The COVID-19 pandemic has changed societies’ functioning in an unprecedented way. Nearly all industries were forced to adjust to the new reality in order to meet imposed safety measures and match customers’ needs. Businesses and governments have seen their reliance on technology grow in every aspect of their activities. The crisis is particularly challenging for critical sectors, including health, energy, or telecommunications, which have now become even more indispensable. COVID-19 turned out to be a trigger accelerating (and forcing) digitalisation processes across all the sectors of our economies – something that had been in the making for a long time but not achieved yet. At the same time, digital transformation exposed new vulnerabilities that we were not prepared for. This steadily evolving threat environment demands from us strategic, political, and operational responses.
We are still at a stage where it’s too early to capture the ultimate impact of this accelerated digitalisation. Preliminary conclusions are being drawn, but only with the perspective of time will we be able to assess to what extent the “new” normal will resemble the time before the pandemic. The ICT sector is particularly challenged. It has to ensure that everything is not only up and running but also as secure as possible. As we are reliant on technology in an unprecedented way, we are witnessing a perfect demonstration of why cybersecurity matters.
COVID-19 IMPLICATIONS FOR THE CRITICAL SECTORS
In our digital times, there is a need to define – and maybe rethink – what a critical infrastructure is. In the first decade of the 21st century, the focus was more on physical infrastructure like power plants or water facilities. It must be underlined that the scope of what is considered mission-critical has grown significantly, while the priority areas have evolved. Individuals and organisations have now made an accelerated move towards digital solutions and people are feeling more and more comfortable with digital tools. Even with the return to offices possible after the peak of the pandemic passes, the majority of employees often choose to keep working from home. Accordingly, there is a greater reliance on online services, specifically on video conferencing and cloud storage. To give an example, in the first weeks of lockdown, the use of collaboration tools (such as Microsoft Teams, Zoom, or Webex) increased by more than 12,000%.
COVID-19 has highlighted cybersecurity threats and coincided with the increase of cyberattacks against critical sectors and data extractions through breaches. However, another effect of the crisis is also that companies have significantly less money and have shifted their priorities to keep the wheels turning. At the same time, funding is absolutely crucial to increase cybersecurity. Therefore, policy-makers need to be able to balance the need for more security and the risk that some companies might disappear (simply because their business models have been devastated by the crisis). Governments and industries will face growing financial problems, which needs to be taken into account in future policy strategies and recovery plans.
NEW APPROACH TOWARDS CRITICAL SECTORS
With critical sectors and services changing dynamically, we can observe how the digital transition has sped up over the last months and how ICT tools are, most likely irreversibly, converging with our physical realm. The implications of COVID-19 added new services to the list of those that we now see as critical, for instance: cloud services, telemedicine, online learning, or mobile networks. The telecommunications sector has experienced a tremendous strain in recent months and turned out to be absolutely crucial as people started working from home and began to put new demands on the networks.
An increasing number of hostile activities against the telecommunications infrastructure has also been observed. As an example, on 15 June, there was a major outage in the US for T-Mobile (overall, the infrastructure was offline for 7 hours). At the end of June, there was a five-hour telecommunication services outage in London. These case studies are a cause to sound the alarms. We have finally started to understand that telecommunication infrastructure is in fact critical to nearly all activities. Therefore, with the growing dependency of other critical services and sectors on the telecoms, the deployment of next-generation networks must unquestionably take into account the reliability, resilience, and security of their equipment. For sure there will be winners and losers of the current crisis, but the choice of which infrastructures have to survive must be made according to dependency on them. Then, once the new critical services are determined, we must make sure that their whole supply chain is also secured, otherwise the risk of disruption is still too high. It is the entirety of the critical industry ecosystem that needs to be kept in mind.
THE REVIEW OF THE NIS DIRECTIVE
The NIS directive was conceived at a time of more “traditional” thinking about critical infrastructure, when the list of critical sectors was shorter and digital services were still relatively new.
It was mostly rooted in incident-based thinking, with the underlying question of what might happen if there is a major incident and how severe the damage can get before an infrastructure is declared critical. Nowadays, other challenges are coming into the picture (whereas previously they were left out of the NIS directive). For instance, in the discussion on fake news and the role of social platforms one might say that these platforms are critical for our countries’ autonomy and for democratic values.
Considering today’s realities, there is a need to look at whether the current NIS Directive is fit for purpose. The question of its scope is very much pertinent to the discussion and a part of the current open consultation by the European Commission is dedicated to seeking ways to adapt and expand the directive. In that sense, the COVID-19 crisis teaches us a very useful lesson. Indeed, we realised, to a greater extent than ever before, how profoundly important telecom networks and Internet access (including mobile access) are. We have also experienced the importance of the health sector, emergency services, food supply, and delivery services. The role of digital service providers must also be reassessed as their importance is greater than it was four years ago.
Concerning the digital infrastructure, the review of the NIS Directive will also have to take into consideration what other elements of the surrounding ecosystem are critical for the effective and secure functioning of the Internet. So far, the NIS approach was to put the burden on the companies which are providing essential services, and which have a critical function in the society and economy. Today, an area to consider is the cybersecurity of products – the cybersecurity-by-design principle and supply chain issues.
THE ROLE OF THE PRIVATE SECTOR IN POLICY-MAKING
Public-private sector cooperation varies from country to country. In some of them, the engagement is very close, in others it is not seen as an immediate priority.
When information is shared, there has to be an element of trust between the entities, and sometimes information sharing is most effective on the national level, as this is where a closer level of trust can be built. As an example, in the UK the National Cyber Security Centre is actively engaged with various sectors where a lot of information is shared; the systems that help examine threats come both from the NCSC and from individual sectors.
Given the international character of activities of big tech companies and digital services providers, public and private sectors should also cooperate more on the international level (for instance in reviewing the NIS Directive), especially considering that the private sector has a lot of valuable information to share. There is an underlying issue – the public administration views security (generally speaking) as a matter that only concerns the government. Though it might be true for security in the sense of border controls or the police, it is no longer the case for cybersecurity, which is, in reality, mainly a private market. The public administration can benefit from the knowledge that the private sector can provide concerning various threats. If we want an economic recovery from the current situation, we strongly need to spare no effort to bring the industries into that dialogue as well.
Join us at the panel discussion at CYBERSEC GLOBAL 2020 (28–30 September), which will further explore the topic of critical sectors.
- Izabela Albrycht – Chair, The Kosciuszko Institute; President, Organising Committee of the European Cybersecurity Forum – CYBERSEC
- Bonnie Butlin – Co-founder & Executive Director, Security Partners’ Forum
- Jakub Boratyński – Head of Unit, Cybersecurity & Digital Privacy, DG CONNECT, European Commission
- Tadeusz Chomicki – Ambassador for Cyber & Tech Affairs, Security Policy Department, Polish Ministry of Foreign Affairs
- Sorin Ducaru – Director, European Union Satellite Centre (SatCen); Former Assistant Secretary General for Emerging Security Challenges, NATO
- Melissa Hathaway – President, Hathaway Global Strategies, LLC; Former Cybersecurity Advisor, George W. Bush and Barack Obama administrations; Expert of the Kosciuszko Institute
- Robert Krawiec – Project Manager, Defence & Security Unit, Department for International Trade, British Embassy Warsaw
- Robert Muggah – Principal, SecDev Group
- Florian Pennings – Cybersecurity Policy Manager, EU Government Affairs, Microsoft
- Stuart Peters – Head, EU Cyber Security Team at Department for Digital, Culture, Media and Sport (DCMS), United Kingdom
- Magdalena Petryniak – Communication Advisor, The Kosciuszko Institute
- Luigi Rebuffi – Secretary General, European Cyber Security Organisation
- Andrea Rodriguez – CYBERSEC 2019 Young Leader; Researcher and Project Manager, Barcelona Centre for International Affairs (CIDOB); Associate Member, Observatory for the Social and Ethical Impact of Artificial Intelligence (OdiseIA)
- Barbara Sztokfisz – CYBERSEC Programme Director
- Paul Timmers – Research Associate, Oxford University; Former Director, Sustainable & Secure Society Directorate, DG CONNECT, European Commission
- Jean-Christophe Le Toquin – President, Cybersecurity and Cybercrime Advisors Network; Coordinator, Encryption Europe