Speech: Remarks by Commissioner King at the 4th Annual European Cyber Security Conference in Brussels

Reproduced with thanks from J.B. (Julian) King, published on Thursday 17 November 2016.

Three weeks ago, a Distributed Denial of Service attack took down Dyn, a central name service provider, disabling access to Twitter, SoundCloud, Spotify, Reddit and a number of other popular services for hours at a time. The attack managed to reach unprecedented size by harnessing the collective firepower of so-called Internet of Things devices — often poorly secured printers, security cameras, digital video recorders or other tools that are connected to the internet for remote access and control by their users.

Now I am not a digital native. So I was surprised to discover that pretty much anyone - including me - could have perpetrated this attack. The malware that was used to create the botnet is available for free online. Or - instead of building my own botnet - I could have simply rented a ready-made botnet by the hour at very affordable rates and specified my target in the easy-to-use interface. In fact, rented botnets were used in the attack. But let me assure you - it wasn't me.

Now why am I telling you this story? It illustrates some of the key weaknesses of our system.

First of all, name services such as Dyn are not recognized as critical infrastructure. And yet when they go down, the sites that they provide services for are rendered inaccessible. So we clearly still have work to do in making our laws 'technology neutral'.

Secondly, a lot of the devices that were used for the attack have their user name and password hard coded. That means that users cannot change them even if they were savvy enough to realize the need to do so. It is the equivalent of a wide-open door for anyone wanting access. This shows that we have a long way to go in security by design.

And third, it shows our dependence on private actors for key services. While most of us can survive a day without access to Twitter or SoundCloud, such an attack could also affect web-based services that are of greater critical importance to our daily lives. And as our reliance on the Internet increases, so does our vulnerability. We benefit from the vast potential of the Internet, but we also expose ourselves to threats. In connecting ourselves, we give up control over our vulnerabilities and put ourselves at the mercy of the vulnerabilities of the weakest link in the chain - which we don't control.

The uncomfortable truth is that Europe is currently facing an unprecedentedly high and growing level of cyber threat originating from hostile state and non-state actors who are skilled at exploiting these vulnerabilities. The most acute threat stems from cyber-espionage by hostile states. However, we also face the threat of destructive cyber-attacks from capable state and non-state actors, such as cyber-criminals and political hacktivists. Such attacks fall into the category of hybrid threats. The most technically advanced, persistent and aggressive threats are aimed at manipulating public opinion, particularly during election campaigns, in order to destabilise or undermine, and it is safe to assume that such attacks will continue to be used to try to influence elections in Europe in 2017.

Tackling the threat requires concerted, collective action to build resilience, to contain threats, to mitigate the impact of successful attacks, and to respond to them. The Commission is playing an active part in this work.

Cyber security has been at the heart of this Commission's political priorities and is a central element of the Digital Single Market Strategy, while the fight against cybercrime is one of the three pillars of the 2015 European Agenda on Security.

Cybersecurity matters. An old adage has it that there are only two types of companies in the world: those that know they've been hacked, and those that don't. Just to give you one recent example, half of businesses in EU Member States have already experienced a successful ransomware attack.

The response cannot be to disconnect. Instead, it must be based around three pillars: (i) strengthening the fight against cybercrime through increased cooperation and a reinforced legal framework; (ii) strengthening resilience against cyberattacks; and (iii) promoting and supporting technological innovation including by making use of the EU's research funds to drive new solutions and to create new technologies.

(i) Strengthening the fight against cybercrime

Through increased cooperation: the role of EU agencies

With regard to cooperation, the European Cybercrime Centre (EC3) at Europol has already become a central hub in the network of actors fighting cybercrime. Two good examples of successful cross-border and cross-sector cooperation in the fight against cybercrime illustrate that. Just last month, the EC3 supported an operation resulting in the detention of 193 individuals for having travelled with tickets bought using stolen credit cards. 43 countries, 75 airlines and 8 online travel agencies were involved in this global operation, which took place at 189 airports across the world.

A further example is the work EC3 has been doing with the Dutch National Police and Kaspersky on ransomware - malware introduced into a computer forcing its owner to pay a ransom to get their data back. The 'No More Ransom' initiative provides victims with free advice and decryption tools that can recover information encrypted with one of seven ransomware strains. More than 2500 devices have already been successfully decrypted for free.

We need to improve and expand our cooperation. Eurojust has a key role to play when it comes to supporting and linking national judicial authorities in the fight against cybercrime. Eurojust has taken a key step towards reinforced cooperation by volunteering to support the new European Judicial Cybercrime Network. This network will hold its kick-off meeting in a week, on 24 November. We hope that it will help bring cooperation between Member States' judiciary authorities to a new level.

And we have many budding public-private partnerships at national level, like the UK Global Cyber Alliance or the German Allianz für Cybersicherheit (Cybersecurity Alliance). At EU level, the work that the EC3 has been doing with its private sector advisory groups has opened up new possibilities for more effective law enforcement. Conferences and other initiatives organised jointly by the EC3, ENISA, CERT-EU and other agencies have brought together actors across communities and facilitated both strategic and operational cooperation. We need to expand and build on these efforts. As mentioned before, the private sector is the key partner for law enforcement and such cooperation is essential.

Through a reinforced common legal framework

In the fight against cyber-enabled criminal or terrorist acts, digital evidence has become key, as it is often the only existing lead.

Access to digital evidence is essential for criminal investigations; however, it is often difficult to obtain as it is stored on servers operated by private service providers often outside the jurisdiction of the investigating law enforcement agency. The Commission has launched an expert process to help identify options. The Commission also plans to improve Mutual Legal Assistance by simplifying and accelerating requests. Other existing mechanisms to obtain cross-border access to electronic evidence also need to be improved, including direct cooperation with service providers.

We also need to make sure that internet-based communication services providers, so-called OTTs (over-the-top service providers) have the same obligations as the telecom operators, particularly concerning cooperation with law enforcement authorities regarding criminal investigations. This is why the Commission intends to present a revised e-privacy Directive early next year. It will help level the playing field and align the scope to that already adopted in the telecoms package.

(ii) Reinforcing cyber security and increasing cyber-resilience across the EU

A key part of our response to cyber threats must be based on identifying and closing off vulnerabilities, making the EU a much less attractive target. The recently adopted Network and Information Security Directive lays the groundwork for improved EU-level cooperation and cyber resilience. The framework is designed to support and facilitate strategic cooperation and the exchange of information among Member States, and to promote operational cooperation on specific cyber security incidents and the sharing of information about risks. Under the directive, Member States have to identify businesses of strategic importance for society and the economy and ensure that they take appropriate cyber security measures and notify serious incidents to the relevant national authority.

We now need to work together to ensure swift implementation of the NIS Directive, covering all relevant actors. As the Dyn attack shows, it is easy to overlook actors that are close to invisible in daily operations but essential to the functioning of the internet.

The private sector has an important role to play in standard-setting through the NIS Platform and other mechanisms. Security by design, including for the Internet of Things and devices such as those abused for the attack on Dyn, is just one of many topics that it has already covered.

(iii) Promoting and supporting technological innovation

Our close cooperation with the private sector can also help advance and strengthen the EU cyber security sector. In July the Commission launched a €1.8 billion Public Private Partnership on cyber security with industry. The EU is investing €450m, with cyber security market players - and I see many of you in the room here today - represented by the European Cyber Security Organisation (ECSO), expected to invest three times this figure. The partnership also includes representatives of national administrations. The aim is to help drive technological innovation and solutions for key sectors such as energy, health, transport and finance.

In parallel, the European Commission is working to strengthen industrial capabilities in Europe, by addressing the current cyber security market fragmentation. The European Defence Action Plan will be presented to the Council of Ministers in early December. It will be coupled with a new European Defence Research Programme, focusing on defence research and development using the EU budget for the first time. These initiatives reflect the European Commission's enabling and facilitating role for a competitive European defence industry and European defence cooperation.

Beyond these large-scale initiatives, the Commission has also taken steps to make sure that Horizon 2020 funding is available to support smaller projects. Future calls and the next annual programmes should have a heightened focus on counter-terrorism technology and capabilities, drawing on the work of the European Counter Terrorism Centre, the European Cybercrime Centre as well as national law enforcement and intelligence communities. Cybercrime in particular is an exponentially evolving problem requiring coordinated action by law enforcement authorities, policy makers, industry and researchers. As such, cybercrime is a priority area in the Fighting Crime and Terrorism strand of Horizon 2020.

Creating effective cyber security, from the micro-level of one app or one device - such as the cameras and video recorders used in the attack on Dyn - to the macro-level of an entire organisation or beyond is a challenge no country and no sector can face alone. So we look to you, the private sector, to give us new ideas and to develop new solutions to the common challenge we all face together. I look forward to your discussion today on these issues, and to the outcome of this 4th EU Cyber Security Conference, as we work together to address cybercrime and cyber security issues across Europe in a more effective manner.

SPEECH/16/3801
