Austria, Finland, France, the Netherlands, Spain, and Romania have urged the European Commission to aim high in its upcoming proposal on cyber defence, setting out their recommendations on five priority areas.
The non-paper, obtained by EURACTIV and dated 27 September, is intended to influence the upcoming proposal for an EU Cyber Defence Policy (CDP).
The initiative is part of a broader security and defence package scheduled for 9 November and is due to include an action plan on military mobility and a European defence programme, as laid out by the EU’s new military strategy, the Strategic Compass.
“The CDP should also highlight the role cyber defence has within the broader EU security and military architecture,” the six member states wrote.
Question of definition
According to them, the starting point for the EU should be to develop a shared understanding of EU cyber defence, which cannot be limited to protecting military communications networks only.
They propose identifying areas where military and civil cooperation should be enhanced regarding investments, capacity building and coordination in case of attacks.
In addition, “the EU and its member states must clarify who protects what part of the European cyberspace as well as the roles and responsibilities of each actor”.
The non-paper stresses the need to update the EU’s cyber defence objectives and create a concrete roadmap to support their implementation.
It also suggests that the CDP should include a way for the most cyber-advanced member states to share their lessons learned and organisational blueprints.
A ‘genuine’ ambition
The six governments want the CDP to funnel the required investments to promote the priorities in the Strategic Compass. These include stronger cooperation among state and non-state actors, mechanisms for crisis management, coordination with partners such as NATO, promoting research and innovation, and capacity building.
Against these priorities, the member states would have to set out five-year national programmes, both civilian and military, in cooperation with the Commission and the European Defence Agency.
In addition, the EU countries want the Cyber Defence Policy to set guidelines for priority investments, particularly for emerging technologies such as post-quantum cryptography, which is designed to resist attacks from quantum computers.
According to the document, these guidelines might be accompanied by performance indicators that would help to inform the allocation of earmarked financial instruments in areas that require further financing, including in relation to the European Defence Fund.
The approach chosen for developing capabilities, the non-paper notes, “should be based, when relevant, on open source architectures and solutions”.
The six EU countries propose including a call for boosting cybersecurity in the Defence Technological and Industrial Base, the EU’s programme to develop a pan-European defence industry.
Besides the CDP, the non-paper calls on the European diplomatic service, the EEAS, to draw up an implementation plan for the EU’s military vision and strategy on cyberspace, as well as the EU concept on cyber defence for military-led operations.
The countries also want clarification of the responsibilities for crisis management and of the conditions under which military staff can ask governments to support common operations and missions, covering matters such as the type of incident, context, and financial and legal responsibility.
Moreover, they want the CDP to set out a mechanism whereby the EU countries can voluntarily pool their cyber capacity outside joint operations in ad hoc crisis response teams.
The document pitches giving a coordinating role to a member state, modelled on existing cyber coordination projects. This coordinator would coordinate cyber defence actions with external actors such as NATO, share information with the relevant stakeholders and report on identified cyber threats.
The member states also want the CDP to support the formal creation of a network of EU cyber commanders, which the EU Council agreed on in May as part of the EU’s cyber posture.
These commanders are intended to liaise between the technical and the strategic levels while cooperating with civilian bodies in case of significant cyber incidents or cross-border crises.
At the technical level, they make a case for operationalising the network of military Computer Emergency Response Teams that would have to cooperate with their civilian counterparts.
Education and training
Regarding capacity building, the non-paper calls for the organisation of exercises that combine civilian and military aspects starting next year and for developing shared training capabilities, including via permanent cooperation. Joint training courses and mutual participation in cyber exercises should be envisaged with NATO.
Finally, the six countries want a new recruitment policy at the EU level in the medium term, particularly by funding grants in the context of the Erasmus+ programme for European cyber talents to boost military and civilian skills.
They would also like to see a training programme at the European level.
[Edited by Alexandra Brzozowski/Zoran Radosavljevic]