The New EU Cybersecurity Defense Strategy
On the 9th of December, the European Medicines Agency released a statement: it had been hacked. This made the news since the agency is currently enjoying a higher level of public interest as Europe is impatiently awaiting the results of the certification of the COVID-19 vaccine. But as quickly as the reports on the stolen certification process arose, they disappeared, and with them the demands for an appropriate response.
In recent years, this has become a recurring pattern that is happening more and more often. The public outcry is often very limited. Perhaps this is because digital information is quite an abstract concept to us. Maybe it is because when digital goods are ‘stolen’, they are just copied but not gone. A prime example of the opposite reaction is the Dresden Green Vault burglary that happened in Germany in late 2019, where royal jewellery was stolen. While it is true that an item of tremendous value was lost, this story has been very present in the media, and to this day updates on the investigations are being presented on the front pages of our media outlets. By comparison, the many cyber-attacks on infrastructure, companies, or political institutions, which appear to happen almost weekly, seem to enjoy a significantly lower level of public interest.
This is a mistake. And quite an expensive one. While it is hard to get good estimates of the commercial damages, it is enough to look at an in-depth study on German firms to get a better idea of the scale. According to the non-profit organization bitkom, which is cooperating closely with the German Ministry for the Protection of the Constitution, the aggregated damage from cyber-attacks in 2018 and 2019 cost German firms more than 200 billion Euros. In a representative survey, 75% of firms in 2019 reported that they had been the victim of data theft, industrial espionage, or sabotage – up from 53% in 2017. While no studies on a European level have been conducted, many other studies paint a similar picture: the number of attacks is high – and increasing.
And these numbers are likely to underestimate the real figure: firms often do not report cyber-attacks, for fear of damage to their reputation. Furthermore, cyber-attacks that aim at stealing intellectual property are often not discovered, and as firms are unable to respond to attacks which they have not noticed, these security breaches can cause tremendous damage over longer periods of time.
But besides firms, governmental institutions are often targets as well. In addition to the aforementioned cyber-attack on the European Medicines Agency, there are countless other examples of similar events. This week, the ‘SolarWinds hack’ was discovered, affecting several international technology and telecom companies, as well as the US government. Multiple agencies were compromised, including the US Treasury, Commerce, Homeland Security and the Energy Department, which is responsible for managing the nation's nuclear weapon stockpile. In addition, attacks were made on the German parliament in 2014 and 2016, on the organizers of the G20 summit in 2011, where countless documents were stolen, and on a US and a German hospital in 2020, resulting in the first suspected death from a cyberattack. And this is just a small excerpt, with many more incidents potentially being undiscovered or unreported.
The European answer
It is clear that there is ongoing international cyber warfare between individual criminals, companies and states. While some states of the EU have founded cybersecurity defense forces, and are also working on their offensive capabilities, many experts have been calling out the lack of cooperation and big-picture strategic vision. This should change now, as the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy have presented their response to this ongoing threat with the EU Cybersecurity Strategy.
The overarching goal of this strategy is to complement other strategic projects such as Shaping Europe's Digital Future, the Recovery Plan for Europe and the EU Security Union Strategy. For all of them, a safe cyberspace is essential. As such, the new strategy will aim to increase Member States’ collective resilience against cyber threats. There are three main categories of measures to be implemented:
1. Resilience, technological sovereignty and leadership
One of the main proposals is the launch of a so-called network of Security Operations Centers distributed across the EU. The aim is to utilize artificial intelligence to create a ‘cyber-security shield’, which detects attacks and allows for early preventative actions. Small and medium-sized businesses (‘SMEs’) should also be offered dedicated support as part of the Digital Innovation Hubs, which are clusters supporting digitization processes. These changes aim to address two current weaknesses: delayed detection, and smaller companies that are often under-prepared for such high-level threats. Furthermore, a directive on higher levels of cybersecurity standards for network and information systems with a high relevance to the public has been issued. The aim is to ensure that critical infrastructure such as hospitals, energy grids and railways, but also data centers and public administrations, is impermeable to current and future threats.
2. Building operational capacity to prevent, deter and respond
The creation of a new Joint Cyber Unit is planned. The aim is to increase cooperation between all relevant forces of EU bodies and Member States, from civilians through law enforcement to cyber defense communities. In addition, measures to strengthen the diplomatic toolbox have been proposed, to better prevent and respond to cross-border cyber-attacks, especially with regard to attacks on critical infrastructure.
3. Advancing a global and open cyberspace through increased cooperation
The goal is to start and improve the dialogue about cybersecurity with different countries and international organizations, with the aim of strengthening the rule-based global order, international security and human rights. The EU plans to achieve this by building a Cyber Diplomacy Network that promotes the EU’s core values. Moreover, diplomatic capabilities are to be expanded, making it possible to pursue cyber capacity-building efforts for third countries by developing an EU External Cyber Capacity Building Agenda.
With the wide range of cybersecurity threats for companies, societies and nations, it is important that the EU comes up with an adequate response. This strategic vision is a holistic approach to this risk, one that has the potential to produce convincing results and to shape international norms and standards as well. The project’s funding of 2 billion Euros over the next seven years indicates that the EU has recognized this threat, and will hopefully be sufficient to produce convincing results. It will be crucial to see how the strategy develops; more specifically, how the individual measures will be implemented.
Cover picture from Pexels.