
“EU’s Cybersecurity Strategy”

Shamil Danaiev, ФК-204і, KNEU

Introduction

Cybersecurity triggers the emergence of a new field of research in European law and policy (and perhaps also in European Studies more generally).

Whereas ‘law & technology’ in general has become an established field of study, EU law & technology and in particular ‘EU cybersecurity law’ still seems to be in its infancy.

As the present contribution will reveal, this is partly due to two distinct factors.

First of all, cybersecurity can be seen as a cross-cutting policy area, which concerns not only the Union’s security policy, but also policies related to, inter alia, the internal market and the Area of Freedom, Security and Justice (AFSJ).

This makes it difficult for specialists in any of these EU policy areas to provide comprehensive analyses and approach the topic as such. Secondly, despite the by now extensive number of policy documents, there is as yet not so much law for lawyers to analyse.

Yet, a shift is visible: it is increasingly acknowledged that “Current literature on the regulation of cyberspace is no longer focused on whether cyberspace can be regulated. Instead, discussion focuses on how cyberspace is regulated and who are the regulators”.

Cybersecurity is not mentioned as such in the EU Treaties as an area to be dealt with by the European Union.

The perhaps most obvious policy area to have mentioned cybersecurity, CSDP, largely developed (and intentionally so) as military and civilian cooperation to be used for “missions outside the Union for peace-keeping, conflict prevention and strengthening international security […]” as stated in Article 42(1) TEU.

Also the more specific list of tasks in Article 43(1) TEU does not include a reference to cybersecurity. The same holds true for the Treaty provisions on the internal market and on the AFSJ, which are equally silent on cybersecurity.

The European Union is a major international economic, political and military organization. However, the European Union now faces serious challenges and threats that occur in cyberspace every day.

This organization and its member states recognized the importance of strategic regulation of cyberspace many years ago. The European Union in its cyber security strategy, which was born in 2013, is planning to create the safest Internet environment in the world to enable the development of the digital economy.

The strategy itself is the EU’s strategic vision for preventing and responding to failures of, and attacks on, European telecommunication systems.

The proposal for the strategy was published in two parts at the beginning of 2013, of which the first part is the Communication from the European Commission and the High Representative for Foreign Affairs and Security Policy on the EU cyber security strategy.

The second part is the European Commission’s proposal for a directive on network and information security, which is one of the most important strategic directives on cyber security for the future of the EU.

The main purpose of this work is to define the European Union’s cybersecurity strategy, taking into account the modern political, digital and IT factors that arise in today’s world.

Main part

The key objective of the European Digital Agenda is to create a unified digital market for EU member states, relying on sustainable economic and social benefits for all European citizens.

The Agenda is to explore and analyse the existing economic, social challenges and shortcomings of the European Union (i.e. segmentation of the digital market, interoperability challenges, the spread of cybercrime, lack of network investments, low level of R & D, low level of digital human capability) to make proposals for development and to define various actions (European Commission, 2010).

Based on the above-mentioned findings of the European Digital Agenda, the EU Cyber Security Strategy was completed in 2013, referring to the dependence on information technology and information systems that are present in all segments of our society and economy.

Following a rather long and controversial negotiation and coordination process, in February 2013 the proposal for the strategy was published in two parts. The first part is the Communication from the European Commission and the High Representative for Foreign Affairs and Security Policy on the EU Cyber Security Strategy, which is the strategy itself, and the second part is the European Commission’s proposal for a directive on network and information security, which has become known as a package for the NIS Directive.

The strategy is based on five principles that will be priorities for the future of the European Union. It is very important to highlight the recognition that the EU’s official communications also emphasize: cyber security is as important as security in the physical space. In accordance with the official text of the Strategy, its five principles (priorities) are the following:

● “Achieving cyber resilience,

● Drastically reducing cybercrime,

● Developing cyber defence policy and capabilities related to the Common Security and Defence Policy (CSDP),

● Develop the industrial and technological resources for cyber security,

● Establish a coherent international cyberspace policy for the European Union and promote core EU values.”

In order to achieve cyber resilience, the strategy emphasizes the unity of public authorities and the private sector, and the development of cyber capacities, resources and efficiency.

However, achieving this goal cannot be imagined without improving the prevention, detection and management of cyber security events and without coordinating them at EU level.

The strategy gives a special and prominent role to ENISA (European Union Agency for Network and Information Security) in strengthening cyber resilience across the Member States.

On 16 December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy.

The Strategy covers the security of essential services such as hospitals, energy grids and railways and of the ever-increasing number of connected objects in our homes, offices and factories, building collective capabilities to respond to major cyberattacks and working with partners around the world to ensure international security and stability in cyberspace.

It outlines how a Joint Cyber Unit can ensure the most effective response to cyber threats using the collective resources and expertise available to the EU and Member States.

Legislation and certification. NIS Directive

Cybersecurity threats are almost always cross-border, and a cyberattack on the critical facilities of one country can affect the EU as a whole. EU Member States therefore need to have strong governmental bodies that supervise cybersecurity in their country, especially in sectors that are critical for our societies, and to work together with their counterparts in other Member States by sharing information.

They agreed with the EU to ensure this by adopting the NIS Directive (Directive on security of Network and Information Systems), which all countries have now implemented. This Directive was reviewed at the end of 2020.

As a result of the review process, the proposal for a directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive) was presented by the Commission on 16 December 2020.

Cybersecurity Act. The Cybersecurity Act (in force since June 2019) strengthens the role of ENISA: the agency now has a permanent mandate and is empowered to contribute to stepping up both operational cooperation and crisis management across the EU. It also has larger financial and human resources than before.

ENISA – the EU cybersecurity agency. ENISA (‘European Union Agency for Network and Information Security’) is the EU’s agency that deals with cybersecurity. It provides support to Member States, EU institutions and businesses in key areas, including the implementation of the NIS Directive.

Certification

Our digital lives can only work well if there is general public trust in the cybersecurity of IT products and services. Therefore, it is important that we can see that a product has been checked and certified to conform to high cybersecurity standards. At the moment, there are various different security certification schemes for IT products around the EU. Having a single common scheme for certification would be easier and clearer for everyone.

The Commission is therefore working on an EU-wide certification framework, with ENISA at its heart. The Cybersecurity Act outlines the process for achieving this framework.

Support for research and innovation: Horizon H2020 and cPPP; Horizon Europe. Research into digital security is essential to reach innovative solutions that can protect us against the latest, most advanced cyber threats. That is why cybersecurity is an important part of the Commission’s research and innovation funding framework programmes, Horizon 2020 and its successor Horizon Europe.

As part of Horizon 2020, for the period 2014-2020, the Commission has been co-funding research and innovation into topics such as cybersecurity preparedness through cyber ranges and simulation, cybersecurity for small and medium enterprises, cybersecurity in the Electrical Power and Energy System, and cybersecurity and data protection in critical sectors.

These topics fall under the cluster “Secure societies – Protecting the freedom and security of Europe and its citizens”.

In 2016, the H2020 contractual Public Private Partnership (cPPP) on Cybersecurity was established between the European Commission and the European Cyber Security Organisation (ECSO), an association consisting of members from cyber industry, academia, public administrations and more.

In Horizon Europe, for the period 2021-2027, cybersecurity is part of the ‘Civil Security for Society’ cluster. The Work Programme 2021-2022 is currently under preparation.

Support for cyber capacities and deployment. Our physical and digital infrastructures are very closely intertwined.

Therefore, the Commission also invests in cybersecurity as part of its infrastructure investment funding programme, the Connecting Europe Facility (CEF), for the period 2014-2020. So far, CEF support has gone to Computer Security Incident Response Teams, operators of essential services (OES), digital service providers (DSPs), single points of contact (SPOC) and national competent authorities (NCAs).

This enhances the cybersecurity capabilities and the cross-border collaboration within the EU, supporting the implementation of the EU Cybersecurity strategy.

The upcoming Digital Europe Programme, for the period 2021-2027, is an ambitious programme that is planned to invest €1.9 billion into cybersecurity capacity and the wide deployment of cybersecurity infrastructures and tools across the EU, for public administrations, businesses, and individuals.

Cybersecurity is also a part of InvestEU. InvestEU is a general programme that brings together many financial instruments and uses public investment to leverage further investment from the private sector.

Its Strategic Investment Facility will support strategic ‘value chains’ in cybersecurity. It is an important part of the recovery package in response to the Coronavirus crisis.

Cybersecurity Competence Centre and Network; Atlas. To strengthen European cybersecurity capacity, the Commission proposed the creation of a new European Cybersecurity Industrial, Technology and Research Competence Centre and a network of national coordination centres.

The proposed centre would pool expertise and align European development and deployment of cybersecurity technology. It would work with industry, the academic community and others to build a common agenda for investments into cybersecurity, and decide on funding priorities for research, development and roll-out of cybersecurity solutions (through the Horizon Europe and Digital Europe Programmes).

Currently, four pilot projects are running to lay the groundwork for the Competence Centre and Network. They involve more than 170 partners.

To have a better overview of cybersecurity expertise and capacity across the EU, the Commission has developed a comprehensive platform called the Cybersecurity Atlas.

Policy guidance: Blueprint, Joint Cyber Unit, 5G, elections. Blueprint for coordinated response to major cyber-attacks.

The Commission’s blueprint for rapid emergency response provides a plan in case of a large scale cross-border cyber incident or crisis. It sets out the objectives and modes of cooperation between the Member States and EU Institutions in responding to such incidents and crises, and explains how existing Crisis Management mechanisms can make full use of existing cybersecurity entities at EU level.

Joint Cyber Unit. As a follow-up, Commission President von der Leyen has announced a proposal for an EU-wide Joint Cyber Unit. This initiative will aim at further coordinating cybersecurity operational capabilities across the EU.

Secure 5G deployment in the EU. 5G networks are planned to be rolled out across the EU. They will offer huge benefits, but also have more potential entry points for attackers due to their less centralised architecture, more antennas and increased dependency on software.

The EU Toolbox on 5G sets out measures to strengthen security requirements for 5G networks, apply relevant restrictions for suppliers considered high-risk, and ensure the diversification of vendors.

Securing the electoral process. Our European democracies have become increasingly digital: political campaigns take place online, and elections themselves often happen through electronic voting.

The Commission therefore issued recommendations for the cybersecurity of elections for the European Parliament, published in September 2018 as part of a broader package of recommendations to support free and fair European elections. A month before the 2019 European elections, the European Parliament, EU Member States, the Commission and ENISA carried out a live test of their preparedness.

Conclusion

Our society and economy are heavily dependent on information technology and the cyber sphere. The more we rely on the opportunities offered by cyberspace, the more we need to consider new types of threats that can significantly affect our everyday activities, the operation of critical infrastructures, and the access to various services.

To protect and defend cyberspace and vital critical information infrastructure, the European Union needs strategic thinking.

The new EU Cyber Security Strategy, developed jointly by the EU High Representative for Foreign Affairs and Security Policy and the European Commission, was launched in December 2020.

This was not the first comprehensive document created by the European Union in the field of cyber security to determine the future of the cyber era in the EU. The first program was launched in 2013.

The strategy identifies very clear goals and priorities for the EU’s cyber policy, including the promotion of freedom and openness, compliance, cyber security capabilities, and international co-operation on cyberspace. With this strategy and the NIS Directive, the EU defines a very definite and common direction for its Member States in the field of cyber security.
