Market forces are inadequate for generating the incentives companies need to improve products from a cyber security perspective, Mariya Gabriel, the European Commissioner for Innovation, Research, Culture, Education and Youth, said in her opening remarks at the EU Cyber Direct conference, held virtually on Monday.

“Firstly, there is relatively little competition”, she said. “For instance, the desktop operating system industry is dominated by two companies, while the mobile operating system environment is characterised by a duopoly, a trend which applies to most digital sectors. This absence of effective competition adversely impacts the incentive for developers to produce secure code.”

She explained that in markets with dominant suppliers, “users tend to have very little bargaining power. They are not able to exert much pressure on vendors to provide solutions to exposed vulnerabilities, resulting either in delayed releases of solutions or poor quality ones.”

“According to several of our studies, cybercrime will cost the world EUR 5.5 trillion by the end of 2020, up from EUR 2.7 trillion in 2015. The rise in cost is due in part to cybercrime activity during the COVID-19 pandemic. If it happens, it will be more profitable than the global trade in all major illegal drugs.” – Mariya Gabriel, the European Commissioner for Innovation, Research, Culture, Education and Youth

Creating a Secure Digital Society by Design

“The more devices we connect, the more vulnerabilities we open up,” Gabriel said during her opening keynote address. Highlighting societal challenges, she said that users pay less attention to digital credentials than their physical ID cards, and such decisions impact not just the daily usage of digital services, but strategic decisions. “This means that the number of citizens, organisations and businesses impacted simultaneously by a single attack can be huge.” The attacks are becoming more complex and more difficult to foresee and prevent. The capabilities are increasing with more computational power distributed across mobile devices and Internet linked appliances.

“Therefore, it is clear that it is as much a matter of education, culture, politics and policies as of technology. In other words, it is not only about adopting a security by design approach to products and services, but also building a security of a Secure Digital Society by Design.”

“Ensuring the privacy of our personal lives, the trust among businesses and digital services, and in digital services, as well as the protection against disinformation and hate speech are just some aspects which we can already see at large scale. This is why the discussion on cybersecurity and digital technologies must be looked at as a societal issue, and not only as a purely technological one,” she added.

Developing a Secure by Design digital European Society, she said, requires work on four complementary angles:

  1. Balancing cybersecurity with fundamental rights: “This requires a clear legal framework, as well as a clear guidance as to how law should be interpreted and applied. The GDPR best practices for cybersecurity experts on how to interpret and apply the regulation, still needs to develop. We need policymakers, legal experts, researchers, business leaders and cybersecurity experts to collaborate on ensuring the balance between cybersecurity and fundamental rights.”
  2. Adequate labour force of skilled people: “The job market is currently unable to respond to the growing demand for skilled people in the field of cybersecurity. Today, the visible consequence of this is the 1 million shortfall in employees, which is expected to grow further in the future. A shorter answer to this problem is to encourage existing workers to engage in a continuous educational program related to cybersecurity, leading perhaps to cybersecurity certification. A longer term solution is to integrate the teaching of cybersecurity skills into school and university curriculum.” Gabriel pointed out that we need more women in cybersecurity, and at present, they make up only 17% of the sector.
  3. Accountability: “The third angle is about the industry standards that are needed to be able to hold companies accountable to their customers, and the legislators with the necessary flexibility on a case by case basis. Also, in a hyper connected world, we need to ensure the interoperability of products and services across all relevant players, across the whole lifecycle of the products and services.”
  4. Commercialisation of scientific knowledge: Europe, she said, “needs to pay more attention to more efficient transfer of scientific knowledge into commercial products. We need to strengthen the capacity to turn breakthrough research results into disruptive innovations, we need an innovative and effective mechanism to coordinate research and commercialization activities across programs across European member states. This will allow us to better monitor and manage the impact of the European Union’s investments in strategic technologies, cybersecurity included. And it will also allow us to grow the portfolio of technologies and companies, and to capture the economic potential from emerging technologies.” She pointed out that the global market for cybersecurity products and services had been growing 15-20% annually, but only 14% of the top 500 global security providers were headquartered in Europe.

Gabriel suggested the establishment of “a European platform for vulnerability management”, saying that the proposed Horizon Europe program contains the tools and funding opportunities for cybersecurity, and pointed out that the European Commission has worked with member states to “develop the cyber diplomacy toolbox which we adopted in May 2019. You know that this framework consists of measures to prevent and deal with cyber attacks from external actors against the EU. It [also] includes the sanction regime against individuals and entities.”