Cybersecurity in the European Union and Beyond: Exploring the Threats and Policy Responses
Background
The European Commission published the European Union Cyber Security Strategy along with an accompanying proposal for a Network and Information Security (NIS) Directive in 2013. Since the proposal was published, the cybersecurity landscape has continued to evolve, leading to questions regarding the nature and seriousness of the cyber-threats faced by the EU, the capabilities of Member States to manage these threats and respond to incidents, and the effectiveness of these capabilities.
Goals
The European Parliament commissioned RAND Europe to study cybersecurity threats in the EU. The project had five objectives:
-
To identify key cyber-threats facing the EU and the challenges associated with their identification.
-
To identify the main cybersecurity capabilities in the EU.
-
To identify the main cybersecurity capabilities in the United States (US).
-
To assess the current state of transnational cooperation.
-
To explore perceptions of the effectiveness of the current EU response.
Methodology
To carry out this study, the research team employed the following data collection and research approaches:
-
A review of six key threat assessments.
-
A targeted review of academic research and literature and media reports on cyber-threats and attacks.
-
Interviews with officials at major national crime agencies including, amongst others, the European Cyber Crime Centre, the Federal Bureau of Investigations and the United Kingdom National Crime Agency.
-
Development of case studies of instances of transnational cooperation, based on publicly available information.
Recommendations
The research team suggests the following policy options for the European Parliament’s consideration in terms of EU action on cybersecurity:
-
Encourage ENISA, EC3 and others involved in European cyber-threat assessments to investigate further harmonisation of threat assessments, which can effectively incorporate information from Member States and other EU agencies.
-
Make use of existing structures as much as possible. One of the concerns identified by the study team – from a review of existing literature and in interviews with experts – was the tendency of the Commission to develop new structures and exclude existing initiatives and agencies.
-
Consider reinserting law enforcement in the Network and Information Security (NIS) Directive. The attempt to overcome fragmentation at the EU level is hampered by the exclusion of law enforcement from provisions in the proposed NIS Directive.
-
Ensure Europol has speedy and more direct access to information from the private sector. Speedy access to relevant information from the private sector is essential for Europol to combat transnational cybercrime.
-
Assess what capability gaps actually exist between the Member States and measure progress. Despite the claims about gaps between Member States, our research suggests that there is very little empirical evidence to indicate which States are more advanced than others and in what areas.
Publication
-
Nicole van der Meulen, Eun A Jo, Stefan Soesanto
The study seeks to better understand cybersecurity threats and existing cybersecurity capabilities in the European Union and the United States, examining in tandem transnational cooperation and perceptions of the effectiveness of the EU response.
Note: This study was commissioned, overseen and published by the European Parliament's Policy Department for Citizens' Rights and Constitutional Affairs at the request of the Parliament's Committee on Civil Liberties, Justice and Home Affairs. It is republished by RAND Europe with the kind permission of the European Parliament.
Project Team
Nicole van der Meulen
Eun A Jo
Stefan Soesanto