The European Union’s Cybersecurity Strategy was published on December 16th 2020 and could not have come at a better moment. The COVID-19 pandemic has pushed employment and governance online across the EU. This accelerated the convergence of cyber and physical spaces, a digital transformation that demands quick responses to complex security dilemmas.
Clearly, Europe is preparing but is not ready for the challenge at hand.
A timely strategic vision
Numerous reports confirm the suspicion that cybersecurity threats proliferate in this new environment. Governments and criminal groups exploit the new cyber-landscape for political and criminal purposes. This new reality undermines the pluralism and openness of European societies and, consequently, our ability to defend our way of life. Hence a concerted EU response to the challenge is timely, as Europe’s economic Recovery Plan requires a common cybersecurity vision.
The document bridges the gap between online and offline, digital and physical, internal and external security concerns, creating a common conceptual framework of the threat before us. That is a precondition to building up Europe’s collective resilience to cybersecurity threats. That vision elaborates on the applicability of human rights principles online, attempting to strike a balance with the need for security, giving the EU a leading normative role in operationalising cyber defense and cyber diplomacy.
In securing the EU’s core values, the new Cybersecurity Strategy needs to look beyond security. The EU’s Cyber Diplomacy Toolbox sets standards for the protection of critical infrastructure, supply chains, democratic institutions and processes. Building on these benchmarks, the EU can begin to build network resilience and credible cyber-deterrence against all potential foes, and take the diplomatic initiative.
The benefit of taking this lead in regulating cyberspace is mainly in the security field, but also carries an economic and diplomatic edge. The new strategic blueprint allows the EU to remain a “normative superpower,” affirming a commitment to a secure cyberspace but also rule of law, human rights standards, and democratic values. At least, that is the theory.
The EU’s “Digital Decade” vision suggests realism and forward thinking in Brussels. There is clearly a vision for common European defence that goes beyond intergovernmental cooperation between security agencies. The new geopolitical discourse emanating from Brussels indicates a more holistic approach to prevention, deterrence and reaction to potential threats.
Reassuringly, in discussing the EU’s new cybersecurity strategic blueprints, the European Commission provides quite a bit of detail on how security will become a guiding principle rather than “a concern” in an age of digital transformation. For Brussels it is clear that cybersecurity is an independent variable in both network and information systems development.
The new security blueprint goes beyond the dated (2008) perception of critical infrastructure security. Therefore, it looks beyond energy generation and distribution, transport and hospitals to encompass data centres, research laboratories, governance/administrative hubs, and critical equipment and services as potential cyber targets. The Commission’s proposal for AI-enabled Security Operations Centres across the EU and a Joint Cyber Unit appears to set the stage for convincing collective defence and cyber-resilience.
The challenge at hand
While efforts to streamline threat perceptions and create EU-wide response mechanisms are clearly moving in the right direction, there are two kinds of challenges: political and economic.
On an economic level, it is clear that EU member states have different economies and, therefore, the interface between “the real” and the digital economy is also different. Economies dominated by very small and medium-sized businesses face different challenges from major economies where the corporate sector is founded on companies the size of a small state. Similarly, countries diverge in terms of public infrastructure, security infrastructure and know-how. That is a big issue in highly networked systems that are only as strong and resilient as their weakest link.
On a political level, Member States need to form a consensus over the right balance between the need for data monitoring and surveillance required for reasons of national security and individual rights. That balance is not automatic or “self-evident” across the union, where different standards of data protection and information sharing prevail.
In sum, cybersecurity is fusing economic and political considerations. As cyber and physical interfaces become less distinguishable, the distinction between collective security, national security, and home affairs is blurred. That becomes more complicated while the state plays a central role in economic activity amidst a profound economic crisis and, at the same time, the UK is disengaging from the Single European Market and, to some extent, Europe’s collective security framework.