Knock Knock, Brussels: Fortress Europa’s growing cybersecurity firewall

Few people have flown to the aide of the NSA of late. Faced with significant scrutiny from elected officials, civil liberties groups, and technology firms alike, NSA assessments confront an environment in which practices for establishing foreign states’ intentions are laboriously monitored.

A report presented in June 2012, Towards a European Cybersecurity, examines one intelligence product the NSA was legislatively tasked to assess: EU policies on information security, securitization of its economic networks, and the political challenges of merged supranational objectives. In the report, published after the fourth annual international conference and hosted by the INDS (Institute for National Defense Studies, roughly the French equivalent of America’s own National War College), EU representatives elucidate responses to threats in vital telecommunication networks and commerce.

Held in the European capital, Brussels, and chaired by INDS Director Vice-Admiral Richard Laborde, the conference provided delegates with an open forum designed to clarify current national level policy and generate dialogue on shared interests and goals. With public and private sector participation by entities such as ENISA, ANSSI, EADS, and the Secretariat General of the European Council, discussion focused on three dimensions of cybersecurity: 1) industrial and commercial sector vulnerabilities, 2) current response capacity of member nations, and 3) European action at a global level to fight cyberthreats.

Overwhelmingly, delegates continue to see national prerogatives as superseding those of the Union as a whole or, as Giovanni Faleg describes in The Governance Gap in European Security and Defence, as differing “strategic cultures and interests.” This parallels comments given at the INDS conference by Dr. Steve Purser, Director of Core Operations at ENISA, the principal pan-European cybersecurity agency, that his agency is only “a center of expertise in service of the member states that…facilitates the exchange of information on security between public institutions and the private sector.”

Delegates tended to agree that the current structure of supranational politics in Europe not only prevents but also often works against the sharing of information across borders. This, unfortunately, creates inefficiencies when coordinating militaries, legal jurisdictions, commercial activities, and intelligence networks.

Some of this inefficiency originates in the relative novelty of cybersecurity itself, which is viewed as distinct from the simple safeguarding of information. Rather than bigger, bolder firewalls, actionable information and economic data require securitization—measures that are proactive in addressing cyberthreats. To date, however, this shared attitude has been confined to statements of intent.

Many nations admit they are making efforts to move forward, as the creation of no fewer than five cybersecurity centers and ministerial level committees in the UK, Spain, Germany, France, and Austria demonstrate. In the words of French ANSSI Director General Patrick Pailloux, threats to national assets are global by nature and deserve appropriately scaled cyberdefense responses from both individual EU members and the EU as a whole. He also stated, “firstly, strategy must insist on the crucial necessity of accelerating and reinforcing the development of cybersecurity capacities within the members themselves.”

Responses must consider the military-industrial-intelligence nexus and cannot be limited to political interaction. To date, this has helped goal setting through the pan-European cyber security preparedness exercises held in 2010 and 2012, Cyber Europe, but has yet to fully address threats that continue to develop in cyberspace. This point was emphasized by British delegate Sarah Lampert, Deputy Head, International Cyber Policy Unit in the Foreign & Commonwealth Office, who stressed, “we shouldn’t envisage cyberspace and cyberpolitics uniquely in terms of threats and security,” but rather, “in the spirit of economic and social benefit.” However, she did continue by noting that the United Kingdom still considers cybersecurity as part of its overall national defense and views cyberspace as a component of state strategies in preparing and executing military actions.

While strengthening internally and “speaking with one voice,” as German international cyberpolice coordinator Martin Fleischer elaborated, significant support exists for increasing policies aimed at existing bilateral relations, in particular with Russia and China, and establishing political and strategic objectives to accompany them. When establishing improved bilateral relations, the real question for policy strategy is “to know how to work with the States who’ve distanced themselves and with the states who have conflicting priorities.” Importantly, according to Fleischer, policy must also consider “the liberty of opinion” and “human rights.”

Any European policy response is going to be collective, but discussions remain centered around interstate policy coordination rather than supranational policy efficiency. The embodiment of supranational governance on the continent, the European Council, is at this point only pursuing protection of “the communications systems and sensitive and classified information against technical attacks,” according to Council representative and Head of Sector Jean-Luc Auboin.

Despite some progress and encouraging cooperation, the EU’s members remain as divided in dealing with cyber threats as they are in dealing with traditional security policy.

Feature Photo: cc/(Justus Blümer)