Munich, 7 February 2022
Keynote speech by Vice-President Schinas at the Munich Cyber Security Conference (MCSC) 2022:
Dear Chair Wintergerst,
Dear Mr. Easterly,
Ladies and gentlemen,
It is a pleasure to be with you today, for this year’s special edition of the Munich Cyber Security Conference when Germany’s “secret capital” becomes for a few days the beating heart of European security.
I call it a ‘special’ edition, not only due to its format as imposed by the pandemic, but also because the current geopolitical security context urges us to rethink how to equip our society and systems to fend off the attacks that may still come with devastating consequences.
Look around us.
At our direct eastern external border, in Belarus, we see an authoritarian regime using human lives to put pressure on our Member States and plant the seeds of division in our societies, also using information manipulation to advance its agenda, attacking the West and the EU, our values and everything we stand for.
Most recently, our neighbour Ukraine has been hit by a wave of cyberattacks targeting its ministries and banks, only aiming at destabilizing the country, with the risk of further escalating the already tense situation.
But these two events are not isolated situations. Every day we hear of a new cyberattack or attempted one on our soil, and in our neighbourhood.
This summer, it was the Irish health system that was paralysed by a cyberattack; then a supermarket chain in Sweden; and even local administration in my home town, Thessaloniki, in Greece. Last month, oil suppliers in Belgium, the Netherlands and Germany were targeted. Last week, a major telecommunications operator in Portugal.
And we know that our neighbours and partners across the world are also under attack.
This is not innocent. This is not business as usual. Just look at these attacks. Look at how pervasively they are evolving to reach the heart of our democracies.
Because not only their patterns but also the motives of these attacks have changed. They no longer just have an economic rationale. They target ever more sectors and entities that are critical to the functioning of our economies and of our societies.
And, when successful, behind these administrations, oil suppliers and hospitals, it is the lives of our citizens that are at stake. [And our citizens are increasingly becoming aware of this – as this year’s Munich Security Index indicates.]
In such an intense geopolitical context, we cannot fail to take this groundswell of threats seriously. We cannot allow these malicious actors to penetrate our defences, whether those of our institutions or those of our citizens’ daily lives. We cannot allow them to operate in the shadows to cripple our economies, instill distrust in our democratic institutions and pit our fellow citizens against each other.
[Bringing cybersecurity to the core of security]
What we need to do is to adapt our approach to security and our means to these protean threats. To move away from traditional, siloed visions of security; to disseminate security considerations across all our fields of action; and to mobilise all the means we have at our disposal, across the board, to provide a relevant and adaptive response to the threat. This is what we did in response to the crisis in Belarus. [This is what we stand ready to do with Ukraine, should the situation escalate further.]
And I think a key here is to mobilise the full potential of cyber security. Taking cyber out of its ‘tech’ silo and putting it at the core of our security and defence.
Because in the world we live in, before an unfriendly tank crosses your border or a plane violates your airspace, it is your networks that will have been tested and attacked – and at the same time there will have been attempts to convince your citizens through various media that you are not able to keep them safe.
This is what we are doing in the EU today. We are tapping into the immense potential of cybersecurity expertise, knowledge and information across our 27 Member States to build together our capacity to be prepare to, deter and respond to cyber and hybrid threats.
On the legal side, first. We have always been at the forefront of providing a clear and advanced legal framework to protect businesses and citizens against such threats. And, in the face of these new threats, we are taking this legal framework to the next level to make it future-proof.
Firstly, by equipping Member States with measures to ensure a high level of physical and digital security of our critical entities, across a wider spectrum of sectors, from industry to public administration. [This is our proposals for a revised NIS directive and for a directive on the resilience of critical entities.]
Then, by setting high standards for the cyber-resilience of our supply chains. ENISA, the EU Agency for cybersecurity, assessed that attacks on the supply chain have multiplied by 4 in 2021 compared to 2020. This is why President von der Leyen has announced the proposal of a Cyber Resilience Act before the end of the year. This Cyber Resilience Act will serve as to enhance the security of ICT products – those products that are most often the loophole through which malicious actors rush in to attack us.
But we also need to continuously upgrade our operational capacities to be able to detect coming threats sufficiently in advance, but also to provide a clear and robust response. This is why we are investing substantially in cyber-defence centres with new equipment for early detection, thus enhancing our EU cyber shield. We are also taking bold steps to bring together the EU’s cyber capacities across EU bodies and Member States authorities from the civilian, diplomatic, law enforcement and cybersecurity communities through the upcoming Joint Cyber Unit, to make sure they exchange timely information and can coordinate responses to cross-border cybersecurity attacks.
A vital aspect when it comes to strengthening our operational capacities is ensuring we have sufficient people with the skills to master cybersecurity tools, and to develop disruptive, breakthrough technologies for our cybersecurity. Today, Europe is short of the cybersecurity professionals it needs.
As Vice-President responsible for coordinating the EU’s work both in the areas of skills and security, I see the urgent need to boost the number of specialists in cyber-security in Europe. For this reason, I call on all of you to join forces and make concrete pledges to train professionals on cybersecurity skills. Time is of the essence. The Commission stands ready to support your ambition and commitments, through the Pact for Skills launched a year ago. And I will come next year to the Munich Security Conference, with results, to show that our commitments are being delivered on the ground. And that Europe will have the cybersecurity experts it needs to face future security threats.
One thing is clear: The emerging cyber-threat landscape is a global threat as no one is immune to cyber and hybrid attacks, and it challenges the basic principles on which our multilateral order has been build.
For this reason we need a common response, joining forces with like-minded partners, not just to project our unity in this complex geopolitical setting, but also to step up our preparedness and resilience.
Recent developments on our Eastern border show the EU-US partnernship at technical level can bring successful results. We now need to bring this technical cyber cooperation to the political level.
We need to set the global rules of the game, while at the same time providing fast, operational support to our friends, allies and neighbours to build up their resilience when facing threats.
In short, we need to pool our political, economic and technological resources to create a ring of resilience together, giving as little leverage as possible to malicious cyber actors.
Ladies and gentlemen,
These days we are reminded strongly of the reality of escalating geopolitical tensions both in the physical and cyber space.
What is at stake here is not mere economic or territorial gain, but our principles, our values, and foundations of our democracies.
Beyond words, we need actions. To face and respond to these threats. To “turn the tide”, to quote the title of this year’s Munich Security report.
Clouds are drifting, fast, that is true. But let’s not forget that every one of them has a silver lining. We need to join forces to address together these challenges in the cyberspace.
Thank you very much, and I look forward to the productive discussion at the conference.