The wake-up call for Europe was back in spring 2007, when Estonia suffered from a cyberattack against it military and civilian structures. It appears that Russia was behind the cyberattack in reaction to the relocation of a statue commemorating Soviet soldiers in Estonia. This led to a shut down of the government, banks, newspaper and other websites costing between $27.5 and $40.5 million. Back in March 2011, the French government’s computers were hacked forcing the government to unplug 10,000 computers. The EU, EEAS, UN, private companies and governments’ websites have been hacked at a growing rate in recent years by either individual hackers or government sponsored hacking units locating in China, Russia, and in other countries. However, it raised one question in Brussels: is the EU ready to face a major cyberattack?
Estonia has been one of the main drivers in leading the discussion on cybersecurity in Europe. Back in June, a meeting took place in Brussels, counting representatives from the European Parliament, the European Defense Agency (EDA), NATO, and private sectors discussing the development of an unified EU cybersecurity policy. Estonian defence minister, Mart Laar, who led the meeting argued that “If we are serious about the possible damage that bombs and bullets can cause, then we should also give serious consideration to the dangers that can be sent through global networks, because they can be used to strike at a country’s energy security, and damage its economy and intellectual property.”
Back in 2008, the EU expressed the need to discuss and develop a joint action plan in the fight against cybercrime (Baltic News Service. 2008. EU Planning Joint Cyberdefense action plan. July 24). One of the points underlined was the need to foster cooperation between legal/government bodies and the private sector. But, quite frankly, the EU and the Member States need to figure out who should be in charge of fostering a strategy. Does it fall under the Commission’s authority? The Council? EU agencies? It is unclear who is doing what. However, the confusion is mostly likely similar at national levels, where governments are still trying to figure out which ministries, security agencies, intelligence services and so on should be in charge of monitoring cyberthreats, fighting cybercrime and cyberattacks and establishing a cyberdefense. An example of this institutional cacophony took place when the President of the Commission José Manuel Barroso declared before the European Parliament that the EEAS should be the one coordinating cybersecurity across Europe. This statement created reactions within its own institution, the Commission, as some experts and especially Commissioner Cecilia Malmström have been working on developing a cybersecurity strategy.
The EU developed the agency European Network and Information Security Agency (ENISA), which became operational in 2005. This
The truth is that cybersecurity is an extremely hot topic. International, European, and national laws need to be adjusted in accordance with this new threat. Can a state declare war against another state because of a cyberattack? Is a cyberattack an act of war? These questions are fundamental and should be tackled not by the military, but in public fora. In last year Lisbon summit, NATO members adopted a new Strategic Concept, which for the first time included the question of cyberdefense. In the section defense and deterrence, NATO members claimed to: develop further our ability to prevent, detect, defend against and recover from cyber-attacks, including by using the NATO planning process to enhance and coordinate national cyberdefense capabilities, bringing all NATO bodies under centralized cyber protection, and better integrating NATO cyber awareness, warning and response with member nations. NATO has held since then a series of workshops, conferences trying to answer the following question: could a cyberattack against one or several NATO member(s) lead to the use of the Article 5? It could certainly be considering NATO Secretary General Anders Fogh Rasmussen’s description of cyberattacks as “a new form of permanent, low-level warfare.”
The cybersphere does not have borders and remains in the gray area of law. Fighting cybercrimes and preventing cyberthreats can only be done at the regional and international levels in multilateral fora and meetings.
The question around the creation of a EU cybercrime center is at the heart of the security debates taking place in Brussels and European capitals, as the cyber world is clearly challenging the security and authority of the state. Cooperation between national intelligence services and EU agencies and institutions on the question of counterterrorism against jihadi terrorist groups is already extremely complex and contentious; no reason to think that it will be an easier task for cybersecurity. However, many have argued that the EU does not need additional structures and should instead do better with what it already has. This is why, the EU and Member States need to seat down and discuss the question of cybersecurity as whole. Without drafting a strategy outlining the different threats linked to cybersecurity, identifying the legal constrains, and laying out a clear strategy for the next decade, it would only be a quick fix than establishing new agencies or adjusting the existing institutions to deal with cybersecurity without a long-term vision. But as terrorism, the main driver to foster integration, coordination and cooperation has unfortunately been an attack as it was the case in Madrid in 2004 and London in 2005. Let’s just hope that a cyber 9/11 won’t be necessary.