Why Europe needs a better cybersecurity strategy

On 7 February 2013, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented their Cybersecurity Strategy of the European Union.

Presentation of EU Cybersecurity Strategy, February 2013

Neelie Kroes, European Commission Vice-President for the Digital Agenda; Catherine Ashton, High Representative of the Union for Foreign Affairs and Security Policy; and Cecilia Malmström, EU Commissioner for Home Affairs (from left to right)

In view of the enormous Internet-related security challenges that citizens, businesses and public bodies are facing today, Europe definitely needs a strategy to deal more effectively with these growing challenges. Just think of cybercrime, disruption of critical infrastructures, cyber espionage and cyber warfare, and you get an idea of the variety and dimension of the threats coming from cyberspace. The annual damage from cybercrime alone already amounts to 750 billion euro per year, according to a McAfee study.

Does the strategy presented by Neelie Kroes, Catherine Ashton, and Cecilia Malmström meet the challenge? This depends on what you expect. It is debatable whether the 20-page document they presented really describes a full-blown strategy.

Strategic priorities

The EU’s cybersecurity strategy is based on five “strategic priorities”:

  • Achieving cyber resilience
  • Drastically reducing cybercrime
  • Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP)
  • Develop the industrial and technological resources for cybersecurity
  • Establish a coherent international cyberspace policy for the European Union and promote core EU values.

These five “strategic priorities” are definitely worthwhile to achieve. The EU’s defensive approach to cybersecurity appears commendable and – if implemented well – may not have to be worse than the rather aggressive approach taken by the United States, which is bracing itself against a “cyber Pearl Harbor”.

The main flaw of the “strategic priorities” is that they have not been defined as measurable goals and, thus, leave more room for interpretation than is advisable for an effective strategy. What does achieving “cyber resilience” really mean? 100 percent safety that cyber attacks could not harm a particular organisation or infrastructure? What does it mean to drastically reduce cybercrime? 10 percent? 50 percent? In which time frame? Given that the share of unreported cybercrimes is supposedly substantial, we may rather expect an increase in the reported cases, even if measures against cybercrime are successful.

Network and information security

Reporting of network and information security (NIS) incidents is one of the central measures of a proposed EU Directive on NIS, which is at the core of the EU cybersecurity strategy. This is the most concrete part of the EU strategy, and one of high importance. Without getting a clear picture on EU level about the dimension and specific features of cyber incidents, it is hard to take adequate action.

Parts of industry are not really enthusiastic about such a reporting obligation, as it would mean bad PR in the case of incidents that could otherwise have been kept private, and because it would mean additional effort and cost for handling the reporting. Although this attitude is understandable, everyone would in the end benefit from detailed Europe-wide statistics on cyber incidents.

The other major point of the Directive is that all Member States should be required to adopt an NIS strategy and designate a national NIS authority. Probably half of the Member States don’t have this yet. This also makes sense, although having 27 national NIS strategies would not automatically lead to a common strategy that enables coordinated responses to cyber threats.

Other parts of the actions summarised under the EU cybersecurity strategy are the revamping of the European Network and Information Security Agency (ENISA), and the recent launch of the European Cybercrime Center (EC3) at Europol. What remains to be seen is how well ENISA and EC3 cooperate with each other and with their counterparts at Member States. Not having one main responsible body on EU level may make coordination of cybersecurity activities difficult.

Where the strategy gets really vague is where it describes how to “improve preparedness and engagement of the private sector”. The document suggests that the private sector should create its “own cyber resilience capacities and share best practices across sectors”.

Conclusion

All of these measures appear to be steps in the right direction. However, central parts of the proposed “strategic priorities” are too vague to be actionable, for example the ideas on strengthening the private sector’s cyber resilience. In that respect, the current status of the EU cybersecurity strategy should rather be seen as a vision document for discussion among all relevant stakeholders.

In order to bring about an “Open, Safe and Secure Cyberspace”, as the EU strategy envisages, more concrete steps are needed to achieve significant impact. Here are some suggestions:

  • Translation of the “strategic priorities” into measurable goals. In regard to reducing cybercrime this could, for example, mean clearly defining different areas of cybercrime with related metrics and setting measurable objectives in terms of X percent by 201X.
  • Closer collaboration between the EC, Member States and industry on important topics like security standards for ICT products and services or a European database of best practices.
  • Negotiation of a cybersecurity agreement among the G8. Although this will be difficult, as there are, for example, different views on the relationship between “open” and “secure” in regard to the Internet, it is nevertheless necessary, as many threats to cybersecurity are global, and they can only be contained if the EC engages in a coordinated approach on a global level. The G8 would be a good starting point, although such an agreement would have to be expanded, particularly to include China.

Cybersecurity is critical for economic growth and welfare in Europe. Thus, it is of utmost importance to act now. The strategy presented by the EC is a first step that needs to be followed by further, more concrete steps. The EC, the Member States, and the major European ICT industry players should get together now and work on developing and implementing a joint strategy.

Further information

EC web page on the cyber security strategy

Storm cloud emerges from EU cybersecurity strategy – EurActiv, 8 February 2013

The EU’s cyber hodgepodge – Thorsten Benner, Deutsche Welle, 8 February 2013

Understanding cybercrime: Phenomena, challenges and legal response. ITU, September 2012 (pdf)

About Milon Gupta

Marketing and PR Manager at Eurescom