Introduction

Stiftung Wissenschaft und Politik
German Institute for International and Security Affairs

SWP Comments

The EU’s Revised Cybersecurity Strategy
Half-Hearted Progress on Far-Reaching Challenges
Annegret Bendiek, Raphael Bossong and Matthias Schulze

Dr. Annegret Bendiek is a Senior Associate, Dr. Raphael Bossong an Associate in the EU / Europe Division at SWP. Matthias Schulze is an Associate in the International Security Division at SWP. This SWP Comments was written in collaboration with Magnus Römer, an intern in the EU / Europe Division at SWP.
SWP Comments 47, November 2017

In September 2017 the EU updated its 2013 Cyber Security Strategy. The new version is intended to improve the protection of Europe’s critical infrastructure and boost the EU’s digital self-assertiveness towards other regions of the world. But the reformed strategy leaves open a number of questions as to how its objective of an “open, safe and secure cyberspace” will be credibly defended, both internally and externally. The EU has neither properly defined resilience or deterrence nor made sufficiently clear how it intends to overcome institutional fragmentation and lack of legal authority in cybersecurity issues. Moreover, controversial topics – such as the harmonisation of criminal law or the use of encryption – have been entirely omitted. Member states should abandon their stand-alone efforts and speed up the legal regulation of cybersecurity at the EU level.

It has been obvious for some time that China is increasingly sealing off its national Internet, Russia is trying to spread its authoritative understanding of information sovereignty, and the USA is engaged in a military-offensive form of cyber-defence. Experts already speak of the era of “data nationalism” and the end of the global Internet. In view of these strategic challenges, the EU’s member states are seeking a path to digital self-assertiveness. “Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks”, Commission President Jean-Claude Juncker said in his State of the Union speech in mid-September 2017. At the digital summit in Tallinn in late September, European Heads of State and Government restated their determination to complete the digital single market to replace the currently existing patchwork of rules in all 28 member states. In the run-up to the summit, Germany, France, Italy and Spain were particularly ambitious. Inter alia, they called for a common tax on US Internet giants and the creation of a secure environment that protects citizens, businesses and governments in exerting their rights.

The European Commission and the High Representative for Foreign Affairs and Security Policy have also proposed to create a “solid cybersecurity structure”. Whilst the EU’s 2013 Cyber Security Strategy remains in place, the updated version introduces an extensive package of new measures. Some of these have provoked lively debate, such as the creation of a Union agency for cybersecurity that would build on the work of the EU Agency for Network and Information Security (ENISA). In addition, there are plans to introduce a European system for cybersecurity certification to improve the security of networked devices and digital products and services. The updated strategy foresees five major reforms: First, the formation of a European research and competency centre for cybersecurity; second, establishing a Europe-wide crisis-response mechanism to deal with future large scale cyber-attacks; third, the creation of a cybersecurity emergency fund; fourth, the development of common projects in military cyber-defence as part of Permanent Structured Cooperation and with the help of the European Defence Fund; and fifth, the promotion of confidence-building measures and state responsibility, so as to contain cyber risks worldwide. All these proposals are intended to increase the EU’s resilience in the cyber domain.

A more significant role for the EU in cybersecurity is needed for the protection of the digital internal market, but obviously it cannot become the single dominant policy forum in this domain, given the global interdependence of technical infrastructures and software as well as changing national ambitions in cyberspace. Yet since the EU is the world’s largest common market, it also represents the largest framework for binding regulation. Seen from this angle, the current set of proposals for reworking the European cybersecurity strategy appears rather half-hearted. Five problems or deficits need to be addressed. First, the EU’s understanding of resilience as a strategic approach remains vague. Second, European cybersecurity suffers from institutional fragmentation and a weak financial base. Third, the proposed measures for increased cybersecurity lack legal force. Fourth, this is particularly true for the harmonisation of criminal law in the fight against cybercrime. Fifth, it remains unclear how defensive cyber-deterrence as a credible component of cyber-diplomacy is supposed to work in detail.

For these reasons, the EU’s updated strategy is no turning-point in the ever more politicised debate on cybersecurity. It is time for the EU and its member states to overcome limited, step-wise initiatives, and to address more challenging topics head-on so as to provide strategic orientation. Otherwise, repeated calls for EU “strategic autonomy” will remain empty words.

Resilience as Guiding Principle

Both the EU’s 2013 Cyber Security Strategy and the new package of proposals maintain a preference for civilian, police and military-defensive instruments to protect information-technology (IT) systems and infrastructures. The underlying guiding principle of resilience corresponds to the EU’s Global Strategy of June 2016. However, the meaning and impact of resilience on European cybersecurity needs to be defined more clearly.

The term of “resilience” is not synonymous with comprehensive security. Instead, resilience refers to the capacities of any technical or natural system to regulate itself. The concept of resilience replaces the measurement and control of risks with the decentralised and flexible ability to resist varied disruptions and often unforeseen shocks. A resilient system can tolerate the loss of individual building blocks, and may even thrive through so-called “creative destruction”. An example is the early Internet, which was founded on the principles of radical self-organisation and dynamic change. Similarly, many technical experts and activists advocate the development of open-source software, decentralised networks and use of encryption as the best way to cyber resilience.

However, the past few years have shown that such a decentralised approach is insufficient. The growing vulnerability of infrastructures to cyber-attacks or software errors cannot be addressed by voluntary cooperation and technical innovation alone. In liberal societies, cybersecurity is also increasingly viewed as a public good that can only be generated through binding regulation. Yet in order to maintain a balance between the stability and necessary openness of cyberspace, the EU needs to formulate a more precise understanding of resilience.

The European Commission rightly calls for an approach to resilience that encompasses economic, societal and political actors – in other words, the whole of society. This comprehensive approach includes a unified market for cybersecurity, based on “security by design” in networked devices, the centrepiece of the digital single market. Mandatory cyber-hygiene – meaning the obligations to update and carefully use networked devices – concern each market participant, since the behaviour of the weakest link can determine the resilience of the whole system. At the same time, the shortage of IT and cybersecurity experts is identified as the most fundamental challenge. Calls for harmonised training and curricula to build up human resources are therefore necessary and welcome. However, the EU has almost no formal competences in education. This structural deficit cannot be compensated by further proposals for a European “blueprint” on crisis-response mechanisms or reinforced cybersecurity exercises alone.

Overall, these measures are coherent with a notion of distributed resilience, but fail to set clear priorities, which could accelerate the necessary structural changes in member states. An overly vague concept of European resilience may instead conceal badly coordinated practices and introduce a lack of accountability. Blueprints, certificates and education plans do not guarantee

Institutional and Financial Fragmentation

The EU should also be more decisive when it comes to the fragmented institutional and multi-level set-up for cybersecurity. The EU’s updated strategy makes some important proposals in this regard. The legal basis and budget of ENISA should be strengthened in order to work on cybersecurity certification and to oversee the implementation of EU legislation on IT infrastructure security. Furthermore, the agency’s range of tasks and budget should be expanded, flanked by more structured and intensive cooperation with other relevant EU actors for cybersecurity, especially the Cybercrime Centre (EC3) within Europol. The agency should also take the lead on new operative solutions, such as serving as a one-stop shop for handling acute cyber-attacks. Affected businesses would have only one interlocutor when it comes to the security of cross-border data transfers – on whose pronouncements they should then rely. However, alongside ENISA the Commission foresees the creation of a further centre and network of excellence, which should boost both security research and the roll-out of new security technologies. This additional centre of excellence would be built on, and incorporate existing national research centres for cybersecurity. The European Defence Agency (EDA) should also become involved step by step. Finally, the new excellence centre should “buttress” ENISA’s certification processes for IT products, whereas ENISA will retain the main responsibility for strategic risk analysis.