A special delegation of seven Members of European Parliament is in Washington this week to discuss with US politicians and experts how to address hybrid threats, cybersecurity, and foreign information manipulation. In an interview with EU Perspectives, cybersecurity expert Ari Schwartz explains why transatlantic cooperation remains crucial and where Europe’s weaknesses lie.

The EU and the US face similar challenges from hybrid warfare, cybercrime, attacks on critical infrastructure and foreign information manipulation and interference. Cyber incidents increasingly pose national security, economic and public trust risks, yet many countries still lack a coherent, actionable strategy.

MEPs have held discussions with representatives of the Department of Justice, the US Congress, and the Federal Bureau of Investigation as well as with leading experts on cybersecurity. One of those experts is Ari Schwartz, Executive Director for the Center for Cybersecurity Policy and Law. Mr Schwartz is a former member of the White House National Security Council, where he served as Special Assistant to President Obama and Senior Director for Cybersecurity.

Similar problems on both sides of the Atlantic

In a recent report titled Developing a National Cybersecurity Strategy, the Center for Cybersecurity Policy and Law lays out concrete steps governments can take to assess cyber risk, clarify roles, engage the private sector and build durable governance, that is, to move beyond high-level rhetoric to implementation.

Mr Schwartz explained that the problems faced on both sides of the Atlantic are still very similar. “I wouldn’t say that one side has the problem solved and the other one is struggling. I think it is a big problem for both the EU and the US. In some ways, we are relying on each other in terms of protecting cybersecurity,” Ari Schwartz says.

That will be music to the European delegation’s ears. A recent resolution by the European Parliament underlined the importance of transatlantic cooperation, stating that a strong partnership with the United States and Canada within NATO remains central to the European security architecture.

Different frameworks, common goals

Mr Schwartz told EU Perspectives that cooperation is important as is understanding the different frameworks. “It is important to work together and that remains the case even if in other areas the US regulatory structure generally tends to be more industry-specific. The US approach relies on either new cybersecurity rules for specific industries or existing security rules that are then applied to cyber. Whereas in Europe, you have the new regulatory structure that kind of overlays it all. The Cyber Resilience Act (CRA) is the newest one, but also Network and Information Systems (NIS) I and NIS II as well. The Digital Operational Resilience Act (DORA) is probably closer to an example of something the US has had in the past,” he said.

“But in general, we are just seeing the regulatory structure being put into place in Europe. And even when you talk to the regulators, they say, ‘We have done the regulating. Now we have to make sure that it works’,” Ari Schwartz continued.

Focus on security, not compliance

One area that Mr Schwartz is keen to stress with MEPs is around simplification. “You really don’t want to have a structure where all of our security work is spent on compliance and not actually doing security,” he said.

“I think most people understand that at this point. But to give an example in the US, in the financial world, where there are different kinds of regulation fitting together, you could have six to eight requests for audits a quarter and that quickly adds up. Over a year that’s around 30 audits, as opposed to one audit that can be used 30 different times. I think that would make more sense to everybody involved,” explained Mr Schwartz.

And he had a warning for the EU. “I think we are at the stage in Europe where we are starting to see a similar situation where we could end up spending a lot more on compliance. I do not think that that is anyone’s intent. So the question is, how do you go about building the structure so that you do not end up with lots of people doing compliance, and not that many people doing actual security?”

“You do not want a situation where you have three people that focus on a particular type of cybersecurity in a specific sector, and all they are doing is auditing and not figuring out what technologies they need and how to get them or even how to build them from scratch if they need to. So that is what I mean by real security versus compliance. You need to build regulations in a way that can work for both small countries and big countries. You need to understand why the strategies need to be flexible,” Mr Schwartz added.

National security as highest priority

While researching the report, he found that national security remained the highest priority for most people he talked to in Europe and around the world. “It is because you have the biggest risks there,” Mr Schwartz stressed.

“We still see a lot of discussion about technologies that are well past their end of life, being used in the critical infrastructure space, which is pretty scary. In the past if you wanted to cause havoc with critical infrastructure, you would need someone physically on the inside. But now, because it is connected to the internet, you can see what version is running, and when it is out of date, and it is probably not patched, so you can take advantage of that. It is true there are still a lot of older technologies that are very bespoke, and therefore harder to hack, but that is not always the case,” Ari Schwartz said.

EU-level strategy crucial

Overall, Mr Schwartz was sure there is absolutely value in an EU-level strategy. “There’s value in having an idea of what a strategy looks like across the region and what trends should look like across the region. But I think there needs to be enough flexibility as well to understand a smaller country that has not focused on some of the things that some of the larger countries have. You are going to have different viewpoints. So you don’t want it too rigid. I think you need to be able to move the different pieces around it within a strategy. But building regulation for critical infrastructure, and deciding what is most important, I think, is of great value.”

In terms of specific policies such as the newly introduced ICT Supply Chain Security Toolbox developed by the NIS2 Cooperation Group, Mr Schwartz said the focus on supply chains is imperative.

The toolbox outlines risk scenarios and recommends mitigation measures, including the assessment of critical suppliers, the importance of multi-vendor strategies and approaches to overcome dependencies on high-risk suppliers.

Critical role of supply chains

“Supply chains are critical,” he agreed. “But we are also thinking, right now, in terms of quantum computing, and the risks down the road of the ability to hack existing cryptography, the ability to get access and then store it. So the more access that third parties have leads to greater risk. So the combination of several different things, I think are leading to a lot more discussion about the critical supply chain risk and how you go about dealing with it, which sometimes leads to sovereignty questions, sometimes leads to standards questions. I don’t think we have the full solution yet,” he concluded.

The European Parliament delegation is led by Special Committee on the European Democracy Shield’s chair Nathalie Loiseau (Renew, FRA). It comprises Lukas Mandl (EPP, AUT), Tomáš Zdechovský (EPP, CZE), Christel Schaldemose (S&D, DNK), Jaroslav Bžoch (PfE, CZE), Beata Szydło (ECR, POL), and Helmut Brandstätter (Renew, AUT).