This week, the European Commission is expected to share its newly revised European Cybersecurity Strategy – nearly five years after the first edition was released. Five years is a long time in the digital world. As technology has matured to offer even greater opportunities for human progress and social transformation, the challenges of maintaining an ‘open, safe and secure cyberspace’ have evolved too.
In this time we have witnessed a significant increase in cybercrime and cyberattacks worldwide. The economic impact of such activity is estimated to reach into the trillions of dollars. Against this backdrop, the revision of the EU Cybersecurity Strategy is therefore a necessary and welcome update. But for it to be effective, it will need to adhere to four core principles: protect, respond, collaborate, and deter. Protect connects back to the cybersecurity baselines laid down in the EU’s Network and Information Security (NIS) Directive, which was adopted last year with a view to boosting the EU’s overall level of cybersecurity. As the first piece of EU-wide legislation on cybersecurity, the Directive is a vital step forward. But it also presents challenges.
The fact that it only requires minimum harmonization means that implementation could differ significantly across Member States. Yet in a borderless digital world, harmonization is essential to make any meaningful impact. The revised EU Cybersecurity Strategy should therefore encourage Member States to adopt a more unified approach to cyber risk management. One idea we have proposed is to explore a European version of the NIST Cybersecurity Framework, which provides a set of guidelines based on internationally-recognised standards for the protection of critical infrastructure.
Respond relates to the need for a comprehensive framework for managing vulnerabilities: unpatched software flaws, glitches or weaknesses that can cause significant damage. There is a growing market for the purchase of vulnerabilities and unfortunately, governments play an increasingly large role in acquiring and hoarding these. For instance, the exploits used in the recent WannaCry attacks – which affected hospitals, businesses, and government agencies – were allegedly stolen from a U.S. intelligence agency. This incident vividly illustrated why the stockpiling of vulnerabilities by governments is such a problem.
To reduce (and ideally prevent) exploits being used in such attacks, we have called for more effective vulnerability disclosure policies by which governments would report vulnerabilities they discover directly to vendors – akin to the Vulnerability Equities Process (VEP) in the U.S. While the VEP is certainly not a perfect model, EU Member States have some catching-up to do when it comes to increasing transparency and accountability around how governments acquire, stockpile, and report vulnerabilities to vendors so they can be patched rather than stockpiled, sold, or exploited. In our view, the revised EU Cybersecurity Strategy presents an important opportunity to, at the very least, provide high-level guidance on this issue.
The Cybersecurity Strategy should also include guidance for Member States on how to develop a Coordinated Vulnerability Disclosure (CVD) approach within their national legislation. The Dutch Government prioritized this issue during their 2016 Presidency of the Council of the EU but not much, it seems, has happened across the Member States since. More recently, the Center for European Policy Studies (CEPS) announced that a new Task Force was being established to help tackle these issues – we look forward to the group’s recommendations.
The third principle, collaborate, relates to the fact that effective cyber policy must include frameworks for collaboration, both across EU Member States and with third countries. Improved intra-EU cooperation should be facilitated by implementation of the NIS Directive. This foresees a political cooperation group to be chaired by the Commission, as well as improved operational cooperation through a network of EU Computer Emergency Response Teams (CERTs), facilitated by ENISA.
Externally, the EU has, through the External Action Service, steadily expanded a series of “Cyber Dialogues” with a range of countries, including China and the U.S. Yet an increasing number of nation states are now engaging in cyberattacks against other states, businesses, and citizens. This rise in cyber-conflict has far more serious ramifications than pure financial loss, including the danger of advanced nation-state cyber tools falling into the hands of hostile actors far less receptive to traditional concepts of deterrence. A lot more therefore needs to be done, in particular on advancing norms of acceptable nation state behaviour in cyberspace.
One way to advance the discussion would be to re-examine what may be possible in terms of binding international agreements in the cyber realm – including at the global level. This is one reason why, earlier this year, we called for a new “Digital Geneva Convention” to protect civilians online. Unfortunately, the UN process (the “UN Group of Governmental Experts”), which had traditionally been the main forum for such discussions, recently collapsed without tangible results. EU nations may not possess the world’s most advanced cyber offensive capabilities, but the EU still views itself as a “norms superpower.” In order to avoid a dangerous power vacuum, where nation states with advanced cyber capabilities will simply dictate the rules of the game to less advanced countries, the EU needs to step up and take a lead on this issue. We expect the new Cybersecurity Strategy will have something to say about this vital debate.
The fourth principle, deter, rests on improving cyber attribution. With cyberspace becoming a new battleground for nation state warfare, where countries are focused on their own national security agendas, it is vital to protect citizens in Europe and beyond. As a model, we’ve proposed creating an independent attribution organization made up of technical experts from the private sector, academia and civil society, whose role would be to investigate and publicly share the evidence that attributes nation-state attacks to specific countries. Without effective attribution, we cannot hold those who violate the rules to account, nor can we deter them from continuing their activities.
In June, the Council of the European Union launched a “Cyber Diplomatic Toolbox”: a framework for joint responses to cyber activities which aims to work as a deterrent and increase the cost of coercive cyber operations. The European Cybersecurity Strategy should build on this by creating a framework for improving attribution, developing collective response options, and improving coordination mechanisms with third countries, particularly when it comes to building capacity to deal with cyber incidents.
Protect, respond, collaborate, and deter are four principles that can ensure the revised EU Cybersecurity Strategy will effectively address the challenges we face not only today, but also tomorrow. With the increased integration of cloud-based technologies, the internet of things and artificial intelligence into our everyday lives, such issues will become of paramount importance to each of us. This is an opportunity for the EU to cement its leadership on cybersecurity and set an example to the world – let’s make the most of it.