In a globalised marketplace, Europe is faced with challenges that sometimes exceed its admittedly broad economic and industrial capabilities. Within the area of information and communication technologies (ICT), network and information security (NIS) thrives.
Most infrastructure components are developed and produced in third countries. In some cases, these infrastructure components are installed and relied upon for years, without necessarily paying due consideration to unresolved security issues. Seeing as these components are often used to control portions of our networks, the problem is obvious.
A 2012 ENISA report on supply chain integrity suggested that a breakthrough is yet to be seen. If components remain unchecked, foreign powers might have enhanced means for eavesdropping. This would threaten the standing of European industry and breach EU citizens' rights to confidentiality, privacy and personal data protection.
The EU must look to its past for inspiration on how to tackle the issue. Certain success stories continue to offer up benefits, both in terms of growth and employment. There are lessons to be learned from industrial applications used by civilians and non-civilians alike.
The Airbus project changed the fate of the air industry in the EU and gave it a global reach. European companies need an innovative business model that will enable them to produce cybersecurity products and services with a similar reach.
The Commission's cybersecurity strategy, as well as the draft NIS directive, are certainly ground-breaking in terms of policy guidance. However, they leave a lot to be desired with regard to a coordinated industry policy response to the challenges the NIS sector faces. Of course, this is not surprising considering these documents were not written with this particular goal in mind.
The most advanced components of network infrastructure are used and produced in most member states. Yet the dependency on imports from third countries is disproportionate. The European ICT industry, and hence the NIS industry, are lagging behind the United States and China.
Had this been an observation on just any other industrial application area, this might have gone unnoticed. However, information security is an exceptional case, because the infrastructure that is used for civilian purposes is also open to stakeholders in home affairs, defence and other sensitive policy areas.
Concerns about the security of products and technologies, such as backdoors and compromised cryptographic algorithms, could undermine the usability and the effectiveness of electronic communications networks. As a result, risks to the internal market and global internet coverage might emerge. In the long term, this could result in a fragmentation of the internet.
Similarly, the EU should ensure that the cost of implementing NIS legislation and policy does not penalise European companies when pursuing access to global markets.
The limited influence that Europe has on internet governance exacerbates challenges related to the response to threats on the infrastructure.
Lessons learned from the Airbus model, if they are correctly transposed into the area of cybersecurity, could be used as a generic blueprint for improving European competitiveness and stimulating job creation and growth.
Therefore, technical standards should be implemented, so as to set a mandatory compliance framework for producers and service providers alike. In addition, an associated certification scheme could foster the application and use of standards in a way that all products and services within their scope remain firmly under control.
This approach is already in place in other sectors. No aircraft, train, or car can be brought out of production without the approval of a national or international regulatory body. As long as these standards are applied worldwide, we can expect them to have a deep impact on the international stage and a competitive position within global markets.
It is now up to policymakers to decide. They can choose to implement EU funded research programmes that are more closely tied to key policy objectives, in order to allow European communities of researchers to come up with solutions that respond to policy goals.
Within the framework of the World Trade Organisation rules, EU funding could seek to encourage information security research that would contribute significantly to the development of products and services. Based on that research, the industry could then step in to develop and market prototypes on a global scale.
The European way of life can be defended more effectively if we provide European solutions to the global challenges that NIS product and service providers are facing. Millions of industry stakeholders and citizens are looking to policymakers for a way out of this crisis. The EU must act now, so that good NIS security in Europe equals good business for Europeans.