On 13 June 2018, the European Parliament (EP) plenary adopted Resolution 2018/2004(INI) on cyber defence, calling on EU Member States to work closely together to counter increasing cyber and hybrid challenges and attacks. Cyber defence remains a core competence of the Member States, reaffirms the EP, but still the EU has a leading role in providing a platform for EU cooperation, coordinating efforts in the transatlantic architecture.
While resolutions are not a legally binding act of the EU institutions and only suggest a political desire to act in a given area, the cyber defence resolution passed in June seems to put particular pressure on the Member States (MS) and on the EU institutions themselves to act jointly and quickly to counter the ever-growing cyber threat.
The Members of the European Parliament (MEPs) stated that malicious cyber activities and state-directed cyber-attacks (or attacks conducted with the knowledge and approval of a state)[1] constitute a major threat to the security, defence, stability and competitiveness of the EU, its Member States and its citizens. As such, they represent potential violations of international law, human rights and EU fundamental rights, which require a comprehensive and appropriate EU cyber defensive response within the framework for joint EU diplomatic responses to malicious cyber activities (the so-called EU Cyber Diplomacy Toolbox[2]).
Unfortunately, the fragmentation of European defence strategies and a lack of information sharing make Member States more vulnerable. For this reason, the 28 are invited to enhance their armed forces’ interoperability and cooperation with NATO and other partners,[3] overcoming the existing political, legislative and organisational obstacles to cooperation on cyber defence.
Capability development for deterrence and cyber defence of EU missions and operations
To this end, the EP considers that an urgent reinforcement and development of defensive and even ‘offensive cyber capabilities’[4] is primarily necessary, including the cyber defence of Common Security and Defence Policy (CSDP)[5] missions and operations, together with an improved EU-NATO[6] sharing of information.[7] Both cyber defence capability development and information sharing serve to enable the formal attribution of cyber-attacks and consequently the imposition of restrictive sanctions on those responsible. The need to identify the authors of such violations explains the particular emphasis that the EP places on the development of attribution capabilities. These capabilities are to be considered an essential component of effective cyber defence, deterrence and prevention, and entail the development of substantial further technological expertise.
Noting that CSDP missions and operations are deeply reliant on functioning IT systems, the EP stresses the need for cyber defence to be considered as an operational task, to ensure that cyber security is constantly considered throughout the planning process and thus to reduce cyber vulnerability gaps. With the aim of fostering interoperability, necessary for the conduct of joint operations, the EP also invites the relevant EU institutions to consider ways of providing Union-level support for integrating the cyber domain into Member States’ military doctrines, and welcomes the exchange of concepts in close cooperation with NATO for integrating cyber defence requirements and standards into the planning and conduct of missions and operations.
EU-NATO initiatives, civil military cooperation and public-private partnerships
MEPs stated that the reinforcement of EU cyber defence should also go through new initiatives to be identified in EU-NATO relations, such as the possibility of cooperating with the NATO Cooperative Cyber Defence Centre of Excellence and including a dialogue with NATO on the possibility of the EU joining it. Among the new initiatives sponsored by the EP, particular emphasis is on exchanges for education and training in the field of cyber defence and on military academics’ integration of cyber defence education into their curricula. In this regard, while MEPs strongly supported the Military Erasmus Programme[8] and other common training and exchange initiatives aimed at enhancing the interoperability of the armed forces of the MS and the development of a common strategic culture through an increased exchange of young military personnel, they also stressed that such initiatives should include military personnel of all ages and from all ranks.
In this light, the MS are also called upon to promote greater mutual availability of virtual cyber defence training and cyber ranges. The European Defence Agency (EDA) could play a fundamental role in this area, in supporting the Cyber Ranges Federation[9] through a Cyber Defence Training and Exercise Coordination Platform (CD TEXP) with a focus on strengthening cooperation, harmonising requirements, fostering cyber defence research and technology innovations and collectively assisting third countries in building their capacities to create resilience in cyber defence.
Among the new initiatives, the EP expresses particular appreciation for the recent arrangement between the EU’s Computer Emergency Response Team (CERT-EU) and the NATO Computer Incident Response Capability (NCIRC), aimed at facilitating the exchange of information, logistical support, shared threat assessments, personnel acquisition and the sharing of best practices to ensure the ability to respond to threats in real time. Provided that full conformity with EU data protection legislation is ensured, useful information held by CERT-EU could be shared with NATO and help cyber defence research.
The resolution also addresses the need for civil-military cooperation and public-private partnership. On the one hand, private cyber-security firms play a pivotal role in early warning and attribution of cyber-attacks; on the other, the EU capability to develop cyber defence projects hinges on its control of technologies, data and services and on its reliance on a trusted industry stakeholder base. In the meantime, the EU Parliament calls for a comprehensive review of software, IT and communication equipment and infrastructure used in the EU institutions, in order to exclude potentially dangerous programmes and devices and ‘to ban the ones that have been confirmed as malicious, such as Kaspersky Lab’. This statement is surprising, as it is unusual for an institution like the EP to urge a specific ban on allegedly dangerous software from a foreign (Russian) company.
International norms applicable to cyberspace
From the perspective of international law, closer coordination on cyber defence between the Member States, the EU institutions, NATO, the United Nations (UN), the United States and other strategic partners should cover in particular rules, norms and enforcement measures in cyberspace, with the EU to assume a leading role in the ongoing and future debates on, and implementation of, international norms in the cyber dimension. In this regard, the resolution recognises that the 2013 and 2015 UN Group of National Experts on Information Security (UNGGE) reports apply[10] and should be thoroughly implemented, including the recognition that existing international law and, in particular, the Charter of the UN[11] is applicable and is essential to maintaining peace and stability and to promoting an open, secure, peaceful and accessible IT environment. Moreover, noting the relevance of the Tallinn Manual 2.0, the MEPs call on the Member States to start analysing and applying what the experts have stated in the Manual and to agree on further voluntary norms of international behaviour.
The resolution also addresses an interesting definitional requirement: together with NATO, Member States should draw up EU-level criteria for, and a definition of, what constitutes a cyber attack, so as to improve the EU’s ability to quickly reach a common position following an internationally wrongful act in the form of a cyber attack.
The resolution re-affirms the possible application of the mutual defence clause (article 42 (7) of the Treaty on the EU) and of the solidarity clause (article 222 of the Treaty on the Functioning of the EU), recommending that each Member State embrace the obligations to assist any other Member State that is under cyber attack and to ensure national cyber accountability in close cooperation with NATO.
Institutional reinforcement
Finally, the EP stresses the necessity of an institutional reinforcement, calling on the MS to engage in more ambitious cooperation in the cyber domain, within the framework of a new Permanent Structured Cooperation (PESCO)[12] cyber cooperative programme, with a view to supporting quick and effective planning, command and control of present and future EU operations and missions. The programme would be led by high-ranking military as well as civilian staff from each MS and would be accountable to the EU ministers of defence in the PESCO format. This institutional reinforcement called for by the EP should also entail the presentation of an EU white book on security and defence, with cyber defence and deterrence as a cornerstone. The white book would cover both the protection of the cyber domain for operations, as laid down in article 43 TEU, and common defence, as laid down in article 42(7) TEU, and would be completed by the creation of an EU Council of Defence.
Author: LTC Massimiliano Signoretti
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.
1. Such as NotPetya and WannaCry, respectively attributed to the Russian Federation and North Korea.
2. Aimed at developing the EU’s and Member States’ capacities in order to influence the behaviour of potential aggressors, the Toolbox foresees the use of proportionate measures within the EU Common Foreign and Security Policy (CFSP), including restrictive measures. On this topic, see an earlier Incyder article ‘European Union Equipping Itself against Cyber Attacks with the Help of Cyber Diplomacy Toolbox’.
3. See the study ‘Cybersecurity in the EU Common Security and Defence Policy (CSDP): Challenges and risks for the EU’, European Parliamentary Research Service, Scientific Foresight Unit (STOA) PE 603.175, May 2017.
4. In 2014 NATO established cyber defence as part of the Alliance’s core tasks of collective defence and in 2016 recognised cyberspace as an operational domain next to land, air and sea.
5. The CSDP is the European Union’s course of action in the fields of defence and crisis management; the prospective developments of its structures are sometimes referred to as the European Defence Union (EDU).
6. Previously, in the joint declaration of 8 July 2016, the EU and NATO agreed on a broad agenda of cooperation, followed by a proposal regarding cyber security and defence presented on 5 December 2017.
7. See the arrangement between the EU’s Computer Emergency Response Team (CERT-EU) and the NATO Computer Incident Response Capability (NCIRC), aimed at facilitating the exchange of information to ensure the ability to respond to threats in real time.
8. The Military Erasmus Programme, formally the ‘European Initiative for the Exchange of Young Officers Inspired by Erasmus’, is an initiative launched in 2008 by the European Union Ministers of Defence to harmonise the European Union Basic Officer Education and to increase interoperability, through exchanges between future officers of armed forces, as well as their teachers and instructors, during their initial education and training. The initiative is implemented by the Member States on a purely voluntary basis.
9. Cyber Ranges are key national facilities to develop and evaluate cyber defence capabilities. Their federation is based on a Memorandum of Understanding signed on 28 June 2018 in Brussels, which opens the way for the signatories to make their cyber ranges available for shared development activities and joint exercises by using the pooling and sharing arrangements developed through the EDA Cyber Ranges Federation Project launched in May 2017. Up to now 11 MS have implemented the Cyber Ranges Federation Project.
10. The 2015 UNGGE report, in particular, lists a set of norms of responsible state behaviour, including the prohibition of states conducting or knowingly supporting cyber activities contrary to their obligations under international rules. The UNGGE was unable to produce a consensus report in 2017.
11. Which prohibits the threat or use of force against the political independence of any state, including coercive cyber operations that are intended to disrupt the technical infrastructure essential to the conduct of official participative procedures, including elections, in another state.
12. PESCO is the part of the European Union’s (EU) security and defence policy (CSDP) in which 25 of the 28 national armed forces pursue structural integration. Based on Article 42.6 and Protocol 10 of the Treaty on European Union, introduced by the Treaty of Lisbon in 2009, PESCO was first initiated in 2017.