What do you get if you take an ENISA, add a sprinkle of CERT-EU, a pinch of EDA, a ladle of CyCLONe, a dollop of EU LE ERP, combine with the EEAS, sauté over a PESCO, a slice or two from your CSIRTs, stir with the spoon of an NIS Cooperation Group, add a J-CAT and an EC3, and slow bake over a horizontal working party?
The answer, ladies, gentlemen, boys and girls and non-binary friends, is apparently a European Joint Cyber Unit, ready to storm to the scene of the cyber crime, sometime in 2023, maybe.
If The Stack's inbox was any guide this morning, cybersecurity vendors are enthused by the fact that the European Commission (EC) has belatedly roused itself to a cyber threat that has now awoken all but the deepest of sleepers, and plans to create a Joint Cyber Unit with EU Rapid Reaction™ teams.
Do they smell oodles of money? Do they? They'll need to be patient.
The European Commission -- in its own predictable hodge-podge of documents supporting the news (who dipped into Annex 2 of the Second Progress Report under the EU Security Union Strategy? We did*) notes that the planned European Joint Cyber unit has been a long time coming: "It builds on the work started in 2017, with the Recommendation on a coordinated response to incidents and crises - the so-called Blueprint," the EC's release notes.
And therein lies the rub. Few things in Europe happen fast, even if it continues to cook up a mean alphabet soup. And the distinct risk remains that by the time the umpteen overlapping and sometimes competing organisations are brought together, nation states will have their own robust NCSC-equivalents in place anyway and not want a messy pan-European organisation sniffing about their critical infrastructure anyway.
Jens Monrad, Director, EMEA, Mandiant Threat Intelligence would not be as facetious and sceptical as we are perhaps being, but does point out in an emailed statement that: "EU countries still control their national security, and even within agreed EU treaties, there are exempts on law enforcement collaboration."
His wish? "Even stronger focus on private-government collaboration, similar to what we have observed in the United States. The rapidly evolving cyber threats and the future threat landscape calls for a more vital private-government partnership where information on threats can be shared and communicated effectively across EU member states." But Mandiant, like other vendors, might need to wait.
The European Joint Cyber Unit fact sheet suggests the EC hopes to get the private sector involved in sharing intelligence, sometime after June 2023, by which point it hopes to be able to "involve private sector partners, users and providers of cybersecurity solutions and services, to increase information sharing and to be able to escalate EU coordinated response to cyber threats." It's striking that this isn't happening yesterday, if not earlier.
If the European Joint Cyber Unit takes shape and starts taking names, it will, however, be a genuinely proud example of strong cross-border, multi-lateral cooperation -- and there are no doubt under-resourced member states which will be grateful of the help. As Steve Forbes, a government cyber security expert at Nominet, puts it: "The new cyber unit will set a powerful precedent for international collaboration as central to our future global cyber defence.”
And although the mills of the European Commission grind slowly, they also often grind exceedingly fine. Both the cybersecurity industry and public sector authorities across the EU would be wise to stay abreast of the plans..
The European Joint Cyber Unit: In brief
The Joint Cyber Unit will be up and running by June 2023. Think of it as a combination between a giant SOC and an incident response specialist. It will act as a platform to ensure a "EU coordinated response to large-scale cyber incidents and crises, as well as to offer assistance in recovering from these attacks", the EC notes.
It will "establish and mobilise EU Cybersecurity Rapid Reaction Teams"; "facilitate the adoption of protocols for mutual assistance among participants"; "establish national and cross-border monitoring and detection capabilities, including Security Operation Centres (SOCs); and more." Funding will primarily come from the Digital Europe Programme, with the possibility of further support for member states from the European Defence Fund.
*It reminds readers that the EC plans to adopt a Regulation on Common Cybersecurity rules for EU institutions, bodies and agencies in Q4: Missed the opportunity to feed back on these? Fear not, you're not alone. The European Commission lists just ONE response from industry: we think CrowdStrike deserves a smattering of applause.