ENISA at 10: The Next DecadeUdo Helmbrecht on Agency's Agenda for 2014 and Beyond
With a decade under its belt, ENISA enters 2014 with a mission to improve cybersecurity across Europe by collaborating with companion agencies around the world, says Executive Director Udo Helmbrecht.
Cloud computing and the evolving global threatscape are huge challenges for EU nations, but the region's cybersecurity agency is pursuing new strategies, including a coordinated cyber drill with the U.S. later this year.
In an interview recorded at RSA Conference 2014, Helmbrecht discusses:
- ENISA's major accomplishment in Europe;
- Security challenges for the year ahead;
- Strategies for growing the profession.
Helmbrecht has been the Executive Director of ENISA since October 2009. Prior to this, he was the President of the German Federal Office for Information Security, BSI, for six years, between 2003-2009. Helmbrecht was nominated by ENISA's Management Board, from a list of candidates proposed by the European Commission, after a presentation of his visions. He was appointed after making a statement to the European Parliament and replying to MEPs' questions. Helmbrecht is assisted by a Permanent Stakeholders' Group and ad hoc working groups on scientific and technical matters.
ENISA on Cybersecurity Challenges
TOM FIELD: Early this week you received the Cloud Security Alliance's Industry Leadership Award. Tell me a little about that and the significance of that award to you.
UDO HELMBRECHT: We from ENISA started in 2009 to think about Cloud Computing, challenges [and] opportunities. So it's a great pleasure that on my and my staff's behalf, we got it. We have very engaged people to bring forward this business of Cloud Computing.
FIELD: You've put forward guidelines on Cloud?
HELMBRECHT: The idea is, let's say, you are a small or medium company, or if you are a citizen, you don't the opportunity to negotiate the terms of conditions with big players. The question is then, how can you improve and put in IT Security? If you have the service level agreement, if you go for auditing [or] certification schemes, the intention is to give the end-users assurance that there is really IT security in Cloud Computing.
Top Priorities for 2014
FIELD: What do you see as your top priorities for 2014?
HELMBRECHT: We got an extension of our mandate, and one of the important points is that we got the additional task of standardization, and working together [to fight] cybercrime. If you look [at] Europe, we have Europol and the Cyber Crime Center, so the idea is really to work closer together. You have this organized crime on the internet, phishing, [and] identity theft, so this is one topic where we talk about identity management, [and] privacy to enhance it. The other big topic is new technologies in order to talk about smart cities, grids and meters in households [or] digital things; it's important that IT security are in [those]. Then, we are also working in the area of cross-cryptography and IT security. It's about computer emergency response teams. The interesting thing is that we are preparing, this year, a Pan-European exercise combined with the United States. We did it as a tabletop exercise a couple of years ago, so we want them to see how, from Europe and the U.S., we can see when there is an incident on a global level, [and] how we can cooperate.
Impact on the European Union
FIELD: How do you measure the impact of your agency on the European Union?
HELMBRECHT: When you say young agency, we are only 10-years-[old]. It is still young compared with other agencies. What we are trying to do is publish papers on topics like Cloud Computing ... and the tasks [that] bring together communities. For example, when we have European regulation, how to put it into member-state laws, so we don't have a KPI in this sense that is really measured. But what you can see is that when people pick up our recommendations or when we have a certain topic, let's say in data protection or cloud computing, that we get the community together. I think the best success for us is when people talk afterwards, take our recommendations and implement them into companies.
10-Year Span of Success
FIELD: What would you say in this 10 year span have been the key successes of ENISA?
HELMBRECHT: I think if you look into this IT security landscape, we have a much more political advantage then say, five years ago. I think what is really something where [we] are good in is supporting political processes. For example, if you have a parliamentarian, you have the committees, civil servants and the ministry, and the question is always: how do you build up a strategy of estates? Or, how do you look [at] data protection [from a] legal aspect and put expertise from technical side? What we would do is bridge the technical part and public part from the government with the private sector [and] industry. I think it is important if you do regulation or want to do frameworks, that those people make supportive decisions understanding what they do.
Challenges to Overcome
FIELD: What [are] some of the challenges that you have yet to overcome?
HELMBRECHT: If you look into our IT security business, it's a never-ending story. If you think you have solved this problem, another comes up. Just think about if you had [the] Stuxnet incident, where now you have dedicated text, the advanced persistent threats. You have targeted success there. On one hand, we are becoming better in fighting Botnets. In Europe we [put in a lot of] efforts to mitigate this, but if you have this infected website, it's something where users don't expect that. If you have an online shop, newspaper or media website that you say, "There's fraud behind there," this is something where it's really a challenge still to educate citizens or the CISOs in companies.
FIELD: What would you say looking at the global threat landscape right now?
HELMBRECHT: I think if you look at this picture, these companies [you] see [where] the threats [are] coming from...In the global scale it is coming from [the] U.S., Europe, Russia and China. But the problem is that you have then people sitting somewhere, and from our perspective, legal framework, where they don't care what our understanding of this [is]. Then it is very difficult to see how texts are going because if it's a command control server outside our legal jurisdiction, it cannot take anything everywhere. It's interesting how the text [is] going on to survive, this is a challenge. I think what is the real challenge is organized crime, because this goes on a global level. I think the challenge here is really that we don't have a legal cyberspace jurisdiction, and we have to work more to get it done together. The problem is, if you have an incident in the city, a policeman comes, but if it happens on a global scale, then it is difficult to run after.
Cyber Security Professionals
FIELD: When you look at 2014, where do you see the opportunities for organizations and cyber security professionals to stand up and make a difference?
HELMBRECHT: What we see is that, if you have organizations, small organizations who often cannot afford [an] IT security officer or a security department, really has an advantage when they are going to the Cloud because there they get professional services. IT security can scale there. This is an opportunity for young people to join in this field and say, "Okay, I want to do something in this area." Another point is that if you look to citizens from a European perspective, we try to educate them a lot. But if in Europe [there are] 500 million citizens, then you need the associations' multiplayers. There is a lot of starting from universities, to schools, to companies to do IT security [better] in this area. What [we] see is that the professionals sometimes should be organized better, or get organized better, because you need this governance structure also in that IT security field. I think there [are] a lot of chances to do something, and if you look to secure our communication privacy, they have a lot of technologies like cryptography, encryption, public infrastructures and electronic signatures. A lot of these things are not put in place, so there is a big challenge and chance to have services or products to help the people. We need simpler products or services that [are] easy for us to encrypt our emails. You see from this advantage rising to products and putting products in place, there are a lot of chances.