When the systems of three oil and transportation companies in Europe and Africa were destroyed on February 2, 2022, Europe was preparing for an imminent war in Ukraine and the impact of tensions on the Russian border was beginning to be felt on global energy markets.
The cyberattack sparked a wave of concern that a war in Ukraine would quickly spread online, with critical infrastructure under threat. Less than a week after the attack on SEA-Invest, and just eleven days before Russian troops crossed the Ukrainian border, the European Central Bank has warned European banks to prepare for a wave of Moscow-sponsored cyberattacks .
It has been less than 18 months since a new European cybersecurity strategy was presented by the European Commission and critical infrastructure, such as hospitals, energy networks and railways, has been highlighted as a priority, but it also highlighted the risk to homes and offices on a daily basis.
“We need to be sure that our systems are reliable,” explained Tanel Sepp, Estonia’s roving ambassador for cybersecurity.
Estonia, one of the most digitally advanced European countries paperless in 2000 and established itself as a tech hub, having produced the popular video-calling company Skype, which was acquired by Microsoft in 2011. It recently launched an online residency program, inviting entrepreneurs to enroll in Estonia .
Sepp believes Estonia’s example can be repeated across the continent and prioritizes an open internet free from state control.
“We think the same way, we have the same principles,” he said.
Estonia was the target of a massive cyber attack in 2007, which destroyed government sites, banks and media, and Sepp organized a cyber defense drill for EU ministers in 2017.
“It was precisely to show politicians how cyber incidents can lead to situations that require political decisions,” he said.
Among the European Commission’s proposals is an EU-wide “cybershield” of security operations centers that use artificial intelligence and machine learning as an early warning system for cyberattacks and a unit to share information and collectively respond to threats.
ENISA, the EU’s cybersecurity agency, became a permanent agency in 2019 and received more money and responsibility for EU member states’ cooperation and coordination.
The EU passed a directive in December 2020 that required companies to address cybersecurity risks in their supply chains and relationships with suppliers and member states to carry out risk assessments.
Even when the attacks hit in February, the EU response team had time to help the Ukrainian government fend off cyberattacks. In January, Brussels staged cyberwar games featuring a fictional Finnish energy company to test Europe’s cybersecurity resilience and readiness, as part of a planned six-week exercise.
One of the ways Europe is working to combat cyber threats is by raising the cybersecurity standards of products through EU-wide certification processes, such as a quality mark.
Currently, a certification framework is being developed so that specific certification systems can be developed for specific product types.
“The great success of the EU, when you think of cybersecurity, is that it has gone from being a very technical security of information, computer networks and systems in the 1980s to something something that is now high on the political agenda of 27 countries,” says Tim Stevens, a professor at University College London.
This earlier approach to cybersecurity was more reactive, focusing on how to minimize disruption and ensure business continuity. Since then, his approach has shifted, he explains, from focusing on risk to focusing on specific threats, criminal gangs, nation states and everything in between.
As for being more proactive on defence, Stevens says that is more “uncomfortable” territory, as the EU was never created as a security and defense organization.
But while the bloc is also emerging as a “cyberdiplomatic actor”, exercising sanctions against some of these identified threats, such as Russia, China and North Korea.
“It really is a change of direction. In part, it was imposed on them by circumstances,” Stevens said.
“If your member states’ networks are regularly getting hammered by someone in Eastern Europe, then what are you going to do about it? Are you just going to sit there and just take it?
But Tanel Sepp wants to see the EU go further.
He would like to see EU member states commit a certain percentage of IT investment to cybersecurity and infrastructure, with the EU helping to calculate a fair contribution among members.
“We all want to advance our e-government and our services, but we all have to think about security,” he said.