In addition to technical vulnerabilities in systems and software, the emergent and changing properties of cyberspace itself, as a socio-technical ‘network of networks’, present a challenge. Vulnerabilities also arise from risky behaviour by individuals and organisations. Threats may come from a multitude of directions, whether nation-states, criminal networks or non-state actors.
The European Defence Agency (EDA) asked RAND Europe and the Fondation pour la Recherche Stratégique to conduct a stock-taking exercise of capabilities including concepts in the area of Cyber Defence across the 20 participating Member States. The researchers spoke to a variety of experts, developed a weighted cyber defence ‘maturity model’ and ran a questionnaire across the participating Member States. A standardised military framework was used to define ‘capability’.
The study found a broad relationship between a Member State’s awareness of cyber defence and the number of indicators it possessed of capability.
Many countries have set up organisations specifically to deal with cyber defence: 19 out of 20 had some kind of unit dedicated to cyber defence missions in their ministries of defence, and this was linked to the national Computer Emergency Response Team (CERT); in 18 out of 20 countries this was linked to other incident response capability (other types of CERT).
But doctrine is lagging behind (only 6 out of 20 states had a specific cyber defence strategy and 5 out of 20 had a cyber defence doctrine).
Training and learning also needs to be strengthened (9 out of 20 states had cybersecurity as a specific technical career path), as does interoperability (only 5 out of 20 participated in EU-wide exercises).
RAND Europe and others are now engaged on a number of follow-up projects to advise the EDA how different states could increase their cyber defence capability status.
The objective of this study was to establish a high level understanding of cyber defence capabilities across EDA's participating Member States (pMS) to support progress toward a more consistent level of cyber defence capability across the EU.
Neil Robinson, Research Leader, RAND Europe
Agnieszka Walczak, Associate Analyst, RAND Europe
Sophie-Charlotte Brune, former Research Fellow, RAND Europe
Alain Esterle, Fondation pour la Recherche Stratégique
Pablo Rodriguez, Fondation pour la Recherche Stratégique