Hello. Welcome. A warm welcome also from my side. It's a pleasure to be here, and thank you so much for this invitation. I want to start with a piece of information. Today is the European public holiday. Today is the 9th of May, which is Schuman Day, which is a public holiday for us. Civil servants, maybe not for me today. Robert Schuman, the former minister of France, proposed in 1950 a common steel and coal union, and the German prime minister, Chancellor Adenauer, responded. And a year later you had west Luxembourg, Netherlands, Belgium and Italy, the first supranational organization in Europe.
Then today you have the European Union. So
I will talk a bit. Thank you for this. I will talk a bit about policy background at European level, about cybersecurity strategies in Europe, what we are currently doing and planning, and at the end, some thoughts abouts. So if you look at just the questions, there's still the questions from the former panelist here. So I have to look here. So when we are at European level, from ENISA, we are basically supporting the member states in implementation of legislation. You will see a couple of examples later.
We write, at the bottom, expertise, about 50, 60 papers a year on different topics, from smart cards, maybe robotics, artificial intelligence, also in the future on eHealth, aerospace and other topics. And we are running the pan-European exercise. This is hands-on, every two years, with around 28 member states and 100 participants. So if you look on a European level, we have, which is positive for some years now, awareness on commissioners, director generals on the policy level.
So the challenge is then if you look from a government perspective, in which cases do you need legislation, in which cases does the common market work properly? In which cases is it self-regulation or the industry doing what you might expect?
So, but what we have, there is one area which is identity management. Another area is critical infrastructure protection and another area is the telecommunication sector. So these are the areas. If you look on the other left, we have now the regulation, this is about certificates, trust centers. We have around 170 trust centers in Europe, and to have really a common legal basis there and implement this. I think the challenge is still today that we have electronic certificates. We have in Germany, for example, the electronic passport with the option to have a qualified signature on it.
But we don't have the business models there. The few there, it doesn't really fly. So the hope is that with this policy support that we will get more, let's say identity management, certification, qualified signatures there. The other thing, what you see there at the bottom is, for some years now, the telecommunication package, Article 13a. This is where the telecommunication providers have to report incidents.
The problem with this is that we, as ENISA, get reports from the national regulator, which gets them from the telecommunication provider, and get per year around 150 incidents reported. One fifty.
This is then what is a severe, or called a severe, incident. But if you look into our report, a lot of this is just malfunction of base stations. A mobile base station not working for half an hour is also an incident. This means the problem behind this is that we have a regulation, we have incident reporting, but we have a threshold, so that we only get reported the top of the iceberg. We have currently a new discussion about this next version of this regulation.
If you look then on the left side, we have a lot of activities in cyber resilience, which were started already in 2009 with a commission on critical infrastructure protection. We have on the right side the General Data Protection Regulation, which is in force since last year, with a lot of discussion about privacy obligations, and also, if industry doesn't implement it properly, it can cost you a lot depending on your revenue.
And then we have on top the EU cybersecurity strategy and the NIS directive. I will talk later about the strategy and I will concentrate now more on the NIS directive.
So if you look into the NIS directive, it's the first time that in Europe we have a law which covers three areas. One is governance structure, which means that every state in Europe, every one of the 20 member states, needs a governance structure, ministry responsibility, agencies' responsibility. The second part is incident reporting, to do it better than the lessons learned from the telecommunication package. And the third part is information exchange. So the third part is information exchange, that we have every governmental CERT exchanging information on incidents to help each other better.
And we from ENISA are doing the secretariat and the platform for this. If you look into the incident reporting, we have two parts. The one part on the right in that is what you know from classical critical infrastructures, that you have transport, energy, healthcare, banking, finance infrastructure.
So this is when you look from a national government perspective or European perspective that you say what is important for the daily life of a citizen that it has to function.
Of course, we need electricity as a basic, we need water supply. We need IT support, energy, healthcare. So this is the thinking of critical infrastructure protection. An important remark here, and maybe it's more a personal remark: we needed around three years to have this legislation done on a European level. If you look into it, the origin of this is still 9/11. The strategy in the US, this is where in Europe we started more than 50 years ago to think about what is critical infrastructure. It was the perspective of terrorist attacks.
Now, if you look in this past years, it's about the things which developed cyber crime, cyber attacks, and other stuff, but it's still past.
And if you look into the future, it doesn't cover such things like the Internet of Things. Or if you look at the Mirai botnets, which did these attacks at the end of last year. So this shows that policy is a bit behind legislation. So there will be future legislation. The discussions are there and some ideas I will present at the end.
So what you also see there is besides this classical critical infrastructure protection you have on the left side, this blue part, the over the top services, we call it. This is the business model, which established in the last 15 years like cloud computing, online marketplaces, digital engines.
If you look at this, everyone has a famous name behind this.
Now, a statement from a European perspective. I'm happy that we also have a lot of non-Europeans here. There's a challenge in Europe that, if you look into this, we are in Europe squeezed a bit like a sandwich between the big American companies who dominate the market, which are in this area, and, interestingly enough, the Chinese. And if you look into these business sectors, the Chinese copied exactly the same business model and built it up in the last 15 years. So if you talk about Amazon, Google, Facebook, you have Tencent, Alibaba and others in China, but in another social system.
So if you talk about strategies, we have 28 member states, we have 25 who have us European level cybersecurity strategy. We have the governance structure, the others are working on it.
So at least it's in good progress. Another topic is, we are in year 10 of Estonia. You could say, if you look into our business, we had 2017 Estonia attack on the government websites infrastructure. At that time, you had the discussions about who was responsible. Is it NATO should be called for help? A lot of discussions there.
What is discussion a period of policy awareness on a high level, but we have 10 years after Estonia, still not a European cyber crisis management. We are hardly working on it. We have on the left, you see a couple of acronyms. This is something what you have in classical crisis management. If you talk about refugees, Euro crisis or whatever, we have procedures or natural catastrophes where you have support of member states. So in the classical way, we have procedures, but we have to adapt them to the cyberspace.
So we are working on this, how we can adapt classical cyber crisis management to EU cyber crisis management. So we have a so-called blueprint project with the Commission there. So there will be something published during this year. What you also see here is, if you look for example in the aviation sector, you have the aviation agency, EASA. Sidestep: we have more than 40 agencies in Europe for food, drugs, medicine, flight safety, trains. They're all spread around in the member states. ENISA is located in Greece, EASA in Germany.
So you have Frontex, which is border control, does a lot in the refugee crisis, is located in Warsaw. So you have this traditional, let's say, crisis management in this area of aviation, border control, and what we are discussing here is: how do we do it out of the CSUN? The third infrastructure with the NIS directive, with DG CONNECT, which is the directorate-general in charge of this on a European level.
So the message is you will see something there. So there are a couple of points here. The slides will be published afterwards, summarizing a bit what I just said.
So what I also want to touch here is what is an initiative? What starts this year is about certification. If you look into certification, the problem is that if you look into you can also talk about liability. The problem is that every app from an app store, you can download it. Every garage can develop software without any software standards. If you use it, you use it. Big companies invest a lot into software development procedures, supply chain, et cetera, but you don't have the same supply chain quality as you, for example, in common manufacturing, aviation in our sector for other products.
So the question is then how do we deal now with certification. Even toys you get into, let's say, a country in Europe have a stamp, which is called CE. And at least there's some quality standard behind. The problem is that if you look into certification, we talk in certain areas about Common Criteria certification in governments, credit cards, other things, but this is a specific certification, expensive, takes time. And we are looking for something which is very fast, which can then also be applied for commodity products.
Another topic, this busy slide is our public private partnership approach.
We have this now since July last year. The idea is that if you talk about research and development, how do you get innovation really into products, startups and companies? So this is something where the strategy behind is to have public private partnerships. So this is an initiative where the European Union, from the European research budget, from Horizon 2020, in this area takes about 500 billion euros.
One point, well, and in the end 1.5 billion should come from industry so that we get in total 2 billion euros. And this is an organization which is founded by the industry to run all these projects, evaluation, doing the right project. And you have there a small box, which is a gray box. You see other Saria, this is a part where you link the industry research proposals with the public interests, and then have the discussion that government interests and private interest are somehow streamlined.
You have also here on the left side, the certification, if you look in the orange part, you have the on the left far left the standardization certification labeling there. So what I said before, it's also the interest to discuss together with the industry and the public sector is the best way forward for this. So to summarize a lot of activities, we do might not be known because there are a lot of events. And the challenge on the European level is if you are commissioner, your time is limited. Maybe you can talk in an event with 10, 12 bigger companies.
We from ENISA have on average 60, 70 companies in our workshops, but we have hundreds of companies, small consultants in Europe. So the challenge is this information exchange. So therefore if you have some time, you can also look on our website. So we have so aim, as we said, to look for late with certification schemes, and we have this public private partnership.
I want to close with a couple of more generic remarks. Because, as I said before, we have these strategy initiatives from the European Commission; we had in 2013 the first EU cybersecurity strategy, where we touched a couple of points like labeling, product certification, but it didn't run by itself. So we had then the legislation I mentioned, and we are now working on a new cybersecurity strategy, but there are a couple of points where the world has changed in between. And you see it much more these days. So I mentioned 10 years ago, Estonia; then 2010, Stuxnet. So what is Stuxnet?
I think most people will call it cyber sabotage. But the problem is, if you're in the real world and in the military field, a tank crosses the border, you talk about war. So what is the difference? If a USB stick with malware crosses the border and does some harm, is this in warfare?
Maybe we don't talk about this enough because we don't have the solution. What happens these days is that the European External Action Service discusses and will publish cyber diplomacy approaches, a cyber toolbox.
So the question is, what do you do if you are attacked? It's difficult about the attribution. You sometimes might never be in the position to prove it, but how to react then? Yeah. What is the escalation procedure? What are sanctions in the end? We have a so-called Tallinn Manual, which is coming from this, let's say, military perspective, NATO perspective, cyber diplomacy perspective, where some ideas are proposed. So there will be more discussions how to deal with cyber warfare, if you want to call it like this, in cyber diplomacy.
Another point is that if you talk about ethics, we talked before about artificial intelligence. If you look at artificial intelligence in the area of autonomous driving, robots, who makes decisions in the end?
So this means if you talk about cyber ethics, the question is, there is no ethical overall value. Ethics is culture. It's different in the east, in the west, in the north and the south. You talk about cyber norms on UN level. So the question, where does this discussion go? So this means we have a couple of challenges ahead.
We from ENISA will publish in a couple of days our ideas about cyber strategy to the future. So if you look to our website and single week, you will find a paper with our opinions. Yeah. Thank you for listening.
Thank you very much. Very enlightening presentation. One quick question that we had here from the audience is: what do you think is the reason why the number of security incidents that are reported is so low? Is it because we don't know they're happening, or because they're not reported?
Now, the question is that we have a discussion, which was the first time with the government and the industry. What is the threshold? And I think if you talk about incident reporting, it's on one hand that we from a government say, if you report something, then you will try to avoid reporting and do more security. So we said, then what is something that at least should be reported? And then the European process is something I would call everyone should be happy in the end because it's a compromise. And by this, sometimes it's a bit watered down.
So I think it's a combination of the first trial. We had the interest to get a bit done and then a bit of this compromise procedure.
Okay. Thank you very much again.