BRUSSELS – Priorities are crystallising within the work group of the EU’s Network and Information Security (NIS) platform that is charged with identifying future research goals. A number of its preliminary recommendations will be firmed up by June, according to participants.
The work group on secure ICT research and innovation, known as WG3, met here on 29 April prior to the wider plenary of all three NIS work groups the next day. (See related story in this issue.) The platform is tasked to feed recommendations on developing cyber-resilience, industrial capacity and information-sharing to the Commission by end-2014, though that will likely slip to mid- 2015, according to EU officials.
WG3 has settled on four main deliverables: how to create a Secure ICT landscape; reviewing business cases and “innovation paths”; creating an education & training “snapshot” for workforce development in cybersecurity; and finally a Strategic Research Agenda (SRA). Here below we briefly summarise the presentations for each topic:
* Secure ICT landscape. The aim is to map existing technologies in the field of cybersecurity and privacy. The deliverable will define technologies, identify threats and existing defences, map existing tools used in technologies, and pinpoint some of the research gaps. The latter will be fed into the SRA. According Evangelos Markatos of the University of Crete and a WG3 participant, texts are “flowing in, and quality assurance is running in parallel with the text. The deadline for the finished product is to be the end of June .”
* Business cases and innovation paths. The goal is to ensure that EU-funded collaborative cybersecurity research is exploited rapidly and effectively for European business and society. An initial sample market will be chosen and subjected to industry analysis, from which a selection of high-impact use cases will be chosen and subjected to cost-benefit and economicincentive analyses. At the same time a survey of best practices in innovation will be carried out.
Two main areas of focus will be to identify long-lived fundamental resources, and determine how to turn process into results. “There was some good progress initially, but it then slowed. We now need to reinvigorate the group and engage all contributors fully,” said one of the deliverable’s editors Paul Kearney, Chief Security Researcher at BT Innovate and Design. The plan is to have an initial release for consultation in June this year, with a full report to be issued in December he added.
* Education & training snapshot for workforce development. This deliverable will address learning and awareness gaps in cybersecurity. This hangs on the provision of accurate data by stakeholders about the cybersecurity courses currently available in higher education across the EU28.
However, “data is insufficient for a very thorough analysis, but it can act as an initial stepping stone,” Claire Vishik, Intel’s trust & security technology & policy manager and an editor for this deliverable, told the meeting. “There appear to be very few courses that are truly dedicated to cyber security: they are mainly security courses that touch upon cyber at some point in their curriculum. Moreover, the courses are not multidisciplinary.” This deliverable group also aims to have its draft snapshot available for circulation in June 2014.
* SRA. The Strategic Research Agenda will be one of the big deliverables of the NIS platform as a whole, and will reflect industry’s preferences for security research in 2016-2017. All three NIS WGs will feed ideas into it.
The WG3 sub-groups for this topic are exploring three “areas of interest”: individual digital rights and capabilities, resilient digital civilisation, and trustworthy (hyperconnected) infrastructure. Each is trying to forecast the cyber threats Europe might face in 2025 and thus a priority for the SRA. The latter is due for release in March 2015.
Industry appears to have an approach/ avoidance stance toward the NIS forum, depending on the topic. Incident-reporting has sparked avoidance. But the notion of future standards in cybersecurity is a crowd-puller. During the WG3 meeting on 29 April, for example, the European Telecommunications Standards Institute (ETSI) announced it will set up a technical committee on cybersecurity, with the first meeting pegged for 27-28 May. More than 130 requests have come in from industry to participate, according to ETSI. Meanwhile, it is encouraging to see the three main WGs and their sub-groupings aim for complementarity of content and timing between their agendas. But the question here is: to what end? While unlikely that the Commission would ignore all NIS stakeholders’ suggestions, the fact that it is not obliged to take any of them into account as it drafts legislation is not an incentive for participants
Perhaps the Commission should turn back to the EU’s established “wise men” approach for producing an advisory report? Yes, the stakeholder base is much smaller, but the effort is more concentrated too.