October is European Cybersecurity Month, an annual advocacy campaign to raise awareness of cyber risks among citizens and businesses, and to share best practices in cybersecurity. This year’s campaign was launched at an event in Estonia, a country which both holds the current Presidency seat of the European Council and is well known as being highly cyber aware and digitally savvy.
It is fitting, therefore, that it is under Estonia’s Presidency that the European Commission announced a number of initiatives last month aimed at stepping up the European Union’s cybersecurity capacity and response to cyber attacks, while laying the foundations for increased cyber awareness and better cyber hygiene overall.
This EU’s Cybersecurity Strategy is a welcome initiative, as we already know that the overall cyber threat level is rising. At Cloudflare, we deal with a new type of DDoS attack every 3 minutes, and it has been that way for the last 6 months. This year alone, we've seen a DDoS attack that peaked at 300 Mpps and another at 480 Gbps. Furthermore, as DDoS mitigation companies like Cloudflare have become adept at handling 'traditional' DDoS attacks, the attackers have also adapted and increasingly try out new techniques.
A holistic approach to cyber resilience and a shared responsibility
In its Communication announcing the Cybersecurity Strategy, the European Commission sets out a multi-pronged approach to ensuring that Europe is better placed to face the rise in cybercrime, increasingly sophisticated cyber tools leveraged for malicious purposes, and attacks on critical infrastructure. The proposals range from educational initiatives to encourage increased cyber awareness and skills, to investment in research projects and public-private partnerships where technology in cybersecurity and industrial capabilities are developed, to encouraging the use of cyber secure tools in eGovernment operations.
Cybersecurity is a common societal challenge which should involve multiple layers of stakeholders, including industry, Government and individuals. The cybersecurity industry can, however, play a key role in helping the fight against cybercrime and attacks by providing training and educational information to better inform policy makers, politicians and law enforcement on what is happening on the ground, and highlight emerging technologies and best practices. Companies such as Cloudflare are on the front line, reacting and adapting to dynamic and evolving threat landscapes, such as that recently seen with infected IoT devices. We are, in a sense, in a somewhat privileged position, and we want to do and share what we can to help raise the bar.
Cloudflare has been actively participating in a number of European initiatives which feature in the Commission’s Cybersecurity Strategy. Earlier this year, we joined Europol's Advisory Group on Internet Security to share our knowledge on matters related to internet security and emerging threats, along with other industry peers. We are also participating in the IoT Security Group set up by the European Union Agency for Network and Information Security. We shared our well-known views and strong support for encryption during discussions held by the European Commission on cross-border access to electronic evidence, and we are now participating in some work related to software vulnerability disclosures in Europe, led by the Brussels think-tank CEPS.
Next year, the EU Network and Information Security Directive will usher in a new era of security awareness and protection in the EU. This new legal framework will ensure that security is an essential consideration for an even broader range of actors than before - such as companies in the banking, transport, energy and digital infrastructure sectors - and it asks that businesses take a risk-based approach in their cyber security activities and preparations. While most of the ideas are not new to a security-conscious company like Cloudflare, we are now in the process of preparing for this new framework.
There are numerous strands to the Commission’s Cybersecurity strategy and it will be important that all stakeholders work quickly and cohesively to make the words a reality. However, with all these initiatives in play, Europe will certainly be in a better position to address the latest cybersecurity challenges, while helping ensure that the internet remains open, secure and resilient.