Cybersecurity and the EU's 2030 Digital Compass

Jochen Michels, Head of Public Affairs, Europe

‘Cybersecurity is not everything. But without cybersecurity, everything is nothing’. This pun is not from me (unfortunately, I don't know who originally wrote it), but it captures the reality quite well, at least from my point of view. This is also what I thought when I was reading the 2030 Digital Compass, the EU Commission’s Communication on Europe’s Digital Decade. To be clear about this: it is useful and goal-oriented to set clear and quantifiable targets so that progress can be continuously evaluated and new approaches can be developed where progress is deemed insufficient. The four cardinal points of the 2030 Digital Compass – (i) a digitally skilled population and highly skilled digital professionals, (ii) secure and substantial digital infrastructure, (iii) digital transformation of businesses, and (iv) digitization of the public sector – are also very well suited to translate the EU’s ambition for a successfully digitized Europe by 2030 into common concrete objectives. In addition, it is very reasonable to use the Digital Economy and Society Index (DESI) as a basis for measuring success, but to further expand and adapt it for this purpose. But…

As a global cybersecurity company with a strong European footprint, we at Kaspersky have examined the 2030 Digital Compass in particular with a view to the importance of cybersecurity and cyber-resilience. We did this especially because we believe that appropriate cybersecurity is a prerequisite and a success factor for digitization. This is why this point should be given due consideration in the 2030 Digital Compass. A simple assessment of the economic consequences of cybercrime illustrates this: according to the report ‘Cybersecurity – Our Digital Anchor’ by the Joint Research Centre (JRC) of the European Commission, the global annual cost of cybercrime has significantly increased, up from EUR 2.7 trillion in 2015 to EUR 5.5 trillion by the end of 2020.

The European Union and Member States are on the right track to increase cybersecurity and to foster cyber-resilience. But… we believe that it is imperative that this is translated into tangible forward-looking policy objectives that ensure that European citizens and businesses operating and investing in the European digital single market can enjoy the benefits of digitization without suffering from its harmful side-effects, such as data breaches, identity theft, ransomware attacks, etc. Let us have a look at the four fundamental fields or compass spikes:

Digitally skilled population and highly skilled digital professionals:

According to the (ISC)² Cybersecurity Workforce Study, already in December 2019, almost 300,000 posts for cybersecurity professionals in Europe remained unfilled, with 58% of organizations reporting unfilled vacancies that could negatively affect their ability to defend themselves against cyberattacks. And an ENISA report notes that this problem is probably here to stay, with 16% of cybersecurity vacancies going unfilled in 2020. Such a skills shortage is also expected to disproportionately affect SMEs and public institutions, in particular because they cannot afford the intensive price competition caused by the unfulfilled demand. The training of young cybersecurity professionals is a low-hanging fruit that is expected to generously repay any EU-level or national investment, both from economic and social perspectives.

As such, we recommend setting very ambitious targets here, adding cybersecurity to basic digital skills and setting a goal for the number of employed cybersecurity specialists. By adding dedicated IT- and cybersecurity courses to the school curriculum at an early age (for kids to better understand the workings of information technology and thereby strengthening overall skills in IT and cybersecurity), the success of the digitization process will increase in multiple ways. We also recommend referring to the number of students admitted to specifically cybersecurity-themed graduate programmed in Europe per year by 2030 and as a further goal for the percentage of university degrees that include a dedicated course in cybersecurity. We at Kaspersky and a lot of industry players stand ready to support these ambitious goals with cyber capacity building.

As stated in the 2020 Joint Communication on cybersecurity, around 40% of EU users experience security-related problems, and more than 70% feel that they are not able to fully protect themselves from cybercrime. Unfortunately, many citizens are not aware of the threats they face and the potential mitigation measures available. For example, according to the 2020 Special Eurobarometer, only 42% of citizens have antivirus software installed, only 29% use different passwords on different websites (and only 7% use a password manager), while only 21% regularly change their passwords. Given the ease and convenience of use of modern endpoint security software and password managers, as well as the fact that even such simple tools provide a level of security that is several orders of magnitude higher than having no protection at all, we feel that urgent and ambitious action must be taken to educate and help citizens improve their cyber hygiene.

Secure, reliable and sustainable digital infrastructure

Given that they serve as the backbone of Europe’s digitization, over the past few years, European institutions have rightfully emphasized the importance of secure and resilient digital infrastructure. Perhaps the most important aspect of ensuring the resilience of Europe’s digital infrastructure is building them with cybersecurity in mind from the design phase, thereby ensuring that not only the separate parts, but the systems and frameworks put together are secure and reliable. As such, the “security by design” approach has to be consequently followed and implemented. This could lead to a new concept and a change from cybersecurity to ‘cyberimmunity’.

As the Cybersecurity Strategy notes: All Internet-connected things in the EU […] need to be secure-by-design, resilient to cyber incidents, and quickly patched when vulnerabilities are discovered. ‘[…] [C]ybersecurity by design […] can mitigate risks, potentially reduce costs to companies as well as to wider society, and thereby increase resilience.’ Digital Compass policy targets in the area of cybersecurity should emphasize the importance of not making cybersecurity simply an ‘afterthought’, but including security-related considerations from the design phase. Although the cybersecurity of a system can never be ‘absolute’, reducing the attack surface and raising the costs of conducting attacks for malicious actors could greatly contribute to the overall resilience of EU digital infrastructure.

Digital transformation of businesses

As businesses adjust to the post-pandemic world and accelerate their efforts to move many of their activities and processes online, their risk of suffering cyberattacks has also grown significantly. The threat landscape has changed. One example is ransomware: On April 23, 2021, Kaspersky published global ransomware statistics, which showed a significant decline in the number of users who had encountered this threat. But these numbers should not be misinterpreted: while it is true that random individuals are less likely to become a victim of a ransomware attack than they used to, the risk for companies has never been higher. Ever eager to maximize profits, the ransomware ecosystem has evolved and has become a systemic threat for corporations all around the world.

In spite of this, cyber readiness among both businesses and individuals remains rather low. ENISA’s NIS Investment Report notes that ‘When comparing organisations from the EU to organisations from the United States of America, data shows that EU organisations allocate on average 41% less to information security than their American counterparts.’ Although investment does not always translate directly into more security, this statistic also indicates the generally lower level of awareness regarding cybersecurity risks in Europe, when compared to the United States. Naturally, the proposed revision of the NIS Directive should help to increase investment by entities of significant importance to the EU economy and society.

However, encouraging more cybersecurity investment also by other actors, especially SMEs, could greatly enhance the overall resilience of the Union against cyberattacks. We recommend setting an ambitious and future-proof target to be achieved 2030, e.g., goals for the percentage of cybersecurity budget of the overall IT budget and adding cybersecurity to the goals for businesses overall – and for SMEs in particular – and for running cybersecurity trainings at large businesses and SMEs. Why SME in particular? In a recent study on the preparedness of SMEs, ENISA found that more than 80% of SMEs process ‘critical information’, which – if stolen or lost – would lead to serious legal repercussions or even irreversible consequences. Indeed, 57% of the companies surveyed by the Agency stated that they would most likely become bankrupt if they faced such serious cybersecurity issues.

On further thought: according to the ENISA Threat Landscape Report of 2020, 84% of cyberattacks at least partially rely on social engineering. Given that a system is only as strong as its weakest link, employees of companies, especially SMEs, need to be trained in recognizing and reacting to potential cyber threats. This is all the more important as businesses are increasingly digitally interconnected and we see a development of “supply chain cyberattacks” targeting suppliers to reach larger organizations.

Digitization of Public Services

An efficient and customer-oriented public administration is an important prerequisite for economic, social and societal development in Europe and for trust of citizens and businesses in services and infrastructure. If the infrastructure of the public sector is compromised, it will inevitably undermine citizens’ trust in this infrastructure and the capability of the public sector to ensure reliable and secure online services. This is why trust and security are of particular importance for the digitization of the public sector.

At the same time, the public sector is a target for the most sophisticated cyberattacks, including advanced persistent threats (APTs) and targeted ransomware attacks (see for example the Kaspersky Security Bulletin – story of the year 2019: Cities under ransomware siege). But because of tight public budgets and the major shortage of skilled IT professionals, ensuring an adequate level of cybersecurity is an extremely challenging task.

Hence, we support an ambitious agenda for the protection of the evermore digitized public services of Member States and the EU. For example, targets could be set for increased investment in cybersecurity solutions and services (for instance by public procurement policies: setting thresholds of budgets dedicated to cybersecurity within IT new projects), innovative cybersecurity training and gamification approaches for civil servants (as an example, in the COMPACT project funded under the Horizon 2020 program special trainings for local public authorities were developed with the collaboration of Kaspersky), as well as minimum requirements toward information security management, for example based on international standards such as ISO 27001.

‘Cybersecurity is not everything. But without cybersecurity, everything is nothing’. The opening sentence also sums up. It would therefore be beneficial to further sharpen the 2030 Digital Compass in this area. Kaspersky feedback to the roadmap of the Digital Compass Policy Programme can be found here.