Cybersecurity in the European Union

Table of Contents

1. Frontmatter

2. 1. Introduction

   George Christou

   Abstract

   Information and communications technologies (ICTs), in particular the Internet, have been an increasingly important aspect of global social, political and economic life for two decades, and are the backbone of the global information society today Their evolution and development have brought many benefits for individuals, as well as a plethora of public and private institutions and actors; witness the positive impact of social networks on the uprisings in the Arab Spring in 2011, or the increased use of e-commerce across business and individuals. ICTs have also, however, brought the threat of serious cyber-attacks demonstrated in recent years through acts of cyber espionage and cybercrime within the virtual, networked ecosystem that we live in.

3. 2. Conceptualising Security as Resilience in Cyberspace

   George Christou

   Abstract

   Many cybersecurity strategies within and beyond Europe refer to developing effective cyber resilience, but without adequately defining and deconstructing what resilience is, what it looks like at different stages, and the preconditions and governance forms required to achieve it. Approaches to cybersecurity thus far have been theoretically and conceptually eclectic — utilising traditional and critical theories of International Relations (IR) and concepts such as cyber power. This chapter will — in line with the main purpose of this book — draw on existing theorisations of cybersecurity more broadly, and add to them through interrogating resilience and security governance in order to create a holistic approach to assessing the evolution of the European Union’s (EU) ecosystem for cybersecurity governance. Moreover, it will seek to provide a frame of reference for not only understanding the ‘Internet interconnection system’ (ENISA 2011c) but more specifically the conditions that can potentially lead to cybersecurity as resilience across the European space.

4. 3. Cybersecurity in the Global Ecosystem

   George Christou

   Abstract

   According to Steve Purser of ENISA, ‘International collaboration is essential. Security within national boundaries doesn’t make sense. Everything is globally connected. A European approach doesn’t make sense unless aligned to the approach of international partners’ (SDA Report 2012). Thus the EU’s construction of its cybersecurity ecosystem is embedded within, bounded by, and inexorably connected to the evolving global ecosystem of cybersecurity governance, and more broadly, Internet governance. The EU has emphasised in its Internal Security Strategy (November 2010) and the European Guidelines and Principles for Internet Resilience document (March 2011) the importance of working in partnership with global partners to address the civilian and military aspects of cybersecurity challenges. The global interconnectedness of the Internet ecosystem means that threats can emanate from any source around the world, which in turn requires solutions and policies that are borderless. The vulnerability of the Internet, and the interdependence between networks, information systems and individuals, makes it impossible for any single actor to assess and respond to cyber threats and risks. Moreover, national responses alone cannot be effective given the integration between electronic, economic and political networks across the globe, and in order to achieve this there must be a step-change in the coordination of approaches not only downwards, but also upward and outward to institutions, networks and actors, technical and political, that have a role to play in constructing security resilience within the many different aspects of cybersecurity.

5. 4. National Cybersecurity Approaches in the European Union: The Case of the UK

   George Christou

   Abstract

   The European Union (EU) has accelerated the development of its cybersecurity strategy since February 2013, which has inevitably also brought under greater scrutiny the variation in cybersecurity resilience and preparedness across the EU member states. Just as with the EU context that will be analysed in the chapters that follow, national levels of preparedness across Europe are perhaps the most important dimension of the cybersecurity ecosystem that if not improved to at least meet minimum standards could impact negatively on the ambition of achieving an effective EU cybersecurity strategy. Indeed the EUCSS was constructed to facilitate the security of cyber resilience in EU member states, in the recognition that it was national governments that could primarily drive the process of improvement and transformation in the cybersecurity ecosystem within Europe.

6. 5. The European Union and Cybercrime

   George Christou

   Abstract

   The European Union (EU) approach to cybersecurity has five priority areas (Cybersecurity Strategy 2013), and essentially three central strands. The first relates to protecting against and combating cybercrime. The second focuses on Network and Information Security (NIS), Critical Infrastructure Protection (CIP) and Critical Information Infrastructure Protection (CIIP) and the third, less developed strand, on cyber defence. This chapter will focus on the former of these strands (Chapter 6 will focus on the latter two), although with the recognition that overlap does exist between them when analysing the security as resilience that underpins them within the EU institutional milieu. This is particularly important to be aware of in the context of the existing European Principles and Guidelines for Internet resilience and stability (2011) and the construction of a Cybersecurity Strategy for the European Union (EUCSS 2013). The EU institutional set up is still reflective of policy separation with DG Home leading on criminal law elements, DG Connect on network security and resilience, and cyber defence under the remit of the CSDP: the EU is, however, developing integrated working structures in order to facilitate a coherent approach to its cybersecurity strategy.

7. 6. Network and Information Security and Cyber Defence in the European Union

   George Christou

   Abstract

   This chapter will address the remaining central strands of the Cybersecurity Strategy of the European Union (EUCSS 2013), namely those of Network and Information Security (NIS) and cyber defence. These two areas of cybersecurity policy are driven by two different mandates, and therefore very different processes and actors, even though collaborative structures on cybersecurity have now been established within the EU institutional milieu. Moreover, they are at different stages of development, with the issue of NIS part of the EU agenda for over ten years, and cyber defence only appearing more explicitly as a specific cybersecurity priority in the EUCSS. There will, thus, be a certain asymmetry in the balance of the analysis that follows, but it will nevertheless focus on the evolution of the two strands in the context of building resilience and indeed defence prior to the publication of the EUCSS and offer an early assessment of how measures outlined in the strategy might move the EU towards effective security as resilience in the near future. As with cybercrime, it must be emphasised here that these two strands whilst being analytically separated in this chapter, are very much interlinked — cyber defence is a critical element in securing systems and infrastructures against cyber-attacks. However, these two dimensions are ‘governed’ by very different mandates and therefore dynamics, which have varied implications for the evolving, even though overlapping ecosystem for both.

8. 7. Transatlantic Cooperation in Cybersecurity: Converging on Security as Resilience?

   George Christou

   Abstract

   Cybersecurity is a global challenge (see Chapter 3) that requires international collaboration and partnership with key actors and organisations if it is to be addressed effectively. In this context, a European Union (EU) priority within its cybersecurity strategy is to establish a coherent international cyberspace policy and to promote and project EU core values for cyberspace. The EU’s cybersecurity strategy (EUCSS) states that its international cyberspace policy ‘will be aimed at increased engagement and stronger relations with key international partners and organisations, as well as with civil society and the private sector’ and that at ‘bilateral level, cooperation with the United States is particularly important and will be further developed’, notably in the context of the EU-US Working Group on Cyber-Security and Cyber-Crime (European Commission 2011; EU Cybersecurity Strategy 2013, p.15). Indeed the Working Group was established to ‘tackle new threats to the global networks upon which the security and the prosperity of our free society increasingly depend’ (Joint Statement of the EU-US Summit 2010).

9. 8. Conclusions: Towards Effective Security as Resilience in the European Union?

   George Christou

   Abstract

   A central aim of this book was to analyse and provide a deeper understanding of the EU’s evolving ecosystem for cybersecurity. Moreover, it sought to demonstrate how far the EU has travelled in constructing and embedding the conditions for an effective security as resilience to emerge in Europe, and beyond. Not only this, it has explored the relationship between modes of cybersecurity governance employed and types of resilience emerging, interrogating in particular the relationship and often tension between the hands-on approach and the hands-off and market based approaches to cybersecurity. In this context, the central pillars of the EU’s Cyber Security Strategy (EUCSS) were assessed within a national and global context in order to address the central questions posed at the outset:

   • How can we characterise and understand the EU’s evolving ecosystem of cybersecurity governance?
   • To what extent has the EU been able to construct a comprehensive and resilient approach to cybersecurity within the evolving ecosystem?
   • What is the nature of the resilient ecosystem emerging in the EU?

10. Backmatter