02 December 2021
Roadmapping A Cybersecurity Strategy For Europe
A key aspect of the original call for proposals, which led to the funding of the four pilot projects including CyberSec4Europe, was the implementation of a common cybersecurity research and innovation roadmap – also referred to as a research priority list.
The motivation for and significance of this roadmap is that it should clearly identify the short-, medium- and long-term priorities to be addressed by the European Cybersecurity Competence Centre and Network, which is now being put in place under the direction of the European Commission. It will provide the strategic direction not only for the Horizon Europe and Digital Europe funding programmes but also for the work of ENISA, Europol and other EU agencies and bodies.
CyberSec4Europe’s response to this directive is to publish a yearly research and development roadmap which aims to explore emerging threats and prioritise research directions, mainly in the areas of the seven verticals associated with the project: open banking, supply chain security assurance, privacy-preserving identity management in higher education, incident reporting in finance, maritime transport, medical data exchange and smart cities. The first roadmap published in 2020 focused on outlining the cybersecurity research areas associated with these verticals and establishing the most important priorities and challenges in the following 12-month and 24-month periods and by the end of the project.
Now in its third iteration, the contribution associated with each vertical has expanded to providing a ‘big picture’, a scene setter for the scope of the business and/or technology area being addressed. Although the vertical sectors being reviewed are also the subject of the project demonstrators, the scope of the roadmapping exercise goes beyond those individual use cases. For each vertical, questions are asked as to what is at stake and what could go wrong – and consequently what needs to be protected, identifying where possible who the attackers might be. In this latest report, we also look at the major incidents that took place over the last 15-20 years. With some of the verticals, the technology under the spotlight is sufficiently new that it hasn’t attracted any significant attacks, although we can only assume that this is just a matter of time.
The meat of the report looks at identifying and categorising the main cybersecurity challenges, also summarised in a detailed SWOT (strengths, weaknesses, opportunities and threats) analysis. The five to six challenges are analysed in terms of both their relevance to the ‘big picture’ and the mechanisms and tools needed to address them.
Mindful of current events beyond the ‘normal’ purview of cybersecurity, the report also takes a look at specific topics of global concern: the impact of – and on – Covid-19 and other health issues, the green dimension as well as the vertical’s influence on addressing climate change issues. Equally relevant are the insights provided on what impacts there may be pertaining to democracy. Each vertical is asked to highlight sector specific dimensions, which in one case included Brexit!
Now that the project is entering its final phase, the objectives each vertical would like to see accomplished are now set out in three new periods: by the end of the project, by 2025 and, hardest of all given the pace of changes in technology and cybersecurity, by 2030.
The overall report concludes with a survey of other current cybersecurity roadmaps – from the other three pilot projects, ENISA and Europol, all of which have fed into the comprehensive approach taken in the EU Cybersecurity Strategy for the Digital Decade which focuses on the following ten areas:
• Resilient infrastructure and critical services
• Building a European Cyber Shield
• An ultra-secure communication infrastructure
• Securing the next generation of broadband mobile networks
• An Internet of Secure Things
• Greater global Internet security
• A reinforced presence on the technology supply chain
• A Cyber-skilled EU workforce
• EU leadership on standards, norms and frameworks in cyberspace
• Cooperation with partners and the multi-stakeholder community
• Strengthening global capacities to increase global resilience
According to some, a distinguishing feature of roadmapping is the use of structured visual representations both to communicate and articulate strategic thinking. With that in mind, the roadmapping focus group, composed of representatives from the four pilots plus ECSO (that first came together in June 2020), produced a distinctive visualisation of a common research roadmap which can be supported by the entire community. After consultations with the JRC (Joint Research Centre) and DG CONNECT, the group has created a set of research priorities which will eventually find their way onto the Cybersecurity Atlas website. Although the focus group delivered its first input during the summer of 2021, it is envisioned that the bulk of its activities will happen over 2022, reaching its pinnacle during the second semester of 2022.
In the diagram above, the prioritised focus areas are ranked in no particular order. They are seen as most notable yet non-exhaustive. As expected, these focus areas are generally intertwined with each other. Also, the current scope of the group’s work does not yet cover research priorities with respect to specific vertical sectors, an additional dimension that will be addressed in future releases.
It is gratifying to realise that the EU’s early objectives to create a common cybersecurity roadmap generated by the wider community are slowly but surely coming together.
For further reading, D4.5 Research and Development Roadmap 3 will be published in early 2022. The previous release from CyberSec4Europe is D4.4 Research and Development Roadmap 2.