on it. It will be available in a few months.

And beyond the Cybersecurity Act, what is missing in Europe today? 

Something about liability! This principle exists in certain areas, such as aviation safety and the financial sector. But in the IT field, there is nothing. We should develop some kind of liability, so that when someone markets a computer device, they are also liable for its security features. When you buy a car, you know that the manufacturer is liable for it and, if something happens, there is a recall mechanism in place. But it doesn't exist for IT products; there is no corrective mechanism patching for security features. I think we should act on that. We should start with the Internet of Things and household devices. But, unlike consumer associations, it’s true that the industry doesn’t want it. We need real politicians who are committed.

Is that a discreet request?

Yes, it is a call to the next European Parliament and the next Commission to get involved in this area. The Commission is aware of the problem, but there's not too much pressure. 

You will leave ENISA at the end of the year (October), after 10 years as its head. Do you have any advice for your successor? 

I think ENISA has achieved what was expected of it. In this atmosphere in Brussels, it’s difficult to survive in this Parliament/Commission/EU Council/agencies network. So what I would say to them is that it’s important to understand how this system works and also to find your role in the eyes of the many lobbyists who gravitate around it.
