Foreign Policy Blogs

Where does the EU stand on the development of a cybersecurity strategy?

Where does the EU stand on the development of a cybersecurity strategy?Imagine all the traffic lights going off, no more electric power, a shut down of all communication systems, disruption of nuclear power plants, and a nuclear launch all at the same time with one problem, the government is not in control and has been a victim of a cyberattack. What would be the consequences? Cybersecurity has been at the heart of the intelligence agenda these last several years. But, where does the EU stand on the matter? Does the EU have a cybersecurity strategy?

The wake-up call for Europe was back in spring 2007, when Estonia suffered from a cyberattack against it military and civilian structures. It appears that Russia was behind the cyberattack in reaction to the relocation of a statue commemorating Soviet soldiers in Estonia. This led to a shut down of the government, banks, newspaper and other websites costing between $27.5 and $40.5 million. Back in March 2011, the French government’s computers were hacked forcing the government to unplug 10,000 computers. The EU, EEAS, UN, private companies and governments’ websites have been hacked at a growing rate in recent years by either individual hackers or government sponsored hacking units locating in China, Russia, and in other countries. However, it raised one question in Brussels: is the EU ready to face a major cyberattack?

Estonia has been one of the main drivers in leading the discussion on cybersecurity in Europe. Back in June, a meeting took place in Brussels, counting representatives from the European Parliament, the European Defense Agency (EDA), NATO, and private sectors discussing the development of an unified EU cybersecurity policy. Estonian defence minister, Mart Laar, who led the meeting argued that “If we are serious about the possible damage that bombs and bullets can cause, then we should also give serious consideration to the dangers that can be sent through global networks, because they can be used to strike at a country’s energy security, and damage its economy and intellectual property.”

Back in 2008, the EU expressed the need to discuss and develop a joint action plan in the fight against cybercrime (Baltic News Service. 2008. EU Planning Joint Cyberdefense action plan. July 24). One of the points underlined was the need to foster cooperation between legal/government bodies and the private sector. But, quite frankly, the EU and the Member States need to figure out who should be in charge of fostering a strategy. Does it fall under the Commission’s authority? The Council? EU agencies? It is unclear who is doing what. However, the confusion is mostly likely similar at national levels, where governments are still trying to figure out which ministries, security agencies, intelligence services and so on should be in charge of monitoring cyberthreats, fighting cybercrime and cyberattacks and establishing a cyberdefense. An example of this institutional cacophony took place when the President of the Commission José Manuel Barroso declared before the European Parliament that the EEAS should be the one coordinating cybersecurity across Europe. This statement created reactions within its own institution, the Commission, as some experts and especially Commissioner Cecilia Malmström have been working on developing a cybersecurity strategy.

The EU developed the agency European Network and Information Security Agency (ENISA), which became operational in 2005. ThisWhere does the EU stand on the development of a cybersecurity strategy? agency is located on the island of Crete (Greece), and its mandate is “to advise, coordinate and assess cyber risk, but it does not extend to the domains of national security, law enforcement, defense, IT-terrorism, cyber-crime, personal data protection, and critical information infrastructure protection.” ENISA is a real work in progress and lacks of power in the field of cybersecurity. However back in 2010, Commissioner Malmström, during a hearing before the House of Lords, underlined the desire by the EU to expand the competences of ENISA. Because of the gap in the degree of preparedness against cyberthreats between EU Member States, as only a small group of Member States has adopted a strategy, the EU has been talking to develop a Computer Emergency Response Teams (CERTs) in order to increase the cooperation and act in times of crisis. Institutionally, the EU is working on developing a European Cybercrime Center by 2013. Some experts have also called for the creation of a post of ‘Cyber czar’ as it exists for counterterrorism. The EU has also been trying to develop different instruments in order to prevent a ‘digital 9/11’ (SC (Secure Computing) Magazine. 2008. “Security body warning.” July 1).

The truth is that cybersecurity is an extremely hot topic. International, European, and national laws need to be adjusted in accordance with this new threat. Can a state declare war against another state because of a cyberattack? Is a cyberattack an act of war? These questions are fundamental and should be tackled not by the military, but in public fora. In last year Lisbon summit, NATO members adopted a new Strategic Concept, which for the first time included the question of cyberdefense. In the section defense and deterrence, NATO members claimed to: develop further our ability to prevent, detect, defend against and recover from cyber-attacks, including by using the NATO planning process to enhance and coordinate national cyberdefense capabilities, bringing all NATO bodies under centralized cyber protection, and better integrating NATO cyber awareness, warning and response with member nations. NATO has held since then a series of workshops, conferences trying to answer the following question: could a cyberattack against one or several NATO member(s) lead to the use of the Article 5? It could certainly be considering NATO Secretary General Anders Fogh Rasmussen’s description of cyberattacks as “a new form of permanent, low-level warfare.”
The cybersphere does not have borders and remains in the gray area of law. Fighting cybercrimes and preventing cyberthreats can only be done at the regional and international levels in multilateral fora and meetings.

Where does the EU stand on the development of a cybersecurity strategy?However, a distinction needs to be made between cybercrime and cyberattacks. For example the 2010 Internal Security Strategy identified cybercrime as a threat and risks facing the EU along with terrorism, organized crime, drug and human trafficking. It defines cybercrime as “a global, technical, cross-border, anonymous threat to our information systems and because of that, it poses many additional challenges for law-enforcement agencies.” The institutional structure becomes problematic as soon as one talks of cybercrime as opposed to cyberattacks. Cybercrime is another dimension of the problem, and it is linked to organized crime and seen as a growing problem. Mr. Wainwright, director of Europol, estimates that in 2009 around 100 billion Euros of VAT fraud was committed by enterprising criminals online. In order to fight cybercrime, ENISA’s mandate would ultimately need to be increased, or Europol could become the lead center for fighting cybercrime. Commissioner Malmström argues that the cybercrime center would be set up at Europol as it has already some competencies on the matter. ENISA does not deal with crime.

The question around the creation of a EU cybercrime center is at the heart of the security debates taking place in Brussels and European capitals, as the cyber world is clearly challenging the security and authority of the state. Cooperation between national intelligence services and EU agencies and institutions on the question of counterterrorism against jihadi terrorist groups is already extremely complex and contentious; no reason to think that it will be an easier task for cybersecurity. However, many have argued that the EU does not need additional structures and should instead do better with what it already has. This is why, the EU and Member States need to seat down and discuss the question of cybersecurity as whole. Without drafting a strategy outlining the different threats linked to cybersecurity, identifying the legal constrains, and laying out a clear strategy for the next decade, it would only be a quick fix than establishing new agencies or adjusting the existing institutions to deal with cybersecurity without a long-term vision. But as terrorism, the main driver to foster integration, coordination and cooperation has unfortunately been an attack as it was the case in Madrid in 2004 and London in 2005. Let’s just hope that a cyber 9/11 won’t be necessary.



Maxime H.A. Larivé

Maxime Larivé holds a Ph.D. in International Relations and European Politics from the University of Miami (USA). He is currently working at the EU Center of Excellence at the University of Miami as a Research Associate. His research focus on the questions of the European Union, foreign policy analysis, security studies, and European security and defense policy. Maxime has published several articles in the Journal of European Security, Perceptions, and European Union Miami Analysis as well as World Politics Review.