Written by Zsolt G. Pataki with Victoria M. Joseph


Cybersecurity is an oft-used term today, and many seem familiar with its meaning. However, it is unclear where the responsibility for policy-making on cybersecurity and cyberdefence actually lies. While national security is sometimes accountable, the cyber domain does not confine itself to operating within traditional national borders, limiting the impact of legislation at national level.

With the cyberattacks that infiltrated many private and public networks across the world in May 2017, including the national healthcare system in the United Kingdom, it became clearer than ever that international cooperation against cyberthreats is the best solution. The 2007 cyberattack on the Estonian public and private infrastructure established new dimensions in the use of IT assets and networks. The event triggered a series of discussions, decisions, agreements and actions, both at the EU and international levels, on the use of IT. In February 2013, the European Union published its cybersecurity strategy, to protect the EU’s core values in the digital, as well as the physical, world. The EU also laid out five strategic priorities to address cyberthreats, including the development of a cyberdefence policy and capabilities relating to the Common Security and Defence Policy (CSDP).

At the request of the European Parliament’s SEDE Subcommittee, STOA launched a project in 2016 to identify cyber risks, as well as challenges and opportunities for cyberdefence in the context of the CSDP. The study was carried out by the European Union Agency for Network and Information Security (ENISA) and revolves around three thematic areas, namely: policies; capacity building; and the integration of cyber in CSDP missions, with the latter being the main focus of the study. The study also provides key policy options for the future.

The authors of the study take into consideration the possible necessity for wider cooperation on cybersecurity issues, extending beyond the CSDP. This is because cybersecurity goes beyond technical capabilities and infrastructures. It involves human beings, social behaviours, the rule of law, and a harmonised vision from all cyberstakeholders at both EU and Member State levels. Building trust among the stakeholders is one of the top priorities.

The study identifies five key policy options for consideration on this issue:

  1. Maintain coherent cyberpolicies and strategies at the EU level: All EU-level cyberstakeholders (bodies, institutions, agencies) should coordinate and plan current and future capacity-building by taking CSDP considerations into account. Coherence is a major challenge for EU policies on cybersecurity.
  2. Promote cyberculture: An overwhelming percentage of successful cyberattacks are due to the human factor, rather than technical issues. Promoting a responsible cyberculture should receive a higher priority in Europe’s efforts to achieve a safer cyberspace, including the CSDP. Another key element concerning the maturity of cybersecurity is trust. The authors propose that as many trust-building activities between stakeholders as possible are fostered, from events, workshops and exercises to partnerships and common projects.
  3. Develop cyberskills: As cyberthreat sophistication evolves, cyberdefences need to be adopted and updated continuously, which requires personnel with up-to-date skills to handle increasingly sophisticated cyberchallenges. The development of cyberskills should be a continuous process integrated with operational training.
  4. Enhance legal and regulatory frameworks: The legal aspect of cybersecurity is lagging behind in areas of international cooperation between states, and between states and the private sector.
  5. Develop standards, organisations and capabilities: Build common standards (especially on ICT) and clear organisational structures spanning all levels of the CSDP, and support the development of cybercapabilities within the EU and its Member States. The authors propose that a new cybertaxonomy could be adopted across the EU.

Within the study, each of these five options is further broken down into specific policy options for the political/strategic, operational and tactical/technical layers. Further to these options, the study identifies some additional factors that should be considered, especially for the protection of military and civilian missions, personnel and infrastructure. These include the recommendation to tighten cyberdefence organisation; ICT standardisation; closer cooperation with the private sector within the CSDP context; and building greater alliances with international partners to help coordinate efforts for a safer cyberspace.

The study was widely discussed by experts and MEPs after a presentation to the SEDE Subcommittee meeting on 22 March 2017, and to the STOA Panel on 6 April 2017.
