Annegret Bendiek is a senior associate at the German Institute for International and Security Affairs (SWP).
The European Union’s approach to the foreign policy and defense aspects of cyber policy is a mix of good intentions and guidelines. Currently, four policy documents guide the EU approach: the 2013 Cybersecurity Strategy, which sets out the EU’s cyber diplomacy; the 2015 Digital Single Market Strategy, which aims to bring down digital market barriers within the EU; the 2016 Network and Information Security Directive, which sets baseline cybersecurity measures and institutions every EU member state should have; and the “cyber diplomacy toolbox,” which provides foreign policy responses to cyberattacks against the EU.
Despite the flurry of policy work, it is still unclear how Europe would respond in the event of a major cyber incident disrupting the bloc’s critical infrastructure. Suspected election meddling in France and the Netherlands went unanswered. Even if the EU did respond, it is unclear which of the alphabet soup organizations would be involved in the response (e.g. ENISA, the EEAS, EUROPOL, EDA, the Council of the EU), and how they would coordinate with organizations in the member states affected and NATO. What is needed is a coordinated EU approach to determine who will do what before an incident happens.
Now is the perfect time to develop a comprehensive EU cyber defense strategy given that Europe's foreign policy and defense establishment is currently debating the future of its common foreign and security policy. Earlier this year, the European Commission—the bloc’s bureaucracy—made the case that Europe should strive to achieve what it calls "strategic autonomy"—the ability to defend itself and deter external threats without needing to rely on NATO or the U.S. security umbrella.
The Commission’s push for strategic autonomy is an appealing aspiration, but it is completely at odds with the way cyberspace works. Responding to cyber incidents requires collaboration given that attack infrastructure can be located anywhere in the world. Furthermore, attributing cyberattacks requires a robust information sharing infrastructure between the private sector and government, and between governments. Europe doesn’t have the capability to do this on its own, and will always need to rely to a certain extent on NATO, the United States, and the United Kingdom (when it eventually leaves) for these services.
Instead of pursuing strategic autonomy, the EU should strive for strategic interdependence. The bloc’s 2014 Cyber Defense Policy Framework was almost prescient on this point. It encourages EU Member States to review their cyber defense capabilities and ensure they are compatible with the EU Common Security and Defense Policy and NATO alliance commitments, where applicable. Another example of strategic interdependence is the EU-NATO coordination in combating hybrid threats—a term often used to refer to Russia’s mix of active measures and cyber operations campaigns. Finland, the EU, and NATO are collaborating to support the European Centre of Excellence for Countering Hybrid Threats in Helsinki.
If the EU decides to pursue a strategic interdependence approach, it should work with NATO to agree on what triggers the right for self-defense in cyberspace. There has been a lot of policy work done over the years to identify how states should act in cyberspace, particularly at the UN Group of Governmental Experts and the Organization for Security and Cooperation in Europe. There has also been progress in developing the tools to respond to an incident below the threshold of an armed attack, like the EU cyber diplomacy toolbox. However, there’s little guidance in Europe whether a serious attack on critical infrastructure should also allow for an immediate military response, either through cyberspace or through conventional means. There has been little talk at the European level on how members would reach consensus on attribution and whether a common EU response would preclude a member state, especially the victim of a catastrophic cyber incident, from acting on its own.
Finally, if the EU wants to be taken serious in the cyber defense space, it needs to pool its defense capabilities into a single agency. Currently, the European Network and Information Security Agency (ENISA) is responsible for ensuring member states are capable of responding rapidly in emergency situations and fostering EU-wide cooperation. However, the exchange of cyber threat information is weak between its member states and the EU, and among EU agencies such as Europol, Eurojust, the European Defence Agency and ENISA. These organizations do not have formal cooperation mechanisms given that they are often limited by the frequency and nature of the information member states choose to share with them. The EU cannot have a successful digital single market if the threats to the market are not widely shared within the bloc, and response mechanisms are ad hoc.
Europe’s approach to cyber defense is at a crossroads. Russia is getting more aggressive in its active measures campaigns, and rudimentary but effective cyber operations, such as WannaCry, can temporarily knock out critical infrastructure. It is likely that the EU will face a cyber-related crisis and its current organizational structure is ill-equipped to respond to the challenge. Reforms are needed now to ensure that Europe can properly defend itself.