Tokyo Policy Review

Why the European Union’s move towards a more threat-based cybersecurity approach encourages member state cyber resilience.

Jun 26 2023, Lauranne Finney

INTRODUCTION

This study reviews the effectiveness of current EU cybersecurity implementations in encouraging member state cyber resilience by considering them against:

  1. Readiness,
  2. Resilience, and
  3. Strategic Engagement.

It is imperative to evaluate whether the imposed measures address cyber resilience and not only cybersecurity, as both must be addressed to provide appropriate prevention policy and management. Cybersecurity revolves largely around prevention and reducing threats, while cyber resilience also concerns mitigating the impact that such cyber-attacks have on stakeholders (Conklin et al, 2017).
The EU was chosen rather than an individual state because its presence as a cybersecurity actor is unique in the international community. At the EU level, there has been an increasing institutionalisation of cybersecurity capabilities, which has driven an international process of collective securitisation and the standardisation of interstate cybersecurity (Christou, 2019).
The coherence of this dichotomy must therefore be questioned: how does the EU system of governance facilitate such a state of play, and can policymakers implement it globally?

BACKGROUND

Concerns surrounding cybersecurity have only grown in prominence in the last decade because, given the interconnected nature of society, any cybersecurity incident can disrupt a multitude of social, political and economic aspects en masse (Scholte, 2017). In response to such concerns, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) created the 'Manual on the International Law Applicable to Cyber Warfare' in 2013, otherwise known as the Tallinn Manual, which addressed how the rules of international law apply to cyber operations (Schmitt, 2013). As an influential resource for policy advisors, both the 2013 and 2017 publications identified key areas of concern, which have encouraged policymakers to consider cyber resilience alongside cybersecurity (Schmitt, 2017). Cyber resilience refers to the ability of a system to adapt, prepare, absorb, and recover in relation to cyber-attacks (Linkov and Kott, 2019).

Taking up such advice, the European Union (EU) has also declared cyber resilience a major concern and in 2021 began to instigate research into the creation of a Cyber Resilience Act (Council of the European Union, 2021). The EU is a unique entity within the global realm of policy making, and this singularity is most pertinent when contemplating the policing of cybersecurity challenges. Many of the EU’s past mistakes as a cybersecurity actor in relevant guidance have highlighted how difficult multi-jurisdictional governance is, but also how integral such an approach is in limiting cyber-attacks.

Markedly, over time the EU’s approach to legislation and implementation has shifted away from being risk-based, instead focusing on a more threat-based approach to cybersecurity.
Threat-security looks at direct causes of harm, whereas risk-security is predominantly focused on the conditions surrounding the vague possibility of harm (Allen and Derr, 2015).
Moving on from Beck’s (1999) traditional risk society, the two are understood as separate from each other because questions of risk and underlying riskification do not involve securitisation, which is demonstrated in threat politics (Corry, 2011). Securitisation can be described as a core form of extreme politicisation in which something is presented as an existential threat to a referent object, justifying actions outside of the ordinary political procedure to combat it (Buzan, 1998).
The 2020 EU Cybersecurity Strategy for the Digital Decade mandated actions of this kind in relation to cyber resilience (European Commission, 2020).

KEY ISSUES

I assess current EU policy, bodies, and cyber strategy, including aspects such as the EU’s Cybersecurity Strategy 2013 and 2020.

Specifically, the analysis will discuss in what ways the EU is moving towards a more threat-based approach to cybersecurity, comparing previous strategy and policy prescriptions with the most recent EU guidelines (at the time of writing). These key aspects will be considered in light of whether such threat-based measures encourage EU member state cyber resilience through readiness, resilience, and strategic engagement.

  1. Readiness is when member states, on a cohesive and individual level of cyber maturity, are working with one another in light of increasingly sophisticated threats to enhance cyber resilience (European Central Bank, 2022).
  2. Member state Resilience is affirmed through the presence of cross-border information sharing and collaborations (European Central Bank, 2022).
  3. Strategic engagement takes the form of joint strategy forums that encourage collaboration in the form of joint initiatives to increase cyber awareness or general capabilities (European Central Bank, 2022).

Such concepts are prescribed by the Eurosystem cyber resilience strategy for financial market infrastructures 2017 to be three key aspects which increase cyber resilience (Bayle de Jessé, 2019). The main advisor of the strategy, the European Central Bank, importantly took into account the CPMI-IOSCO guidance and set out clear guiding pillars (Bayle de Jessé, 2019). Furthermore, as a predominant framework currently implemented throughout the EU, it is a pragmatic guiding tool because it is already tailored to the political landscape. Although it is not directed at assessing general EU member state cyber resilience, as part of the Eurosystem’s oversight strategy it is likely to influence how the future EU Cyber Resilience Act will be formulated. Therefore, this section will analyse whether the ratified strategy and policy prescriptions can be considered ‘more’ cyber resilient against these concepts.

ANALYSIS

DO THREAT-BASED MEASURES ENCOURAGE EU CYBER RESILIENCE?

When assessed according to readiness, resilience, and strategic engagement, threat-based measures do overwhelmingly demonstrate the foundations required for encouraging cyber resilience. The readiness of member states in handling cyber-attacks has increased because of a shift in how aspects of safety are perceived in relation to security.
Unlike the 2013 cybersecurity strategy, the 2020 publication succinctly defined and clarified aspects of security (European Commission, 2013 and 2020), focusing strictly on properties of security that are predominantly connected to external, rather than inherent, threats (Backman, 2022). This 2020 threat-based security logic increased readiness, as the 2013 strategy focused inappropriately on the concept of security as occurring alongside the safety of citizens' rights, rather than as a separate issue (Backman, 2022; European Commission, 2013 and 2020). By focusing on internal, inherent causes of harm instead of external threats, the 2013 strategy gave member states insufficient scope to adapt to ever-evolving cyber threats, as it limited the potential for cross-border international cooperation.

Reinforcing this narrowed scope, what is included and defined as a cause of cyber incidents, not just what counts as an aspect of security, has also evolved over time in a manner that increases readiness. Within their introductions, the strategies differ on how exclusive they are in perceiving the origins of cyber threats (European Commission, 2020). The narrowing of definitions between the 2013 and 2020 cybersecurity strategies is indicative of a shift from an approach that emphasises numerous varieties of potential risks and threats to one which focuses primarily on the need to defend against antagonistic cyber threats, in a more threat-based logic (Backman, 2022). The broad 2013 strategy, which loosely stated that “threats can have different origins”, did not encourage readiness as it allowed variance in member state interpretations of what could cause a threat, which limited the possibility of a cohesive approach (European Commission, 2013). In contrast, the 2020 strategy exclusively discusses cyber incidents as cyber-attacks related to malicious targeting (European Commission, 2020). This clear definition encourages coherent cross-body interpretation and application, which enhances cyber readiness.

Moreover, policy prescriptions have shifted towards facilitating the implementation of resilient measures that specifically aim at enhancing the EU’s cyber diplomacy, deterrence and defence capabilities. The “cyber diplomacy toolbox” was created and highlighted in the 2020 strategy as a collection of operational measures aimed at responding to malicious cyber activities (European Commission, 2020). Crucially, the new strategy highlights that a joint cross-border EU diplomatic response, which can utilise the full range of measures available at the EU level, should be used when responding to malicious cyber activities (European Commission, 2020). The new diplomatic response enhances resilient operations because it increases intelligence cooperation between member states by facilitating the establishment of EU cyber intelligence working groups within the EU Intelligence and Situation Centre (INTCEN), all of which work within existing structures to cover the wider threat of hybrid and foreign interference (European Commission, 2020).

Facilitation of cross-border engagement between member states is also evident in prioritisation efforts. By specifying that cybersecurity is a prioritised and integral part of European security, the 2020 cybersecurity strategy re-focuses the policy prescription narrative in a manner that provides more power to joint initiatives, in turn encouraging strategic engagement (European Commission, 2020). Such a speech act increases cyber awareness, as securitising the referent object highlights it as an aspect of importance (Buzan et al, 1998). In comparison, as the 2013 cybersecurity strategy still lacked such focus and even denoted cybersecurity as an area that the EU merely had to “step up within” rather than actively seek, strategic engagement was not optimised (European Commission, 2013).

Explicit indications of how this prioritisation encouraged strategic engagement are echoed in the changing positions of ENISA and CERT-EU. The 2020 strategy provided them with new tasks, as well as an increased mandate. The more recent EU Cybersecurity Act even provided that ENISA would set up an office in Brussels to encourage cooperation with CERT-EU (European Commission, 2021). This expansion is indicative of how the EU perceives a need to bring cyber resilience measures quite literally to the core of the EU. Further expansion of strategic engagement is also demonstrated by EU involvement in cyber crisis management, operational cybersecurity and responsive activities (Backman, 2022). Proposals, which include the building of a Security Operations Centre network across the EU (European Commission, 2020) and a Joint Cyber Unit, highlight a focus on operational capabilities whose reactive tendencies are indicative of a more threat-based approach.

CONCERNS

The threat-based approaches discussed above may encourage cyber resilience; however, several of these initiatives are being implemented in a manner which somewhat negatively impacts cybersecurity. This is contradictory to the very justification behind the EU’s prioritisation of cyber resilience: defence. Ultimately, guidance, as a de jure action, can seemingly increase resilience in law, but the de facto reality may lie far from the aspirations sought. The narrowed scope of what can constitute a cause of cyber-attack exemplifies such an issue. Although it has increased cyber resilience by encouraging member state readiness, it does not necessarily correlate with increased cybersecurity. This is because the exclusive focus on antagonistic attacks as the cause of major cyber incidents may deflect resources and attention away from the management of other causes of cyber incidents, such as mistakes and failures. However, I would argue that causes of cyber incidents which result from inherent issues would benefit more from being categorised under cyber management. Removing them from the definition of cyber-attack causes was an appropriate measure, as inherent issues do not need the same types of prevention or response as those from external sources. Instead, by placing such issues under cyber management, effective prevention measures will be in place without encroaching on cyber-attack resources.
Nonetheless, although operational involvement has theoretically increased resilience, the joint cyber crisis management effort is littered with governance challenges that lower perseverance. One such challenge stems from the increased reporting duties and requirements during incidents, introduced as a way of encouraging resilience, which realistically appears to be an inefficient process. This is because it creates more reporting duties for staff within the operational incident response structures who are already overloaded (Backman, 2022). It is also contradictory to member state national cyber crisis responses, because responding to the immediate situation at a national level typically takes priority over such international information sharing (Backman, 2022).
Furthermore, increasing strategic cooperation raises concerns over the balance between member states' sovereignty in security matters and supranational initiatives that involve defence and national security directions (Council of the European Union, 2021). Because cyber crises are inherently about national security rather than international security, an EU task force which includes staff from numerous member states may not be the most efficient cybersecurity initiative.

CONCLUSION

Through analysing the impact of the 2020 Cybersecurity Strategy alongside the Eurosystem cyber resilience strategy for financial market infrastructures 2017, this study assessed that the European Union’s move towards a more threat-based cybersecurity approach has encouraged member state cyber resilience, specifically through narrowing the scope of cyber-attacks, implementing cooperative measures such as the cyber diplomacy toolbox, and re-prioritising cyber aspects.
However, such measures are not necessarily effective at encouraging overall member state defence, as increasing cyber resilience does not always equate to an increase in cybersecurity. Attempts at encouraging cross-border member state cooperation, securitising cybersecurity and narrowing definitions have created new governance challenges and security gaps that the EU needs to address within its upcoming Cyber Resilience Act. Ultimately, failing to address such fundamental issues will only leave the EU more vulnerable within cyberspace.

Lauranne Finney will be completing her master’s degree at the University of Tokyo Graduate School of Public Policy in 2023. She has an LLB Law with Politics degree from the University of Manchester and is interested in security studies, resilience engineering and risk management.

REFERENCES

  1. Allen, G. and Derr, R., 2015. Threat assessment and risk analysis: an applied approach. Butterworth-Heinemann.
  2. Backman, S., 2022. Risk vs. threat-based cybersecurity: the case of the EU. European Security. doi:10.1080/09662839.2022.2069464
  3. Bayle de Jessé, M., 2019. The Eurosystem’s cyber resilience strategy for financial market infrastructures. Cyber Security: A Peer-Reviewed Journal, 2(4), pp.294-302.
  4. Beck, U., 1999. World risk society. Cambridge: Polity Press.
  5. Bendiek, A., Bossong, R. and Schultze, M., 2017. The EU’s revised cybersecurity strategy: half-hearted progress on far-reaching challenges. Berlin: Stiftung Wissenschaft und Politik (SWP) Deutsches Institut für Internationale Politik und Sicherheit.
  6. Buzan, B., Wæver, O. and Wilde, J.D., 1998. Security: a new framework for analysis.
  7. Carrapico, H. and Barrinha, A., 2017. The EU as a coherent (cyber)security actor? JCMS: Journal of Common Market Studies, 55, pp.1254-1272. doi:10.1111/jcms.12575
  8. Christou, G., 2019. The collective securitisation of cyberspace in the European Union. West European Politics, 42(2), pp.278-301.
  9. Conklin, W.A., Shoemaker, D. and Kohnke, A., 2017. Cyber resilience: rethinking cybersecurity strategy to build a cyber resilient architecture. In: ICMLG2017 5th International Conference on Management Leadership and Governance, March 2017, p.105.
  10. Corry, O., 2011. Securitisation and ‘riskification’: second-order security and the politics of climate change. Millennium: Journal of International Studies, 40(2), pp.235-258.
  11. Council of the European Union, 2021. Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive 2016/1148: General Approach.
  12. Dunn Cavelty, M., 2008. Cyber-security and threat politics: US efforts to secure the information age. London and New York: Routledge.
  13. European Commission, 2013. Cybersecurity strategy of the European Union: an open, safe and secure cyberspace.
  14. European Commission, 2020. The EU’s cybersecurity strategy for the digital decade.
  15. European Court of Auditors, 2019. Review No 02/2019: challenges to effective EU cybersecurity policy (Briefing Paper).
  16. Linkov, I. and Kott, A., 2019. Fundamental concepts of cyber resilience: introduction and overview. In: Kott, A. and Linkov, I., eds. Cyber Resilience of Systems and Networks. Risk, Systems and Decisions. Cham: Springer. https://doi.org/10.1007/978-3-319-77492-3_1
  17. Muckin, M. and Fitch, S.C., 2014. A threat-driven approach to cyber security. Lockheed Martin Corporation.
  18. Mueller, M., 2010. Networks and states: the global politics of Internet governance. Cambridge, MA: MIT Press.
  19. Schmitt, M., 2013. Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge: Cambridge University Press. doi:10.1017/CBO9781139169288
  20. Schmitt, M., 2017. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Cambridge: Cambridge University Press.
  21. Scholte, J., 2017. Polycentrism and democracy in internet governance. In: Kohl, U., ed. The net and the nation state: multidisciplinary perspectives on Internet governance. Cambridge: Cambridge University Press, pp.165-184.

The Tokyo Policy Review is an independent publication run by graduate students at the University of Tokyo's Graduate School of Public Policy. All views and opinions expressed are those of the author(s) and do not represent the official views of the University of Tokyo, the Graduate School of Public Policy, the Tokyo Policy Review, or any of its affiliates. All errors remain the author's own.