Alexander Klimburg is senior research fellow at the Hague Centre for Strategic Studies (HCSS) and an affiliate of the Belfer Center for Science and International Affairs at Harvard University.
It is close to two years to the day that the European Union published its first-ever Cybersecurity Strategy. The document included such high-flying mouthfuls such as “achieving cyber resilience,” “drastically reducing cyber crime,” and developing coherent cyberdefense and international cybersecurity policies. What has happened since?
A fair amount, as it turns out—though it is good to keep in mind that EU institutions generally stumble forward instead of marching in unison thanks to their highly fragmented mandates. The Cybersecurity Strategy set the direction for the three main legs of EU cyber policy: the Directorate General for Home Affairs (cybercrime), the European Council and European External Action Service (common foreign and defense policy), and the Directorate General for Economic Affairs (network and information security). As these three legs not only often fundamentally disagree with each other, but also are of different lengths—each has vastly different competencies according to the EU treaties, with Home Affairs the least integrated and Economic Affairs the most—it is a minor miracle that anything has happened at all.
Every leg can claim to be on solid footing. In foreign policy, the European Council, which represents the governments of EU member states is about to adopt a new Cyber Diplomacy Strategy—probably one of the first times this word has ever been used in an official context. The details of the strategy are still confidential, but it will include a commitment to supporting norms of responsible state behavior in cyberspace, Internet freedom and human rights, cyber capacity building as well as participating in Internet governance. The EU has made substantial progress on the capacity building front in the last twelve months. In collaboration with the Council of Europe, which is pushing for the adoption of the Budapest Convention on Cybercrime, the EU is starting to implement its first projects in Africa and in the Balkans. Internet governance—which will be a particularly decisive issue in 2015—will also be part of the European External Action Service mandate, although squabbles regarding the Internet Corporation for Assigned Names and Numbers’s new top-level domain policy (in particular dot-wine) have created strife among a few members of the Council. To date, the EU has also established five bilateral discussion groups with certain countries and has deepened cooperation with NATO on a range of cyber issues. These discussions have been assisted by the operational expansion of the European Cybercrime Centre, which facilitates law enforcement cooperation and is increasingly becoming a useful tool in cyber diplomacy.
The European Defense Agency (EDA), responsible for funding research into common defense requirements, has expanded upon previously extremely limited efforts to build both national and whole-of-the-union cyberdefense capabilities. This includes supporting research in areas outside of its core field, for instance supporting capabilities for common crisis response. It was revealing that the first major exercise of the new Integrated Political Crisis Response (ICPR) instrument, which itself fulfilled a long-standing demand to field a single EU point of contact for major crisis events, piggy-backed off a long-standing EU cyber crisis management exercise known as Cyber Europe in December 2014, and was supported by the EDA.
The EU crisis management capabilities are also being given a considerable boost by the planned Network and Information Security (NIS) Directive. The NIS Directive is not only much more ambitious than any other part of the Cybersecurity Strategy—it is further reaching then many similar national legislative proposals, including the ill-fated Cyber Information Sharing and Protection Act (CISPA) in the United States. In addition to a number of rather specific requirements for governments such as mandating the creation and minimum capabilities of national Computer Emergency Response Teams, the NIS directive makes significant demands on the private sector. Most remarkably, it states that all “market operators” will be forced to disclose serious cyber incidents on their systems to both their national regulator as well as to the European Network and Information Security Agency. The directive leaves the term “market operator” ill defined, making it unclear who needs to abide by the reporting requirement. While it would certainly include critical infrastructure operators and internet service providers, it could possibly also include social media companies such as Facebook or similar digital services companies. The exact definition of what constitutes a “market operator” is still a stumbling point, but the extensive lobbying on this issue will most likely not trip up the directive, which is expected to be enacted largely unchanged later this year. The most recent version of the directive seems to imply that the term has been replaced by the phrase "national critical infrastructure," which indeed would refer to a much tighter group of affected companies.
The EU Cybersecurity Strategy was intended to be comprehensive, and address both external as well as internal cyber challenges. Although the EU is still far away from projecting anything akin to “cyber power,” there is little doubt that significant progress has been made in its promotion of a cyber foreign policy, as a report pointed out in August 2014. The strategy’s most significant contribution is undoubtedly the NIS Directive. When enacted later this year, it will represent one of the most comprehensive pieces of cyber legislation anywhere in the Organization for Economic Cooperation and Development. While the EU treaties tightly limit how effective an EU cyber foreign policy can really ever be, developments such as the NIS Directive and the revised General Data Protection Regulation will represent significant developments in Europe’s cybersecurity, as well a potential challenge for the private sector. It shows that even stumbling forward can really get Europe quite far, even though some businesses might contend that it’s stumbling in the wrong direction.