The European Cyber Security Strategy: Too Big to Fail?
February 8, 2013
Yesterday's publication of the much-anticipated European Cyber Security Strategy reflects a realisation that co-ordination across a range of policy domains in Europe is necessary to respond to challenges like cyber-security, which crosses many domains. The strategy is remarkable because it tries to co-ordinate policy across three areas whose competences and mandates were formerly very separate: law enforcement (under Commissioner Cecilia Malmström), the 'Digital Agenda' (Commissioner Neelie Kroes), and defence, security, and foreign policy (High Representative for Foreign Affairs and Security Policy Catherine Ashton).
The strategy is necessarily a high-level document with such goals as improving the resilience and capacity of EU member states, strengthening the fight against cybercrime, addressing and developing structures and capabilities for EU cyber defence, and formulating an international policy on cyber security to help build capacity outside the EU.
An important aspect of this initiative will be efforts to harmonise the cyber security capabilities of European member states. This has been defined as ensuring that EU countries properly equip themselves to tackle network and information security. The strategy will require, via accompanying legislation, that each EU member state possess a well-functioning national-level computer emergency response team (CERT) and a competent authority to speak on behalf of the country in European-level discussions. Recent research by RAND Europe illustrates that this is easier said than done: Countries have varying types of responding authority, and not all can formulate a national-level response. The jury is still out as to whether promoting incident response teams—organisations with a reactive mind-set—will influence how a country tackles these issues at a national level, undermining a more proactive approach. Our analysis of the culture and practice of CERTs suggests that where they lack a strong legal basis, CERTs regularly find themselves operating in the dark with respect to what data they can and cannot share across borders and even with other organisations (such as law enforcement).
The strategy also aims to strengthen cooperation between the public and private sectors, encourage the development of public-private partnerships, and take advantage of other initiatives, such as the European Public-Private Partnership for Resilience (EP3R). The EP3R has been in existence for several years now, but it faces challenges over its direction and participation, and it lacks a sufficiently robust and diverse group of stakeholders (especially end users of technology). In 2013, it is attempting to reenergise its activity under the facilitation of the European Network and Information Security Agency. It is not clear to what extent industry has been motivated to engage in the EP3R by the perception that it is a suitable channel to influence policymakers in Brussels.
Finally, the European Cyber Security Strategy also brings under one framework the contributions of defence and foreign policy to cyber security. This is perhaps its most noteworthy characteristic, given that defence and security are policy domains in which EU member states have traditionally been highly protective of their sovereignty. Some would say this engagement is long overdue. The strategy calls for concepts, structures, and capabilities for cyber defence at the EU level. Under the European Union Military Staff, the EU already has a nascent cyber defence concept for 'Common Defence and Security Policy' missions. To support this, RAND Europe is providing the European Defence Agency with a benchmarked assessment of the levels of military cyber defence capability across many European countries. Our findings, due to be released shortly, point to wide disparities across the EU and plenty of opportunities for member states to seek advice and assistance across a range of domains of military capability, such as doctrine, organisation, training, and interoperability.
Although the European Cyber Security Strategy will attract attention because of its sheer breadth, two significant issues remain. First, institutional turf wars will need to be managed in order for the strategy to become a practical reality. Any Brussels insider will agree that the inter-institutional battles between different directorates can be discouraging. Second, the strategy will undoubtedly need an accompanying action plan to detail how it will work in practice. This is particularly the case in the current climate of austerity. The action plan should also contain guidance for evaluation to identify and robustly measure the effect of the strategy. Otherwise, the high-sounding remarks about cooperation might start to sound very hollow indeed.
Neil Robinson is a research leader at RAND Europe, a division of the nonprofit, nonpartisan RAND Corporation. He conducts research in areas such as cyber security, privacy, and the socioeconomic implications of the information society.
This commentary appeared on RAND.org on February 8, 2013.