Enhancing the security of cyberspace is a critical issue for governments, companies and citizens globally. Our economic and social lives increasingly depend on secure ICT solutions (351 million Europeans use the Internet every day across all areas of digital society). Worldwide, the number of mobile phone users is expected to reach 5 billion by 2019, and 26 billion devices are expected to be connected by 2020. There is, however, a growing perception that this level of interconnectedness brings not only opportunities but also new vulnerabilities: every one of these devices is a potential target for cyber-attacks. Statistics show that both the number and the severity of cyber security incidents have increased enormously. At the same time, all of this adds up to a significant market opportunity.
The cybersecurity@CEPS initiative brings a multi-disciplinary policy perspective to the analysis of cybersecurity issues. Many scholars understand cyber-attacks as a problem of either criminal law or the law of armed conflict, whereas others treat them as a software issue, or as a business issue involving reputation, trust and insurance. It is important to recognise, instead, that many firms operating critical infrastructure tend to underinvest in cyber-defence because of the negative externalities, free riding and public-good characteristics of the cyber security market. Sharing information on data breaches is a case in point. The costs of such disclosure can be significant and fall on the disclosing firm, while the benefits of improved disclosure (more effective security and cost savings) usually arrive slowly and accrue to all firms, including competitors. This imbalance between costs (borne by one firm) and benefits (shared by all) generates a market failure. New conceptual approaches to cyber-security are therefore required to make the behaviour of all players in this market more incentive-compatible.
CEPS also approaches cybersecurity as a management challenge. When it comes to cyber-attacks, the appropriate mindset is: "it's not a question of if, but a question of when". Cyber security should not be seen as a technological problem to be delegated to technical experts, but as an issue calling for a risk management approach shared among the various units of each organisation. Such a process reflects an organisation's willingness to master both the risks linked to its use of information technologies and the costs of protecting its information systems from threats.
Cybersecurity@CEPS promotes research, conferences, collaborative efforts with the European institutions and other think tanks and universities worldwide.
Areas of activity
Software Vulnerability Disclosure in Europe
Today, software is embedded virtually everywhere: in our smartphones, our cars, our offices and our homes. This fact of 21st-century life means that most software and software-based products are susceptible to vulnerabilities. It has been estimated that the average programme has at least 14 separate points of vulnerability. Each of those weaknesses could permit an attacker to compromise the integrity of the product and exploit it for personal gain. Software vulnerabilities, and their timely patching, are therefore a serious concern for everyone. What can we do to protect ourselves? Who should look for vulnerabilities, and should the vendors or the users be informed about them?
The Encryption Dilemma
Digital technologies providing for online privacy and security have helped to create a certain level of trust among users, but those same technologies can also be misused. Encryption has been at the centre of a debate on the interplay between online security and the notion of national security, and that debate has reached a certain level of urgency. There are many open questions. Encryption is becoming widespread for protecting data-in-motion and data-at-rest. Today the majority of internet traffic is encrypted, and end-to-end encryption is applied in mobile applications and on secure devices. What are the implications of these developments? The movement towards a cloud-based environment is converting mobile devices into portals for cloud-based applications and data storage, thereby reducing the need for law enforcement access to encrypted data on the end-device. The challenge will instead be to identify and locate the relevant data under a warrant in the cloud, given that the data will be spread across different geographical locations and jurisdictions. Based on the available empirical evidence, is encryption a game-changer for criminal investigators, or is it only slowing down the process of accessing the data? Are law enforcement agencies really 'going dark'? How effective are lawful government efforts to bypass encryption? Is the lack of clear and relevant policy and legal frameworks on encryption in the US and in Europe inhibiting solid cooperation between law enforcement and technology companies to provide lawful access to data? CEPS has contributed to this discussion with an online conference and an event with the European Commission.
Trust-based relationships are essential to cybersecurity and resilience policy. Well-designed public-private governance of emerging challenges, such as massive, pervasive state-sponsored cyberattacks, is becoming unavoidable. Yet global dialogue on these matters is not proceeding smoothly. Discussions about the introduction of global norms of responsible state behaviour, particularly within the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE), are stalled on key issues such as the right of self-defence and state responsibility for cyberspace. Likewise, adoption of the Budapest Convention on Cybercrime is progressing slowly: only 56 countries have so far ratified it, 16 years after its official adoption. How are EU member states responding to these challenges? Should the EU, as a 'norm superpower', step forward and play a greater role? CEPS is working intensively on these issues, reporting its views and findings via a commentary and two events: a public seminar exploring the outlook for internet governance and a workshop discussing cybersecurity in the context of new geopolitical trends in Europe.
The security of cyberspace has gradually become a key priority, both for the protection of critical infrastructure and for military purposes. Cyberdefence, however, is often at a structural disadvantage against attacks, especially those of a global or cross-border nature. In Europe, this weakness is compounded by the fragmented nature of defence strategies and capabilities, which remain unevenly distributed and largely in the hands of national governments. At the EU level, this reality becomes even clearer with the ongoing integration of the Digital Single Market. With the growing degree of interconnectedness, an enhanced level of cooperation and coordination in the defence domain is required. In March of this year, CEPS launched a Task Force on "Strengthening the EU's Cyber Defence Capabilities", chaired by Jaap de Hoop Scheffer, former Secretary General of NATO (2004-09). The Task Force's report will be released in late September.
Artificial Intelligence and Cybersecurity
As one of the key technologies of the 21st century, artificial intelligence (AI) is rapidly emerging as a game-changer in the economy and in society. AI is built on machine-learning algorithms that run on ordinary computing systems and therefore faces the same security risks as any other software, as well as risks specific to the learning process itself. What are the implications of current and future uses of machine learning for cybersecurity, and how is AI transforming information security?
Follow CEPS’ activity on this issue.
In June 2020, CEPS will host the 20th Annual Workshop on the Economics of Information Security. WEIS is the leading forum for interdisciplinary scholarship on information security and privacy, combining expertise from the fields of economics, social science, business, law, policy, and computer science.