It’s a direct response to Russia’s aggression against Ukraine, Lorena Boix Alonso, the European Commission’s top cybersecurity official, told me in a recent interview.
The commission was already “very, very, very, very busy” over the last two years, Alonso said. But Russia’s war in Ukraine, which has featured some prominent cyberattacks, “pushed us to adapt our cybersecurity policy” and made the European Commission “more ambitious,” she said.
The biggest steps of late from the commission, which are far from the only ones, include:
- An update to its first European Union-wide cybersecurity legislation in 2016, known as the network and information system (NIS) directive. The NIS2 directive, which the Council of the European Union adopted in November, imposes rules on more sectors and kinds of entities. It includes a 24-hour deadline for those entities to report when they’re aware of a major cyber incident.
- Proposal of the Cyber Resilience Act in September. It would impose cybersecurity requirements on hardware and software manufacturers.
Those steps are more expansive than recent policymaking in the United States, where Congress last year passed legislation requiring reporting of major cyber incidents after 72 hours rather than 24 hours, and where an executive order in 2021 tackled the issue of secure design only for tech sold to the U.S. government.
But to hear Alonso tell it, the difference between the E.U. and U.S. approaches isn’t so stark.
“I think we operate well with the U.S.,” she said. “Honestly, I see a lot of commonality of interest. Sometimes we do it differently. The structures and powers are different, but we’re targeting the same things.”
- “I’m very diplomatic,” she said with a smile. “But I think it’s true.” She said, for example, that the U.S. executive order inspired some of the commission’s work.
The rules that Europe is advancing could have an impact on the United States. A similar phenomenon occurred when Europe advanced the General Data Protection Regulation, as sites operating in Europe even if they weren’t Europe-based had to play by its rules. That data protection regulation is why, for example, so many sites ask you whether you will accept cookies.
Alonso — whose full title is director for digital society, trust and cybersecurity in directorate general for communications networks content and technology — said at a September event that the Cyber Resilience Act stood to make Europe a leader on cybersecurity.
“This will impact not only the European Union,” she said, as reported by Luca Bertuzzi of Euractiv. “This will change the rules of the game globally, one way or another. Because they will copy us or because they will not have the tools to abide by our rules. This is good not only for the level of cybersecurity but for the competitiveness of Europe.”
That proposal stems from the conclusion that the majority of cyberattacks rely on exploiting tech vulnerabilities, Alonso said.
“Producers and developers don’t have much incentive to reduce these vulnerabilities,” she said, because the “cost is on users” when there’s an attack.
- “IT markets are very fast,” Alonso said. “If they take three more months to make it secure, they may lose the market.”
Under the Cyber Resilience Act, tech deemed the most critical would need to get a third-party assessment of whether it’s meeting E.U. security standards.
NIS2 tackles more subject matter, like supply chain security, responsibilities for corporate executives and the establishment of fines and penalties, in addition to the 24-hour reporting requirement.
But Alonso said the U.S. and E.U. standards are closer than they might appear. The E.U. initial notification requirement is 24 hours, with cyberattack victims having another 48 hours to provide more information. That gives victims a total of 72 hours to provide information to authorities. They have a month to produce another report.
Despite a number of steps imposing requirements on industry, Alonso said she hasn’t seen any “radical reaction” against it from the private sector.
- Alonso is also focused on developing a network of security operation centers across member nations to enhance detection capabilities and improve collaboration with the private sector. Alonso said that the Ukraine war has demonstrated the benefits of working together to counter cyberattacks.
Enhancing international cooperation, including with the United States, is another lesson from Ukraine, she said.
- Last month, U.S. and E.U. officials held a U.S.-European Union Cyber Dialogue to discuss resilience, cybersecurity frameworks, attacks in Ukraine and Albania, and more.
- The cyberattacks targeting Ukraine have “clearly shown we need to collaborate with like-minded countries,” Alonso said.
Ransomware gang apologizes after affiliate attacks Canadian children’s hospital
The LockBit ransomware group apologized around 11 days after the Hospital for Sick Children (SickKids) was hit in a ransomware attack, Bleeping Computer’s Lawrence Abrams reports. It’s not clear what caused the delay, and the gang said it “blocked” the “partner” that broke its rules against hitting hospitals. The group also released what it said was a free tool to decrypt affected devices.
LockBit has banned its partners from encrypting files in key medical organizations. “It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed,” the group’s policies state, per Bleeping Computer.
Hundreds of U.S. organizations were hit by ransomware last year
Cybersecurity firm Emsisoft’s tally of ransomware attacks in 2022 included more than 100 counties, 45 school districts, 44 colleges and universities, and two dozen health-care providers, Bleeping Computer’s Ionut Ilascu reports. But those numbers are almost certainly undercounts because some organizations don’t publicly say that they were the victim of ransomware.
Since 2019, the number of ransomware attacks on local and state governments, as well as the education sector, has remained relatively consistent, Emsisoft said. But only small city governments — and not larger ones — appeared to be affected by ransomware last year, Emsisoft said. The firm added that it’s “concerning” that there hasn’t been a drop-off in ransomware despite U.S. and international efforts to limit the spread of ransomware. “Despite these initiatives, ransomware appears to be no less of a problem,” the firm said.
Debates over TikTok bans spread to local governments
At least one city — Charlotte — has banned the app on city employee devices after an FBI warning, WCNC Charlotte’s Nathaniel Puente reports. Meanwhile, the Rapid City, S.D., city council is debating whether it should also ban TikTok from city devices and networks, but not all members of the council are on board, the Wall Street Journal’s Stu Woo reports.
The city-level debates come after a wave of Republican governors and other officials banned TikTok on state devices and networks last month. Last week, the U.S. House of Representatives banned TikTok on House-managed devices. A new federal spending bill bars the app from being installed on government devices. The Biden administration, meanwhile, is negotiating a potential deal with TikTok amid concerns over the company’s Chinese ownership.
TikTok spokesman Jamal Brown previously told The Technology 202 that the company believes that the concerns driving state TikTok bans “are largely fueled by misinformation about our company,” and that TikTok is “always happy to meet with state policymakers to discuss our privacy and security practices.”
Thanks for reading. See you tomorrow.