Cybersecurity in the EU Common Security and Defence Policy (CSDP) Challenges and Risks for the EU
Total Page:16
File Type:pdf, Size:1020Kb
Cybersecurity in the EU Common Security and Defence Policy (CSDP) Challenges and risks for the EU STUDY Science and Technology Options Assessment EPRS | European Parliamentary Research Service Scientific Foresight Unit (STOA) PE 603.175 Cybersecurity in the EU Common Security and Defence Policy (CSDP) Challenges and risks for the EU Study EPRS/STOA/SER/16/214N Abstract This report is the result of a study conducted by the European Union Agency for Network and Information Security (ENISA) for the European Parliament’s Science and Technology Options Assessment (STOA) Panel with the aim of identifying risks, challenges and opportunities for cyber-defence in the context of the EU Common Security and Defence Policy (CSDP). Acceptance of cyber as an independent domain calls for the investigation of its integration with the EU’s current and future policies and capabilities. ENISA analysed the related literature and work on cybersecurity, including its own publications, to form the basis for this study. In addition, a number of stakeholders, experts and practitioners, from academia, EU institutions and international organisations, were consulted in order to ensure the study is well-founded and comprehensive. The study revolves around three thematic areas, namely: policies, capacity building, and the integration of cyber in the CSDP missions, with the last one being the main focus of the study. For each thematic area, we compile a set of policy options, covering different levels, starting from the EU’s political/strategic level and progressing down to the operational and even tactical/technical levels of the CSDP’s supporting mechanisms. These policy options are summarised in a separate options briefing document accompanying this study. PE 603.175 STOA — Science and technology options assessment The STOA project ‘Cybersecurity in the EU Common Security and Defence Policy (CSDP) — Challenges and risks for the EU’ was carried out by ENISA at the request of the Science and Technology Options Assessment Panel, and managed by the Scientific Foresight Unit (STOA) within the Directorate-General for Parliamentary Research Services (DG EPRS) of the European Parliament. AUTHORS Panagiotis Trimintzios, Georgios Chatzichristos, Silvia Portesi, Prokopios Drogkaris, Lauri Palkmets, Dimitra Liveri and Andrea Dufkova. The authors acknowledge and would like to thank the following external experts for their contributions to this report: Prof. Paul Cornish, Dr Maria Bada (The Global Cyber Security Capacity Centre Oxford); Dr Jason C. R. Nurse, Dr Jassim Happa, Dr Ioannis Agrafiotis (University of Oxford); Mr Wolfgang Röhrig (European Defence Agency); Mr Hans-Peter Morbach, WCdr Rob Smeaton (NATO); Prof. Raffaele Marchetti, Dr Roberta Mulas, Ms Beatrice Valentina Ortalizio, Ms Valeria Tisalvi (LUISS School of Government); Dr Stefanie Frey, Melani, Ltc Franz Landenhammer, Maj Nikolaos Pissanidis, Dr Lauri Linström, Mr Henry Röigas, Maj Christian Tschida (NATO CCDCoE). STOA ADMINISTRATOR RESPONSIBLE Zsolt G. Pataki Scientific Foresight Unit (STOA) Directorate for Impact Assessment and European Added Value Directorate-General for Parliamentary Research Services European Parliament, Rue Wiertz 60, 1047 Brussels Email: [email protected] LINGUISTIC VERSION Original: EN ABOUT THE PUBLISHER To contact STOA or to subscribe to its newsletter please write to: [email protected] This document is available on the internet at: http://www.europarl.europa.eu/stoa/. Manuscript completed in May 2017 Brussels, © European Union, 2017 DISCLAIMER This document is prepared for, and addressed to, the Members and staff of the European Parliament as background material to assist them in their parliamentary work. The content of the document is the sole responsibility of its author(s) and any opinions expressed herein should not be taken to represent an official position of the Parliament. Reproduction and translation for non-commercial purposes are authorised, provided the source is acknowledged and the European Parliament is given prior notice and sent a copy. PE 603.175 ISBN 978-92-846-1058-7 doi: 10.2861/853031 QA-04-17-454-EN-N 2 Cybersecurity in the EU Common Security and Defence Policy (CSDP) Contents 1. INTRODUCTION....................................................................................................................................... 5 2. METHODOLOGY AND STUDY STRUCTURE................................................................................... 6 2.1. STUDY STRUCTURE.................................................................................................................................. 6 3. CHALLENGES FOR CYBERDEFENCE.................................................................................................. 7 3.1. POLICY CHALLENGES.............................................................................................................................. 7 3.1.1. The delicate balance between sovereignty and central powers and responsibilities ........................ 7 3.1.2. The complex set of mandates within EU institutions ..................................................................... 9 3.1.3. Cyberspace as a separate domain of operation and application of existing law of armed conflicts 10 3.1.4. Hybrid technologies — drones used in conflicts ........................................................................... 11 3.1.5. The issue of commonly agreed definitions and taxonomy ............................................................. 11 3.1.6. The number and diversity of the actors involved in cyberdefence................................................. 12 3.1.7. Military and civilian overlaps in cyberdefence — a blurry borderline ......................................... 15 3.1.8. The limited availability of updated and reliable data to support policy development ................... 15 3.2. CYBERNORMS........................................................................................................................................ 16 3.2.1. Technological innovation and the need for cybernorms ................................................................ 16 3.2.2. International efforts on cybernorms and the role of the European Union..................................... 17 3.2.3. Confidence-building measures ...................................................................................................... 19 4. CAPACITY BUILDING ........................................................................................................................... 21 4.1. MODELS FOR MEASURING CYBERCAPACITY......................................................................................... 21 4.2. CAPACITY BUILDING IN THE EUROPEAN UNION................................................................................. 22 4.2.1. Capacity building and cybersecurity strategies ............................................................................ 23 4.2.2. Cooperation between public stakeholders ...................................................................................... 25 4.2.3. Trust building ............................................................................................................................... 26 4.2.4. Resourcing .................................................................................................................................... 26 4.2.5. Common approach for cybersecurity and privacy......................................................................... 27 4.2.6. Risk analysis.................................................................................................................................. 27 4.2.7. Contribution from the private sector............................................................................................. 28 4.2.8. Public–private partnerships .......................................................................................................... 28 4.3. EFFORTS IN CAPACITY BUILDING BEYOND THE EU.............................................................................. 29 4.3.1. Council of Europe.......................................................................................................................... 29 4.3.2. Other international cybercapacity-building initiatives................................................................. 30 4.4. ATTRIBUTION OF CYBERATTACKS......................................................................................................... 32 4.4.1. Policy issues .................................................................................................................................. 33 3 STOA — Science and technology options assessment 4.4.2. Existing tools and methods ........................................................................................................... 33 4.4.3. Improving attribution through capacity building......................................................................... 35 5. CYBERDEFENCE AND THE EU COMMON SECURITY AND DEFENCE POLICY ................. 36 5.1. UNDERSTANDING CYBERTHREATS TO THE CSDP ............................................................................... 36 5.1.1. Political/strategic threat assessment ............................................................................................. 37 5.1.2. Technical/tactical threat assessment ............................................................................................. 39 5.1.3. Operating spaces ..........................................................................................................................