Study of EU's cybersecurity approach highlights need for sharing
The increase in cyberthreats means the public and private sectors of European Union member states need to collaborate, but only a fraction of them have set up partnerships, working groups or forums, a new report found.
Although cooperation between the sectors is high, only 10 of the 17 EU countries and one European Free Trade Association country studied have institutionalized ways to work together to protect critical information infrastructure, according to a Jan. 21 report by the European Union Agency for Network and Information Security. To encourage more teamwork, the report recommended six action areas, including policy and legislation, effective governance and more information sharing.
One example of a country with a strong relationship with the private sector is the Netherlands, the report said. Within its National Cyber Security Centre, several partnerships exist to detect, respond to and analyze threats. The Cyber Security Council is made of representatives from public and private entities and serves as an independent advisory board.
Germany has set up several information-sharing schemes. Its National Cyber Response Centre facilitates sharing between law enforcement and intelligence agencies, while UP KRITIS, a public/private partnership, is responsible for establishing critical information infrastructure protection communication and cooperation between the private and public stakeholders on strategic and operational levels.
Germany has also established the CERT-Verbund, an alliance of public and private Computer Security Incident Response Teams, or CSRITs. Each is responsible for its own constituency, but they share information and support one another in incident handling, the report stated.
In some countries, governments have encouraged cooperation by taking a decentralized approach to protection. Sweden, for example, leaves the identification of vital services and critical infrastructures, the coordination and support of operators, regulatory tasks and measures for emergency preparedness to various agencies and municipalities, the report said.
The country set up the Cooperation Group for Information Security to foster communication among the different groups responsible for critical information infrastructure protection. The group meets several times a year to discuss national information security.
Other countries, however, are more centralized. France's ANSSI is the main authority for information system defense and can order its "Operators of vital importance" to comply with security measures and other requirements.
A third structure is co-regulation, such as the Netherlands's approach. Its National Cyber Security Centre, or NCSC, serves as a central information hub and cybersecurity specialist. "The NCSC consists of several partnerships between public and private actors, such as various Information Sharing and Analysis Centres and the ICT Response Board which analyzes the situation during a large-scale IT crisis or threat," the report said. "The NCSC emphasizes that cooperation with private stakeholders is based on equality and trust."
Overall, the report made 11 recommendations to EU member states and the European Commission:
Increase institutionalized cooperation with the private sector
Align the management structure for protection with existing national crisis and emergency management structures
Participate in or host international exercises
Establish mandatory security incident reporting
Conduct national risk assessment
Use best legal framework practices for protection across sectors
Examine the use of incentives to invest in security
Conduct an assessment of member states' protection readiness
Support information sharing among states' CSIRTs
- read the report