by Nick Watts, Vice-President EuroDefense UK, London
With the advent of a globalised and digitised world, the cyber threat has become all-pervasive. Unlike any other vector of warfare or terrorism, the cyber threat can reach into the lives of every citizen, and every business. To ensure that European civil society, as well as national security structures, remains safe, a high level of co-operation is required. To do this, Europe can make use of its own cyber security standards, to help protect its citizens.
The IT realm is protected by civil and criminal law. The EU has competences in these areas – so regulations and directives can provide a necessary underpinning to safeguard the essential elements of a civic society. This includes Intellectual Property – which is highly prized by hostile states; the regulation of finance – which can be subverted by the use of ‘dirty’ money to finance criminal activity and arms trafficking; and data security – which can protect citizens from having their data stolen and misused to infiltrate sensitive web-sites.
As the EU develops competencies in the areas of defence and security, a strong ‘home base’ is essential to ensure that society can flourish, and to ensure that national defence and law enforcement structures are not compromised. Digital dependency has become all-pervasive. There is an opportunity for the EU – alongside international partners – to use its regulatory framework to require traders from third party countries to comply with its cyber security standards. Both sides benefit. The EU protects itself, and the trading partner gains the highest level of cybersecurity. To avoid claims of protectionism, the EU can offer to export its knowledge and best practice – a cyber version of the single market.
Introducing the cyber domain
In the modern era, the war of 1914-1918 was the first occasion where ‘signals’ intelligence played a significant role, from intercepting communications on the battlefield, to reading diplomatic cables. During the war of 1939-1945, the full panoply of electronic warfare was put to use; as well as ‘signals’ intelligence, code breaking, radar and jamming were widely employed by all sides. And as technology evolved during the Cold War, so did the realm of electronic warfare. The ‘Fifth Domain’ – Cyber – emerged in 2010, from a fusion of electronic warfare and the widespread use of IT in the defence field.
The recognition of an IT risk led many governments to rapidly produce cybersecurity policies to protect their most essential defence and security systems. Only then did governments and security agencies realise that the cyber risk affected every element of modern society, with back doors into many sensitive areas unlocked. Notoriously, the revelations by Edward Snowden in 2013, that the US National Security Agency (NSA) and other agencies were intercepting the e-mails and telephone calls of foreign heads of state, made the wider public, and policy makers, aware of the cyber risk. The Snowden revelations sparked a debate on the balance between security and the freedom of the individual in a civic society.
Europe’s response to growing cyber threats
The challenge for policy makers in the national security space, as well as in the commercial world, is to ensure that the standards they mandate are relevant. The process of law making in a democracy can be slow. The same applies to the military, where doctrines and tactics have to be revised and are now encompassed by the doctrine of ‘fusion’. The “fusion doctrine” is where all sensors and systems can be linked together to produce information in real time.
The EU has increased its activities in the cyber domain, beginning in 2013 with a Cybersecurity Strategy. The Tallinn Digital Summit in September 2017 called on the EU to become a global leader in cyber security by 2025. On 12 March 2019 the European Parliament adopted the European Cybersecurity Act. This establishes an EU-wide cybersecurity certification framework. It also gives a permanent basis to the EU Agency for Network and Information Security (ENISA). Previous legislative steps include the Network and Information Security (NIS) Directive, adopted in 2016, and the General Data Protection Regulation (GDPR), adopted across the EU by May 2018.
More recently, the Strategic Compass, published by the European Commission on 21 March 2022, refers to the cyber threat as part of the changing threat landscape and sets out several measures. Finally, on 16 January 2023 three cybersecurity-related legislative acts came into force: the NIS2 Directive, the Resilience of Critical Entities (RCE) Directive, and the Digital Operational Resilience for the Financial Sector (DORA) Regulation.
Developments following the invasion of Ukraine
It is too early to speak definitively of ‘lessons learned’, but some emerging themes are shaping the policy responses by national governments, security agencies and international organisations such as NATO and the EU. On 10 January 2023, a joint NATO-EU communique noted: “We have reached tangible results in countering hybrid and cyber threats, operational cooperation including maritime issues, military mobility, defence capabilities, defence industry and research, exercises, counter-terrorism, and capacity-building of partners.” The significance of this is a recognition that cyber security is a shared responsibility and a vital necessity. Russia’s use of its cyber capability during this campaign has been less devastating than many commentators expected. However, Ukraine and the IT community began to understand the nature of these attacks. They were based on commercially available software, so they were dealt with.
There are multiple open source reports about assistance given to the Ukrainian government. Some of this assistance came from US Cyber Command, and some was provided by IT companies, following a 2015 attack on the power grid of Kyiv. These efforts were increased in autumn 2021 when the threat from Russia was assessed as having amplified. Of particular concern was the IT system for Ukrainian railways. This system has proven to be very resilient. After hostilities began, Russian cyber-attacks were mounted on border police, as well as national police computers. These attacks were dealt with via the use of hardware provided by Fortinet. Attempts at malware attacks were identified and reverse engineered by Microsoft engineers. The company reports that within three hours a software update was issued.
Best practice in the cyber domain
Modern societies are increasingly adopting digital methods of working in the commercial, governmental and national security fields. Governments are reliant on commercial IT vendors for much of their technical know-how. A modern society, therefore, needs to adopt a “fusion doctrine” that embraces all aspects of its commercial and governmental sectors. The EU has an opportunity to export cybersecurity to its allies and partners, via its regulatory framework. Just as commercial companies wishing to trade in the Single Market must adopt EU standards, so there is an opportunity to reinforce the benefits of best practice in the cyber domain. For example, in cyber the UK has expertise second to none in Europe. Therefore it is important that, for its own defence and security, the EU enables UK input to its standards and the UK is not disadvantaged – from either a commercial or a security point of view – by being excluded.
The EU has developed a technical capability to come to the aid of Member States that suffer from cyber-attacks, via Cyber Emergency Response Teams (CERTs). In the same way, the EU can provide Information Assurance (IA) assistance, as well as CERT know-how to those who choose to do so.