“Who are you? You’re in our meeting. General, what do you suggest we do? General, you are right: we need to invest in privacy”. This is how Josep Borrell, High Representative of the European Union for Foreign Affairs, reacted when a secret videoconference of EU defence ministers was crashed last year. In a careless oversight, the Dutch defence minister had shared a picture on Twitter where the access code for the meeting was visible. A compatriot journalist noticed the error and joined the videocall, leaving the institution red-faced.
The scene, despite being pretty wild, highlights the EU’s ongoing difficulties with cybersecurity: in a club of twenty-seven countries, with meetings and conversations that would ideally take place in person but that, owing to logistical difficulties, have moved online, it is difficult to ensure that every door remains closed. This, in a world as connected as ours, is the enormous risk that has forced the EU to arm itself against digital attacks, whenever they take place, wherever they come from and whatever shape they take.
The threat is silent yet not invisible. Not unsuccessfully, the European Union Agency for Cybersecurity (ENISA) identified three-hundred-and-four significant malicious attacks against “critical sectors” in 2020, more than double 2019’s tally. Many of them targeted hospitals and health networks, institutions which, during the pandemic, held very valuable information on the evolution of Covid and subsequent vaccination projects.
Their aims can be varied, from stealing data to paralysing key infrastructure, with the disastrous consequences that that represents for the targeted country. The biggest example in recent times is the attack on the Colonial pipeline, the largest in the United States, in May 2021. The attack, perpetrated by an apolitical group of professional hackers called Darkside, forced operators to halt the flow of oil, leading to a gasoline shortage across the East coast, and to pay the group 75 bitcoins, equivalent to €3.8m.
Fortunately for European citizens, the EU has a plan that means that the crashing of a secret defence meeting remains merely an amusing anecdote, rather than a cyberattack that compromises the entire security of the European community. In December 2020, the European Commission presented a new Cybersecurity Strategy and a proposal to reinforce the directive regarding measures for heightened levels of community cybersecurity in the EU (Directive NIS2).
A new arms race
The European Union has been preparing itself since 2013 to respond to digital attacks and, in recent years, it has launched various initiatives to advance the creation of a common defence and security strategy.
Standing out among them are a common cyberdiplomacy toolbox and a joint EU cyberdefence framework, both approved in 2018 and designed to improve coordination between Member States; the Cybersecurity Act (2019), which renewed the European Network and Information Security Agency’s (ENISA) mandate, renaming it the European Union Agency for Cybersecurity; and the EU toolbox for 5G security, also in 2019.
Yet in a hyperconnected world like this, where hybrid threats are more and more sophisticated and powers compete to develop different technologies that allow them to secure their systems, the risk of being left behind in the cyber race becomes greater and greater. In this sense, the cybersecurity race is reminiscent of the arms race of the Cold War, when the United States, the Soviet Union and their respective allies became engaged in a secretive war of nuclear arms development. As is the case now, each advance was guarded jealously and developments forced each side to move faster and faster.
This is what is causing the European Union to continually modernise its Cybersecurity Strategy; it is trying to stay one step ahead of cybercriminals. That is why, although the document was first published in 2013, the strategy was revised in 2017 and again in December 2020.
Nevertheless, the most recent version represents a change in paradigm: now that the European institutions and Member States count on unified and coordinated security measures, the EU wants to work on the creation of tools that allow it to respond immediately and effectively or, better still, to prevent cyberattacks.
An ambitious plan
In this respect, the new Cybersecurity Strategy brings three key areas into play: first of all, it intends to improve common resilience against cyberattacks through both the creation of a network of security operations centres across the EU that work with artificial intelligence technology and a reform to security laws regarding information networks and systems, incorporated into Directive NIS2.
The NIS Directive, passed in 2016, provoked a change in the institutional focus on cybersecurity in Member States (it obliged them, among other things, to create a national cybersecurity strategy and to establish emergency cyber response teams), though it has started to show limitations.
“The digital transformation of society, intensified by the Covid crisis, has increased the threat level and is creating new challenges that require innovative and adapted responses. Now, any interruption can have wide-ranging effects on the entire internal market”. These were the words of the European Commission in the presentation of its new strategy.
In short, Directive NIS2, which received the green light from the European Parliament in October, expands the definition of critical sectors and strengthens the requirements for the 160,000 businesses that the definition covers. The objective is to bridge the gap between European and US companies, which invest 41% more, on average, in cybersecurity than their European counterparts.
Secondly, with its new Cybersecurity Strategy, the Commission also wants to build up its operational capacity to prevent, deter and respond to cyberattacks, which has led to a proposed Joint Cyber Unit. This team will work to guarantee a coordinated EU response to large-scale cyberincidents and cybercrises and to offer assistance in recovery from these attacks. “These threats are a common enemy, which is why it is necessary to coordinate, to share intelligence and to raise the alert early”, argues the Commission.
Finally, Brussels wants to promote a global and open cyberspace, bringing exterior countries to the table to replicate its laws worldwide and to contribute to international security. The strategy, in other words, aims to prevent a cybersecurity landscape reminiscent of the Cold War, instead bringing nations together in the spirit of cooperation to shield the world against these types of threats.