(by Caitríona Heinl, EXEDEC)
The first EU-Singapore Security Think Tank Dialogue was held in Singapore at the end of January at the initiative of the EU Delegation to Singapore in order to promote greater EU-Singapore political and security cooperation. Three policy areas were chosen for discussion, namely maritime security, cybersecurity, and counter-terrorism. While cyber-related questions also cut across maritime security and counter-terrorism issues, the underlying goal of the cybersecurity panel was to identify ways to deepen the EU-Singapore relationship in the field of cybersecurity, pointing out areas where the two sides could mutually learn from each other and cooperate more. For my part, I was originally asked to (1) provide a general overview of the European Union’s current strategies, policies and concepts on cyber; (2) outline EU cooperative efforts, in other words the EU’s global cyber engagement framework; and (3) discuss possible avenues for cyber cooperation between the EU and Singapore. This blog post provides a very general overview of the European Union’s thinking on cybersecurity, while a later post will offer some initial thoughts on specific channels for cooperation between the EU and Singapore.
EU perspectives in this field have matured rather significantly over the past ten years, and there is now a plethora of EU strategy/policy documents and legislative initiatives (Box one below offers an outline of at least 17 of the EU’s most significant cyber policies). This material, while not exhaustive or deeply analytical, outlines EU priorities, objectives and concepts in simple terms as a starting point for those third countries which might be seeking to identify common interests to engage more concretely with the EU.
A non-exhaustive list of several EU cyber-related policies, legislative initiatives and documents is provided below in chronological order:
- Council Framework Decision 2005/222/JHA on attacks against information systems, 24 February 2005 (now replaced)
- 2008 Report on the Implementation of the 2003 European Security Strategy, which first mentioned cyber as a potential challenge with an external dimension (most likely because of the incidents in Estonia (2007) and Georgia (2008)).
- Communication from the Commission to the European Parliament and the Council, The EU Internal Security Strategy in Action: Five steps towards a more secure Europe, 22 November 2010
- Identifies cybersecurity as one of five strategic objectives for the period 2010 to 2014.
- Joint Communication of the European Commission and the High Representative of the European Union for Foreign Affairs and Security Policy to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, 7 February 2013
- Five strategic priorities include (1) Building cyber resilience; (2) Drastically reducing cybercrime; (3) Developing cyber defence policy and capabilities; (4) Developing the industrial and technological resources for cybersecurity; and (5) Establishing a coherent international cyberspace policy for the EU and promoting core EU values.
- Directive 2013/40/EU of the European Parliament and of the Council on attacks against information systems and replacing Council Framework Decision 2005/222/JHA, 12 August 2013
- Establishes minimum rules on the definition of criminal offences and provides operational measures for cooperation among authorities.
- Helps to facilitate cross-border cooperation and harmonisation of measures across EU Member States.
- Council of the European Union, EU Cyber Defence Policy Framework, 18 November 2014
- Five priorities include (1) Supporting the development of EU Member States’ cyber defence capabilities related to CSDP; (2) Enhancing the protection of CSDP communication networks used by EU entities; (3) Promoting civil-military cooperation and synergies with wider EU cyber policies, relevant EU institutions and agencies and with the private sector; (4) Improving training, education and exercises opportunities; and (5) Enhancing cooperation with relevant international partners.
- Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, The European Agenda on Security, 28 April 2015
- Prioritises terrorism, organised crime and cybercrime as interlinked areas with a strong cross-border dimension where EU action can make a difference.
- Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, “A Digital Single Market Strategy for Europe”, 6 May 2015.
- Council of the European Union, “Council Conclusions on Cyber Diplomacy”, 11 February 2015.
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, “General Data Protection Regulation”, 27 April 2016
- Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, “Strengthening Europe’s Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry”, 5 July 2016.
- Directive 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (“NIS Directive”), 6 July 2016
- EU Member States were due to transpose the Directive into national law by 9 May 2018 and identify operators of essential services by 9 November 2018. The Directive provides legal measures to boost the overall level of cybersecurity in the EU.
- Joint Communication to the European Parliament and the Council, Joint Framework on countering hybrid threats: a European Union response, 6 April 2016
- Recognises that the range of measures applied as part of a hybrid campaign may be very wide, including cyber attacks on critical information systems.
- Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC, “Regulation on Privacy and Electronic Communications”, 10 January 2017
- Council of the European Union, “Draft Council Conclusions on a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (“Cyber Diplomacy Toolbox”) – Adoption”, 7 June 2017.
- Cybersecurity package “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU”, 2017
- Builds on the review of the 2013 EU Cybersecurity Strategy
- Includes the Joint Communication to the European Parliament and the Council, “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU”, 13 September 2017
- EU Framework for screening foreign direct investment, European Commission 2017 proposal agreed in November 2018
- On the grounds of security and public order.
- By the end of 2018, the Commission was due to carry out an analysis of FDI flows into the EU, focusing on strategic sectors and assets such as key technologies, critical infrastructure and sensitive data. This is particularly the case when the investor is owned or controlled by a third country or benefits from significant state subsidies.
The EU’s revised Cybersecurity Strategy, which was released in 2017 with a package of policies, reflects some of the Union’s most recent perspectives and ongoing objectives for stronger cybersecurity. While the EU’s previous cyber strategy of 2013 emphasised the need to achieve cyber resilience, the changing geopolitical and cyber threat landscape warrants more concrete resilience and deterrent activities. The new strategy recognises that the evolving threat landscape means that cyber incidents are diversifying in terms of the actors involved and their motivations; it explains that these activities and actors are both clearly criminal and political in nature. Since the 2013 strategy was first released, more recent malicious cyber activities not only threaten economies and EU plans for the Digital Single Market, but also the functioning of democracies, freedoms, values and core EU principles. The new strategy consequently considers cyber operations targeted against critical infrastructure, but also disinformation campaigns and fake news. Furthermore, there are worries that strategic threats are increasing exponentially; other notable risks include the rising number of IoT devices with insufficient cybersecurity embedded in their design.
A new willingness, and recognition of the need, to shift from a reactive to a proactive posture with a focus on all actors (namely the EU itself, Member States, industry and individuals) to bring about a better EU response to attacks is particularly noteworthy. Although EU Member States remain responsible for national security, the 2017 strategy document argues that the scale and cross-border nature of the threat means that the EU should take action by providing incentives and support for its Member States to develop and maintain more and better national cybersecurity capabilities (whilst continuing to build EU level capacity).
Building such EU level capacity and creating a proactive culture is no easy task given the number of EU stakeholders in this field. Bringing different cyber policy areas under a single strategic document, for instance, continues to mean working together with different EU stakeholders holding responsibility for cyber. These stakeholders can include the following EU actors:
- The European Commission;
- The European Defence Agency (EDA), which works with EU Member States on cyber defence capability development;
- Europol’s European Cybercrime Centre (EC3), among other cybercrime/law enforcement agencies and groups;
- The European Centre of Excellence for Countering Hybrid Threats, and EU Hybrid Fusion Cell as part of the EU Intelligence and Situation Centre;
- The European Security and Defence College, which launched the Cyber Education, Training, Evaluation and Exercise (Cyber ETEE) platform in November 2018 to provide training to civilian, police and military staff;
- The European Agency for Network and Information Security (ENISA), which focuses on EU Member State cyber resilience by providing guidance and capacity building;
- CERT-EU, which is responsible for incidents within the EU institutions;
- The Security policy directorate within the European External Action Service (EEAS); and
- The European Union Institute for Security Studies (EU ISS).
In order to address these contemporary cyber challenges and looming risks, the EU’s recommended activities and principles fall under three strategic priorities within the 2017 strategy. First, the EU aims to achieve better resilience and response to cyber attacks as well as strategic autonomy. Second, it will create effective EU cyber deterrence by taking more actions, and third, it will work to strengthen international cooperation on cybersecurity.
It is particularly pertinent that third countries understand the importance to the EU of its core principles, which apply to activities both within the Union and in its international cooperative efforts. The 2013 strategy specifies, for instance, that (1) the EU’s core values apply as much in the digital as in the physical world; (2) fundamental rights, freedom of expression, personal data and privacy must be protected; (3) access should be for all; (4) Internet governance should be democratic, efficient and multi-stakeholder (in other words, all stakeholders should be involved in governance of the Internet); and (5) ensuring security is a shared responsibility.
In addition, the EU considers that the framework for international cooperation provided by the Council of Europe Budapest Convention on Cybercrime offers an optimal legal standard for different national legislation addressing cybercrime. The EU position is that rather than creating new international legal instruments for cybercrime issues, it is calling for all countries to design appropriate national legislation and pursue cooperation within this existing international framework. The 2017 Cyber Strategy further denotes the EU’s position that international law, and in particular the UN Charter, applies in cyberspace. As a complement to binding international law, the EU endorses the voluntary non-binding norms, rules and principles of responsible state behaviour of the UN GGE.
Achieving better resilience to cyber attacks and strategic autonomy
The understanding of resilience to cyber attacks in this context is defined as “a Europe that can protect its people effectively by anticipating possible cybersecurity incidents, by building strong protection in its structures and behaviours, and by recovering quickly from any cyber attacks”. In order to achieve such resilience, a number of activities are recommended, which are listed in detail in Box two below.
The main focus of these activities can, however, be summarised as strengthening ENISA; raising cybersecurity standards and building market confidence; implementing legislation such as the NIS Directive; enhancing rapid emergency response and establishing crisis management mechanisms to respond to large-scale cross border cyber incidents; stimulating the development and deployment of EU cyber technologies as strategic assets and key growth technologies; growing the skills base; and continuing to promote cyber hygiene and drive awareness-raising on cybersecurity issues that now include online disinformation campaigns and fake news on social media specifically aimed at undermining democratic processes and European values.
To achieve its objective of better resilience to cyber attacks and strategic autonomy, the 2017 EU Cyber Strategy outlines the following actions:
- Strengthen ENISA.
- Move towards a single cybersecurity market by proposing an EU cybersecurity certification framework recognised across the EU to increase resilience and support EU-wide market confidence through high cybersecurity standards.
- Advocate for conditions to enable coordinated vulnerability disclosure across Member States.
- Implement the NIS Directive fully given that Member States were due to transpose the Directive by May 2018.
- Establish rapid emergency response to mitigate the impact of an attack, so that public authorities do not seem powerless and trust is maintained. For fast and effective response, a swift information exchange mechanism between all key players at national and EU level has been proposed, which also means that clarity on respective roles and responsibilities is needed.
- The Commission consulted institutions and Member States on a Blueprint to provide an effective process for an operational response at Union and Member State level to a large-scale cross-border cyber incident.
- Two separate projects are being conducted within the permanent structured cooperation (PESCO): one on the creation of a European Cyber Information Sharing Platform; and one on developing European Cyber Rapid Response Teams.
- The need to respond to a particularly serious cyber incident could be ground for a Member State to invoke the EU Solidarity Clause under Article 222 of the Treaty on the Functioning of the European Union.
- Establish a network of cybersecurity competence centres with a European Cybersecurity Research and Competence Centre to stimulate development and deployment of cybersecurity technology. The EU wants to do more in terms of investment into cyber technologies that are both strategic assets and key growth technologies and overcome fragmentation of capacities spread across the EU.
- Build a strong EU cyber skills base, given projections of major shortfalls of at least 350,000 skilled workers by 2022 in the EU and 1.8 million globally.
- Promote cyber hygiene and awareness.
- For example, a recent initiative developed by Europol and industry, the No More Ransom campaign, is helping users to prevent ransomware infections and decrypt data. The EU proposes to create a single portal to bring together all such tools in a one-stop shop, offering advice to users and links to reporting mechanisms. The Strategy further recommends that Member States accelerate the use of more cyber secure tools in the development of e-government.
- Awareness raising has been a priority for quite some time, but now current policies are calling for awareness raising in relation to online disinformation campaigns and fake news on social media specifically aimed at undermining democratic processes and European values.
Creating effective EU cyber deterrence
The second core strategic objective of the 2017 strategy is to create effective EU cyber deterrence. This is understood to mean the establishment of a framework for measures that are both credible and dissuasive for cyber criminals and attackers.
Box three below specifies the recommended actions as part of this framework for effective deterrence. The framework has five streams that include (1) improving the capacity to identify malicious actors; (2) stepping up the law enforcement response to cybercrime through effective investigations and prosecutions, updating the procedural framework, and adhering to the Budapest Convention; (3) enhancing public-private cooperation against cybercrime; (4) improving the political response to activities that harm EU political, security and economic interests through the Framework for a joint EU diplomatic response to malicious cyber activities (otherwise known as the EU Cyber Diplomacy Toolbox); and (5) focusing on Member States’ defence capability by promoting synergies between military and civilian efforts, given the dual-use nature of these technologies and tools. In addition, it aims to enhance EU industrial capacities and strategic autonomy; to ensure the cyber resilience of CSDP missions and operations; and to address the skills gap in cyber defence through initiatives such as the EU Cyber ETEE platform for EU cyber defence training and education.
Specific actions recommended as part of the EU’s framework for effective deterrence include:
- Identifying malicious actors
- The Strategy sees a need to improve the capacity to identify those responsible for cyber attacks, including the technological capability for Europol’s cross-jurisdictional investigations, and the uptake of IPv6.
- Stepping up law enforcement response to cybercrime
- Some Member States still need to fully implement the 2013 Directive on attacks against information systems.
- Effective investigation and prosecution of cyber-enabled crime is considered to be a key deterrent, but the procedural framework needs updating to take the speed of attacks into account. For example, forensics capabilities need to be reinforced to enhance attribution.
- The EU considers that the framework for international cooperation provided by the Council of Europe Budapest Convention on Cybercrime offers an optimal legal standard for different national legislation addressing cybercrime. The EU position is that rather than creating new international legal instruments for cybercrime issues, it is calling for all countries to design appropriate national legislation and pursue cooperation within this existing international framework.
- Public-private cooperation against cybercrime
- Stepping up the political response
- The Framework for a joint EU diplomatic response to malicious cyber activities (otherwise known as the EU Cyber Diplomacy Toolbox) sets out the measures under the CFSP, including restrictive measures, which can be used to strengthen the EU response to activities that harm its political, security and economic interests. It is significant given that the EU is developing signalling and reactive capacities at EU and Member State level. It aims to increase the EU’s capacity to attribute malicious cyber activities with the aim of influencing behaviour of potential aggressors, while taking into account the need for proportionate responses.
- 2017 Council conclusions on the cyber diplomacy toolbox affirm the EU’s willingness to put to use the entire scope of CFSP measures, including restrictive ones such as sanctions, in order to respond in a proportionate manner to malicious cyber activities by third parties, to protect the EU, and to attain its foreign policy objectives.
- The Strategy specifies that it is important that attribution to a state or non-state actor remains a sovereign political decision based on all-source intelligence. Its implementation is ongoing and it will be taken forward with the Blueprint to respond to large scale cyber incidents.
- Building cybersecurity deterrence through Member States’ defence capability
- The EU proposes that it can help Member States promote synergies between military and civilian efforts given the dual-use nature of these technologies and tools.
- It is further working to enhance EU industrial capacities and strategic autonomy.
- It will promote interoperability.
- Cyber resilience of CSDP missions and operations is considered to be essential.
- The EU will facilitate strategic level engagement between Member States’ cyber defence policymakers.
- It will support the development of European cybersecurity solutions as part of its effort for a European Defence Technological and Industrial Base.
- The new EU cyber defence training and education platform, the EU Cyber ETEE platform, was launched at the end of 2018 to address the skills gap in cyber defence.
A general overview of the EU’s cooperative efforts: the EU’s global cyber engagement framework
The third core strategic objective of the EU is to continue strengthening its international cooperation on cybersecurity. This is in line with the main guiding document for the EU’s foreign policy, the 2016 EU Global Strategy on Foreign and Security Policy for the European Union, which considers cyber a significant element in the EU’s foreign policy. EU documents further explain that the rationale behind international cyber engagement with third countries is to prevent and deter cyber attacks, thus promoting global cyber stability and broader international security and stability.
More broadly, the EU is working towards becoming a more serious diplomatic and security global actor. EU officials explain that, today, the EU’s role is growing as a diplomatic and strategic actor, and it is ready to take more responsibility to bring security and stability globally. The development and success of the EU’s global cyber engagement efforts will naturally be linked to these wider strategic developments, especially where some third countries may have previously preferred to deal bilaterally with EU Member States on political and security questions.
While the 2013 EU Cybersecurity Strategy originally called for more active EU engagement at international level, including by deepening dialogue with third countries and international organisations and by stepping up capacity building in third countries, the 2015 Council Conclusions on cyber diplomacy later promoted a number of more specific objectives and principles related to the EU’s global cyber engagement. These Council Conclusions are considered an important instrument to guide the EU’s collective efforts related to global cyber policy and to offer more detailed objectives in foreign policy issues. This framework includes the promotion and protection of human rights in cyberspace; the promotion of norms of behaviour and the application of existing international law in the field of international security; Internet governance; enhancing competitiveness and prosperity; capacity building and development; and strategic engagement with key partners and international organisations.
These objectives continue to be priorities for the EU in its global cyber engagement, as specified in more detail within the 2017 Cyber Strategy and laid out in Box four below. Under this document, the EU’s international cybersecurity policy is said to aim to promote global cyber stability and contribute to Europe’s strategic autonomy in cyberspace. In short, the Strategy makes the following recommendations for the EU’s international cybersecurity policy: First, through its external relations, the EU will build and maintain partnerships with third countries, and prioritise international security issues in cyberspace. Second, cybersecurity capacity building to build resilience in third countries continues to be important to the EU given the importance to global cyber stability of all countries being in a position to prevent and respond to cyber incidents. Council conclusions on EU cyber capacity building guidelines were subsequently adopted in 2018. Third, the EU will deepen its cooperation with NATO on cybersecurity, hybrid threats and defence. The Cyber Defence Policy Framework also lays out its ambitions to enhance cooperation with relevant international partners.
Again, the EU’s external activities and international cooperation efforts will continue to promote those EU core values and principles which are highlighted in the above sections.
EU activities to promote global cyber stability and contribute to Europe’s strategic autonomy in cyberspace
(a) Cybersecurity in external relations
- The Strategy specifies that building and maintaining robust alliances and partnerships with third countries is fundamental to the prevention and deterrence of cyber attacks (which are increasingly central to international stability and security).
- The EU will prioritise the establishment of a strategic framework for conflict prevention and stability in cyberspace in its bilateral, regional, multistakeholder and multilateral engagements.
- The EU strongly promotes the position that international law and in particular the UN Charter applies in cyberspace. As a complement to binding international law, the EU endorses the voluntary non-binding norms, rules and principles of responsible state behaviour of the UN GGE. It also encourages the development and implementation of regional CBMs in the OSCE and other regions.
- At bilateral level, cyber dialogues will be further developed and complemented by efforts to facilitate cooperation with third countries to reinforce principles of due diligence and state responsibility in cyberspace.
- According to the Strategy, by September 2017, the EU had cyber dialogues with the United States, China, Japan, the Republic of Korea and India. Other cyber dialogues include EU-Brazil, covering topics such as international security in cyberspace, cyber resilience, cybercrime, Internet governance and cybersecurity standards.
- The EU will prioritise international security issues in cyberspace in its international engagements.
- The EU will ensure cybersecurity does not become a pretext for market protection and the limitation of fundamental rights and freedoms, including the freedom of expression and access to information. A comprehensive approach to cybersecurity requires respect for human rights and the EU will continue to uphold its core values globally, building on the EU’s Human Rights Guidelines on online freedom.
- The EU emphasises the importance of all stakeholders’ involvement in governance of the Internet.
- The Commission has also put forward a proposal to modernise EU export controls including the introduction of controls on the export of critical cyber surveillance technologies that could cause violations of human rights or be misused against the EU’s own security. It will step up dialogues with third countries to promote global convergence and responsible behaviour in this area.
(b) Cybersecurity capacity building
- The EU Strategy explains that global cyber stability relies on the local and national ability of all countries to prevent and react to cyber incidents and to investigate or prosecute cybercrime cases. It is therefore supporting efforts to build national resilience in third countries with the aim that this will increase the level of cybersecurity globally. It identifies that fast evolving cyber threats mean that there is a need for training, as well as policy and legislation development efforts, effective CERTs and cybercrime units in all countries.
- Since 2013, the EU has systematically linked these efforts with its development cooperation. EU efforts will be complementary to the EU’s development agenda in light of the 2030 Agenda for Sustainable Development and overall efforts for institutional capacity building.
- It will continue to promote a rights-based capacity building model in line with the Digital4Development approach.
- Priorities for capacity building will be the EU’s neighbourhood and developing countries experiencing fast connectivity and rapid development of threats.
- The Strategy recommends the EU Cyber Capacity Building Network to mobilise its collective expertise, bringing together EEAS, Member State cyber authorities, EU agencies, Commission services, academia and civil society.
- Council conclusions on EU cyber capacity building guidelines were adopted in 2018 to offer better political guidance and prioritisation of EU efforts in assisting third countries.
- The EU has invested more than 80 million euro in cybersecurity capacity building since 2013.
(c) EU-NATO cooperation
- The EU will deepen EU and NATO cooperation on cybersecurity, hybrid threats and defence.
- High-level consultations and staff-to-staff meetings have been held annually since 2012, and the EU-NATO Joint Declaration of 2016 sets specific objectives for furthering cyber defence cooperation.
- The Cyber Defence Pledge was also agreed in 2016, focusing on areas of common interest such as fostering joint training exercises and deepening cooperation between states and between the two organisations.
Caitríona holds degrees from UCD and the University of Innsbruck, the Oxford Institute of Legal Practice and Cambridge University (MPhil International Relations).
The “EU-Singapore Dialogue Addressing Security Challenges in a Changing World” was co-organised by the European Union Institute for Security Studies (EU ISS) and the S. Rajaratnam School of International Studies (RSIS), Singapore, 30 January 2019.
Thomas Renard and Andre Barrinha, “The EU as a partner in cyber diplomacy and defence”, Handbook on Cybersecurity – The Common Security and Defence Policy of the European Union, European Security and Defence College and the Federal Ministry of Defence of the Republic of Austria, Volume V, 1st edition, 2018.
A number of Directorates-General hold responsibility for different cyber-related policies, such as DG HOME for justice and home affairs, which is responsible for updating EU policies related to cybercrime and facilitating law enforcement cooperation; the EEAS, which is responsible for the Common Foreign and Security Policy (CFSP), including cyber defence and international cyber policy related objectives; and DG CNECT for matters related to the internal market, such as legislation and the Digital Single Market. For further explanation, see Heli Tiirmaa-Klaar, “Two generations of EU cybersecurity strategies”, Handbook on Cybersecurity – The Common Security and Defence Policy of the European Union, European Security and Defence College and the Federal Ministry of Defence of the Republic of Austria, Volume V, 1st edition, 2018.
For a discussion on strategic autonomy, see the Munich Security Report 2019, p. 4.
Renard and Barrinha, “The EU as a partner in cyber diplomacy and defence”.
See https://eeas.europa.eu/headquarters/headquarters-homepage/2370/singapore-and-eu_pl, High Representative Federica Mogherini, Singapore, June 2015.
Heli Tiirmaa-Klaar, “Two generations of EU cybersecurity strategies”.
Renard and Barrinha, “The EU as a partner in cyber diplomacy and defence”.
Heli Tiirmaa-Klaar, “Two generations of EU cybersecurity strategies”.
This article was first published on Caitríona Heinl’s blog.