by Luca Bertuzzi
The European Commission and the EU’s diplomatic service are setting up two competing initiatives to collaborate with private companies on cybersecurity threats. Meanwhile, EU governments appear keen to keep sensitive intelligence for themselves.
In recent months, the European External Action Service (EEAS), the bloc’s diplomatic arm, has been working on updating its EU Cyber Diplomacy Toolbox, an initiative to coordinate a diplomatic response to malicious cyber activities.
The proposal, briefly previewed in the EU’s military strategy, the so-called Strategic Compass, was earmarked last year for implementing “preventive measures and sanctions on external actors for malicious cyber activities against the Union and its member states”.
As part of the revamping, the EEAS has engaged with cybersecurity companies and associations to develop a Public-Private Partnership, according to a series of documents seen by EURACTIV.
According to a discussion paper on the initiative, “the EEAS is exploring setting up a structured and regular engagement with the private sector, which could be a platform for the exchange of high-level observations on strategic cybersecurity trends in the context of foreign and security policy”.
Following the Ukrainian model, the idea is to create a ‘win-win framework’ in which the private sector pools cyber threat intelligence so that responses to malicious cyber actions can be coordinated.
Cyber Diplomacy Toolbox
The EU’s diplomatic service has organised in recent months closed-door workshops in collaboration with the European Cyber Agora, a multi-stakeholder initiative driven by Microsoft and the German Marshall Fund of the United States.
The first meeting in November was arranged at the premises of Microsoft, a leading company in the cybersecurity field that has regular intelligence exchanges with the US security services.
EU and US intelligence agencies have had a troubled history regarding intelligence sharing. European companies are therefore questioning how much high-quality cyber threat information will actually flow if Washington is involved, albeit indirectly.
The second workshop, dedicated to use cases for cyber threat intelligence, took place last Thursday (16 March).
The last workshop is expected in the coming week, focusing on testing the solutions identified so far, with the final reform to be presented during the European Cyber Agora conference on 25-26 April.
However, with one month to go, the shape of this Public-Private Partnership remains undefined, as private companies currently do not see the advantage of sharing threat intelligence with the service, according to sources informed on the matter.
To make things worse, the European Commission is also working on a similar, but separate, initiative.
European Cyber Reserve
Next month, the Commission is due to present the Cyber Solidarity Act, a proposal to set up the legal framework for distributing financing from the cybersecurity emergency fund to provide incident response and cybersecurity audits to critical entities.
The private companies providing these services will have to qualify via a cybersecurity certificate and will form a Cyber Reserve. In return for this privileged access to publicly-financed contracts, the trusted service providers will most likely be expected to share threat intelligence.
A critical part of the Cyber Solidarity initiative is the establishment of a European Detection Infrastructure, intended to provide a secure platform for sharing threat intelligence.
However, the question is not only about raw data but primarily about the capacity to analyse it in real time. In this regard, the Commission recently allocated a grant to establish a situation room to manage cybersecurity incidents affecting Europe.
In other words, the EU executive is mostly focused on incident responses to large cyber-attacks, whilst the EEAS is merely interested in being able to attribute responsibility to the malicious actors to inform the EU’s diplomatic responses, like economic sanctions.
The two EU services are working on separate groups with different approaches. The EEAS invited the Commission to attend its second workshop, but the EU executive did not send a representative.
Meanwhile, member states are also trying to keep cyber threat intelligence in their hands.
Valued vulnerabilities
An essential part of cyber threat intelligence relates to actively exploited vulnerabilities, weaknesses in software that attackers are already using to gain unauthorised access.
How to deal with exploited vulnerabilities is a sensitive topic in the discussions over the Cyber Resilience Act, a draft law to introduce cybersecurity requirements for connected devices.
The original Commission proposal required product manufacturers to signal these vulnerabilities to ENISA, the EU cybersecurity agency.
However, many doubted that the EU agency would have the capacity to manage such a volume of data, and warned that a centralised repository of such sensitive information would be a very appealing target for malicious actors.
Instead, EU countries want these notifications sent to the national Computer Security Incident Response Teams (CSIRTs). In last week’s compromise text on the draft cybersecurity law, the wording was broadened further, giving a national CSIRT more leeway to refuse to share the information with its peers.
Moreover, last week Heise reported that Germany’s federal police and Central Office for Information Technology have been working since October 2021 with authorities in France, the Netherlands, and Norway to identify zero-day exploits.
The project, coordinated by the French interior ministry and with 90% of its €4.2 million budget covered by EU funding, aims to find the type of vulnerabilities that allow law enforcement to crack passwords and spy on encrypted smartphones.
Zero-day exploits are the Holy Grail of offensive capabilities, as they target vulnerabilities that are unknown to the software provider and for which no patch yet exists. They are considered highly sensitive because they can be used to hack not only criminal organisations but also sensitive targets in foreign countries.
*first published in: Euractiv.com