Steve Purser: ENISA helps best cyber security practices to spread across member states and across communities

He is Head of Core Operations Department of the European Union Agency for Network and Information Security

Steve Purser was born in the UK and attended the universities of Bristol and East Anglia where he obtained a BSc. in Chemistry and a PhD in Chemical Physics respectively. He started work in 1985 in the area of software development, subsequently progressing to project management and consultancy roles. From 1993 to 2008, he occupied the role of Information Security Manager for a number of companies in the financial sector. He joined ENISA in December 2008 as Head of the Technical Department and is currently responsible for all operational activities of ENISA. Steve is currently a member of several Steering Boards and Advisory Committees, including notably the Steering Board of the CERT EU and the Programme Board of the EU Cyber Crime Centre.

Tell to our audience in simple terms what the European Union Agency for network and Information Security is doing? How does ENISA protect the European citizens?

ENISA is the European Cyber Security Agency, so the organization has a very wide mandate. In theory we can do anything in private security, but in practice of course we try to do only those things which we do better than others. So that is the first point, we are very careful about the kind of projects we undertake. We do everything by working hand in hand with other communities. But our way of working is that every time we come up with something we need to do, we create a group of people taken from cooperational communities, we work together with them. We tend to concentrate on pragmatic economically viable solutions. To give some examples – we do work in the area of educating the citizens through the European Cyber Security Month. We do work in terms of securing what is known as critical infrastructure. Critical infrastructure is the infrastructure that member states need to keep running in order to be able to go about their daily lives. So these are things like energy grids, hospitals and the communication systems etc. And our job is really to identify where people are doing things well, something we call best practice, and our approach really is help best practices to spread across member states and across communities, so that people won’t need to invent the wheel and so that people learn from each other.

Now we have three types of work. We create some other papers, which are recommendations, essentially - we do about 50 a year, and they are all on our website. They are also free and you can find them. And these are on a variety of subjects, ranging from new things like Internet of things. They give very pragmatic recommendations on what to do about particular problems. We support policy implementation. An example - Europe had a number of what are called security breach notifications running at the moment. And we help to design the process in such a way that it can be done within reasonable time, cost and in such a way that we get benefit from it, so that is so supporting policy implementation; and then last but not least – we do a lot of what we call hands on work which is things like planning the cyber security exercise, which we believe is the biggest cyber security exercise in the world, all 28 member states play.

You mentioned European member states and European communities and countries, but are you as well cooperating with European mayors? Do they support your efforts?

We would be very open to cooperation, but this does not ring a bell. That is not to say that we are not doing it, but we have a lot of projects, and I don`t know every stakeholder and every project by heart, but certainly it sounds like if we are not cooperating with mayors, then certainly we will be open to it.

In September, ENISA launched the Cybersecurity Strategies Evaluation Tool. How does ENISA help EU member states with their cybersecurity strategies?

I think it is very illustrative of the way the ENISA works. So, again, If you think about the way that institutions work, the Commission comes up with legislation, either with policy and strategy. We of course support them in this, so we give input in all these processes so as to make sure that the future legislation and policy is done in the right way. But a lot of what we do is much more practical, so we are really trying to provide advice on a daily basis with things people are struggling with at the moment. So we look at how the high level statements that you would typically find in a piece of legislation or in a policy can be translated into very concrete choices and that is exactly what this kind of guidance does. It tells people how to select particular control and how to design particular process and how to use particular tools based on the way they analyze their own risks. This is very important because ENISA believes very strongly in risk based security so there is no one solution for everybody. You have to help people to pick the right solution for their particular problem. Now by giving them the available options and guiding them in the use of those options, we believe it is the best that we can do.

ENISA is now also tasked with cybersecurity certification, this means that everything from toasters to atomic submarines needs to be certified. At what stage you are in achieving this goal?

This is something that is in our new mandate. At the moment under the current mandate of ENISA we do not have certification responsibilities so we are preparing for this once the new mandate comes into force. But indeed as you said it is very big thing it is very important change, a huge change for ENISA, and at the moment we are considering how to set the governance framework. So again it will not be ENISA that is doing this on its own in an ivory tower. We are doing this together, working with the experts in the member states, the public and the private sector. In Europe for instance at the moment we are already doing high level security certification and it works very well.  We have no intention of changing this or reinventing the wheel, we will work hand in hand with them. I think where the big opportunity is, is when you look at the lower risk scenarios which are things like consumer electronics or even the use of IoT technology in factories, hospitals etc. It is still quite a high level risk but perhaps one of the highest risks is in nuclear power stations, etc. And here I think, there is a lot of scope for creating something new. Say, for example consumer electronics area - there is nothing. So if you were to decide to install a new IoT monitor in your home, there is no certification scheme for these things. So we are working together with particular industries at this risk level if you like. We are trying to decide how we can do it in a way which matches the time’s market and scalability of these products. So Gartner thinks there will be 20 billion devices by 2020 which gives you an idea of the scale of the thing. And the times the market is very short and competitive, and cost as well. So you can’t spend a fortune certifying something under these conditions and that is where we are working together with the industry to try and define the best way forward.

October 2018 is a European Cyber Security Month - what initiatives and campaigns ENISA has implemented?   

Well ENISA rather works together with all the 28 member states to help them organize this. So the idea is that for a whole month we are keeping security in light so we are making sure that there is always something going on. And we work together with all the member states to try and get them to work together so they pass the message, then that message may be stuck in the UK , and then France picked it up and maybe Germany, so there are lots, and lots of initiatives that are going on and some of them are electronically given by the website, some of them are comprehensive that are done in the members states but our job really is to encourage people to participate, to bring them together, to set the teams so every month there is a certain set of teams. And to provide the framework for the whole thing.