Breaking down the EU’s new plans on cyber-security
The European Commission’s overhaul points a way forward for achieving de facto international norms in cyber-security.
President of the European Commission Jean-Claude Juncker held his State of the Union address on 13 September. The address sets out the 2018 priorities for what is still the second largest economy in the world.
Scaling up the European Union’s efforts in cyber-security is one of those priorities, and the direction the EU takes on it will have a direct impact on political, security and trade partners like Australia and other countries in the Asia-Pacific region.
How is the EU scaling up in cyber?
- The EU will set up a European Cyber Security Agency. The existing pan-European Agency for Network and Information Security (ENISA) has a role limited to providing advice and expertise to EU Member States. The new — and probably first ever supranational — Cybersecurity Agency is expected to get a mandate with operational responsibilities.
  Those will include the implementation of:
  - the Network Information Security directive: this law obliges all Member States to have a modern Computer Security Incident Response Team (CSIRT) in place and to nominate critical infrastructure providers and digital services that will be bound by strict cybersecurity measures and by an obligation to notify the authorities in case of liabilities.
  - a Common Cybersecurity Certification Framework: the EU wants to deploy a common framework for industry certification of ICT-based products and services. As it stands, individual countries draw up their own certification schemes, with the risk of creating barriers to free trade within the European single market.
- The EU will also launch a European Cybersecurity Research and Competence Centre in order to ensure that the European Union achieves “technological autonomy”. An investment of €50 million (A$75 million) in addition to ongoing R&D funding schemes was announced.
- The EU will expand its legal framework for dealing with the criminalization of cyber attacks by issuing a new directive (i.e. law) on combating fraud and counterfeiting of non-cash means of payment.
This week, Europol, in its Internet Organised Crime Threat Assessment, reported that ransomware attacks now eclipse all others, that a great variety of ‘every day attacks’ occur on critical infrastructure and that the rise of card-not-present fraud impacts heavily on retailers alongside the use of cryptocurrencies by criminals.
- The EU will use its foreign policy tools to “encourage cooperation”, “mitigate threats” and “influence behavior of potential aggressors” by leveraging its so-called cyber diplomacy toolbox and cyber capacity building efforts. In cyber defence, the EU seeks to streamline the doctrines of Member States and, where possible, pull capabilities together.
What’s the upshot?
Whereas efforts to arrive at further political and international legal norms for responsible state behavior in cyber reached a deadlock earlier this year with the collapse of the UN GGE 2017 process, the European Commission — the executive organ of the European Union in charge of its domestic economy and international trade — appears to have steamed ahead nonetheless.
Rather than a classical top-down approach seeking political — and sometimes ideological — convergence, the Commission’s approach, driven by market incentives, is to set regulatory, safety and security and law enforcement standards that may well have a cascading impact on Europe’s main trading partners across the globe.
The by-product of such a techno-economic approach may be the emergence of de facto multilateral norms, limited in scope as they may be for the moment, but accommodating those who reap the real benefits from the Internet: consumers and businesses.
Bart Hoogeveen is an analyst in ASPI’s International Cyber Policy Centre (ASPI Cyber Policy). Follow him on Twitter @BartHoogeveen