The EU as a whole is taking a more serious approach to cybersecurity
The Estonian Presidency of the Council of the European Union, which was symbolic for all government officials as well as for Estonia’s position in the EU, ended just as it began to seem to everyone involved that we had rather got the hang of leading European affairs. An important topic on which we made significant progress during our six-month presidency was the promotion of cybersecurity in the whole of the EU. The following is a short insight into the global cybersecurity situation, European developments in this context and the steps we should be taking in this field.
Let’s discuss the state of European cybersecurity first. The conflict in global cyberspace is intensifying year by year and 2017 was no exception. The fact that campaigns of untargeted criminal attacks are becoming more extensive, more intense and smarter every year has come to be accepted by all authorities responsible for cybersecurity around the world as a reality that we simply need to get used to and adjust to. Last year, however, was significant mainly because, for the first time, worldwide cyber campaigns were carried out and several countries decided to attribute responsibility to North Korea and Russia.
When Europe was struck by the WannaCry attack in May, bringing to a standstill British hospitals, car manufacturing in France and telephone connections in Spain, it was suddenly clear to everyone in Brussels that we could no longer bury our heads in the sand over cyber-attacks and their devastating economic impact.1 When, shortly afterwards, NotPetya also ran across Europe, halting, for example, the operations of shipping giant Maersk, this fact became even more evident.2,3
Over the years, Estonia has tried to reduce the use of operating systems that are no longer supported by vendors and has worked systematically on developing cybersecurity in the healthcare sector—which is why it escaped these globally significant attacks without considerable losses. But damage had been caused in Europe as a whole and it had to be decided what to do to prevent this from happening again—and expectations for Estonia’s approaching presidency increased significantly.
Following the devastating attacks in Europe in the spring and summer, it was admitted for the first time that the attitudes of those countries that had carried out cyber campaigns themselves or fostered their implementation on their territory had to be changed. Cyber-attacks have mainly been a convenient tool for these countries in achieving their objectives because no one has had to fear any economic or political sanctions. This applied especially to the EU as a whole—sanctions from the world’s most important economic union were nothing to fear. In order to change this situation, it was recognised shortly before the beginning of Estonia’s presidency that the EU must be capable of responding to cyber-attacks with all the instruments at its disposal, from diplomatic efforts to economic sanctions.
Our task for the following half-year was to lead the EU to an agreement on how all this should be done. We managed this classic presidency task smoothly and, since mid-October, the EU has had rules on how it should respond to cyber-attacks using foreign-policy tools. This was confirmed by the General Affairs Council in its conclusions of 20 November, which stressed that the adoption of this joint framework should contribute to international stability in cyberspace “by setting out measures within the CFSP including restrictive measures, which can be used to prevent and respond to malicious cyber activities”.4 It also called for the use of that framework to be regularly exercised.
Similar action by other countries was quick to follow. The US Homeland Security Adviser’s statement on 19 December that North Korea was responsible for the WannaCry attack and the fact that Japan, the UK, Australia and New Zealand supported this undoubtedly encouraged Europe’s joint action.5 And it signalled that the world had entered an era in which countries respond to cyberattacks with all the weapons in their arsenal, not only by developing their own cybersecurity.
When, in February 2018, mainly the same countries, including Estonia, publicly and collectively identified the perpetrator of the NotPetya attack, it was clear to all concerned that such a response to cyber-attacks by the West was becoming a rule. The situation changed for the EU, however, because a country whose status in the EU is not about to change in the coming years attributed the attack to a state for the first time and directly brought out the damage to its economy. The estimated damage of about 300 million euro incurred by the Danish shipping company Maersk clearly gave reason for this.
“Hacking is the most dangerous when its intent is causing damage. Russians have raised the significance of this activity up to where it causes damage comparable to military activity,” Danish defence minister Claus Hjort Fredriksen commented in February.6 If this statement is seen in the context of applicable international law, as described in the Tallinn Manual, we realise that by making this statement Denmark (a member of both NATO and the EU) in essence compared the cyber-attack to military activity—a significant step by any country. It is clear in this context that the EU cannot forego joint action and responses to these attacks.
This international background must be also taken into account by Estonian politicians—attributing cyber-attacks is complicated but by no means impossible and depends primarily on political will. Estonia has been able to prevent high-impact cyber incidents in the past few years, thanks mostly to systematic activity, but we should not be lulled by this apparently positive situation—we should also be prepared to take similar action in our own international affairs. We can, therefore, be quite sure that in international relations cyber-attackers will now encounter collective responses, in which the EU will certainly participate.
While all this was undoubtedly important for Europe’s common cyber-development from the capitals’ viewpoint, Brussels considered the most important step in cybersecurity last year to be the new cyber package, presented by the European Commission in September during the Estonian presidency, which introduced the new EU cyber strategy.7 Although such nice, ambitious documents, which we know Brussels is good at producing, might not mean much for the member states, it should not be underestimated because it sets out the main directions in EU cyber-activity for the years to come.
“Our future security depends on transforming our ability to protect the EU against cyber threats: both civilian infrastructure and military capacity rely on secure digital systems,” states the introduction to the strategy. So cybersecurity has now become the subject that forms the basis for the entire future of the EU. How is it intended to substantiate this great ambition? And what will be the most important aspects for us?
The strategy covers any field directly or indirectly related to cybersecurity. It would probably take up this entire publication to explore this, but I will address two fields whose importance could be considered most significant for Estonia in the future: contributing to research and development activities, and developing a single market in the field of cybersecurity.
The EU has always been best at one thing: influencing member states to cooperate more by directing joint resources. While the digital single market—the cross-border provision of digital services in the EU—is one of the priorities of the current European Commission, there was not very much ambition over cross-border cooperation in ensuring cybersecurity before this strategy. The strategy started an initiative that aims to direct EU member states towards more effective cooperation in cybersecurity R&D activity. As the strategy admits, for the EU and its industry to catch up a bit with the US and China—which dominate the global market in the sector—large-scale investment is needed, which in Europe can be raised only by providing more direct support for cooperation between the member countries, because in a digital single market we also need cybersecurity solutions that help all EU member states to move forward quickly.
However, when hearing about such an initiative anyone who has the slightest understanding of the field will immediately ask whether there aren’t already enough centres of excellence in Europe (particularly in the field of cyber). This is true—and it is shown by the results of surveys conducted by the Commission. But cooperation between existing R&D centres in the member states is inadequate, and only the EU can facilitate it with the smart targeting of resources.
In this respect, the formation in early 2018 of the Estonian Information Security Association, in cooperation with Estonian companies, universities and the Information Security Authority, is quite symbolic.8 This initiative has the potential to become part of the new EU network, through which we can take to the European level the smart cybersecurity solutions that we have launched in our country in cooperation with companies and the Estonian government. A great example here is how we have used blockchain technology in our e-state security, which for several European countries still seems like pure science fiction. We should not forget that our e-state is also a unique platform for testing novel and bold solutions for ensuring security, which has been happening, and with this new initiative the EU is creating a more systematic basis for further developing our successful solutions on the European level.
Another option for the EU to significantly advance European cybersecurity, in addition to supporting cross-border R&D cooperation, is good old market regulation to increase the cybersecurity of products and services in the European market. Many fields already apply a method for evaluating the quality of various products or services in different sectors of the single market framework and to certify this level of quality based on certain scales or schemes.
For example, everyone is probably aware of the possibility of assessing the energy efficiency of a washing machine and to make a decision to buy based on this. Cybersecurity does not yet have this option. Meanwhile, it is acknowledged that consumers and product users in this field often buy the least secure products, which create easy and accessible resources for cyber-attackers that can be used for different cyber-offences. This means that the situation today is very unfair for a regular computer user who seems to be expected to use more secure IT products and services while not being given the chance to make informed decisions.
This is what the European Commission is trying to improve with its initiative last autumn by kick-starting the creation of a pan-European system to organise cybersecurity certification. This is currently organised by member states that have authorities with responsibility for the field and laboratories that organise certification, issue cybersecurity certificates and conduct various other related processes. Only the larger EU member states have this capacity to provide credible cybersecurity certification, and the remaining countries either trust the certificates they issue or are not involved in this topic at all.
But what does this situation mean for Estonian companies that may want to enter the European market with their cybersecurity solutions? It means that, for a solution to be sold in Germany, it must be certified according to the German system; but a German certificate does not guarantee the ability to sell the same product in France, where there is a different system with slightly different requirements to be met. The completion of each certification process is costly, meaning that the current situation primarily benefits the larger member states.
It can therefore be seen that there is no single European cybersecurity market and the initiative is attempting to resolve all these deficiencies at once. In the best-case scenario, in five years’ time we might find ourselves in a situation where consumers can to some extent evaluate the cybersecurity of products and services sold in the European single market in certain sectors and then make the decision to use the more secure product. Negotiations about this initiative began during the Estonian presidency, and the upcoming Austrian presidency [July–December 2018—Ed.] will have to conclude them. Naturally, it is not in Estonia’s interests to establish a European cybersecurity regulatory system that does not create any added value and at the same time would impede our own companies. There is a risk of such a regulation being created, and to prevent this we need to oppose the desire to overregulate a field that the EU is entering for the first time with its new initiative. Simplicity and transparency are the keywords from which we should proceed.
The steps taken last autumn during Estonia’s presidency can significantly develop the cybersecurity of the EU as a whole. For the proposed initiative to succeed, we need a little patience—a trait that an efficient, small country like ours does not usually have in excess. The cybersecurity of Europe as a whole will improve significantly when we learn to use all of Europe’s foreign-policy tools to counter cyber-attacks, when states start to cooperate more in the field of research and development in cyber-defence with the support of EU investment, and when a simple and transparent system for assessing cybersecurity is developed in the European market. We must hope this will be the case.
This article was published in ICDS Diplomaatia magazine.