Cybersecurity Strategy of the European Union – the proposal

Last week the European Commission and Catherine Ashton, the High Representative of the European Union for Foreign Affairs and Security Policy, submitted to the Council and the European Parliament a draft of the “Cybersecurity Strategy of the European Union”.

The document is the first of its kind from these institutions, even though the authorities have for several years emphasized the need to raise the level of security of the EU member states in cyberspace.

One of the most interesting documents prepared in the past was the “Action Plan and a Communication on Critical Information Infrastructure protection (CIIP)” with which the EU aims to strengthen the security and resilience of vital Information and Communication Technology (ICT) infrastructures.

The document proposed to the European Parliament formalizes a cyber strategy to protect information and communications technology across the countries of the EU, helping to ensure, in collaboration with other national and international authorities, a cyberspace that is “open, safe and secure”.

“All these factors explain why governments across the world have started to develop cybersecurity strategies and to consider cyberspace as an increasingly important international issue. The time has come for the EU to step up its actions in this area. This proposal for a Cybersecurity strategy of the European Union, put forward by the Commission and the High Representative of the Union for Foreign Affairs and Security Policy (High Representative), outlines the EU’s vision in this domain, clarifies roles and responsibilities and sets out the actions required based on strong and effective protection and promotion of citizens’ rights to make the EU’s online environment the safest in the world.”

The report opens with the strategic importance of information and communications technology for every country and confirms the growing number of cyber threats posed by various actors.

“Information and communications technology has become the backbone of our economic growth and is a critical resource which all economic sectors rely on. It now underpins the complex systems which keep our economies running in key sectors such as finance, health, energy and transport; while many business models are built on the uninterrupted availability of the Internet and the smooth functioning of information systems.”

“Cybersecurity incidents, be it intentional or accidental, are increasing at an alarming pace and could disrupt the supply of essential services we take for granted such as water, healthcare, electricity or mobile services. Threats can have different origins including criminal, politically motivated, terrorist or state-sponsored attacks as well as natural disasters and unintentional mistakes.”

Although we discuss daily the commitment of governments worldwide in cyberspace and the numerous state-sponsored attacks, the document focuses mainly on cybercrime and its social impact.

The approach is oriented toward cyber threats and their effects, and it pays little attention to the source of the threat (e.g. cyber warfare, hacktivism, cyber terrorism).

The document is logically organized in the following sections:

  1. Principles for cybersecurity
  2. Strategic priorities and actions
  3. Roles and responsibilities

Of course, the primary goal of the cyber strategy is to achieve an adequate level of cyber-resilience while protecting fundamental rights, freedom of expression, personal data and privacy.

“Cybersecurity can only be sound and effective if it is based on fundamental rights and freedoms as enshrined in the Charter of Fundamental Rights of the European Union and EU core values”

Cybercrime is considered a primary threat: the more we live in a digital world, the more opportunities cyber criminals have to exploit, and it is fundamental to reduce its impact rapidly. Cybercrime is considered the most aggressive form of crime, with the fastest-growing trend.

“Cybercriminals and cybercrime networks are becoming increasingly sophisticated and we need to have the right operational tools and capabilities to tackle them. Cybercrimes are high-profit and low-risk, and criminals often exploit the anonymity of website domains. Cybercrime knows no borders – the global reach of the Internet means that law enforcement must adopt a coordinated and collaborative cross-border approach to respond to this growing threat.”

The principal actions to reduce cybercrime are:

  • definition of strong and effective legislation
  • enhanced operational capability to combat cybercrime
  • improved coordination at EU level

EU countries have to work together to develop cyberdefence policy and capabilities related to the framework of the Common Security and Defence Policy (CSDP) to increase the resilience of the communication and information systems supporting Member States’ defence and national security interests.

“Cyberdefence capability development should concentrate on detection, response and recovery from sophisticated cyber threats.” 

The document promotes the development of industrial and technological resources for cybersecurity in member countries by promoting a Single Market for cybersecurity products and fostering R&D investment and innovation. The last aspect described in the draft is the establishment of an international cyberspace policy for the European Union.

“The Commission, the High Representative and the Member States should articulate a coherent EU international cyberspace policy, which will be aimed at increased engagement and stronger relations with key international partners and organisations, as well as with civil society and private sector”

The cyber strategy analyzes the roles and responsibilities assigned to each actor in this ambitious project. Every state in the EU must be actively involved in the fight against cyber threats on its territory to ensure a rapid response.

Each Member State is responsible for writing its own policy paper on national cybersecurity, and the document highlights the need for mutual support, including the solidarity clause.

“A particularly serious cyber incident or attack could constitute sufficient ground for a Member State to invoke the EU Solidarity Clause (Article 222 of the Treaty on the Functioning of the European Union). If the incident seems to have compromised personal data, the national Data Protection Authorities or the national regulatory authority pursuant to Directive 2002/58/EC should be involved. Finally, the handling of cyber incidents and attacks will benefit from contact networks and support from international partners. This may include technical mitigation, criminal investigation, or activation of crisis management response mechanisms.”

The time to act is now!

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
