As one of the largest intergovernmental organizations, the European Union (EU) identifies cybersecurity as a high priority. It has established the European Union Agency for Cybersecurity (ENISA). ENISA works with member states to deliver security advice and solutions, and it supports the development of policy and law relating to network and information security. ENISA also creates certification schemes as mandated by the European Cybersecurity Act (Regulation 2019/881). These certification schemes establish rules of certification for IT products and services. Through the formation of ENISA, the EU can protect its citizens by improving the resiliency of critical infrastructure.
Critical infrastructure comprises the assets, systems, and networks, whether physical or virtual, that are essential for the functioning of society (e.g., emergency services, transportation, or electrical grids). The term is generally used in reference to government, but the same security principles can be applied to the mission-critical systems of a business or to personal privacy. An example of critical infrastructure in Europe is the European global satellite-based navigation system (Galileo). Without a primary navigational system, society could experience catastrophic consequences across the transportation and communication sectors. The €10 billion project provides global navigation between the European Community, its Member States, and Ukraine. It enables European independence from the U.S. GPS or Russian GLONASS systems. Once a critical infrastructure like Galileo is identified, countries, companies, or intergovernmental organizations can look to increase their cyber defense by increasing the cyber workforce, deterrence, and private sector partnerships, and by following security best practices.
Four simple security best practices
The following best practices can be used by anyone and can make any critical system significantly more resilient:
- Redundancy
- End-to-end encryption
- Multi-factor authentication
- Law of least privilege
Redundancy ensures that in the event of a shutdown, there are backup systems or data. To achieve fault-tolerant redundancy, one must take proactive steps to copy data across physical locations with multiple power supplies. Redundancy prevents system or data loss not only in cyberattacks but during natural disasters as well. Cross-replicating data across servers in different geographic locations ensures that the takedown of one physical facility doesn't mean complete data loss. Cloud Service Providers (CSPs) such as Amazon Web Services (AWS) or Microsoft Azure often provide data redundancy and cross-replication as part of their service, and we have seen an increase in government-CSP partnerships as a result.
End-to-end encryption (E2EE) is a system of communication in which only the communicating users or devices can read the messages or data they exchange. Using E2EE ensures that only the intended recipient can read a message. This can occur between individuals, organizations, or even computers. The basic principle is that data sent over a network is scrambled with cryptography so that it is unreadable in transit. Only the sender and receiver have the ability to unscramble the data with a specific key. Of course, with any technology comes some controversy. While E2EE is great for protecting everything from financial transactions to health data and confidential communication, it also allows terrorists and other malicious actors to network and communicate under the cover of obfuscation. Obfuscation technology like E2EE and the Tor browser can impede the ability of intelligence organizations to prevent terror and solve crime. Presently, the European Commission has not legislated on encryption, and it will likely be up to the new commission (2019–2024). Any legislation will need continual updates as new technologies such as quantum encryption/decryption are developed.
Multi-factor authentication (MFA) is another effective security system. MFA (also known as two-step verification) is a way of ensuring that only users with the correct privileges can use a computer. MFA achieves this by requiring two forms of identity verification. For example, these could include any combination of passwords, text message verification, email verification, fingerprint scans, etc. MFA makes cyberattacks more difficult by requiring an additional step that complicates an attack.
Law of least privilege
Another way to ensure that individuals have access only to what they are allowed to use is to practice the law of least privilege. This means granting each individual the least access they need to complete their job function. This ensures that only high-clearance individuals have access to critical infrastructure (CI) systems or data.