The head of the EU’s flagship cybersecurity agency has warned that its incident reporting system is too bureaucratic and “does not work”, and called for a more resilient system, as well as a better legislative environment and information sharing with member states.
Juhan Lepassaar, the executive director of the European Union Agency for Cybersecurity (ENISA), voiced his concerns at a roundtable on cybersecurity on Tuesday (26 April).
Other cybersecurity experts have also raised concerns over the effectiveness of the mechanism for reporting and responding to cyber threats. An update of the EU Directive on Security of Network and Information Systems (NIS), which should address these shortcomings, is currently being negotiated.
“We need something which is agile, that works and where information can be shared in a secure manner,” Lepassaar added. “More resilience in critical sectors is definitely something we need to look at.”
Bart Groothuis, the EU lawmaker leading the revision of the NIS directive, told EURACTIV that, besides the problem of information sharing, the computer security incident response teams (CSIRTs) also need to be improved through the revamped legislation.
Reporting cyber incidents
According to ENISA, cybersecurity breach reporting is vital, not only for the public but also to help authorities recognise and respond to current trends and weaknesses. In 2018, the NIS directive introduced cybersecurity incident notification rules for operators of essential services in critical sectors.
Nevertheless, for ENISA’s executive director, the current legislative environment is not working. For example, in 2021, zero cross-border incidents were reported under the NIS directive, even though the SharkBot Trojan attacked a number of banks and there was an attack on a European e-ticketing platform.
“The problem is that we are dependent on the information that we get from the member states,” added Lepassaar, noting that lack of information sharing jeopardises the agency’s ability to respond and improve Europe’s cybersecurity and resilience strategy.
In its current state, the cyber incident reporting system is too “cumbersome” and “bureaucratic”, according to Lepassaar, which explains why member states refrain from using it. He called for a more agile approach, better communication and more resilience in critical sectors.
Including the private sector
Regarding member states’ willingness to engage in information exchange, Luukas Ilves, the chief information officer of Estonia, stressed that the situation has improved considerably and that he endorsed the increasing use of automated information exchange.
Yet, according to Ilves, much remains to be done. Besides collaboration between EU institutions, member states and various public sector bodies, “equally important is the reporting of incidents by the private sector.”
A similar point was made by Anouck Teiller, a senior official of France’s National Information Systems Security Agency (ANSSI), who emphasised that the private sector should play an increasing role both in preventing and responding to cyber threats.
Iva Tasheva, a cybersecurity expert at CyEn consultancy, told EURACTIV that “ENISA’s annual threat landscape should be extended with sectorial threat landscapes”.
Also, organisations sharing information and analysing threats should come together with industry and government agencies to “discuss the technical and organisational vulnerabilities and how to fix the threats”.
Improving reporting and responding
Currently, an update of the directive, the NIS2, is being negotiated, with the next talks between the European Parliament, Commission and Council expected to take place on 12 May.
Bart Groothuis told EURACTIV that he understands ENISA’s concerns and that the Commission has therefore proposed to include mandatory reporting of potential threats and near misses.
However, Groothuis voiced doubt that this would solve the problem.
“If you have too much bogus data, the significance of the output is too low,” he explained. Instead, he aims to negotiate a system in which significant data is reported and to ensure there is an ecosystem that acts operationally on that data.
Apart from too little being shared, the computer security incident response teams (CSIRTs) should also do more to “meaningfully act on that data sharing and prevent, mitigate and assist society with that information,” Groothuis said. Thus, he added, both the reporting and responding need to be addressed in the NIS2.
In order to improve the reporting, best practices should be shared and a “significant incident” threshold set at the EU level, Iva Tasheva added.
[Edited by Luca Bertuzzi / Zoran Radosavljevic]