Mediaboss Marketing

As the transition to a digital society is accelerating in recent years, especially after the coronavirus outbreak, the expectations of the European Citizens for a safer digital environment are growing. There is then an urgent need to combat cybercrime. In a previous article published on Lexology on this topic we had started to discuss of the ransomware attacks. We had thus described the relevant phenomenon and we had pointed out the legislative and policy frameworks in place in the European Union for facing this issue. In this second contribution, reference will now be made (always in an EU perspective) to the main actors in charge of dealing with the ransomware attacks (Chapter 2); we will then look at the strengths and weaknesses of the current system of EU defence from this invasive form of cyber-criminality (Chapter 3); finally, we will try to make some recommendations for improving the security of the Citizens within the European Union in such area (Chapter 4).

As already highlighted in our previous contribution[1] the first step towards the creation and development of an EU cybersecurity ecosystem was the adoption of a cybersecurity strategy in 2013[2]. This strategy identified the achievement of cyber-resilience and the development of industrial and technological resources for cybersecurity as its key objectives. As part of this strategy, the European Commission proposed the EU Network and Information Security directive2016/1148 (NIS Directive)[3].

We will now look at who are the main actors in charge of implementing the NIS Directive as well as the other initiatives advanced by the European Union to tackle the ransomware attacks.

In the first place, it shall be reminded that the NIS Directive has provided only that the EU countries shall put in place legal measures to boost the overall level of cybersecurity in Europe. This in essence with the intent of protecting the European critical infrastructure[4].

On the other hand, the NIS Directive has left basically to the free initiative of the Members States the regulation of aspects such as the sanctions to be imposed to the offenders in case of ransomware attacks. In addition, the NIS Directive did not impose on the EU Countries any obligation to share the information systematically with one another in case of cross-border ransomware attacks.

The above means that nowadays the single States of the European Union are the most important actors in the fight of the ransomware attacks. They indeed decide singularly on crucial aspects such as: (i) how the ransomware attacks shall be punished within their single jurisdiction; (ii) whether there must be any cooperation with the other Member States in case of ransomware attacks involving more countries.

It is then worthy to mention another important player which comes into consideration in the field of the cybersecurity in Europe, i.e. the European Union Agency for Cybersecurity (ENISA). ENISA contributes to the EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow [5].

ENISA was not entrusted with specific competences in the tackle of the ransomware episodes in the NIS Directive, but it is playing an important role de facto moving down the following directions:

Finally, it must be stressed that on 23 June 2021 the European Commission laid out a vision to build a newJoint Cyber Unit[8]. The Joint Cyber Unit will be a new body (with its own resources and offices) intended to provide full support to ENISA in ensuring an EU coordinated response to large-scale cyber incidents and crises such as the ransomware attacks. This new initiative is an important step which will allow ENISA (together with the Joint Cyber Unit) to further achieve a higher common level of cybersecurity within the European Union[9].

Finally, it is worth to be mentioned also the role played by the Council in tackling the cyber-crimes (and thus the ransomware attacks).

In this regard, in our previous contribution on this topic[10] we had reminded that the EU tried to reinforce its global response to the cyber-attacks (including ransomware) by establishing a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (the so called Cyber Diplomacy Toolbox)[11]. This framework basically allows the EU and its Member States (by way of an initiative to be taken by the Council) to use all necessary measures ... to prevent, discourage, deter and respond to malicious cyber activities [and thus also to the ransomware attacks] targeting the integrity and security of the EU and its member states .... In particular, the Cyber Diplomacy Toolbox gives the possibility to the Council to impose ... sanctions on persons or entities that areresponsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or materialsupportfor such attacks or who areinvolvedin other ways ... [12].

It is noticeable that, based on the Cyber Diplomacy Toolbox, the Council has been able to imposerestrictive measures againstcertain individualsand entitiesresponsible for or involved in theransomware-attacks publicly known asWannaCry andOperation Cloud Hoppe[13]. The sanctions imposed to the entities involved included severe measures such as thetravelban and theassets freeze.

Of course, it must not be forgotten that it is not particularly simple for the Council to take collective actions (such as the ones indicated above) based on the Cyber Diplomacy Toolbox. And indeed, the European Unions decision-making process to be activated in these cases is the same one to be applied for the foreign policy matters, requiring thus the unanimous decision of all EU governments. This is certainly a very high threshold not easy to be reached[14]. It follows that it is rather complicated for the Council to issue sanctions based on the Cyber Diplomacy Toolbox.

Being understood all the above, we will now try to summarize the main strengths and weaknesses of the European Union framework put in place for fighting the phenomenon discussed.

In the first place, it must be noted that the implementation of the NIS Directive and of the Cyber Diplomacy Toolbox has been very important at least in raising awareness in the European States regarding the cyber-criminal activities such as the ransomware attacks.

The NIS Directive has indeed given an incentive to the Member States to increase their cybersecurity capabilities for protecting themselves from these forms of criminality.

The Cyber Diplomacy Toolbox has, in turn, granted the possibility to sanction directly certain entities and individuals which have committed, inter alia, ransomware crimes.

On the other hand, both the legal frameworks mentioned above have their downsides.

The NIS Directive resulted in fragmentation at different levels across the internal market (given that for example such directive did not provide for a system of harmonized sanctions to be applied in the European Countries). In addition, the ENISA has not been given enough powers to help the EU Member States to tackle issues such as the ransomware attacks.

Further, the Cyber Diplomacy Toolbox requires a too burdensome process for dealing with the cyber-crimes. Indeed, as we have seen above, the Council can focus just on the major events and, in any case, the unanimity of the EU Countries is required to take actions against offenders committing for example ransomware attacks.

As it may be appreciated the phenomenon of the ransomware attacks is quite a complicated one. In the EU the battle is open and efforts are indeed spent by the different stakeholders involved to combat this issue effectively.

On the other hand, there is certainly room for improvement.

Based on the above findings (and on what has been discussed in the other article published on Lexology on this topic[15]), we will then try to suggest some recommendations aimed at tackling the ransomware phenomenon in a more efficient way within the European Union. In this regard it is noted the following:

Finally, apart from the above actions and recommendations (which are indeed directed at bolstering the fight of the specific kind of cybercrime at subject matter) one final consideration is worthy to be made.

It shall indeed not to be forgotten that issues such as the ransomware attacks in many cases can be avoided at the very beginning explaining to the users how to avoid them.

It is thus of the utmost importance that are continued to be promoted specific initiatives and dialogues with the EU Citizens regarding the common ransomware attack scenarios with the effect of aiming to raise awareness and share good practices and practical recommendations [18]. This with the final goal to eliminate the issue even before the crime is perpetrated counting on the fact that the EU Citizens (if properly trained) should be able not to fall into the traps posed on their way by the cybercriminals.

Read the original:
The European Union's efforts to tackle the phenomenon of ransomware attacks (Part II) - Lexology