The European Union’s Cyber security Governance: The Missing Link (Part 2/2)

By Jean-Baptiste Houdart. Originally published on 2013/02/16

In the terms described in the previous part of this article, the EU developed its own digital policy, ensuring that it addresses both opportunities and challenges of the digital world. To achieve this, the EU approved a decentralised structure, where the different institutions are responsible for the three aspects of the digital world. First, in 2010 the EU launched its Digital Agenda for Europe, under the responsibility of the Commissioner for Information Society and Media N.Kroes. The aim is to promote the new technologies in order to increase economic and social prospects.[1]. In the framework of the Agenda, the EU adopted several laws addressing, for instance, broadband coverage, roaming harmonization, E-Commerce, eID, eSignatures, as well as the protection of Intellectual Property.

Second, in order to ensure the protection of the infrastructure against cyber attacks, EU established a specialised agency the European Network and Information Security Agency (ENISA), that has the mandate to “ensure a high and effective level of network and information security within the Community and in order to develop a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union”[2]. Established in 2005, the ENISA has already demonstrated its effectiveness by organising the first pan-European cyber security exercise in 2012, and by publishing, in October 2012, its first report on annual incidents that occurred in 2011. This report provides an evaluation of the protection of infrastructure against cyber attacks.  In fact, it shows that in 2011, 51 significant incidents occurred in 11 Member States which affected around 300.000 users. Only 6% of those incidents were caused by malicious attacks, while 47% and 33% were respectively caused by hardware/software failure and Third Party failure. This means that from the 51 severe incidents, only 3 were actual cyber offences against critical infrastructures. It is, however, noteworthy that, the ENISA “estimates that the number of incidents, that will be reported over the year 2012, will increase by a factor 10 because most countries now have mature implementation of the incident reporting process”[3].

Third, cyber crimes are also covered by the plethora of EU digital policies and institutions, especially under the supervision of EU Commissioner for Justice and Home Affairs, Cecilia Malmström, as well as the recently established Cybercrime Centre which has the mandate to “pool expertise and information, support criminal investigations and promote EU-wide solutions, while raising awareness of cybercrime issues across the Union”[4]. It is interesting to observe the first results of this new specialised agency, as it will examine the real picture of the existing cyber crimes in the EU. Additionally, the EU took steps forward to fight against cybercrimes, by adopting EU laws on the protection against Sexual abuse and sexual exploitation of children and child pornography on the Internet, as well as on the fight against online fraud.

Finally, the European Parliament can be considered as an essential actor in the cyber security governance of the EU. Indeed, the European Parliament served as the guardian of civil liberties and fundamental freedoms in several controversial cases such as the PNR and the ACTA negotiations with the U.S., where it ensured the coherence between economic opportunities, citizens’ rights and cyber threats’ prevention. As a matter of fact, the EP is often the last rampart protecting European values in the EU’s partnerships with the rest of the world.

Cyber security is a global phenomenon and therefore, it is primordial for the EU to cooperate with other States and regions of the world. Yet, so far, those partnerships have been relatively precarious. The international position of the EU can be best illustrated by the recent developments in multilateral cyber security negotiations during the World Conference on International Telecommunications (WCIT) in December 2012. The central question of the Conference was whether the International Telecommunications Regulations should be revised to expressly reference the Internet, thereby deeply affecting the governance of the Internet and opening the door to States’ control over the content of the Internet[5]. During the Conference, the EU, that was represented by the European Commission (non voter Member) and the twenty seven EU Member States (voters Members), successfully reached a common position, and acted and spoke with one voice. Those efforts were insufficient to shape the debate against Internet censorship, and a controversial Resolution that explicitly encourages ITU mission creep toward the Internet was approved. Additionally, the failure of the EU during those negotiations also affects its cooperation with the United States, as the core element of the partnership in cyber security relies on mutual assistance to shape the global debate on the issue of cyber security and cybercrimes[6]. While both the U.S. and the EU appeared united at the WCIT, the rest of the EU-U.S. cyber security partnership remains shivering between high level of cooperation in the fight against cyber crimes[7], and disagreements on issues related to privcacy and data protection^[8]. Finally, the EU-U.S. cooperation is furthered through NATO  to protect critical infrastructures against cyber threats. Yet the level of the cooperation is teinted of disagreements between NATO Member States’ ideologies, national interests, and fear to loose their sovereignity[9].

To conclude, the structure of the governance of the EU in the field of cyber security reveals that the European Union fully understood the nature of the Internet, its social and economic benefits, as well as the  threats that exist in the digital world. It, therefore, structured its governance accordingly by establishing the ENISA to prevent threats against critical infrastructures, the Cybercrime Centre to tackle all online crimes and by continuously  promoting the development of economic and social opportunities online, through the European Commission’s Digital Agenda for Europe. Finally, the European Parliament plays an increasing role in defending citizens rights and freedoms, while ensuring a coherent balance between economic opportunities, cyber security and individual rights. However, the European Union’s record at the international level is less impressive as it fails to lead the debate and defend its values during multilateral negotiations, moreover, it faces ideological disagreements with its closest partners: the United States and NATO. This poor record on international cooperation in the field of cyber security is highly problematic as it impedes all efforts by the European Union to reach out the rest of the world and promote its coherent and comprehensive mode of governance in the field of cybersecurity, which could serve as a model for other parts of the world in order to secure the digital world at a global stage.

[1] http://ec.europa.eu/digital-agenda/digital-agenda-europe

[2] EUR-Lex

[3] ENISA, October 2012, “Annualm Incident Reports 2011”,http://www.enisa.europa.eu/activities/Resilience-and-CIIP/Incidents-reporting/annual-reports/annual-incident-reports-2011

[4] Europol

[5] P. Paoletta & P. McElligott, December 2012, “Perspectives—U.S. and European Union Stay United in opposition to ITU Efforts to Change Internet Governance”, Wiltshire &Grannis LLP, Published on The European Institute

[6] M. G. Porcedda, December 2011, “Transatlantic approaches to cybersecurity and cybercrime”, The EU-US security and justice agenda in action, European Institute for Security Studies, pp.41-54

[7] N. Nielsen, January, 2013, “EU and US joining forces on Internet child abuse”, EUObserver

^[8] N. Nielsen, January, 2013, “US cloud snoops pose questions for EU cybercrime body”,EUObserver

[9] T. Parkhouse & L. van Bochoven, November 6, 2012, “An Agenda for NATO-EU-Private Sector Cyber Collaboration”, Atlantic Council

About the author:

Jean-Baptiste Houdart obtained a Master in European studies from the KU
Leuven, Belgium in 2012. He is currently interning at the sector of
disarmament at the Permanente Delegation of the European Union to the
United Nations in Geneva.