Cybersecurity and Electronic Services Oriented to E-Government in Europe

Teresa Magal-Royo, José Macário de Siqueira Rocha, Cristina Santandreu Mascarell, Rebeca Diez Somavilla, Jose Luis Giménez López
DOI: 10.4018/978-1-7998-6975-7.ch016

Abstract

Cybersecurity in Europe, as in the rest of the world, has been legislated for only 20 years. Numerous governmental institutions such as councils offer electronic services through their recently created electronic offices. In all of them, the number of citizens who register temporarily or permanently to request online services related to the processing of documents and services with the government has increased significantly since the pandemic. Confinement has forced users to request numerous online services, where authentication is one of the most relevant aspects of safe and secure access. The European Union, through the Connecting Europe Facility (CEF) projects of the European Health and Digital Executive Agency (HaDEA), has allowed numerous institutions to connect through eIDAS, which was created to establish trust in electronic transactions between individuals, organizations, and government entities across European member states.

Chapter Preview

Introduction

This chapter shows the importance of digital services for public services around the world and in particular in Europe. The European Union has been working on the regulation and control of secure digital transactions in Europe for more than 20 years, and the chapter reviews the existing regulations, including the concepts of electronic identification (eID) and electronic IDentification, Authentication and trust Services (eIDAS), which are used by both companies and public institutions.

Due to confinement, the use of electronic services in public electronic offices worldwide has increased enormously, and it is therefore necessary to pose new challenges in the control and management of the sensitive data of citizens who access and share their data with public administrations.

On the other hand, the problems related to cyberattacks are very similar to those found in private companies. The most important challenge for Europe will therefore be, on the one hand, the detection of the types of massive attacks that can affect the use of citizens' data held by electronic offices and, on the other, the containment plans needed to control them at European level.

Finally, we mention examples of CEF projects that promote the implementation and use of the mechanisms offered by the European Union in the eIDAS regulation in electronic public services throughout Europe.

Cybersecurity remains a challenge for government websites: only 20% of all URLs assessed meet half of the 14 basic security criteria evaluated. This underlines the importance of significantly enhancing website security levels to ensure that users can trust public sector websites and services (EC, 2020).

In fact, e-Government refers to the use by national or local governmental authorities of ICTs that can reshape relations with citizens and businesses. It contributes to the evolution of smart cities when ICTs are integrated into strategies for citizen participation in public services and policy (Webster & Leleux, 2018).

The report e-Government Benchmark 2020, created by the European Commission, shows remarkable improvements across the board. More than three out of four public services can be fully completed online (78%). Users can find the services they are looking for via portal websites 95% of the time, and information about these services online nearly 98% of the time. European countries should improve the implementation of digital enablers in eGovernment service delivery. Users can use their own national eID for only half (57%) of the services that require online identification. Moreover, only half (54%) of online forms contain pre-filled data to ease completion. Users who want to obtain a service from another European country can do so in 62% of the services for citizens and 76% of the services for businesses. Citizens can use their own national eID solution for only 9% of the services from other countries; for businesses this number jumps to 36%. The main obstacle to cross-border use of digital public services is access to procedures requiring authentication: foreign national eIDs are accepted for only 9% of the services that citizens can access with a domestic eID. This indicates that the cross-border acceptance of eIDs still requires more research and implementation in national or local governmental institutions.

Key Terms in this Chapter

Network Security: Is concerned with the hardware, software, basic communication protocols, network frame structure, and communication mechanisms of the network. Information security in the network context deals with data integrity, confidentiality, availability, and non-repudiation while data is sent across the network.

Risk Assessment: The product or process that collects information and assigns values to risks for the purpose of informing priorities, developing or comparing courses of action, and informing decision making. It is the appraisal of the risks facing an entity, asset, system, network, organizational operation, individual, geographic area, other organization, or society, and includes determining the extent to which adverse circumstances or events could result in harmful consequences.

Risk Management Process: Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring, and reviewing risk.

Malware: Malicious software designed specifically to damage or disrupt a system, attacking confidentiality, integrity and/or availability.

Blockchain: Is a digital record of transactions. The name comes from its structure, in which individual records, called blocks, are linked together in a single list, called a chain. Blockchains are used for recording transactions made with cryptocurrencies. Each transaction added to a blockchain is validated by multiple computers on the Internet.

Electronic Identification (eID): Is a digital solution for proof of identity of citizens or organizations. It can be used to access benefits or services provided by government authorities, banks or other companies, for mobile payments, etc.

Electronic Identification, Authentication, and trust Services (eIDAS): Is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. It was established in EU Regulation 910/2014. It ensures that people and businesses can use their own national electronic identification schemes (eIDs) to access public services available online in other EU countries.

Fifth Anti-Money Laundering Directive (AML5): Is the standard for the prevention of money laundering and terrorist financing. AML5 entered into force on July 9, 2018 at Community level, with effective application at national level on January 10, 2020.

Electronic Authorization: The security mechanism determining and enforcing what authenticated users are authorized to do within a computer system. The dominant forms of authorization are DAC, MAC and RBAC. DAC (Discretionary Access Control) manages access using ACL (Access Control Lists) on each resource object where users are listed along with the permissions or privileges granted or denied them. MAC (Mandatory Access Control) manages access using labels of classification or clearance on both subjects and objects, and only those subjects with equal or superior clearance are allowed to access resources. RBAC (Role Based Access Control) manages access using labels of a job role that has been granted the permissions and privileges needed to accomplish a specific job or role.
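The three authorization models in the definition above differ in who holds the decision: the object's owner (DAC, via an ACL), a system-wide labelling policy (MAC), or the job role (RBAC). The following is an added example written for this page, not code from the chapter; the users, objects, labels, roles and permissions are constructed, and the three functions implement each model's rule as the definition states it.

```python
"""DAC, MAC and RBAC decisions side by side (constructed example)."""
from enum import IntEnum


# ---- DAC: an access control list on each resource object. Each entry names a
# user and the permissions granted; an empty set is an explicit denial.
ACL = {
    "tax_form.pdf": {"alice": {"read", "write"}, "bob": {"read"}, "eve": set()},
    "notice.txt": {"alice": {"read"}, "bob": {"read"}},
}


def dac_allowed(user, obj, perm, acl=ACL):
    """DAC: only what the object's ACL grants; unknown users or objects are denied."""
    return perm in acl.get(obj, {}).get(user, set())


# ---- MAC: classification labels on objects, clearance labels on subjects.
class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


CLEARANCE = {"alice": Level.SECRET, "bob": Level.INTERNAL}
CLASSIFICATION = {"tax_form.pdf": Level.CONFIDENTIAL, "notice.txt": Level.PUBLIC}


def mac_allowed(user, obj):
    """MAC: the subject's clearance must equal or exceed the object's label.
    A subject or object without a label is denied (no label, no clearance)."""
    if user not in CLEARANCE or obj not in CLASSIFICATION:
        return False
    return CLEARANCE[user] >= CLASSIFICATION[obj]


# ---- RBAC: permissions are attached to job roles; users are assigned roles.
ROLE_PERMS = {
    "clerk": {"read"},
    "registrar": {"read", "write"},
    "auditor": {"read", "export"},
}
USER_ROLES = {"alice": {"registrar"}, "bob": {"clerk"}, "carol": {"clerk", "auditor"}}


def rbac_allowed(user, perm):
    """RBAC: allowed if any of the user's roles carries the permission."""
    return any(perm in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def decision_log(user, obj, perm):
    """One record per check, the kind of entry an electronic office keeps for audit."""
    return {
        "user": user, "object": obj, "permission": perm,
        "dac": dac_allowed(user, obj, perm),
        "mac": mac_allowed(user, obj),
        "rbac": rbac_allowed(user, perm),
    }


if __name__ == "__main__":
    for u, o, p in [("alice", "tax_form.pdf", "write"),
                    ("bob", "tax_form.pdf", "read"),
                    ("eve", "tax_form.pdf", "read")]:
        print(decision_log(u, o, p))
```

Running it shows the models disagreeing on the same request: bob may read tax_form.pdf under DAC (the ACL grants it) and under RBAC (clerks read), but not under MAC, because his INTERNAL clearance is below the CONFIDENTIAL label. A system that combines models should require every applicable one to allow, and deny by default whenever a user or object carries no entry at all.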

Cyberattack: Any attempt to violate the security perimeter of a logical environment. An attack can focus on gathering information, damaging business processes, exploiting flaws, monitoring targets, interrupting business tasks, extracting value, causing damage to logical or physical assets or using system resources to support attacks against other targets.

Network Resilience: The ability of a network to: (1) provide continuous operation (i.e., highly resistant to disruption and able to operate in a degraded mode if damaged); (2) recover effectively if failure does occur; and (3) scale to meet rapid or unpredictable demands.

Cryptography: The application of mathematical processes to data at rest and data in transit to provide the security benefits of confidentiality, authentication, integrity and non-repudiation. Cryptography includes three primary components: symmetric encryption, asymmetric encryption and hashing. Symmetric encryption is used to provide confidentiality. Asymmetric encryption is used to provide secure symmetric key generation, secure symmetric key exchange (via digital envelopes created using the recipient's public key), verification of source, verification/control of recipient, digital signatures (a combination of hashing and use of the sender's private key) and digital certificates (which provide third-party authentication services). Hashing is the cryptographic operation that produces a representational value from an input data set. A hash computed before and a hash computed after can be compared to detect whether integrity was preserved or violated.
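The before-and-after hash comparison in the definition above, as an added example written for this page (not code from the chapter). The record and the key are constructed. It also shows the caveat a practitioner needs: a bare hash detects accidental change but not deliberate tampering, because whoever alters the data can recompute the hash; binding the value to a key (here a symmetric HMAC, the same role a digital signature plays with the sender's private key) is what ties it to a source.

```python
"""Integrity check by hash comparison, and why a keyed tag is needed for source
verification. Constructed example; SHA-256 and HMAC from the standard library."""
import hashlib
import hmac


def digest(data: bytes) -> str:
    """Hashing: a fixed-size representational value of the input (SHA-256, hex)."""
    return hashlib.sha256(data).hexdigest()


def integrity_intact(data: bytes, stored_digest: str) -> bool:
    """Compare the 'after' hash with the stored 'before' hash in constant time."""
    return hmac.compare_digest(digest(data), stored_digest)


def tag(data: bytes, key: bytes) -> str:
    """Keyed tag (HMAC-SHA256): only a holder of the key can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authentic(data: bytes, key: bytes, stored_tag: str) -> bool:
    """Verify data and source together; the tag cannot be recomputed without the key."""
    return hmac.compare_digest(tag(data, key), stored_tag)


# Constructed sample: a record an electronic office might store, and an altered copy.
ORIGINAL = b"applicant=alice;service=residence-certificate;fee=0"
TAMPERED = b"applicant=alice;service=residence-certificate;fee=0;approved=yes"
KEY = b"constructed-demo-key-not-for-production"


def demo() -> dict:
    """Return the outcome of each check so the differences are visible side by side."""
    before_hash = digest(ORIGINAL)
    before_tag = tag(ORIGINAL, KEY)
    return {
        # Unchanged data: both checks pass.
        "unchanged_hash_ok": integrity_intact(ORIGINAL, before_hash),
        "unchanged_tag_ok": authentic(ORIGINAL, KEY, before_tag),
        # Altered data against the stored values: both checks fail.
        "tampered_hash_ok": integrity_intact(TAMPERED, before_hash),
        "tampered_tag_ok": authentic(TAMPERED, KEY, before_tag),
        # If the attacker can also replace the stored hash, a bare hash is
        # recomputed and passes; the keyed tag cannot be forged without KEY.
        "tampered_with_replaced_hash_ok": integrity_intact(TAMPERED, digest(TAMPERED)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The practical consequence is that an integrity hash must be stored somewhere the data's author cannot rewrite (a signed manifest, a separate trust store), or replaced by a keyed tag or digital signature whenever the question is "did this come from the claimed source", not only "was this changed by accident".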

Information Security Incident: A single event or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.

Distributed Ledger Technology (DLT): Is a digital system for recording the transaction of assets in which the transactions and their details are recorded in multiple places at the same time. Unlike traditional databases, distributed ledgers have no central data store or administration functionality. In a distributed ledger, each node processes and verifies every item, thereby generating a record of each item and creating a consensus on each item's veracity. A distributed ledger can be used to record static data, such as a registry, and dynamic data, i.e., transactions.

Identity Verification: Is a process that ensures a person's identity matches the one it is supposed to be. Identity verification ensures that there is a real person behind a process and proves that this person is who he or she claims to be, preventing both someone from carrying out a process on our behalf without authorization and the creation of false identities or the commission of fraud.

Vulnerability: A characteristic or specific weakness that renders an organization or asset (such as information or an information system) open to exploitation by a given threat or susceptible to a given hazard. A characteristic of location, security posture, design, security procedures, internal controls, or the implementation of any of these that permits a threat or hazard to occur. Vulnerability (expressing degree of vulnerability): a qualitative or quantitative expression of the level of susceptibility to harm when a threat or hazard is realized.

Electronic Authentication: The electronic process of establishing confidence in user identities presented to an information system; the process of proving that an individual is a claimed identity. Authentication is the first element of the AAA services concept, which includes Authentication, Authorization, and Accounting. Authentication occurs after the initial step of identification (i.e. claiming an identity). Authentication is accomplished by providing one or more authentication factors: Type 1, something you know (e.g., a password, PIN, or a combination of them); Type 2, something you have (e.g. a smart card, RSA SecurID fob, or USB drive); and Type 3, something you are (e.g. biometrics: fingerprint, iris scan, retina scan, hand geometry, signature verification, voice recognition, and keystroke dynamics).
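A two-factor check combining a Type 1 factor (a password, stored only as a salted PBKDF2 hash) with a Type 2 factor (a time-based one-time code of the kind a software token or hardware fob displays, computed as in RFC 6238/RFC 4226). This is an added example written for this page, not code from the chapter: the user record, salt and password are constructed, and the token secret is the RFC 4226 test key so the codes can be checked against the published vectors.

```python
"""Two-factor verification: salted password hash (Type 1) plus TOTP (Type 2).
Constructed example using only the standard library."""
import hashlib
import hmac
import struct


# ---- Type 1: something you know. The password is never stored in clear.
def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), stored)


# ---- Type 2: something you have. HOTP (RFC 4226) truncation of HMAC-SHA1,
# with the counter derived from time in 30-second steps (TOTP, RFC 6238).
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock drift.
    Every candidate is compared in constant time; a real deployment must also
    reject a code that has already been used (not shown here)."""
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# ---- Constructed user record. The TOTP secret is the RFC 4226 test key.
SALT = b"constructed-salt-16b"
USER = {
    "name": "alice",
    "pw_hash": hash_password("correct horse battery", SALT),
    "totp_secret": b"12345678901234567890",
}


def authenticate(user: dict, password: str, code: str, at_time: float) -> bool:
    """Both factors are always evaluated so a failure does not reveal which one failed."""
    ok_know = verify_password(password, SALT, user["pw_hash"])
    ok_have = verify_totp(user["totp_secret"], code, at_time)
    return ok_know and ok_have


if __name__ == "__main__":
    print("code at t=59:", totp(USER["totp_secret"], 59))  # RFC 6238 vector: 287082
    print("login:", authenticate(USER, "correct horse battery", totp(USER["totp_secret"], 59), 59))
```

Identification (the username) is handled before this step, as the definition says; the function only answers whether the presented factors match the claimed identity. Accounting would log the outcome of each call.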
