EU and Cyber Security: New Player against Emerging Threats in Cyberspace – Part One of Three

Transport, energy, health, and finance are the most vulnerable sectors exposed to cyber-threats. Issuing the EU Cybersecurity Strategy in 2013 was an important step forward in developing a common framework; however, the strategy lacked the practical initiatives that would deliver tangible outcomes.

By Rusudan Zabakhidze

In the past decade, cyber warfare has become an exceptional phenomenon that has increased the vulnerability of individuals, non-state actors, and state actors to unprecedented levels. Businesses and governments rely on networks to provide their services across the EU. However, the cyber threat vulnerability of the world’s second-largest economy remains unclear. This article provides an introduction to the EU’s strategic cyber security vision by critically analysing internal and external challenges in the implementation of the recently published cyber security strategy: “Resilience, Deterrence, and Defense: Building strong cybersecurity for the EU.”

In the case of a cyber offense, the victimised country is often hampered to find a proper response because of the ambiguity surrounding the nature and origin of the attack. Since the cyber-attacks against Estonia in 2007, there have been growing concerns over the possibility of election hacking by foreign states, ransomware attacks, and other cybercrime. According to the statistics provided by the European Commission, 80% of European companies experienced at least one cybersecurity incident in 2017 [1]. Correspondingly, 86% of Europeans believe that the cybercrime risks are increasing [2].

The European Union is working on completing the Digital Single Market which will further extend the “four freedoms” (movement, capital, goods, and labour) by providing the rules of fair competition for the individuals and businesses of the Member States to engage in online activities [3]. Therefore, the costs related to cyber attacks are only expected to increase, creating a need for the development of effective preventive mechanisms. Some Member States have already included Cybersecurity in their National Security Strategies. Yet, the ambition of creating the Digital Single Market coupled with the highly interdependent nature of the EU economy indicates a need for action on the collective European level, rather than the individual national levels.

Transport, energy, health, and finance are the most vulnerable sectors exposed to cyber-threats [4]. Issuing the EU Cybersecurity Strategy in 2013 was an important step forward in developing a common framework; however, the strategy lacked the practical initiatives that would deliver tangible outcomes [5]. Necessary resources, for example, are still up to each Member State to acquire. In September 2017, the European Commission proposed a wide range of concrete measures that aim to further strengthen the EU’s cyber defense structures and capabilities, entailing more cooperation between the Member States. The updated strategy, “Resilience, Deterrence, and Defense: Building strong cybersecurity for the EU,” revolves around three principles: building resilience, developing legislative responses, and strengthening international cooperation [6].

While the implementation of the proposed initiatives is a long-term process, the EU has already taken its first steps regarding the security of its own institutions. An inter-institutional arrangement established a permanent Computer Emergency Response Team (CERT-EU) covering all EU institutions, bodies, and agencies.

The European Commission has created the EU Cybersecurity Agency for Network and Information Security (ENISA). This agency coordinates cooperation among member states against cyberattacks. The EU has created a blueprint that guides incident responses for large-scale cyberattacks. An EU-wide certification scheme is also in consideration to increase the quality and security of digital products and services. The EU plans to support Research and Competence Centers and to set up a cyber defense training and education platform. The EU also aims to develop a framework for a Joint EU Diplomatic Response to Malicious Cyber Activities and to deepen cooperation with the North Atlantic Treaty Organization (NATO) [7].

Even though the proposed initiatives cover a wide range of responses, there are a number of practical challenges that will significantly affect the speed, as well as the outcomes, of the mentioned initiatives. The EU has neither properly defined resilience or deterrence nor made sufficiently clear how it intends to overcome institutional fragmentation and lack of legal authority in cybersecurity issues [8]. Other tasks that lie ahead include finding consensus on what constitutes a cybercrime and building the capacities to trace the sources of attacks.

While updating the original cyber security strategy can be considered a positive step towards the EU’s increased resilience, the challenges posed by institutional fragmentation of the Union may hinder the implementation process. Ultimately, as the frequency and scale of cyberattacks increase, effective mechanisms are essential. Failure to implement the proposed initiatives will automatically result in the failure of the establishment of the Digital Single Market. Failure to adapt to the risks and realities of the 21st century could harm the EU’s credibility, and ultimately its viability, not only with its citizens, but worldwide.

Sources:

[1] European Commission. 2017. State of the Union. Cyber Security Factsheet. [online]

Available at: http://www.consilium.europa.eu/media/21480/cybersecurityfactsheet.pdf

[2] ibid

[3] European Commission. 2015. Shaping the Digital Single Market. [online]

Available at: https://ec.europa.eu/digital-single-market/en/policies/shaping-digital-single-market

[4] Council of the European Union. 2017. Reform of the Cyber Security in Europe. [online]

Available at: http://www.consilium.europa.eu/en/policies/cyber-security/

[5] European Commission and High Representative of the EU for Foreign Affairs and Security Policy.

2013. Cyber Security Strategy of the EU: An Open, Safe and Secure Cyberspace. [online]

Available at: https://eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf

[6] European Commission. 2017.

State of the Union - Cybersecurity: Commission scales up EU's response to cyber-attacks.

[online] Available at: http://europa.eu/rapid/press-release_IP-17-3193_en.htm

[7] European Commission. 2017. State of the Union. Cyber Security Factsheet. [online]

Available at: http://www.consilium.europa.eu/media/21480/cybersecurityfactsheet.pdf

[8] Bendiek, A, Bossong, R & Matthias Schulze. 2017. The EU’s Revised Cybersecurity Strategy.

German Institute for International and Security Affairs. [online]

Available at: https://www.swp-berlin.org/fileadmin/contents/products/comments/2017C47_bdk_etal.pdf