Emily Schimelpfenig // 9 August 2017

In a world where the rapid development of information and communication technologies (ICTs) permeates every aspect of our daily life, the threat of cyber-attacks is still largely underestimated. These attacks today span from personal devices to private companies and the public sector. National governments and businesses are discovering the growing necessity of good cyber security. However, it seems that their efforts have not been very successful, thus far.

A recent break in cyber security in Sweden led to the resignation of two ministers. They suffered from the political fallout from the release of sensitive personal information to Eastern European countries. The Swedish Prime Minister, Mr Löfven, refused to call an early election. This attack was neither something like the hacker job that occurred on 13 March and which affected computers in nearly 150 countries nor similar to the hacking activism which is currently disrupting economic activity in Ukraine. However, the story serves to highlight how governments are missing some of the basic security provisions to protect their own citizen’s data.

The situation in Ukraine shows just how far hackers can go. Recently, they have darkened parts of the country by attacking its energy infrastructure. Ukraine is trying to make improvements through the use of a cyber police team (supported by the British government) but for the time being it has been unable to prevent the long-lasting waves of attacks.

According to the Financial Times, wind farms and factory robotics are at risk from hackers, too. For example, the lack of cyber security on wind turbines means that they are prone to attacks which could lead to a form of hacking that withholds energy for ransom. Hackers are also able to remotely attack medical devices leading large companies such as Johnson & Johnson and Philips to hire extra staff to boost the security of devices like pacemakers, insulin pumps, and glucose monitors.

All of this paints a dark picture of the world. Although both governments and businesses are taking action to increase their cyber protection, they are still ill-equipped for the onslaught of cyber-attacks. In 2013, the European Union launched its new cyber security strategy. This program includes a project on fighting bonnets and malware, which provides a framework for coordination and cooperation among the Member States and private sector organisations. The Commission also asked the European Network and Information Security Agency to assist the development of national cyber resilience capabilities of EU countries. By September 2017, the European Commission will review this strategy and propose additional measures on cyber-security standards, certification and labelling.

To tackle this issue, businesses are trying to develop new technologies as well. Non-for-profit organisations like Cyber Threat Alliance have started building platforms for companies to share information about common threats. Callsign, a UK tech firm, has raised the equivalent of $35 million for research that allows for user identification through a simple swipe. The company’s Intelligent Driven Authentication (IDA) system uses analytics of devices, locations, and behaviour alongside biometric knowledge and knowledge based indicators to paint a complete picture of the authentication and authorization event. This allows people to protect themselves against cyber threats in real-time, through continuous authentication.

Whilst these developments go in the right direction and are indeed truly innovative, firms and public administrations are still lagging behind. First, there is a need for a higher degree of cooperation among platforms. Governments and private actors need to collaborate more effectively with each other in order to combat hackers. Second, there is a need for more forward-looking norms that set the rules and boundaries of state-craft hacking, especially as hacking capabilities become available to more governments. Finally, innovation – such as the one developed by Callsign – needs to allow for high level of security that does not overburden technology users.

On 1 July, Estonia, a country often praised for its cyber security expertise, obtained the presidency of the Council of the EU. Since the 2007 cyber-attacks, the little Baltic nation has developed a strong national cyber space, which ranks first in Europe and fifth in the world. Thus, given the success of Estonia’s cyber security system, it will be interesting to see if the Commission learns some lessons from Tallinn before the upcoming review of the European Cybersecurity Strategy takes place.