The state of cybersecurity in the EU: what plans for the future?

For a few years now, the European Union has strived to develop its cybersecurity capabilities amid multiplied cyberattacks on both European businesses and public services. According to EU sources such as the Parliament or the Commission, the Union wants to create an ‘open, safe and secure cyberspace’ for all to use and thrive on. This idea was first mentioned in 2013, when the High Representative for Foreign Affairs and Security Policy at the time, Catherine Ashton, put forward with the help of the Commission, a policy document related to enhancing cybersecurity in the EU. Since then, a particular emphasis has been put on improving cybersecurity means in the EU, both at state and supranational levels. In 2017, when Jean-Claude Juncker made his state of the Union (SOTEU) address, he clearly stressed the need for the European Union to go even further into this process, suggesting that more efforts and investments will be dedicated to this specific issue.

This sudden burst of interest for the matter is not simply part of a prevention strategy. In fact, the European Union has been the target of several cyberattacks over the past few years, both at private and public levels. The threat that cyberattacks pose endangers both the Union’s security and its economy, especially since more and more people, companies and public institutions rely on the Internet to save their files, share data or schedule their day-to-day activities. It thus seems essential for the Union to develop its cybersecurity defences as quickly and efficiently as possible, as it intends to do now. This has however not always been the case, and the EU has in the past been credited as ‘lagging’ behind other institutions regarding the cyber world and its safekeeping.

Defining cybersecurity: which definition for the EU strategy?

In a 2015 publication, the European Union Agency for Network and Information Security (ENISA) sought to define what cybersecurity meant for us Europeans, combining different definitions from numerous stakeholders in order to fully grasp what the concept represents. It therefore does not give one single definition for the concept. For instance, the report would take into account the understandings of the term ‘cybersecurity’ from a plurality of security and telecommunication actors, such as NATO or the European Telecommunications Standards Institute. Furthermore, it would also differentiate the multiple aspects encompassed within the word ‘cybersecurity’, for example the notions of ‘Information Security’ and ‘Public/National Security’. The former represents the “Protection against the threat of theft, deletion or alteration of stored or transmitted data within a cyber system”, while the latter the “Protection against a threat whose origin is from within cyberspace, but may threaten either physical or cyber assets in a way which will have a political, military or strategic gain for the attacker.” Thus, there are several elements which need to be taken into account when reflecting upon the notion of cybersecurity. The report nonetheless endeavours to put forward what has been seen as a common understanding for it, alongside the comprehension which is usually acknowledged as the benchmark for the European Union and its cybersecurity strategy. The whole purpose of the report was actually to create a better comprehension of cybersecurity, for policymakers and stakeholders to use as they legislate in this particular area of interest.

For the common understanding, the report draws upon the work of The Oxford English Dictionary, where cybersecurity – or cyber security, as a debate exists on the spelling of the term – is defined as “The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this”. This definition is a very narrow one, and brings with it a few inquiries, as highlighted and answered in the ENISA paper. The agency indeed underscores the different aspects comprehended within the expression, as mentioned above, to try to compensate for the narrowness of this definition. It more specifically distinguishes the different kinds of security that are to be taken into account for the term ‘cybersecurity’ and its implementation in concrete terms. These five types of security are presented as following: ‘Communications Security’, ‘Operations Security’, ‘Information Security’, Physical Security’ and ‘Public/National Security’. Each type of security represents a specific domain supposedly covered by cybersecurity as understood by ENISA, which should therefore be included within the EU’s strategy for enhanced cybersecurity.

When the report narrows down its scope to concentrate on the European case, it first of all underlines the importance of bringing all stakeholders and policymakers together to improve the quality of cybersecurity legislations at the EU level. Moreover, it insists on the fact that the EU institutions should most of all follow advices and recommendations made by the Cybersecurity Coordination Group (CSCG), composed by three different officially recognized organisations specializing in cybersecurity standardisation at the supranational level. The CSCG recommended that:

“The European Commission (EC) should establish a clear and common understanding of the scope of Cyber Security, based on an initiative the CSCG plans to launch to clarify the key terms and definitions used in the standardisation of and communication related to Cyber Security within the European Union. To establish clear understanding, the CSCG recommends that the European Commission should harmonise its usage of the key terms “Cyber Security”, “NIS” and “cybercrime” across the EU on the basis of existing definitions. Official communications currently use all three terms without distinguishing between them, which risks them being interpreted differently in different EU Member States (or languages). The CSCG recommends that the European Commission should not limit its clarification to definitions but should also establish an agreed understanding of the interdependencies and relationships between the three areas in question. The CSCG also recommends that the Commission should establish and enforce a suitable governance model for the three areas, with special emphasis on avoiding working in silos on topics that are inherently intertwined.”

Here, this recommendation describes three distinct elements that must be considered together when cybersecurity is mentioned within the framework of the EU. First comes the term ‘cybersecurity’ which, for the CSCG, needs to be commonly defined at the level of the EU. Even though the ENISA report concludes that the notion is somewhat too complex and encompasses too many aspects to be simply and plainly defined, it still acknowledges the need for a common European understanding of cybersecurity. This is why ENISA decided to push forward several definitions which are currently being used by international organisations, so that the European Union and its member countries could all agree on a mutual signification and thus standardize their grasping of this particular concept. Secondly, the recommendation indicates that the NIS should also be a key term which needs standardisation across the EU. The NIS, which is an acronym for Directive on security of network and information systems, is a first step toward more regulation of the European cyberspace at the supranational level. It has been debated at the European Parliament and has eventually been adopted the 6^th July 2016, therefore making it mandatory for Member States to transpose it into national laws within 21 months (until 9^th May 2018) after its adoption at the Parliament. The overall goal of this Directive – which will be explored later in this article – is to improve cybersecurity at the level of the EU, trying to make it a supranational concern and no longer a prerogative only kept by nation-states, as it is usually assumed cybersecurity is part of state security matters. Finally, the CSCG stresses the need for a European definition for the notion of ‘cybercrime’, which also requires to be understood in a similar manner by each EU Member State if the Union seeks to effectively enhance its cybersecurity capacities. Thus, before acting and legislating on the main cybersecurity issues, a joint comprehension of some terms and expressions is required at the European level, as ENISA and CSCG strived to achieve.

Cybersecurity in concrete terms: what are the real threats to the European Union?

When the European Commission started off its cybersecurity improvement strategy back in 2013 – with a document entitled The Cybersecurity Strategy of the European Union – An Open, Safe and Secure Cyberspace – it sought to answer a growing menace to many Europeans. Indeed, more and more people are facing cyber threats, in terms of violation of their personal data, which are stocked up in a company’s datacentre for instance, or considering their public duties, such as online voting. The strategy therefore classifies four major priorities to enhance cybersecurity at the supranational scale, and hence citizens’ security within the European cyberspace:

“Freedom and openness: the strategy outlines the vision and principles on applying core EU values and fundamental rights in cyberspace.
The EU’s laws, norms and core values apply as much in cyberspace as in the physical world: responsibility for a more secure cyberspace lies with all players within the global information society, from citizens to governments.
Developing cyber security capacity building: the EU engages with international partners and organisations, the private sector and civil society to support global capacity building in third countries. This includes improving access to information and to an open internet, and preventing cyber threats.
Fostering international cooperation in cyberspace: preserving open, free and secure cyberspace is a global challenge, which the EU is addressing together with relevant international partners and organisations, the private sector and civil society.”

These priorities embody the Union’s wish to counter most of the cybercrimes and threats, while protecting citizens’ rights at the same time. In other words, cyber protection must not occur to the detriment of people’s rights, nor to the detriment of European norms and values. However, this is no easy task, especially since most Member States still believe cybersecurity is part of their own national security agenda. In order to work, this European initiative will need the support and willingness of all EU member countries, so that a common and efficient cybersecurity policy can be implemented. And now that the NIS Directive – the first EU-wide piece of legislation on cybersecurity – has been adopted by the EU Parliament, it will be transposed into national laws; this could be a good starting point to a better joint effort at the EU level regarding cyberspace regulation and protection. The Directive is expected to beef up the overall level of cybersecurity in the EU, through several elements such as:

“Member States preparedness by requiring them to be appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority,
Cooperation among all the Member States, by setting up a cooperation group, in order to support and facilitate strategic cooperation and the exchange of information among Member States. They will also need to set a CSIRT Network, in order to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks,
A culture of security across sectors which are vital for our economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Businesses in these sectors that are identified by the Member States as operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority. Also key digital service providers (search engines, cloud computing services and online marketplaces) will have to comply with the security and notification requirements under the new Directive.”

While reviewing these points that have been put forward in the NIS Directive, it seems rather obvious that cybersecurity at the EU scale is not only meant for European citizens, but also for European businesses and public services. Furthermore, there seems to be a real need for cooperation between European Member States and private stakeholders, as both ENISA and CSCG already recommended a few years ago.

In addition to the direct threats cybercrimes pose to EU citizens, there are also a lot of economic downsides to a lightly protected cyberspace, which is why the EU seeks to improve its cybersecurity capacities too. For example, according to a survey used by the European Commission – but conducted by an American private entity – at least 80% of companies thriving in Europe have suffered from cyberattacks between 2015 and 2016. Moreover, taking into account all industries worldwide, the number of cyber incidents has risen by about 38% between 2014 and 2015 only. The European Commission also claims that “Cybersecurity incidents cause major economic damage of hundreds of billions of euros each year to European businesses and the economy at large.” It adds that “Such incidents undermine trust in the digital society. Theft of commercial trade secrets, business information and personal data breaches, disruption of services and of infrastructure result in economic losses of hundreds of billions of euros each year.” These data could in fact become a lot more substantial, as the EU launched a huge project called the European Digital Single Market in 2015, which will entail a lot more exchanges among EU countries and individuals using the European cyberspace. This new digital market will supposedly generate wealth at a similar extent to the European Single Market, if it is well enough protected from cyber threats which would hamper its development, as well as the economic benefits stemming from its creation. Matti Maasikas, the Estonian Deputy Minister for European Affairs said during a General Affairs Council dated from the 20^th November that:

“Cybercrime and state-sponsored malicious cyber activities are one of the largest global threats to our societies and economies. We already lose around €400 billion globally every year due to cyber-attacks. This clearly underlines the need for the EU to use the available tools to increase stability in cyberspace and respond to large-scale cyber incidents. The EU simply has to stay ahead of the game. Increasing our efforts and investment in cybersecurity is a pre-condition for building a strong and trusted digital single market for our citizens.”

Thus, in order to protect European industries and businesses from harm coming from the cyber domain, it is essential for the Union to reinforce its cybersecurity services and capabilities, as Juncker stressed again in his state of the Union address in September. The EU Commission has now put forward a clear thread of action, which will be set up in the coming years and that will require coordination and cooperation between all EU Member States.

The EU’s strategy regarding cybersecurity: what is to be expected for the near future

As previously stated, Jean-Claude Juncker made a clear reference to the EU’s plan – more notably the EU Commission’s plan – to beef up cybersecurity across the European Union in his state of the Union address dating from September 2017. He said:

“Over the past years, we have made marked progress in keeping Europeans safe online. New rules, put forward by the Commission, will protect our intellectual property, our cultural diversity and our personal data. We have stepped up the fight against terrorist propaganda and radicalisation online. But Europe is still not well equipped when it comes to cyber-attacks.”

Once again, the emphasis is put on the efforts that are currently being set up to counter cyber menaces, while still stressing the fact that the Union is a bit lagging behind in terms of cybersecurity capabilities. The president of the European Commission added that:

“Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks. Last year alone there were more than 4,000 ransomware attacks per day and 80% of European companies experienced at least one cyber-security incident. Cyber-attacks know no borders and no one is immune. This is why, today, the Commission is proposing new tools, including a European Cybersecurity Agency, to help defend us against such attacks.”

When Juncker mentions this European Cybersecurity Agency, he actually makes a reference to already existing ENISA. The Commission’s strategy indeed encompasses in its main priorities the overhauling of this European Agency, giving it more funding, staff and room of manoeuvre to help Member States dealing with cyberattacks in a more efficient way.

The increasing of power ENISA will witness is only but a part in the Commission’s strategy for enhanced cybersecurity for the European cyberspace. Other priorities have been put forward to deepen the cooperation between Member States and to eventually end up with a European-wide cybersecurity policy, as the overall purpose is to give a common EU response to any more cyberattacks on our cyberspace. More specifically, the EU Commission seeks to create cybersecurity ‘safety labels’, which are going to take the form of EU-wide certificates for ensuring the safety and security of cyber services. These labels would have the same purpose as food safety labels for instance, but in this case the certificates will be applied to networks, connected devices, or anything related and connected to the European cyberspace. Furthermore, the European Union would like to develop and coordinate a single European response to cyber threats, and no longer rely on Member States’ national strategies to counter cybercrimes. In order to do so, ENISA will have the task of organizing joint crisis simulations and cybersecurity exercises at the scale of the Union, to better prepare and synchronise European countries in case of a real emergency in this domain. Alongside this initiative, the EU seeks to further their existing partnerships with other international organisations such as NATO as well as foreign countries, and to reach new ones with new partners abroad, to join forces and better comprehend and protect people against cyber threats. Finally, the European Commission would like to adopt a new Directive on the combatting of fraud and counterfeiting of non-cash means of payment for reinforcing criminal law response to cybercrime. In other words, the Commission wants to create a more effective legal framework surrounding this kind of means of payment to avoid and combat cyberattacks targeted at them.

Therefore, the European Union clearly endeavours to improve cybersecurity across Europe. Doing so will require a common European answer, better cybersecurity means at the EU level, and more cooperation and coordination between Member States. While this seems achievable on paper, the fact remains that member countries usually assume cybersecurity should stay within their own national security agendas. Convincing these countries will not be easy task, but should benefit the Union as a whole if reached.

Raphaël Moncada

For further information

AFP: https://finance.yahoo.com/news/eu-launch-cybersecurity-safety-labels-161637167.html

ENISA: https://publications.europa.eu/en/publication-detail/-/publication/fece9d1d-f717-11e5-abb1-01aa75ed71a1/language-en/format-PDF/source-53746255

ENISA: https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map

EU Commission: http://europa.eu/rapid/press-release_MEMO-16-2322_en.htm

EU Commission: https://ec.europa.eu/commission/commissioners/2014-2019/king/announcements/commissioner-kings-speech-eu-cybersecurity-conference-digital-single-market-common-digital-security_en

EU Commission: https://ec.europa.eu/commission/state-union-2017_en

EU Commission: https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive

EU Commission: https://ec.europa.eu/digital-single-market/en/news/resilience-deterrence-and-defence-building-strong-cybersecurity-europe

EU Commission: https://ec.europa.eu/digital-single-market/en/news/communication-cybersecurity-strategy-european-union-–-open-safe-and-secure-cyberspace

EU Reporter: https://www.eureporter.co/frontpage/2017/11/20/eu-to-beef-up-cybersecurity/