EUFINACCO

Financial Accountability in the European Union

About EUFINACCO

A new, informal network of academics from various disciplines (political science, public policy, law, economics, sociology, criminology), as well as practitioners, all working on issues related to financial accountability in the EU. Please join us at https://eufinacco.wordpress.com/.

The Author

We are a burgeoning network of 29 scholars from various academic disciplines (political science, public policy, law, economics, sociology, history and criminology), all working on issues related to financial accountability in the EU. We are recognised as a UACES (University Association of Contemporary European Studies) collaborative research network for the period 2015-2018. List of contributors.

EU Cybersecurity – A Swiss Cheese That Can Be Served as a Fondue?

eufinacco | 29 June 2022

By Thomas Ewert

An earlier article about asset restitution suggested the European Union (EU) takes its example from Switzerland. In cybersecurity, the EU’s institutions appear to be very Swiss – but unfortunately in the sense of a Swiss cheese full of holes. The European Court of Auditors (ECA) has recently investigated the level of cybersecurity of the EU’s institutions, bodies and agencies (EUIBAs). The conclusions are concerning – but there is hope.

The hungry mice: cybercriminals

The EU Cybersecurity Act defines cybersecurity as “identifying, preventing, detecting, responding to and recovering from cyber incidents” and to preserve the “confidentiality, integrity and availability of information” physically and electronically. This involves technical controls, government arrangements and cyber awareness programmes.

The number of cyberattacks against EU institutions is increasing. Their aims include espionage and stealth attacks (‘advanced persistent threats’). These have “political implications, harm the overall reputation of the EU and undermine the trust in its institutions.” The main field of action is digital, where attackers gain the first access to networks. The COVID-19 pandemic made the EUIBAs increase their digital information exchange, which enlarged the ‘attack surface’ for potential attackers. The EUIBAs reportedly used 15 different videoconferencing tools.

Between 2018 and 2021 the number of incidents increased tenfold. In the past 2 years, 22 EUIBAs have been hit by significant incidents. For example, data from the European Medicines Agency was leaked and manipulated in a way as to undermine trust in vaccines. Most cyberattacks require more than a single step to reach their final target and are not always direct. Many involve making staff download malware through phishing or social engineering.

The fridge: EUIBAs

The survey analysed the European Commission, the EP, the ENISA, the EBA, the EMSA, the EUAM Ukraine and the IMI JU. It was complemented with video meetings with the CERT-EU, the Information and Communication Technologies Advisory Committee (ICTAC) and the Interinstitutional Committee for Digital Transformation (ICDT).

The EUIBAs’ weakness is their inevitably high interconnectedness. Cyber criminals can invade one barely secured institution and use this as a door-opener to gain access to other EUIBAs. Overall, the EU’s institutions are not prepared enough against attacks. Their level of preparedness is very heterogenic and each EUIBA is responsible for its own cybersecurity.

Only 58% of the surveyed EUIBAs have an IT security strategy that involves its top management. Some 78% have an information security policy of which 75% are up-to-date. Admittedly, the EUIBAs’ security strategies are aligned well with their business objectives. Though only the Commission has structured procedures for monitoring its compliance with IT security policies. 60% of EUIBAs have no Chief Information Security Officer (CISO) and only in the large ones that position is independent of the institution’s IT department. The smallest EUIBAs have no cybersecurity experts at all and this area is managed part time by employees with an IT background. Some 58 of 65 EUIBAs follow a risk assessment strategy, but with no common framework. Of 7 institutions, only 2 carry out risk assessments that are not limited to their most important IT systems, but include their entire IT environment.

The chefs: EU staff

It is a major challenge is to find cybersecurity experts. They are scarce. EUIBAs compete for them against each other and the private sector. Recruitment procedures are lengthy, contract conditions uncompetitive and lacking attractive career prospects. All the more depends on regular employees. Some 95% of EUIBAs provide cyber-awareness training for all staff, 41% especially for managers and 29% for the heads of IT systems that contain sensitive information. In the past five years, 55% of EUIBAs organised simulated phishing campaigns. The Commission’s cyber awareness actions represent a good practice available to other EUIBAs. The ENISA and CERT-EU promote cooperation, but can only support and assist the EUIBAs.

The tests performed by CERT-EU have overall increased between 2014 and 2020. Penetration testing was introduced in 2014, Red team exercises and Phishing campaigns in 2017 and Vulnerability Assessment (Web apps) added in 2020. Vulnerability Assessment (IP ranges) increased more than ten-fold since 2019.

In the offices, sensitive information is not offline when not used. Mobile endpoints are a weak link, lacking security solutions. Patching policies and encryption could be more systematic. Strong points are the used firewall solutions and anti-virus programmes. However, key systems are being backed up. Between 2015 and 2021, only 34% of EUIBAs experienced no IT security audit. In the last five years, 69% performed a proactive test of their cyber defenses. Some 46% conducted Red team exercies involving multiple systems. Unfortunately, the EUIBAs do not always share their best practices with each other. The level of engagement in the cybersecurity subgroup (CSSG) of the ICDT is decided individually. Lacking a service catalogue, newly created agencies have to build their IT security from scratch. Some EUIBAs have neither a solution for exchanging sensitive non-classified information, nor common markings. And 20% of them have no encrypted email service at all.

The recipe book: recommendations

In order to bring the EUIBAs closer to the ideal, as envisaged by the Information Systems Audit and Control Association (ISACA), the ECA recommends three things:

Shift CERT-EU’s and ENISA’s focus onto less mature EUIBAs until the fourth quarter of 2022.
Have the Commission promote further synergies among EUIBAs in the ICDT and increase encryption use. Introduce common rules for sensitive non-classified information and economies of scale for common cybersecurity service contracts until the first quarter of 2023.
Increase resources for CERT-EU and introduce common rules for all EUIBAs. Have the Commission include in its forthcoming proposal on cybersecurity regulation the appointment of independent Information Security Officers and an overarching entity monitoring all EUIBAs’ compliance until the fourth quarter of 2023.

Exploring Europol – the agency’s reaction to its own limitations (Part 2)

eufinacco | 17 May 2022

A country’s location at the EU’s Southern and South-Eastern border is an important factor when it comes to smuggling. Naturally, migrant smuggling is much more common in these areas adjacent to non-EU states than in landlocked states and/or countries in Europe’s North. The importance of cooperation for information sharing Europol is reliant on information from […]

Exploring Europol: the European Union Agency for Law Enforcement Cooperation (Part 1)

eufinacco | 28 March 2022

Europol’s mission and characteristics The European Union’s (EU) body for law enforcement, Europol, was created in 1999 and has its headquarter in the Netherlands, Den Haag. The agency’s role is to help EU member states in combatting the smuggling of migrants. In that task, the agency is one of the main actors in EU policy-making. In its […]

Recovery and Resilience Facility and Cohesion Policy: a different kettle of fish?

eufinacco | 23 November 2021

In May 2020, following the outbreak of the COVID-19 pandemic, the European Commission proposed the creation of a novel recovery instrument, the Next Generation EU, aimed at ensuring a sustainable recovery across the EU. The Recovery and Resilience Facility (RRF) constitutes the most massive area of the Next Generation EU’s resources amounting to €723.8 billion in loans (€385.8 […]

The work programme of the European Court of Auditors: adjusting audits and special reports to Covid-19

eufinacco | 26 June 2020

On 30 October 2019, the European Court of Auditors (ECA) published its Work Programme for the year 2020, listing all the upcoming priorities, main challenges and key concerns for the EU’s finances. The 2020 Work Programme covers a wide range of areas and related problems the EU is currently facing, among them: the sustainable use of natural resources, migration, […]

The MFF 2021-2027: what role for the EP, what impact on citizens?

Ideas on Europe | 27 May 2020

By Chiara Russo A look to the (not so far) future While the UK has reported the highest number of deaths due Covid-19, countries like Italy are entering into “phase 2”, relaxing strict measures a little and allowing people, not only to meet their nearest relatives and friends, but to take their beloved espresso directly at a café. However, […]

What role for the ECB? Bringing symmetry to asymmetrical risk in the EU

eufinacco | 14 May 2020

What are the features of ESM Pandemic Crisis Support? On 23rd April 2020, EU leaders endorsed the Eurogroup agreement of 9 April 2020, which established three safety nets for workers, businesses and Member States, amounting to a package worth 540 billion Euros. Besides the three safety nets, this Eurogroup Report also agreed to establish the “Pandemic Crisis Support”. […]