Strategy
An expert interview with Prof. Udo Helmbrecht, Executive Director of ENISA

Cyber security in Europe

Prof. Udo Helmbrecht, Executive Director of ENISA
The European Union Agency for Network and Information Security (ENISA) is a competence centre for cybersecurity in Europe. From its headquarters in Greece, it contributes to improving network and information security in the European Union and promotes the further development of awareness and the security culture in European society. Executive Director Prof. Udo Helmbrecht has been working for ENISA since 2009. The German national was previously President of the Federal Office for Security in Information Technology – BSI for short. Previously, the PhD physicist occupied several positions in the private sector and, since 2010, he holds an honorary professorship at Bundeswehr University. He gives us an insight into the current topics of his institution.

Prof. Helmbrecht, what is the importance of cyber security for EU leaders?

Its significance has grown immensely. There are naturally many pressing issues from different policy areas on the agenda of the commissioners. However, it is clear that cybersecurity is taken very seriously and that there is a desire to protect Europe in a comprehensive way. The EU GDPR, NIS Directive, Cybersecurity Act or EU Cyber Diplomacy Toolbox are some examples that show that such efforts lead to far-reaching legislation and comprehensive action.

How does ENISA help to make Europe safer?

On the one hand, we help Member States with the implementation of EU regulations. A particular focus here is on small countries. On the other hand, we are also the source of ideas or dialogue when it comes to identifying technologies that will be so important in five or more years that they should be regulated at the European level. About eight years ago, cloud computing was such an issue. And you can see today how important it has become in the real world.

Today, the discussions revolve around blockchain, or quantum computing. Another focus of our activities is specifically concentrated on critical infrastructure and strategically important topics. A major challenge focusing particularly on the healthcare sector is an initiative that we actively support. On the other hand, the lack of experts is an issue in which we act in an advisory capacity. For example, when it comes to defining who will be required today and in the future at the EU level. We cannot “clone” anyone, and we need to be aware that it may take several generations to train the required number of experts.

The EU GDPR has been in force for several months in all EU countries. How has this been from your perspective?

It is too early to draw any final conclusions. It was noticeable that, although there were some companies that prepared themselves early for the start date, many companies waited until “the last minute”. They did not take a closer look at the new legislation until the spring. All in all, it has been and is very positive for me to see that the focus on data protection and IT security has increased sharply. We already had, even before the EU GDPR, data protection laws, corresponding processes and responsibilities in companies as well as in public authorities.

However, since May 2018, the topic has gained momentum again. There is a lot going on. State governance structures in the Member States were also created or expanded. It is much easier to see today who the contact persons are in the different countries. Another positive factor is that the legislation is receiving international attention. In contrast, the development of “warning lawyers” worries me. This problem can lead to difficulties, especially for small businesses.

Prof. Helmbrecht, are we currently living in a golden age for hackers?

If you compare the gold rush mood in the Wild West with the advent of new business models such as blockchain and the like, you could see it that way. Criminals are and have always been around. Today, they make use of the internet and sometimes even carry out state-sponsored attacks. At the same time, institutions such as the police are substantially increasing their pool of experts and Europol has established the Cybercrime Centre. Governments are thus investing. And so are companies. The level of investment in prevention and response are increasing, thereby improving abilities to fend off attacks.