Bursting the Bubble

Time to Catch Up: The EU’s Cyber Security Strategy

4 March 2016

In recent years, cybersecurity has become a high-ranking issue threatening stability worldwide. The age of mega-breaches has arrived, and cybersecurity now goes hand in hand with fighting an almost invisible and unconventional enemy lurking in the shadows of an anarchic cyberspace. Cybercrime is increasing because of global interconnectedness, coupled with inadequate protective measures that expose government and private organisations, as well as infrastructures, to cyber threats. The key solution is of course resilience: the need to build smarter and faster ways to detect attacks and to counter them promptly.

In response to growing worries concerning global cyber threats, the European Union (EU) and NATO have stepped up their cyber defence cooperation and recently signed a Technical Arrangement between the NATO Computer Incident Response Capability (NCIRC) and the Computer Emergency Response Team – European Union (CERT-EU) (10/02/2016). The milestone agreement signed this February enables technical information sharing and the exchange of best practices between NCIRC and CERT-EU, to advance cyber incident prevention, detection and response in both organisations while respecting their decision-making autonomy and procedures. EU-NATO collaboration on cyber security matters started in 2010, with high-level staff-to-staff cyber defence consultations and informal meetings that now occur annually.

It is only recently that the European Union has defined its interest in cybersecurity. This alarming lag is accounted for by decreasing national defence budgets across Europe, unsatisfactory or nonexistent national cyber defence policies, and the lack of the coordinated EU-level cooperation necessary to build a comprehensive pan-European cybersecurity policy. It is high time for the EU to catch up on cyber issues and to prepare its Member States in terms of strategic, legislative and operational capacities, in order to respond effectively to cyber threats and to ensure the EU’s cyber resilience in the future.

Cybersecurity – a high ranking issue on the EU’s security agenda

The Cybersecurity Strategy of the European Union – An Open, Safe and Secure Cyberspace (February 2013) is the first comprehensive policy document on cyberspace security issues put forward by the former High Representative Catherine Ashton and the European Commission. The Strategy prioritizes several policy areas for the EU’s international cyberspace: from strengthening information systems in the EU and confidence-building in online services, to capacity-building strategies involving international partners, the private sector and civil society. Developing cyber defence policies in conjunction with the Common Security and Defence Policy (CSDP) is given priority, as is developing industrial and technological resources for cybersecurity. The Strategy intends to encourage demand for highly secure Information and Communications Technologies products and to stimulate Research and Development plans by the EU Member States in collaboration with the European Defence Agency (EDA), so as to create competent and competitive technical resources for cyber defence. These include combined efforts by the public and private sectors to improve IT capabilities, promote greater cooperation between national and European Union institutions, and raise awareness among users about the threats of cybercrime.

The term ‘cybersecurity’ as advanced by the Strategy has remained vague, a blanket term that encompasses an array of issues: responsibility, freedom and openness, trust, public and private industry collaboration, the protection of privacy, combating cybercrime, ensuring better cooperation between Member States, and encouraging spending on cutting-edge cyber defence technologies. Cyber defence, the military dimension of cybersecurity, is put forward as a priority action by the EDA, ranking high in the EU’s capability development plan to protect key systems and services that support and enable military tasks and operations. In particular, aviation systems and Remotely Piloted Aircraft Systems (RPAS) are of the highest importance in terms of safety and security, the main goal being to eliminate potential vulnerabilities open to attacks from hackers, cyber criminals and terrorists, with consequences ranging from ‘the theft of information and general disruption to potential loss of life’.

Notwithstanding the absence of territoriality and borders in cyberspace and cybercrime, Member States remain entrenched in the view that cybersecurity is part of national security agendas. Moreover, the terminology used to define cybersecurity issues varies across national contexts, private industry and civil society, leading to a fragmented understanding and the lack of a reliable international definition of the term. On top of that, it remains unclear how responsibility should be distributed among the EU institutions, national governmental bodies and the private sector as the most relevant drivers of a coherent plan of action.

In this respect, the Strategy was accompanied by a proposal for a set of unified network and information security rules with demanding regulatory obligations, intended to coordinate national cybersecurity policies: the ‘NIS Directive’ proposed by the European Commission in February 2013. On 13 March 2014, the European Parliament voted to adopt the draft NIS Directive as part of an EU cybersecurity harmonization effort that targets the creation of uniform standards and levels of cybersecurity across the EU.

The Cybersecurity Directive also envisaged creating Computer Emergency Response Teams (CERTs) in each EU Member State, as well as cooperation and information-exchange obligations between Member States and the Commission. However, the implementation of such standards depends on the Member States’ willingness to redirect funds specifically to cyber defence, to share critical information, and to pass targeted legislation on cybersecurity.

This was made clear during the Latvian Presidency of the European Council in April 2015, when trust issues and disagreements between EU Member States were holding up proposals for pan-European cyber security rules in the above-mentioned Directive on Network and Information Security (NIS). The point under discussion was that the NIS Directive would force infrastructure-critical companies to report any cyber-attacks. Controversy surrounded the definition of such companies, a crucial problem being the extent to which US giants such as Google, Amazon and Facebook – so-called ‘over-the-top’ companies – would be obliged by the directive to report cyber-attacks. Consequently, shortly afterwards the Directive failed to be endorsed by the Council of the European Union.

The political debates surrounding the proposal for the NIS Directive stalled until December 2015, when the representatives of the European Parliament, the European Commission and the Council (representing the EU Member States) signed the final agreement. Moreover, several parts related to cross-border cooperation were deleted from the final legal text, for example Article 9 on a Secure Information Sharing System, Article 10 on Early Warnings, and Article 11 on Coordinated Response. This points to the fact that several Member States have wanted to keep cybersecurity policies as national competencies.

The pan-European Agency for Network and Information Security (ENISA) is expected to play a key role in the implementation of the NIS Directive. ENISA is the EU’s centre of expertise and, according to its website, the ‘pace-setter’ for Information Security in Europe through the exchange of information, best practices and knowledge. Critical voices have already started to address the risks associated with such a centralized network, removed from public scrutiny and exposed to the influence of national security agencies or the lobbying interests of private sector companies.

Horizon 2020 and what it actually means for improving EU cybersecurity

From 2014 onwards, Horizon 2020’s comprehensive framework has become the go-to financial honeypot for Research, Development and Innovation in the field of Cybersecurity and Online Privacy. To this end, there has already been a dedicated concern at EU level regarding research and planning initiatives to protect Europe’s cyber-future and to address its lack of digital security innovation. The Commission’s Working Paper Executive Summary of the Impact Assessment clearly articulated this problem back in 2011, expressing concern about the EU’s ‘structural innovation gap’ and the necessity to boost productivity and growth in order to create breakthrough technologies.

Compared to its competitors, the EU’s lag in innovation and performance makes it difficult to develop new competitive and cyber-secure products, processes and services. In the context of the EU’s security policy, Horizon 2020 has come as a timely and targeted financial instrument for bridging the ‘structural innovation gap’ and for encouraging innovation and the development of ‘the industrial and technological resources for cybersecurity’. The end goal would be the development of reliable Information and Communications Technologies (ICT) solutions that promise the creation of a secure and trustworthy digital environment in the EU and the protection of fundamental rights. The lofty purpose of the funding is ‘to help boost Europe’s knowledge-driven economy, and tackle issues that will make a difference in people’s lives’.

Horizon 2020 – The EU Framework Program for Research and Innovation is the biggest EU Research and Innovation program, with a budget of nearly €80 billion of funding available over 7 years (from 2014 to 2020), in addition to the private investment that this money will generate. Horizon 2020 follows the template of the EU’s Seventh Framework Program for Research (FP7), which ran from 2007 to 2013. It is expected that approximately 2.2%, or €1.69 billion, of the Horizon 2020 budget will be dedicated to Security research, an increase of approximately 20% compared to FP7.

The Commission will use the Horizon 2020 framework to deliver improved coordination of funds and to address a range of areas in ICT security and privacy, from R&D to innovation and deployment, to supporting the development of instruments to fight cyber-criminal and terrorist activities. On 11 December 2013, the European Commission launched the first call for projects under Horizon 2020, with a budget of more than €15 billion available for the first two years of the Horizon 2020 program. In these first two years, the program will prioritize three pillars: excellent science, industrial leadership, and seven societal challenges. For example, the European Commission’s Directorate General for Communications Networks, Content and Technology organized a Horizon 2020 information session (15/01/2014) on the calls for proposals addressing cybersecurity, privacy and trustworthy ICT research, development and innovation. Providing enhanced cybersecurity, ranging from secure information sharing to new assurance models, falls under the seventh Societal Challenge: (7) Secure societies – protecting freedom and security of Europe and its citizens.

Twelve focus areas (based on the Horizon 2020 societal challenges) have been emphasized in the first two years, among which Digital Security: Cybersecurity, Privacy and Trust, with a budget of €47 million in 2014 and €49.6 million in 2015. Digital Security in Horizon 2020 is given substantial backing, from academic and laboratory R&D, the development of the economic and societal dimension of security and privacy, secure information sharing and the security of eServices, to trustworthiness in the European digital ecosystem. Specifically, Horizon 2020 will fund research activities that aim to bolster the security of current applications, services and infrastructures and to incentivize the creation of market opportunities for the EU in the digital arena.

Conclusion

There is no denying that concerted efforts have been made at EU level to upgrade its cyber security regime in a bid to offer competitive technological solutions for digital security. Nevertheless, the question remains whether the EU joined the game too late and whether it will be able to impose a certain level of competence and standardization across its Member States in a timely fashion. Without any doubt, the best avenue is to battle cybercrime collectively and to reinforce Europe’s resilience to cyber-attacks collaboratively. To be sure, the economic and security future of the EU relies heavily on tackling cybercrime and cyber threats, because interactions in key sectors depend on open platforms for communication, data storage and information sharing. Deeper cooperation at a global level, and in close conjunction with the United States, is another step towards achieving such goals, especially considering that the cyber domain is a global public good that transcends territorial borders.
