The EU digital transition requires a high level of cybersecurity to be successful

By Hugues Foulon, CEO of Orange Cyberdefense, Director of Strategy and of cybersecurity activities of the Orange Group

The European Union has set ambitious targets in terms of green and digital transitions, which require state-of-the-art, more efficient and more energy-friendly digital networks (5G, FTTH). Orange is fully engaged on this path and in actively supporting the green transition of other sectors.

But digitalising a huge part of our lives, economy and activities cannot go without ensuring trust and hence a high level of cybersecurity for the citizens and businesses across the EU. The never-ending increase of cyber-threats and attacks is a constant challenge.

As highlighted by ENISA in its Threat Landscape 2021 Report [1], “cybersecurity attacks have continued to increase through the years 2020 and 2021, not only in terms of vectors and numbers but also in terms of their impact.” Similarly, Orange Cyberdefense, our expert cybersecurity business unit, which provides managed security, managed threat detection and response services to organisations around the globe, revealed the following in its Security Navigator 2022 report [2], published last December:

There has been a 13% increase in cyberattacks on companies over the past 12 months, with a strong focus on SMEs – 75% of ransomware victims being SMEs – and, for the first time, a noticeable wave of attacks targeted at mobile devices.

This trend won’t stop or stabilise; therefore, we need to develop, at the same pace or even faster, common European tools to protect, detect, fix, and fight against cybersecurity attacks.

Over recent years, the EU has started to improve the rules and its capabilities in terms of cybersecurity (notably with its 5G toolbox, EU competence centre, draft directives on the resilience of critical entities, or network information security 2 – NIS 2). We consider that additional measures are needed quickly to reinforce EU resilience and cybersecurity. We will focus here on three aspects: (i) strengthening the European cybersecurity ecosystem, (ii) setting up common rules governing the ICT value chain, and (iii) better monitoring of cyber rating agencies.

 

The European cybersecurity ecosystem needs to be strengthened

Developing a European cybersecurity toolbox should go hand in hand with an enhanced investment in European solutions. This includes the possibility for European actors to develop offers that will ensure compliance with European rules in terms of privacy and security, including trusted-cloud solutions, immune from extraterritorial legislation. Such cloud initiatives, currently based on existing solutions, are starting to develop, e.g. the “Bleu” [3] project gathering CapGemini, Orange and Microsoft. Sovereign solutions should become a key element of the EU technological autonomy. We therefore welcome the initiatives taken at European level such as GAIA-X, the Alliance on data, cloud and edge, and the Digital Europe Programme, with its dedicated stream for cybersecurity.

Gathering and allowing European actors to cooperate is essential. On this matter, Orange Cyberdefense is one of the founding members of Campus Cyber [4] in France.

It’s a cybersecurity hub that will bring together the main national and international players in the field (private companies, government, training organisations, research players and associations), in order to federate the cybersecurity community and develop synergies between these different players on a project-by-project basis. Developing a network of similar hubs present in the various EU countries could contribute to the development of a vibrant European ecosystem.

In addition, increasing our cybersecurity requires relevant human skills. As highlighted by the European Commission DESI report [5], “In key areas, such as cybersecurity or data analysis, there are constantly hundreds of thousands of vacancies”. Hiring and keeping cybersecurity experts is a true challenge, leading to the skills objective of the “Digital Decade” draft decision. While Orange contributes to the skilling and reskilling of people, notably through its Cyberdefense academy [6], it’s clear that a more global investment should be made by public and private entities to develop the relevant training and fill the human gap.

 

All main stakeholders of the ICT value chain should be governed by the same rules

Within the ICT value chain, network operators are ruled by cybersecurity provisions enshrined in the European Electronic Communications Code, and tomorrow in the NIS 2 Directive.

Operators have to implement measures in terms of security risk management and breach reporting that will be extended to new rules to secure the ICT value chain. While it is fair and justified in the field of cybersecurity to think globally in terms of value chain, it would also be fair to target all key actors of that value chain. In other words, it would not be proportionate to require network operators to secure the whole value chain while they don’t design, implement, or manage some of its products and services.

That’s where the current EU rules face an inherent weakness: they fail to cover some of the key products and services used by network operators, namely key software providers.

This is all the more problematic as electronic communications networks (5G, FTTH) will more and more rely on cloud, edge, AI and hence on software, which is often provided by non-European actors. All key actors of the ICT value chain should be ruled by the same principles and be clearly responsible for their own assets.

We therefore call on EU policy makers to urgently tackle that substantial weakness in the EU cybersecurity framework and ensure key software providers abide by the same rules as network operators.

 

Cyber rating activities require a common set of rules to be more transparent, robust, and legitimate

Cyber rating initiatives have been booming over the past five years and there are now several US-based agencies producing cyber ratings, such as SecurityScorecard, BitSight, RiskRecon, VisibleRisk etc. Those ratings are becoming more and more impactful as they are used by companies when considering entering into business arrangements, or by EU governments.

Supporting the Paris Call’s vision [7] of promoting Trust and Security in Cyberspace, Orange considers that there is merit in developing such ratings as they can allow a better understanding of the cybersecurity level attached to our complex digitalised world. However, this makes sense only if the methodologies used are transparent, reliable, and somehow standardised. This is currently not the case.

For instance, and as highlighted by the European Telecoms Association ETNO [8], several issues or biases are noticeable for ratings done on telecom companies:

– rating agencies are performing controls without any mandate and based on what they can derive from the information on the internet – i.e. without exchanges with the rated companies;

– the technical scope used is not always relevant [9];

– the rating from several agencies can lack comparability as the attack surface can differ from one to another, etc.

Considering the growing impact of such ratings, we strongly believe there is a need to better design and control the methodologies used by the agencies in order to ensure a more accurate and fair assessment of European businesses. This is also part of our common goal to strengthen EU sovereignty.

We therefore call on policy makers to regulate such activity; it could for instance take the form of an EU cybersecurity scheme applicable to rating agencies, and/or a common set of rules applicable to them as is done in the finance sector by ESMA.

By nature, cybersecurity risks and attacks will continue to develop, and so should our European toolbox and best practices to protect, detect, neutralise, defend and dissuade. To conclude, we totally concur with Commissioner Breton’s statement [10] when he highlights that “our only option is to act together, at European level. In an interconnected single market, we are only as strong as the weakest link. We must therefore improve our level of security collectively.”

____________________________________________________________________

1 https://www.enisa.europa.eu/publications/enisa-threat-landscape-2021

2 https://www.orange.com/en/newsroom/press-releases/2021/number-cyberattacks-against-organizations-increases-13-noticeable-rise ; this is based on a detailed analysis of more than 50 billion security events analyzed daily over the past year (October 2020 to October 2021) by our 18 Security Operation Centers (SOCs) and 14 CyberSOCs across the globe

3 https://www.orange.com/en/newsroom/press-releases/2021/capgemini-and-orange-announce-plan-create-bleu-company-provide-cloud 

4 https://campuscyber.fr/en/

5 https://digital-strategy.ec.europa.eu/en/policies/desi-integration-technology-enterprises

6 https://orangecyberdefense.com/fr/carrieres/orange-cyberdefense-academy/

7 https://www.diplomatie.gouv.fr/en/french-foreign-policy/digital-diplomacy/france-and-cyber-security/article/cybersecurity-paris-call-of-12-november-2018-for-trust-and-security-in

8 24 September 2021: Cyber Security Rating – a rising challenge for EU industries: https://www.etno.eu/library/positionpapers/443-cyber-security-rating-a-rising-challenge-for-eu-industries.html

9 For instance, for operators, currently all technical assets are taken into account for a rating but agencies do not know if the assigned public IP ranges are used by the telecom company itself or by its clients, which biases the outcome as operators cannot manage or control IP address security issues of private customers.

10 https://ec.europa.eu/commission/commissioners/2019-2024/breton/blog/how-european-cyber-resilience-act-will-help-protect-europe_en