“Achieving cyber resilience in the EU” is one of the strategic priorities of the 2013 EU cybersecurity strategy.
Cyber resilience can be understood as an organisational, national and EU-level ability to deliver an intended outcome at all times even if regular delivery mechanisms have failed. The 2016 Global Strategy recognises that EU’s internal security depends on external security, including security of its partners and geographical neighbours. Cyberspace as a global and in some respects borderless domain exacerbates risks and vulnerabilities related to interdependencies. For example, a cyber incident in one country might affect cross-border transport, energy and financial flows, and almost all essential services, which depend on electricity and data communications. The Global Strategy commits the EU to “increase its focus on cyber security,” notably in CSDP missions and operations, and to invest in cyber diplomacy and cyber capacity building.
The Union supports third countries’ cyber security through three instruments: cyber diplomacy, development cooperation, and cyber capacity building. The EU capacity building approach is based on shared values and interest, consisting of a normative and an operational agenda. Council conclusions (Joint communication “A Strategic Approach to Resilience in the EU’s External Action” of 7 June 2017) set out the normative agenda, which is to project EU’s core values (human dignity and human rights, freedom, democracy, equality and the rule of law) including online protection of personal data, right to privacy and freedom of expression. Council’s conclusions on Cyber Diplomacy (Council conclusions on Cyber Diplomacy as adopted by the General Affairs Council on 10 February 2015, Brussels, 11 February 2015, 6122/15) recognise a link between development and cyber capacity building. Projects that aim to enhance protection of critical infrastructure and develop e-governance will simultaneously improve cyber security.
One of the main goals of EU cyber diplomacy is to build international consensus on international law’s applicability in cyberspace and to attain agreement in regards to responsible behaviour of states in cyberspace. States’ responsible behaviour in cyberspace is based on agreed political (legally non-binding) norms and confidence-building measures. EU’s recently revised cybersecurity strategy (13 September 2017) underlines that “international law, and in particular the UN Charter, applies in cyberspace” and stresses security concerns should not become a justification to compromise free speech and access to information, and surveillance technologies must not violate human rights.
In regards to the EU’s normative agenda Freedom House 2017 data classifies three Eastern Partnership countries (Azerbaijan, Armenia, and Belarus) as authoritarian or semi-authoritarian, which indicates that these governments may be less concerned about protecting the EU core values online. Empirical data supports this hypothesis, for example, Azerbaijan and Belarus have not created a data protection authority. Three countries do not publish public reports about cyber security threats and situation in the country, while only Azerbaijan has a website to inform public and has conducted public awareness-raising campaigns. None of the countries have adopted a cyber security strategy nor designated a government entity to develop cyber security policy.
There is also an alternative digital integration framework in the region that seems more attractive for Armenia and Belarus, member states of the Eurasian Economic Union. Together with Russia and Kazakhstan they have adopted a common model of information security threats, and are integrating national certification and e-signatures systems. They also share similar conceptual approaches to information security with Russia. Integration with Russia in information security is facilitated by shared ICT infrastructure, the Russian ownership of major telecoms, and due to the fact that public authorities and people use many Russian software products. For example, national regulation in Russia requires Russian telecom operators to install SORM (Система Оперативно-Розыскных Мероприятий) surveillance system, which violates customer privacy rights of these companies. SORM monitors and record IP traffic, phone calls and social media platforms. Moreover, the use of illegal Russian-produced software that is prone to backdoors and vulnerabilities is widespread in the region. These factors complicate the EU’s support to cyber capacity building in the region because values and interest in some areas clearly do not overlap.
The EU and the Eastern Partnership countries have agreed (A joint working document of the Commission and EEAS “20 Deliverables for 2020”) that during the next four years key cyber capacity building areas are:
- Fighting cybercrime (establishing international points of contacts, developing strategy and action plans, setting up operational cybercrime units),
- Protecting critical infrastructure,
- Setting up fully operational CSIRTs that cooperate with the EU,
- Developing actionable cybersecurity strategies,
- Establishing public-private partnerships and international cooperation,
- Developing the capacity to respond to cybersecurity incidents.
In spring 2017, the e-Governance Academy and ICDS assessed cyber security maturity levels in the six Eastern Partnership countries and findings were presented at the e-Partnership Conference on 4 October in Tallinn. The study reveals that all countries should improve their ability to respond to cyber incidents, establish or enhance cooperation with other countries and with the private sector, as well as improve the protection of critical information infrastructure, and develop cyber defence capabilities of armed forces.
The study also reveals that out of the six priority areas as of today the ability to respond to cyber incidents and to coordinate cyber crisis, as well as the ability to develop public-private partnerships and international cooperation are largely lacking in the region as a whole. In the area of coordinated response to large-scale cyber incidents, none of the countries has created response plan, and cyber crisis management exercises have been organised only in Georgia, while Ukraine has set up a cyber operations centre. Only Belarus and Georgia have established formal public-private cooperation frameworks. Only Belarus, Georgia, and Ukraine have identified measures to protect critical information infrastructure and have set up a specific unit for this.
Concerning technical capabilities, all countries except Armenia have national CSIRTs, have criminalised cybercrimes (but Belarus is the only country that has not joined the Budapest convention) and have identified a 24/7 point of contact for fighting international cybercrimes. Belarus, Moldova, Georgia, and Ukraine provide public e-services via secure digital platforms or are developing them.
In terms of the overall ranking of cybersecurity capacity maturity, Georgia ranks on top with 66% of criteria fulfilled, followed by Belarus with 59%. This result is consistent with the countries’ ranking in the ITU Global Cybersecurity Index (Georgia has 82% and Belarus 59% in ITU index). However, while all countries have an equal position at the level of ICT development in society (56-62%) – with an exception of Belarus that has 73% – there are gaps between countries in cyber security maturity. Armenia (16%) and Azerbaijan (37%) and in some extent also Moldova (42%) are lagging behind Ukraine, Belarus, and Georgia in cyber security maturity. This means that Armenia and Azerbaijan are the most vulnerable countries in the region.
Finally, while among the Eastern Partnership countries Georgia ranks top in terms of political freedoms and cyber security, Belarus ranks high only in cyber security. Azerbaijan that has only 14% in freedom index has about the same level of cyber security that notably more free Moldova that has 62% of political freedom.
To promote an operational agenda, the EU should consider expanding pan-European cyber crisis management exercises to the Eastern Partnership countries (for example, Georgia was an observer at the NATO CCD COE cyber exercise Locked Shields 2017). It should also consider consulting three countries on policy and strategy development in particular to counterbalance Russia’s pronounced influence in this area. Another area that requires immediate assistance from the EU is the protection of critical information infrastructure with three countries lacking respective legal frameworks.