“Staying secure online is becoming as important as staying safe offline…It's not just computers and phones that are connected; but homes and hospitals; governments and electricity grids; the news we read and, soon, the cars we drive”.
These words were spoken by EU commissioner for security Julian King at the European Conference on Digital Single Market and Common Digital Security, which took place on September 15 of last year in Tallinn. His speech focused on the relationship between the creation of the EU Single Digital Market and cyber security. The Union is currently trying to strengthen this relationship, regarding it as one of the most important logical consequences of a single digital market among member states.
Mr. King then continued:
“Since 2016 more than 4,000 ransomware attacks have occurred every day, a 300% increase compared to 2015. Recent big attacks like WannaCry showed both how large the impact can be – and how far we have to go in improving our response. It affected over 230,000 systems in 150 countries and was a powerful reminder of just how significant the challenge facing us is…”.
Apparently, building a unified response to cyber threats is not only the next logical step in the framework of a single digital market. It is in fact a specific strategic need arising from concrete threats. Last year, the Commission issued a Cybersecurity Package including additional provisions and further guidelines on the interpretation of the 2016 NIS Directive (Directive on security of network and information systems). In doing so, it drew attention to the expiring temporary mandate of ENISA (EU’s Network and Information Systems Agency) and underlined the need for a permanent EU agency based on already existing instruments.
The ambitious project of an EU Cybersecurity Agency is envisaged by the Commission's road map for the coming years. It would be fundamental for a swift implementation of the first body of EU laws on cybersecurity (the already mentioned NIS Directive) and for its extension to the critical area of national public administration sectors.
Speed is going to be the central issue: the ability to react promptly both to targeted, strategically aimed raids and to massive attacks conducted on a large scale.
“…the threat continues to change both in its nature and in terms of the expanding threat surface”.
This reference to the fluid nature of cyberthreats reminds us, once again, that the usual barriers are no longer safe: fluid dangers do not know national borders.
This may sound like one of the typical catchphrases used by EU enthusiasts to shift attention to sovereignty issues. However, in this case, its meaning is much deeper, and more worrying. The last part of the quotation talks about an expanding threat surface. The meaning is quite straightforward: we now have a potentially borderless area to defend from attacks that have a large and, most importantly, quasi-instantaneous impact. The implication for EU institutions is that coordination will have to be maximised on all available levels. From data sharing to cooperation between CSIRTs (Computer Security Incident Response Teams) located in different countries, the European response to cyberthreats cannot be acceptably rapid without being extremely coordinated, given the number of States involved and the many existing types of cyberthreat. Being fluid, as said before, and subject to no barrier, cyberattacks and cybercrimes can potentially cause damage in any sector. The possibility to steal sensitive data, to seriously interfere with the results of an election or with the mechanisms of the stock market, to hide flows of money, to employ viruses in large-scale attacks, to traffic weapons or to fund organisations, has tremendously widened the range of vulnerable sectors. Nothing is out of reach.
“The final element of our proposals to strengthen resilience is to up our game in responding to cyber incidents. As recent attacks have shown, there are many different actors that need to be involved; and they need to work together, swiftly and efficiently. We have set out a Blueprint so we have a well-rehearsed playbook for how to respond to a severe cross-border incident or crisis”.
Military, diplomacy, justice administration, bureaucracy, private enterprise, political institutions, financial markets, media and much more. If they are to construct a credible, coordinated response strategy to transnational challenges such as cybersecurity, European and national actors will have to stretch their institutional flexibility to its current maximum. Furthermore, they will have to cooperate in order to build disincentives for cybercriminals through law enforcement and tracing, common databases, shared expertise and public-private agreements.
“There are also challenges to access digital evidence. We want to tackle barriers to prosecution, including by facilitating access to electronic evidence. Digital services and data flows are cross-border in nature, but the work of investigators and prosecutors is still too often set within national frameworks…And finally, we need to boost the current international processes to agree on the norms of state behaviour, the applicability of international law and confidence building measures in cyberspace”.
In order to respond to malicious cyber activities against the EU, the Foreign Affairs Council adopted "the cyber diplomacy toolbox" framework. In addition, the Warsaw Joint Declaration signed with NATO envisages collaboration in possible scenarios of hybrid attack. These are concrete signals of the direction the Union is currently taking in the field of defence.
Consistent with this, there is another aspect of cybersecurity that is even more closely tied to the development of a Single Market and that belongs directly to the set of measures taken against digital exclusion: the issue of individual awareness and digital literacy. To this end, the Commission has planned to enhance a new framework of European ICT certifications with a specific focus on cybersecurity.
“Laws are one thing; culture is another. Some 95% of successful attacks are enabled by some type of human error. So, cyber security begins at home; with simple cyber hygiene practices like safe passwords, checking attachments and backing up. Not rocket science, but it can make a real difference”.
King clarified what the effect could be of a general rise in the average level of competence among ordinary users of web services. Still, the adoption of standard, simple cyber hygiene practices by large groups of infrequent users as well would be a necessary step.
“Europe faces a "cyber security skills gap", a shortfall currently estimated to sum to 350,000 people by 2022. Addressing this skills gap is central to effective resilience. So cyber must be mainstreamed and prioritised into education and training curricula”.
Providing EU citizens with the right skills does not only consist of spreading forms of technical knowledge and online best practices. It means transforming passive users into critical users or at least into responsible ones.
“Of course, attacks can also have a political rather than a criminal motive. They may seek to spread propaganda; even undermine democratic processes. Awareness-raising about online disinformation campaigns and fake news can help”.
Given the risk of exposure to fake news, various types of propaganda and theft of information, the main concern is to make sure that at least the great majority of citizen-users develops forms of critical judgment towards the World Wide Web. In an information-based society, leaving a responsible approach to the media out of a modern definition of citizenship is a risk simply too big to run.
Ultimately, the policies currently adopted at the European level display an ever-growing interest in harmonising the markets of security and defence. PESCO, the Single Digital Market and the directives on cybersecurity are all different initiatives which derive from a central doctrine of coordination. Moreover, they are based on very similar diplomatic, economic and geopolitical needs. Probably, on the same fears.
Coping with more and more cross-national threats such as those touched on above might not, at least for now, trigger inverse spillover mechanisms towards greater integration.
Still, what is certain is that cybersecurity issues are going to test EU responsiveness.