Cybersecurity in the European Union and Beyond: Exploring the Threats and Policy Responses

Close-up view on white conceptual keyboard - European Union (key with flag)

Background

The European Commission published the European Union Cyber Security Strategy along with an accompanying proposal for a Network and Information Security (NIS) Directive in 2013. Since the proposal was published, the cybersecurity landscape has continued to evolve, leading to questions regarding the nature and seriousness of the cyber-threats faced by the EU, the capabilities of Member States to manage these threats and respond to incidents, and the effectiveness of these capabilities.

Goals

The European Parliament commissioned RAND Europe to study cybersecurity threats in the EU. The project had five objectives:

To identify key cyber-threats facing the EU and the challenges associated with their identification.
To identify the main cybersecurity capabilities in the EU.
To identify the main cybersecurity capabilities in the United States (US).
To assess the current state of transnational cooperation.
To explore perceptions of the effectiveness of the current EU response.

Methodology

To carry out this study, the research team employed the following data collection and research approaches:

A review of six key threat assessments.
A targeted review of academic research and literature and media reports on cyber-threats and attacks.
Interviews with officials at major national crime agencies including, amongst others, the European Cyber Crime Centre, the Federal Bureau of Investigations and the United Kingdom National Crime Agency.
Development of case studies of instances of transnational cooperation, based on publicly available information.

Recommendations

The research team suggests the following policy options for the European Parliament’s consideration in terms of EU action on cybersecurity:

Encourage ENISA, EC3 and others involved in European cyber-threat assessments to investigate further harmonisation of threat assessments, which can effectively incorporate information from Member States and other EU agencies.
Make use of existing structures as much as possible. One of the concerns identified by the study team – from a review of existing literature and in interviews with experts – was the tendency of the Commission to develop new structures and exclude existing initiatives and agencies.
Consider reinserting law enforcement in the Network and Information Security (NIS) Directive. The attempt to overcome fragmentation at the EU level is hampered by the exclusion of law enforcement from provisions in the proposed NIS Directive.
Ensure Europol has speedy and more direct access to information from the private sector. Speedy access to relevant information from the private sector is essential for Europol to combat transnational cybercrime.
Assess what capability gaps actually exist between the Member States and measure progress. Despite the claims about gaps between Member States, our research suggests that there is very little empirical evidence to indicate which States are more advanced than others and in what areas.

Publication

Cybersecurity in the European Union and Beyond: Exploring the Threats and Policy Responses November 18, 2015

Nicole van der Meulen, Eun A Jo, Stefan Soesanto
The study seeks to better understand cybersecurity threats and existing cybersecurity capabilities in the European Union and the United States, examining in tandem transnational cooperation and perceptions of the effectiveness of the EU response.

Note: This study was commissioned, overseen and published by the European Parliament's Policy Department for Citizens' Rights and Constitutional Affairs at the request of the Parliament's Committee on Civil Liberties, Justice and Home Affairs. It is republished by RAND Europe with the kind permission of the European Parliament.

Project Team

Nicole van der Meulen
Eun A Jo
Stefan Soesanto

RAND Europe Cyber Research

Are You Sitting Comfortably? Understanding the Security and Privacy Implications of the Internet-Connected Living Room

The modern living room contains a range of Internet-connected devices. This increased connectivity comes with privacy and security concerns, threats to consumers, and challenges for industry.

Examining Data and Security Breaches and Cyber-Security Strategies

Current EU-level efforts to address network and information security may not be as robust as they could be. A review some of the provisions of the Commission's 2013 proposals for a Network and Information Security Directive highlights specific concerns, including the relationship of incident notification achieving the outcomes of the directive, potential for overlapping regulation and definitions of covered entities. It would be helpful to clarify what kind of incidents the Directive is aimed to address.

The European Cyber Security Strategy: Too Big to Fail?

The European Cyber Security Strategy is remarkable because it tries to co-ordinate policy across three areas whose competences and mandates were formerly very separate: law enforcement, the 'Digital Agenda', and defence, security, and foreign policy. The strategy also brings under one framework the contributions of defence and foreign policy to cyber security, which is perhaps its most noteworthy characteristic, writes RAND Europe research leader Neil Robinson

Analysis of Cyber-Threats Informs Swedish Strategy

How do governments characterise cyber-threats? What role does law enforcement play in tackling cyber-crime in different countries? These are some of the questions RAND Europe investigated on behalf of the Swedish National Defence College’s Center for Asymmetric Threat Studies (CATS) as part of a rapid comparative analysis of the integration of cyber-security within national and transnational defence and security frameworks. This study supports CATS in their assignment to gather evidence to inform the development of the Swedish Cyber Security Strategy.

Good Practice Guide Addresses Network and Information Security Aspects of Cybercrime

The sharing and exchange of information between Computer Emergency Response Teams (CERTs) and the law enforcement community in Europe face several legal and operational barriers. A range of factors can hinder information exchange, including the different character of each community, different objectives and ways of working. Concrete efforts to foster greater trust include sharing information on capabilities and services offered. RAND Europe offers recommendations both for CERTs and law enforcement and also for policy-makers in Brussels.

Evaluation of the California County Resentencing Pilot Program

America's Opioid Ecosystem

Healthy Nation, Safe Nation: Build Health Security into National Security

Improving Inclusion of Women Veterans

RAND Experts Discuss the First Year of the Russia-Ukraine War

The Policy Currents Podcast

Helping Coastal Communities Plan for Climate Change

Managing Escalation in Crisis and War

Measuring Wellbeing to Help Communities Thrive

Assessing and Articulating the Wider Benefits of Research