The EU's Revised Cybersecurity Strategy. Half-Hearted Progress On

Introduction

Stiftung Wissenschaft und Politik German Institute for International and Security Affairs

Comments

The EU’s Revised Cybersecurity Strategy WP Half-Hearted Progress on Far-Reaching Challenges

Annegret Bendiek, Raphael Bossong and Matthias Schulze S

In September 2017 the EU updated its 2013 Cyber Security Strategy. The new version is intended to improve the protection of Europe’s critical infrastructure and boost the EU’s digital self-assertiveness towards other regions of the world. But the reformed strategy leaves open a number of questions as to how its objective of an “open, safe and secure cyberspace” will be credibly defended, both internally and externally. The EU has neither properly defined resilience or deterrence nor made sufficiently clear how it intends to overcome institutional fragmentation and lack of legal authority in cybersecurity issues. Moreover, controversial topics – such as the harmonisation of criminal law or the use of encryption – have been entirely omitted. Member states should abandon their stand- alone efforts and speed up the legal regulation of cybersecurity at the EU level.

It has been obvious for some time that the digital single market to replace the cur- China is increasingly sealing off its nation- rently existing patchwork of rules in all 28 al Internet, Russia is trying to spread its member states. In the run-up to the sum- authoritative understanding of information mit, Germany, France, Italy and Spain were sovereignty, and the USA is engaged in a particularly ambitious. Inter alia, they military-offensive form of cyber-defence. called for a common tax on US Internet Experts already speak of the era of “data giants and the creation of a secure environ- nationalism” and the end of the global In- ment that protects citizens, businesses and ternet. In view of these strategic challenges, governments in exerting their rights. the EU’s member states are seeking a path The European Commission and the High to digital self-assertiveness. “Cyber-attacks Representative for Foreign Affairs and Secu- can be more dangerous to the stability of rity Policy have also proposed to create a democracies and economies than guns and “solid cybersecurity structure”. Whilst the tanks”, Commission President Jean-Claude EU’s 2013 Cyber Security Strategy remains Juncker said in his State of the Union in place, the updated version introduces an speech in mid-September 2017. At the digi- extensive package of new measures. Some tal summit in Tallinn in late September, of these have provoked lively debate, such European Heads of State and Government as the creation of a Union agency for cyber- restated their determination to complete security that would build on the work of

Dr. Annegret Bendiek is a Senior Associate, Dr. Raphael Bossong an Associate in the EU / Europe Division at SWP. SWP Comments 47 Matthias Schulze is an Associate in the International Security Division at SWP. November 2017 This SWP Comments was written in collaboration with Magnus Römer, an intern in the EU / Europe Division at SWP.

1 the EU Agency for Network and Informa- politicised debate on cybersecurity. It is time tion Security (ENISA). In addition, there are for the EU and its member states to over- plans to introduce a European system for come limited, step-wise initiatives, and to cybersecurity certification to improve the address more challenging topics head-on security of networked devices and digital so as to provide strategic orientation. Other- products and services. The updated strategy wise, repeated calls for EU “strategic autono- foresees five major reforms: First, the for- my” will remain empty words. mation of a European research and com- petency centre for cybersecurity; second, establishing a Europe-wide crisis-response Resilience as Guiding Principle mechanism to deal with future large scale Both the EU’s 2013 Cyber Security Strategy cyber-attacks; third, the creation of a cyber- and the new package of proposals maintain security emergency fund; fourth, the devel- a preference for civilian, police and mili- opment of common projects in military tary-defensive instruments to protect infor- cyber-defence as part of Permanent Struc- mation-technology (IT) systems and infra- tured Cooperation and with the help of structures. The underlying guiding prin- the European Defence Fund; and fifth, the ciple of resilience corresponds to the EU’s promotion of confidence-building measures Global Strategy of June 2016. However, the and state responsibility, so as to contain meaning and impact of resilience on Euro- cyber risks worldwide. All these proposals pean cybersecurity needs to be defined are intended to increase the EU’s resilience more clearly. in the cyber domain. The term of “resilience” is not synony- A more significant role for the EU in mous with comprehensive security. Instead, cybersecurity is needed for the protection resilience refers to the capacities of any of the digital internal market, but obviously technical or natural system to regulate it- it cannot become the single dominant policy self. The concept of resilience replaces the forum in this domain, given the global in- measurement and control of risks with the terdependence of technical infrastructures decentralised and flexible ability to resist and software as well as changing national varied disruptions and often unforeseen ambitions in cyberspace. Yet since the EU is shocks. A resilient system can tolerate the the world’s largest common market, it also loss of individual building blocks, and may represents the largest framework for bind- even thrive through so-called “creative de- ing regulation. Seen from this angle, the struction”. An example is the early Inter- current set of proposals for reworking the net, which was founded on the principles European cybersecurity strategy appears of radical self-organisation and dynamic rather half-hearted. Five problems or defi- change. Similarly, many technical experts cits need to be addressed. First, the EU’s and activists advocate the development of understanding of resilience as a strategic open-source software, decentralised net- approach remains vague. Second, European works and use of encryption as the best way cybersecurity suffers from institutional frag- to cyber resilience. mentation and a weak financial base. Third, However, the past few years have shown the proposed measures for increased cyber- that such a decentralised approach is in- security lack legal force. Fourth, this is par- sufficient. The growing vulnerability of ticularly true for the harmonisation of crimi- infrastructures to cyber-attacks or software nal law in the fight against cybercrime. Fifth, errors cannot be addressed by voluntary it remains unclear how defensive cyber- cooperation and technical innovation deterrence as a credible component of cyber- alone. In liberal societies, cybersecurity is diplomacy is supposed to work in detail. also increasingly viewed as a public good For these reasons, the EU’s updated strat- that can only be generated through binding egy is no turning-point in the ever more regulation. Yet in order to maintain a bal-

SWP Comments 47 November 2017

2 ance between the stability and necessary Institutional and Financial openness of cyberspace, the EU needs to Fragmentation formulate a more precise understanding The EU should also be more decisive when of resilience. it comes to the fragmented institutional The European Commission rightly calls and multi-level set-up for cybersecurity. The for an approach to resilience that encom- EU’s updated strategy makes some impor- passes economic, societal and political tant proposals in this regard. The legal basis actors – in other words, the whole of soci- and budget of ENISA should be strength- ety. This comprehensive approach includes ened in order to work on cybersecurity cer- a unified market for cybersecurity, based on tification and to oversee the implementa- “security by design” in networked devices, tion of EU legislation on IT infrastructure the centrepiece of the digital single market. security. Furthermore, the agency’s range Mandatory cyber-hygiene – meaning the of tasks and budget should be expanded, obligations to update and carefully use flanked by more structured and intensive networked devices – concern each market cooperation with other relevant EU actors participant, since the behaviour of the for cybersecurity, especially the Cybercrime weakest link can determine the resilience Centre (EC3) within Europol. The agency of the whole system. At the same time, the should also take the lead on new operative shortage of IT and cybersecurity experts solutions, such as serving as a one-stop shop is identified as the most fundamental chal- for handling acute cyber-attacks. Affected lenge. Calls for harmonised training and businesses would have only one interlocu- curricula to build up human resources are tor when it comes to the security of cross- therefore necessary and welcome. However, border data transfers – on whose pro- the EU has almost no formal competences nouncements they should then rely. How- in education. This structural deficit cannot ever, alongside ENISA the Commission fore- be compensated by further proposals for sees the creation of a further centre and a European “blueprint” on crisis-response network of excellence, which should boost mechanisms or reinforced cybersecurity both security research and the roll-out of exercises alone. new security technologies. This additional Overall, these measures are coherent centre of excellence would be built on, and with a notion of distributed resilience, but incorporate existing national research cen- fail to set clear priorities, which could tres for cybersecurity. The European Defence accelerate the necessary structural changes Agency (EDA) should also become involved in member states. An overly vague concept step by step. Finally, the new excellence of European resilience may instead conceal centre should “buttress” ENISA’s certifi- badly coordinated practices and introduce cation processes for IT products, whereas a lack of accountability. Blueprints, certifi- ENISA will retain the main responsibility cates and education plans do not guarantee for strategic risk analysis. resistance to actual crises or operative secu- Not all tasks can meaningfully be bun- rity. More detailed concepts should show dled into a single EU cybersecurity agency. how the EU could make progress here de- Yet the overlapping competences and inter- spite its limited legal competences. In the faces between these different actors must long term, early and comprehensive train- be specified as quickly as possible. Larger ing will be the only way to close the digital member states might complicate the devel- skills gap and tackle the lack of correspond- opment of an effective governance network ing human capital. at the EU level, because they are already heavily invested in their own national solutions. The German Federal Government puts much effort into a new cyber-defence cluster in Munich while France has taken a

SWP Comments 47 November 2017

3 strategic policy decision to promote re- ucts as a central step. The European (digital) search into artificial intelligence. To date, it single market as biggest global market has remains wishful thinking on the part of the the necessary leverage, which could also Commission that these and other national help to increase global standardisation. initiatives will be smoothly integrated into Yet even if ENISA should work onstricter a comprehensive European network. Not product certification and security testing, even ENISA’s role vis-à-vis national cyber- the EU does not commit to making such security bureaucracies – for instance, Ger- procedures compulsory. By contrast, the many’s Federal Office for Information Secu- new EU directive on protecting critical IT rity (BSI) as well as its newly established infrastructure (Network and Information Central Office for Information Technology Security, NIS) has shown that previous in the Security Sphere (ZITis) – has been voluntary approaches reached their limits. adequately clarified. All too often, public-private partnerships Meanwhile, all state agencies compete for cybersecurity could not overcome struc- with the private sector for IT experts, but tural hurdles to the timely reporting and they are often much less attractive than early prevention of cyber-attacks. The new private employers. EU institutions should NIS Directive therefore obliges operators avoid unnecessary competition for quali- and providers of “essential services” – such fied staff; the scarce human resources to as energy, water supply, transport, finances, deal with acute security challenges need health and the Internet – to make adequate to be concentrated as much as possible. investment and organisational reforms for The desired substantial increase in training cybersecurity. Member states, too, have to and human resource development in all create national reporting systems. The member states is a very long-term ambition, widely divergent cyber capacities of mem- which needs to be bridged and supported ber states are the critical issue for a reliable by an effectiveEuropean process of pooling implementation of the NIS Direction under and sharing of knowhow. the leadership of a strengthened ENISA. In For immediate impact, member states the medium term, the definition of critical should at least support an ambitious financ- infrastructures covered by the NIS Directive ing of the new excellence network, as the needs to be reviewed as well, because Inter- Strategy calls on them to do. This is clearly net providers or smaller digital businesses necessary given the enormous sums that can be gateways for attacks. competitors such as China, India and USA Considering this, the revised strategy’s invest in their IT industries and research. cautious approach to further product secu- The new cybersecurity emergency fund rity regulation comes as a surprise. Not to suggested by the Commission can only be envisage a shift from voluntary to obligato- the beginning of a much more substantial ry product certification is a missed oppor- reallocation of EU budgetary resources. tunity for a forward-looking document. However, the coming negotiations about Traditionally centralised infrastructures the EU’s next Multiannual Financial Frame- increasingly overlap with the private use of work risk getting bogged down in national technical devices in the so-called Internet net contributions and compensations for of Things, which is creating multiple new the loss of UK net payments. vulnerabilities. Mandatory certificates and enforceable liability would also force pro- ducers from other parts of the world to Weak Standard-Setting adapt to European standards, if they want All stakeholders should be ready to support to maintain access to the single market. more EU legislation to strengthen cyber Early regulatory action could, in turn, cre- resilience. In the updated strategy, the EU ate competitive advantages for European rightly stresses the certification of IT prod- businesses (first mover advantage). Last but

SWP Comments 47 November 2017

4 not least, the growing public demand for Online as offline, criminal evidence has IT-product security justifies transitioning to be acquired in line with core principles from voluntary to compulsory standardisa- of the rule of law and fundamental rights. tion processes at the earliest opportunity. Hence, EU interior ministers have been negotiating on the challenging issue of encryption for some considerable time Fighting Cybercrime already. The fact that the updated cyber- The EU’s ambitions for legal reform outside security strategy fails to engage with this the single market remain limited as well. debate is a further sign of its weak political To contain cybercrime effectively criminal ambition and overemphasis on compro- offences and investigative tools for pros- mise. ecuting authorities need to be harmonised. Similarly, the strategy fails to touch on The updated strategy mentions the EU’s the thorny question of how criminal con- ongoing policy debate on how to facilitate tent on the Internet and social media the cross-border transfer of electronic evi- should be tackled. Most EU member states dence. This, and its proposal to use the tech- have signed the Budapest Convention and nical communications protocol IPv6 as thus committed themselves to prosecuting widely as possible, could help to simplify criminal offenses committed in cyberspace. IT forensics. However, other important Nevertheless, there is a wide discrepancy debates are dealt with in an overly cautious between European states regarding which manner or simply left out. For instance, The actions constitute a crime in the digital proposal to draw up voluntary guidelines domain. The main contention is over the on how public-private partnerships to com- scope of freedom of expression, or the defi- bat cybercrime could comply with EU data- nition of illegal “hate speech”. Whereas the protection laws can only be a first step. Commission has drawn up another volun- Evolving European data-protection laws for tary code of conduct in partnership with the single market (e.g. E-privacy) create the private sector, several EU member significant tensions with the practices by states have passed stricter liability laws many global companies. The US has shown, for social-media providers. Uncoordinated too, that public-private collaboration for national efforts, however, have limited law-enforcement in cyberspace requires effect and may endanger freedom of speech binding rules, so as to avoid surveillance both within and outside the EU. For in- scandals or high-profile court cases that stance, authoritarian regimes such as Rus- damage mutual trust. sia have explicitly referred to Germany’s Moreover, the EU’s revised strategy does new Internet Enforcement Law (Netzwerk- not take a stance on whether encryption durchsetzungsgesetz) of September 2017 to technologies could be weakened to allow justify their own growing online censor- for easier access by law-enforcement and ship. Coordination problems are aggravated intelligence organisations. Encryption is by the fact that private actors are urged a crucial pillar of dispersed and resilient to delete content directly. This frequently cybersecurity, as it makes it more difficult results in excessive private decisions to for all malignant actors to steal data. EU take down content and may create a wider member states soon have to decide jointly “chilling effect” on freedom of speech. Gen- whether to allow “back doors” or “tele- erally speaking, the reach and power of communications surveillance at source”, Facebook and Google underline the need to i.e. to break into devices to intercept com- draw up binding rules at the EU level. These munications before encryption. In this rules need to define clear, balanced, account- context, member states also have to con- able and enforceable mechanisms for pro- sider maintaining a trustworthy regime of tecting fundamental rights as well as ad- cross-border law-enforcement cooperation. dressing illegal content.

SWP Comments 47 November 2017

5 Cyber-Defence and later. This framework is meant to improve Cyber-Foreign Policy the protection of CSFP missions and the The EU’s revised strategy contains little communications security of the European new on international rules and norms for External Action Service (EEAS). EU-NATO the conduct of states in cyberspace, despite cooperation on hybrid threats, which also the intensifying global debate on digital includes cyber-attacks and misinformation sovereignty and cyber-deterrence. In cyber- campaigns, should be channelled through defence, the EU continues to pursue a de- a new Hybrid Fusion Cell established in fensive approach. This is in line with its Helsinki in early April 2017. All NATO and guiding principle of resilience, according to EU member states are represented on its which certain risks must be accepted and supervisory board, and common EU-NATO their impact minimised. However, it would cyber-exercises now regularly take place. be helpful to spell out more clearly how Nevertheless, the joint EU-NATO strategic systemic resilience combines with effective framework remains unclear. In the Tallinn deterrence. Resilience first and foremost Manual of 2013 and 2017, NATO’s Coopera- deters – or rather undermines the effective- tive Cyber Defence Centre of Excellence ness of – denial of service attacks and cyber made proposals for codifying the right to operations that seek to disrupt critical in- wage war (jus ad bellum) and the laws of war frastructures. By contrast, misinformation (jus in bello) in cyberspace. This should not campaigns or cybercriminals may only be be construed as a joint policy with the EU deterred by more active measures and effec- and its member states. tive prosecution. Hence, further bilateral Many academic researchers take a criti- agreements between the EU and third states cal view of the digital counter-attacks con- on fighting cybercrime would be useful. sidered by NATO. It is often impossible to When it comes to military cyber-defence, identify either the perpetrators of cyber- the EU strategy primarily refers to its exist- attacks or the targets for counter-strikes, ing cooperation with NATO, the option of a difficulty known as the attribution prob- Permanent Structured Cooperation under lem. There is a high risk of attacking sys- its Common Security and Foreign Policy tems that were uninvolved or hijacked (CSFP), and the potential of the Defence themselves – and that might even be Fund agreed in June 2017. Because of the needed for critical supply tasks in other widely different levels of capacity and speed countries. Counterattacks may also trigger of digital transformation among the armed an escalating spiral of reciprocal cyber- forces of EU member states, it makes sense attacks. The problem needs to be addressed to make cyber-cooperation within the CSFP urgently, since some private companies more flexible. More EU exercises and capac- already practice digital counter-attacks, ity-building in the weaker member states known as hack backs. Under the EU’s guid- are certainly useful as well. Nevertheless, ing principle of resilience, states should the question arises how these countries can define their red lines and levels of escala- catch up and use the new defence fund, tion readiness, including corresponding while they may simultaneously be excluded sanctions. This is predicated on the creation from Permanent Structured Cooperation of uniform attribution standards and a due to their lagging capacities in the cyber common situational awareness of cyber- domain. threats. ENISA or the Hybrid Fusion Cell in NATO, in any case, remains the first Helsinki would be suited to this task. To point of reference for Europe’s defensive prevent conflicts from spiralling out of cybersecurity. The European Council had control in cyber-space, further political already decided in December 2013 to inten- instruments need to be specified. The EU sify EU-NATO cooperation and adopted the agreed to develop a so-called Cyber Diplo- Cyber Defence Policy Framework a year macy Toolbox, which sets out possible

SWP Comments 47 November 2017

6 counter-measures in case of an external The first litmus test will be the envisaged cyber-attack and raises the costs for perpe- European certification and identification trators. The toolbox is expected to encom- framework. Led by ENISA and the European pass the summoning of diplomats, further Commission, member states need to rapidly political, economic and penal sanctions, reach agreement on adequate security as well as digital responses. However, the standards and move towards legally bind- fundamental problem of attribution applies ing rules for the security of ICT products as even to diplomatic responses. And since quickly as possible. The private sector and the use of the Toolbox is not only voluntary academia must also be involved in the pro- but also requires the unanimous support cess to maintain the right balance between of all EU member states, there are multiple innovation and regulation. A competitive hurdles to a mount an effective defensive European ICT industry depends on a level deterrence. playing field, which would also enable it Finally, the EU’s updated strategy de- to do better on global markets. This shared clared that cybersecurity issues would be understanding should help to reach agree- © Stiftung Wissenschaft und prioritised in all relevant external relations. ment among all stakeholders. Politik, 2017 As a starting point, the strategy proposes a The greatest challenge to building multi- All rights reserved further “platform” to support third states layered cyber-resilience remains the crea- These Comments reflect in their cybersecurity capacities. This can tion of reliable and trusting relationships the authors’ views. also be seen as a concession to Eastern Euro- between all participants. This holds true SWP pean states, aimed at improving protection between strong and weaker cyber-nations as Stiftung Wissenschaft und Politik from Russian interference in the EU’s neigh- well as between member states, EU author- German Institute for bourhood. Yet further global or multilateral ities and private actors. Looking beyond International and Security Affairs processes for negotiating common norms the EU, clear strategic guidelines for cyber- on cybersecurity are only mentioned in foreign policy and credible links to deci- Ludwigkirchplatz 34 passing. sion-making are becoming ever more im- 10719 Berlin Telephone +49 30 880 07-0 portant. These include reinforcing encryp- Fax +49 30 880 07-100 tion and responding to cyber-threats from www.swp-berlin.org [email protected] Outlook: The EU as Digital Power outside Europe with political, economic The reform proposals contained in the up- and legal sanctions. ISSN 1861-1761 dated EU Cyber Security Strategy of Septem- Taken individually, EU member states Translation by Tom Genrich ber 2017 are a step in the right direction. and businesses cannot handle these tasks. (English version of Taken together, they would help the Union If the EU truly wants to become a digital SWP-Aktuell 72/2017) to resist cyber-attacks technically, legally power, close cooperation in all mentioned and politically. However, effective resilience areas, a legally binding European frame- requires a deeper engagement by member work and technical standardisation are in- states. They need to adopt a more strategic dispensable. perspective and systematically tackle any weak points. To date, ambitious proposals have tended to meet with resistance. Some EU member states do not see the EU as the appropriate organisation for IT regulation but prefer the OECD. Representatives from the information and communications technology (ICT) industry complain that EU institutions currently lack the requisite expertise. That is why the EU must take a step beyond the reticent approach that still characterises the new package of proposals.

SWP Comments 47 November 2017