ENISA Tackles Cybersecurity
Agency Director Helmbrecht on Bridging International Silos
With the extension of ENISA's mandate into 2013 by the European Parliament & Council, the agency can continue to educate and collaborate with other nations on cybersecurity issues, an area of constant importance.
"IT security will be a hot topic at least for the next decade and beyond," says Prof. Udo Helmbrecht, ENISA's executive director, in an interview with BankInfoSecurity.com's Tom Field [transcript below].
Past efforts to improve cybersecurity include a pan-European cyber exercise that brought all the member states of Europe together at ENISA's branch office in Athens. "This was very successful and showed how Europe can work closely together ... to improve communication and find some kind of best practices and how one can support the member states," Helmbrecht says.
In November of this year, ENISA is teaming up with the United States for the first US/EU cyber exercise. Aside from that, ENISA hopes that Europe and other networks all over the world can operate together to tackle the common threats facing organizations.
In an exclusive interview about cybersecurity challenges in Europe, Prof. Helmbrecht discusses:
- What it means that the European Parliament & Council have voted to extend ENISA's mandate into 2013;
- The current threat landscape in Europe;
- How ENISA is helping to encourage a pan-European approach to cybersecurity.
Prof. Udo Helmbrecht has been the Executive Director of ENISA since 16 October 2009. Prior to this, he was the President of the German Federal Office for Information Security, BSI, for six years, between 2003 and 2009.
Prof. Helmbrecht was nominated by ENISA's Management Board, from a list of candidates proposed by the European Commission, after a presentation of his visions. He was appointed after making a statement to the European Parliament and replying to MEPs' questions on 16 April, 2009. Prof. Helmbrecht is assisted by a Permanent Stakeholders' Group and ad hoc Working Groups on scientific and technical matters.
Between March 2003 and October 2009, Helmbrecht served as President of the (German) Federal Office for Information Security (BSI) in Bonn. He successfully developed the agency's central service provision for information security within the German Federal Government. In addition, he spearheaded the cooperation between BSI and the IT security industry, as well as raised public awareness of information security issues.
Extending ENISA's Mandate
TOM FIELD: Professor, in the news, the European Parliament and Council have voted recently to extend ENISA's mandate. What are the implications here for your agency?
UDO HELMBRECHT: There is an extension by 18 months until autumn 2013, and ... the tasks remain the same as in our current regulation.
FIELD: What do you hope to accomplish within the agency before the mandate does expire in 2013?
HELMBRECHT: We currently are having a discussion in the European Parliament on a longer extension of the ENISA mandate because these procedures take some time. They made this ... extension and then it will be out at the end of the year, beginning of next year, decided on by the new regulation.
Europe's Threat Landscape
FIELD: Professor, what can you tell us about the current threat landscape in Europe? Where do you find there to be heightened risks?
HELMBRECHT: I would say this is not only for Europe; it's the same in the entire world what we are facing today. What we see is that we have botnets which are used to get data. We have criminals misusing the Internet through so-called phishing. We have espionage on the Internet. We've had cases in the past all over the globe, examples where private data is stolen or money is stolen. Basically, what we have on the Internet is a similar situation like in our everyday lives where criminals are trying to take advantage.
FIELD: What do you see as the role of organized crime behind these incidents, and how are you fighting back as an agency and then as a group of nations as well?
HELMBRECHT: If you look at the reports done by member states in Europe or investigations by other organizations, they give some detailed statistics about cybercrime on the Internet. What we at ENISA are doing is working on the prevention side. This is giving the member states, industry, the private sector and its citizens some guidance and best practice, from examples like how to behave on the Internet. What does it mean if you are going to cloud computing? We have the challenge of having 27 member states and 23 official languages, so it's always a challenge to work together to find the same approach. But this is a situation where we at ENISA are in a good [position] because we have [representatives] from different member states. We are working together with the private sector and with academia to get input from different stakeholders. By this we are building a community among the European member states and institutions together with the private sector to work on prevention aspects for cybersecurity.
ENISA's Successes
FIELD: What are some examples of what ENISA is doing to encourage a pan-European approach to cybersecurity now?
HELMBRECHT: Last year we did a pan-European cyber exercise where we got nearly all of the member states of Europe together for a tabletop exercise in our branch office in Athens. This was very successful and showed how Europe can work closely together with a national government computer emergency response team, how to improve communication and find some kind of best practices and how one can support the member states. What we are doing this year is also working together with the United States for the first US/EU cyber exercise, which will take place in November.
FIELD: One of the topics that is enormous in the United States right now is breach notification. How is that same topic being handled by the agency and within the member nations?
HELMBRECHT: If you look into the European legislative procedure, we have on a European level so-called directives which are then put into national law by the member states. In the case of telecommunication about notification of incidents and data breaches, ENISA has the commission to prepare such directives and if they are assigned by the parliament and the Council then ENISA has the member states implement this. This is one of the tasks we are supporting here, the member states implementing European directives into national law. If you talk about data breach notification, this is something which reflects Article 4 of the Privacy Directive, and we are also working together with the European data protection supervisor to support them.
Top Priorities for 2011
FIELD: Professor, just a final question for you. As you look to the remainder of 2011, what would you say are ENISA's top priorities before the new year?
HELMBRECHT: We have a work program which is defined with the representatives of the management board. We are working heavily on the implementation of this so-called Article 13. This is about reporting security breach incidents to the commissioner at ENISA. We are working on cloud computing regarding framework, assurance framework and looking into these aspects to support governments and how the security is maintained when they go into the cloud. We did a report on botnets, where there's still some work. We had last year the so-called Stuxnet incident.
FIELD: It's very clear then that ENISA's work is not going to be done by 2013.
HELMBRECHT: Yes of course. IT security will be a hot topic at least for the next decade and beyond, because it's the same like safety in other areas such as the manufacturing of cars. The discussion at the European level is: what will you do on a European level and what is the responsibility of the member states? In the discussion about our extension of the mandate, for example, it's how to fight cybercrime, how to support law enforcement and doing prevention in this area. We have a lot of interesting discussions on cybersecurity issues in the political area.