CONNECT meets with Alf Moens, GÉANT’s Senior Security Information Officer, to talk about the recent EU directives on cybersecurity and their implications for the international NREN community.
Alf, you recently attended the Science|Business Experts Roundtable on cybersecurity in Brussels. What are your main takeaway points from this event?
In the EU legislation space a number of directives and ‘acts’ for cybersecurity are receiving a great deal of attention. I am going to highlight two of them: the Cyber Resilience Act and the NIS-2 directive. DG CONNECT, the Directorate General for Communications Networks, Content and Technology, has rolled out a consultation regarding their upcoming Cyber Resilience Act. This initiative aims to address market needs and protect consumers from insecure products by introducing common cybersecurity rules for manufacturers and vendors of tangible and intangible digital products and ancillary services. Though this is primarily aimed at protecting consumers, there will be parts of this act that touch on R&E networking and services. We are also currently waiting for the finalisation of the NIS-2 directive proposal, whose text is currently being discussed in an EU trialogue.
In the discussions on cybersecurity in which I took part, one of the subjects of interest is the balance between national requirements and European collaborations. For instance, for the NIS-2 directive it is expected that a national body in each member state determines and assigns organisations to a specific directive. This body will also enforce the security standard that should be adopted by that specific member state.
How will these directives affect the international NREN community?
GÉANT’s intention and aim is to prevent the risk of being faced with too much diversity in the European cybersecurity legislation landscape. In fact, the number of differences in the role played by each NREN in their country is already quite high.
Small versus large
It’s the traditional divide between smaller and larger NRENs, where the smaller NRENs have fewer resources to dedicate to security and security collaborations. The extremes are considerable, from NRENs with a 100+ security headcount to NRENs with a security headcount of less than 1.
The role that NRENs play in security varies depending on non-R&E activities they are involved in, such as being responsible for the national Top Level Domain-registry, running a national Internet exchange, or also supplying network services. These roles may require different responsibilities in terms of compliancy needs.
Most NRENs are independent not-for-profit organisations, some are government agencies, and others are virtual entities operated by university employees. This has implications for manoeuvrability and compliancy demands.
Can you also talk to us about your participation in the high-level roundtable on cybersecurity organised by the STOA, the Scientific Foresight Unit of the European Parliament?
Discussions mostly focused on the considerable increase in the number of threats deriving from the cyberwar between Russia and Ukraine. The general opinion was that these cyberthreats will not stay within the Ukrainian and Russian territories but will be reaching the rest of Europe. This risk illustrates the need to exchange relevant threat information on a European scale and, as far as GÉANT is concerned, there is a strong plea to share threat intelligence across borders within Europe.
A great deal of the upcoming security legislation is aimed at implementation at a national level, but security troubles do not stop at national borders. We need collaboration at European level, and we need information sharing whilst taking into account all national specifics and sensitivities.
What does this mean for GÉANT and the NRENs’ security priorities?
We must be very alert and vigilant. One of the priorities in the coming years will be to build a European R&E Security Intelligence Hub, with a joint workforce from security analysis and operation teams from all NRENs. Starting with a European intelligence exchange point, we will work together to analyse and distribute security intelligence from multiple different sources. Together with our R&E partners we can establish a global early warning system that enables us to prepare and be ready to mitigate threats.