EU Policy on Fighting Hybrid Threats

On 6th April 2016, the European Union adopted a Joint Communication On Countering Hybrid Threats in order to activate a coordinated response at EU level and to build on European solidarity, mutual assistance and the Lisbon Treaty. This is a timely response,  in light of the dramatic changes in the security environment of the European Union and especially with regard to the challenges to the peace and stability of the eastern and southern neighbourhood of the EU.

Background and general aspects

The Communication defines the concept of hybrid threats as a ‘mixture of coercive and subversive activities, conventional and unconventional methods (i.e. diplomatic, military, economic, technological), which can be used in a coordinated manner by state or non-state actors to achieve specific objectives while remaining below the threshold of formally declared warfare’. Hybrid threats are usually referred to in connection with the conflict in Ukraine or the ISIL/Da’esh campaign in Iraq; they can include different strategies and tactics to influence decision-making processes for the purpose of  achieving strategic aims, such as massive information campaigns, recruiting radicals or using proxy actors to conduct certain acts.

The Communication aims to establish synergies between the different instruments available at the European level whilst fostering cooperation between all the relevant actors. These instruments include the European Agenda on Security, the soon-to-be-adopted EU Global Strategy for Foreign and Security Policy and European Defence Action Plan, the EU’s Strategy on Cyber Security, the Energy Security Strategy and the Maritime Security Strategy. The Communication outlines a list of actions that it encourages the Member States and the European Institutions to take:

  • launch of a hybrid risk survey to identify key vulnerabilities by the Member States;
  • creation of a Hybrid Fusion Cell within the EU intelligence and Situation Centre (EU INTCEN) that operates under the European External Action Service (EEAS), which would operate as an information-sharing platform concerning hybrid threats;
  • updating and coordinating strategic communications;
  • establishment of a Centre of Excellence for countering hybrid threats, which would work closely with existing EU and NATO centres of excellence;
  • establishing common tools for the protection of critical infrastructure, including the diversification of energy resources, promotion of safety and security standards to increase resilience of nuclear infrastructure, monitoring emerging threats in the transport sector, and promoting resilience of space infrastructure (satellite communications);
  • proposing projects on how to adapt defence capabilities and development of EU relevance;
  • improving the awareness of hybrid threats in the public health and food safety sector;
  • targeting hybrid threat financing;
  • building resilience against radicalisation and violent extremism;
  • cooperating with third countries;
  • building on Crisis Management and Integrated Political Crisis Response procedures; and
  • increasing cooperation with NATO.

Aspects related to cyber security

The Communication takes note of the importance of resilient communication and information systems in Europe to support the Digital Market. It states that sectors under the upcoming NIS Directive such as energy, transport, finance and health, as well as digital services, should notify serious incidents to national authorities, including those with hybrid characteristics. The Communication encourages Member States to take full advantage of the 28 CSIRTs (established under the NIS Directive) and the CERT-EU.

Regarding the industry, the Communication places importance on the convergence of risk management approaches, highlighting public-private cooperation and the European Commission Network and Information Security Platform, which is an initiative on the European level to establish best practices in risk management and to support the efforts of the NIS Directive. It emphasises the importance of industry cooperation through the establishment of a contractual Public-Private Partnership on Cyber Security (to be launched in mid-July 2016) and the Commission reinforces its commitment to work together with industry to develop and test technologies which might have an impact on hybrid threats.

Regarding cyber security, the Communication prioritises three sectors: energy, finance and transport, and outlines specific actions for each of them as follows:

  • Energy: In addition to developing a comprehensive energy sector strategy on cyber security in smart grid operations and launching a web-based information sharing platform, the Commission will consider proposing ‘risk preparedness plans’ and procedural rules for sharing information for market operators, in order to establish common rules across Member States in times of crisis.
  • Finance: The Commission and the European Network and Information Security Agency (ENISA), together with the Member States and relevant financial institutions and authorities, promise to promote and facilitate threat information-sharing platforms and try to identify current obstacles to such sharing.
  • Transport: The Commission and the European Aviation Safety Agency (EASA) are in the process of developing a Cyber Security Roadmap for the aviation sector. Cyber security threats in the maritime sector have also been addressed in the EU Maritime Security Strategy. The Commission and the Member States are encouraged to further examine ways to respond to hybrid threats in the different sectors of transport.

How it relates to actions taken in NATO and the way ahead

The fact that the EU has stepped up to build a comprehensive plan to counter hybrid threats in cooperation with NATO is a welcome development, but a lot still needs to be done for it to translate into concrete measures. Talk of closer EU-NATO cooperation has been a topic for some time and has already yielded some initial results in the form of a Technical Arrangement on Cyber Defence between the NATO Computer Incident Response Capability (NCIRC) and the Computer Emergency Response Team of the European Union (CERT-EU). However, substantive cyber defence policy cooperation still needs further work in order to develop concrete mechanisms and procedures that will produce results on a practical level. The Communication makes an effort to establish further cooperation with NATO initiatives, such as in the areas of strategic communications, cyber security, crisis prevention and response, and situational awareness. It proposes that one way to do that is to establish better information-sharing on incidents between the EU Hybrid Fusion Cell and NATO’s hybrid cell, as well as joint exercises. Whether that would also include cyber security and how it relates to other existing information- sharing networks is not yet clear.

It remains to be seen when, how and to what extent these proposals will be transposed into practice and how the NATO-EU cooperation will take effect.

Mari Kert-Saint Aubyn

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.