The EU’s cyber defence policy was presented by the EU executive and diplomatic branches on Thursday (10 November) as a response to rising geopolitical tensions resulting from Russian aggression in Ukraine.
The cyber defence policy is a strategic document intended to strengthen European cybersecurity capacity, boost military and civilian cooperation, close potential security loopholes, reduce strategic dependencies and develop cyber skills.
“There is no European defence without cyber defence,” said EU digital chief Margrethe Vestager at a press conference, adding, “The US cyber defence policy steps up our ability to protect both our military and civilian assets from cyber-attacks.”
More investments are needed to scale up cyber defences at the EU and national levels, and there are currently several European programmes that can contribute to that, from the Permanent Structured Cooperation and European Defence Fund to Horizon Europe and Digital Europe.
However, this funding was already cut due to the strains on the EU budget, affected by rampant inflation, the emergency RepowerEU package and unbudgeted initiatives like the Chips Act.
The Cyber Defence Policy developed a cyber technology roadmap based on a strategic assessment of the most critical vulnerabilities to support long-term strategic investments from the member states, possibly with the support of the upcoming European Sovereignty Fund.
Voluntary commitments on how to scale up national cyber defence capabilities will also be discussed with member states. Cyber defence training programmes will also be set up, particularly in the form of an EU Cyber Skills Academy for several professional profiles, including those in the defence workforce.
The EU policy also strives to implement effective coordination mechanisms among national and EU cyber defence actors, between military and civilian cyber communities and between the private and public sectors.
“The public-private cooperation in cyber defence is getting more complex because of the role of non-European tech platforms in it. Europe should put in place clear and smooth procedures to work faster and more efficiently with the trusted cybersecurity SMEs,” Danilo D’Elia, vice president at YesWeHack, told EURACTIV.
On top of the existing structures, EU policymakers want to establish a Cyber Defence Coordination Centre to support enhanced situational awareness within the defence community and an operational network for military computer emergency response teams – CERTs in jargon.
A new framework project, CyDef-X, would also be established to support EU cyber defence exercises. But for EU decision-makers, the most significant development should come in situational awareness and response capabilities, thanks to civilian-run Security Operation Centres (SOCs).
Preparedness and response
The EU’s idea of establishing a network of SOCs as a ‘Cyber Shield’ dates back to the Cybersecurity strategy of 2020.
In the coming weeks, the Digital Europe Programme will launch calls to establish a series of SOCs. Since these operational centres usually operate on specific domains, they will be grouped at the national level.
However, SOCs are not just publicly funded. They are control rooms that monitor and react to cybersecurity incidents for their ‘client’ organisations. A critical point left unaddressed in the policy document is that existing operational centres have so far shared very little information because they have no incentive to do so, monetary or otherwise.
What the Commission envisages instead, as part of an EU Cyber Solidarity Initiative now in preparation, is the creation of a European advanced detection infrastructure to inform member states of threats in real time.
Moreover, the initiative is set to establish a cyber emergency fund to support countries under attack with the necessary competencies and resources. These emergency responses would be supported by an EU cyber reserve of trusted service providers.
The upcoming initiative would also operationalise the stress tests of critical infrastructure included under a recent Council recommendation.
An increasing challenge for the defence sector is that even a laptop operating system could be hacked with the intent of crippling a country’s military capacity. Therefore, the distinction in the cybersecurity requirements for civilian and military technology is blurring.
The EU’s approach in this area will develop risk scenarios, for instance, via penetration testing, to assess the importance of critical infrastructure for military communications and mobility. Moreover, cooperation between civilians and the military will be needed to develop harmonised standards for dual-use products.
At the same time, Cecilia Bonefeld-Dahl, director-general of the trade association Digital Europe, called for creating better conditions for European SMEs to develop their dual-use technologies.
The EU is poised to set up tailored partnerships with like-minded countries in the field of cyber defence. Joint training and exercises with NATO are also envisaged.
The progress on implementing the Cyber Defence Policy will be reported annually.
[Edited by Alice Taylor]