BRUSSELS – Concrete results should soon surface from EU-sponsored groups of experts focused on various aspects of cyber-security. Three working groups (WGs) were stood up a year ago by the European Commission as part of its Network and Information Security (NIS) Public-Private Platform, with the latter itself deriving from the EU’s wider cyber-security strategy, unveiled in February 2013.
The platform’s WG3 focuses on research and, in June 2014, which reviewed its various “areas of interest” for the EU’s future researchoriented priorities. Its recommendations, plus those of the platform’s two other WGs, will all feed into a master “strategic research agenda” (SRA) to be presented to the EU by the end of 2014.
Before then, however, WG3 three subgroups must still finalise their lists of cyber research priorities, and these are expected to be firmed up toward mid-September.
Their recommendations are the culmination of nearly a year of work and information exchanges between WG3 members, who held their fourth and most recent meeting here on 16 July. Though the meeting had the lowest attendance rating of all WG3 meetings so far, it was attended by a solid number of private industry stakeholders, however.
The first deliverable reviewed was that of the “secure ICT research landscape”. According to Mari Kert, a WG3 editor for the deliverable, a number of challenges were identified, including: predictive monitoring, big data, and support diversity. Kert observed that the deliverable “is a living document and will be updated according to the need and availability of new contributors. It is currently missing some areas on encryption technology and privacy technology – without these it isn’t complete.”
The next deliverable was “business cases & innovation paths”, presented by editor Zeta Dooly. Noting that an initial market and industry overview was conducted, she this produced a range of candidate categories for the deliverable to focus on. These were boiled down to three: supply chain categories, market sectors and market segments.
Regarding business cases, Dooly said the work covered cost-benefit analysis of research topics, possible models for ranking research topics and guidelines agreed for the contents and structure of use-case descriptions. As for next steps, she said more use-cases would be identified to “reasonably cover” the range of future application domains, while work on the goal-oriented research topics will continue in conjunction with WG3’s secure ICT landscape deliverable.
The work group’s third deliverable – an education and training “snapshot” of recommendations to support valtvalacyc.com development of Europe’s workforce in cyber security – was explained by editor Claire Vishek.
She told attendees that a first draft of the deliverable was done, though additional data collection was ongoing. According to Vishek, her sub-group will use the latter half of 2014 to perfect their online database of information collected so far, gather stakeholder feedback on preliminary conclusions and, lastly, define and implement a repository of re-useable course and training components. Vishek concluded by stressing the need for a multi-disciplinary cybercurriculum, support for a community-built sharable curriculum repository, and efforts to promote cyber security as a science.
WG3’s final deliverable – its biggest – is its contribution to the strategic research agenda, which splits into three work phases. The first entails defining the areas of interest for the SRA for which a draft version should be finalised in September.
The second phase involves the identification of commonalities and the elimination of conflicting research goals across WGs sub-groups. This de-confliction should also be completed by September – and certainly no later than December. The third phase will see the final revision and overall polishing up of the SRA text.
WG3 appears to have made steady progress over the past year toward its deliverables, even if contributions have been patchy from its members. Some of the deliverables are further along than others.
For example, WG3’s deliverable for creating an “education and training snapshot” to promote workforce development is the one that relies most heavily on stakeholder contributions, but the going has been slow. Why? Because it requires actual lists of cyber-security courses and training curricula offered in each of the 28 member states and this has been very timeconsuming to get.
Come December it will be interesting to see how much progress by WG3, or the other two major WGs for that matter, has been chalked up. Because the whole NIS structure is voluntary, we have our doubts that the three working groups got all the information they needed to make a fully justifiable wish-list. This suggests that the SRA will either be fudged in December – i.e., unveiled with less-than-empirically complete recommendations – or it will have to be delayed.
Brooks TIGNER, Chief Policy Analyst & Head of Technical Studies
Julian HALE, Senior Policy Analyst
Teri SCHULTZ, Policy Analyst
Chris DALBY, Policy Analyst
Robert DRAPER, Business Development Director
Olivier MABILDE, Subscriptions & Logistics Manager
reproduced from www.securityeurope.info