Cybersecurity strategy: the EU and NATO’s approach
Security in the context of increasingly digital governments, societies and economies, means cybersecurity. Maintaining cybersecurity is characterised by maintaining information availability, integrity, and privacy online.
Cybersecurity, like physical security, requires preventing and countering attacks – cybersecurity incidents. In its preventative function, cybersecurity requires the building of defence mechanisms. On the other hand, cyber resilience requires procedures and mechanisms for responding to and recovering from cybersecurity incidents. Although security tools are mainstream, in practice, several types of cybersecurity can be divided according to the security target. These are:
- Industrial Cyber Security – Protection of infrastructure, operations and data, countering corporate espionage
- Civil cybersecurity – privacy, IoT, user security
- National and International Cyber Security – Critical infrastructure protection, counter-cyberwar and government funded espionage, and cyberterrorism.
Part of the national cybersecurity is also the cybersecurity of groups of countries such as the European Union or NATO. Due to a large number of citizens and the EU union of developed economies, part of NATO, the Cyber Security Strategy of both is essential for civil and industrial cyber security worldwide.
Finally, both groups aspire to a deeper security role. NATO is a military organization and, as such, achieving and maintaining security and peace in the member states is of existential importance.
The EU, for its part, puts security at the head of its priorities, besides customs, economic, currency and market alliances, laying the foundations for a defence alliance. The EU’s goal is to preserve the online environment, ensuring as much freedom and security as possible for everyone. And to achieve this goal, the EU include specific actions and tools to promote cybersecurity in its strategy from 2020. While recognizing that it is primarily the task of Member States to deal with cyber security challenges, the EU cybersecurity strategy proposes concrete actions that can improve overall EU productivity.
These actions are both short and long-term, they involve a variety of policy instruments and involve different types of actors, whether EU institutions, Member States or industry. The EU vision presented in this strategy is presented in five strategic priorities that address the challenges highlighted above:
- Trust and security at the heart of the EU Digital Decade
- Resilience, technological sovereignty and leadership
- Building operational capacity to prevent, deter and respond
- Advancing a global and open cyberspace through increased cooperation
- Cyber and physical resilience of network, information systems and critical entities
- Securing the next generation of networks: 5G and beyond
Based on the results to date, further EU action would be useful for defending international cyber attacks and contributing to a more coordinated response in emergencies, including a cyberwar or cyber pillar in conventional wars (eg Russia war in Ukraine). This will strongly support the smooth functioning of the internal market and enhance the EU’s internal security.
The goal of a cyber security strategy is to increase the global sustainability and security of ICT assets that support the critical processes of the state or society as a whole. Therefore, setting clear goals and priorities is of paramount importance for success in this field. Typical tasks to consider in this step are listed as below:
- Definition of vision and scope for a certain period of time ( 5-10 years).
- Identifying business sectors within the scope of this strategy.
- Prioritize objectives in terms of the impact of society, the economy and citizens.
- Identify a road map for implementing the strategy
Responsible for these steps are:
- European Network and Information Security Agency (ENISA)
- Computer Emergency Response Team (CERT-EU)
- National Network and Information Security (NIS) competent authorities
- National Incident Management Structure – CERTs
- European Standards Organizations – CEN, CENELEC, ETSI
Despite progress on the basis of voluntary commitments, there are still gaps within the EU, in particular in terms of national capabilities and coordination in case of incidents. Europe will remain vulnerable without significant efforts to promote improved capacity of government institutions to boost cybersecurity and a private sector to promote cybersecurity.
More capacity is needed to prevent, detect, and handle security incidents. The EU has adopted two instruments to improve these capabilities – a legal instrument and an investment instrument. With regard to legislative acts, the European Network and Information Security (NIS) Directive 2016/1148 (of 6 July 2016) requires that:
- National Cyber Security Strategies
- Strategic “cooperation group” to exchange information and assist Member States in building cybersecurity capacity
- Risk Management and Alarm Practices for Critical Infrastructure Accidents, Information Services, State Administration
The NIS 2 Directive currently under negotiations also formalises a EUCyber Crises Liaison Organisation Network (EU-CyCLONe)
In terms of investment, the EU set up in 2016 a so-called public-private partnership to pool public and private sector money in investing in cybersecurity. The investments under this instrument were expected to reach up to 1.8 billion euros by 2020. The Digital Europe Programme, for the period 2021-2027, plans to invest €1.9 billion into cybersecurity capacity and the wide deployment of cybersecurity infrastructures and tools across the EU for public administrations, businesses and individuals. The European Commission’s objective is to reach up to €4.5 billion of combined investment from the EU, the Member States and the industry, notably under the Cybersecurity Competence Centre and Network of Coordination Centres, and to ensure that a major portion gets to SMEs.‘
As for the EU critical infrastructure investment in cybersecurity, the EU Agency for Cybersecurity (ENISA) found in 2021 study that a typical operator of essential/digital services (OES or DSP covered by NIS Directive) invests around 2 million euro on information security. Vulnerability management and security analytics account for 20% of this investment, and 18% goes for GRC (Governance, Risk and Compliance).
On the other hand, NATO’s cybersecurity strategy is to promote and cooperate with the industry. The objective is simple, these could provide the necessary infrastructure, tools and qualified staff needed to maintain a good level of security in the NATO Member States and to NATO as an organisation.
In July 2016, Allies reaffirmed NATO’s defensive mandate and recognised cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea. As a military organisation, the main issue that NATO is facing is to reinforce the security of its members. All of its members have upgraded their cyber defence ever since.
Key NATO developments since 2016 include:
- NATO Cyber Rapid Reaction teams are on standby to assist Allies, 24 hours a day, if requested and approved.
- At the Brussels Summit in 2021, NATO members endorsed a new Comprehensive Cyber Defence Policy, which supports NATO’s core tasks and overall deterrence and defence posture to further enhance the Alliance’s resilience.
- At the Brussels Summit in 2018, Allies agreed to set up a new Cyberspace Operations Centre as part of NATO’s strengthened Command Structure. They also agreed that NATO can draw on national cyber capabilities for its missions and operations.
- Allies are committed to enhancing information-sharing and mutual assistance in preventing, mitigating and recovering from cyber attacks.
- NATO and the European Union (EU) are cooperating through a Technical Arrangement on Cyber Defence, which was signed in February 2016. In light of common challenges, NATO and the EU are strengthening their cooperation on cyber defence, notably in the areas of information exchange, training, research and exercises.
Contrary to the public perception, IT capacity is only one small part of cybersecurity, the better the security staff is the major part of cybersecurity. As a consequence, human resources development is the main tool to protect the cybersecurity of NATO. As such, NATO invests in different cybersecurity operations, such as:
- NATO Computer Incident Response Capability – to protect its own own network
- NATO’s Smart Defense initiatives – for improved cooperation between NATO members , including based on:
- Memorandum of Understanding on cybersecurity by 28 members of NATO (2016) – Malware Information Sharing Platform
- Smart Defense Multinational Cyber Defense Capability Project
- Multinational Cyber Defense Education and Training Project
To create the necessary skills for current and future NATO staff, the organisation creates its own training units in Europe. Some are selected as below:
- Cooperative Cyber Defense Center of Excellence (CCD CoE) and Cyber Range in Estonia
- Communications and Information Systems School (NCISS) in Italy
- Annual Cyber Coalition Exercise and Crisis Management Exercise
- Devoted school in Germany
But how all these initiatives create synergies in the EU?
As mentioned above, the majority of EU Member States are also NATO members. This implies both mutual interests and coverage of the two alliances. As it became clear earlier in the post, both coalitions expect the Member States to develop individual cybersecurity plans and strategies to feed into the common strategy. This also implies that for effective results, both have to harmonise their strategies and support each other with their full capacity. Currently, cooperation means the exchange of best practices and information between NATO and the EU.
In conclusion, security, in the context of increasingly digital governments, societies and economies, includes both physical security and cybersecurity. Part of national security is also the cybersecurity of your like-minded partners. And because the many citizens and most of the developed economies belong to one of these two unions (European Union or NATO), their cybersecurity strategy is essential for civil and industrial cybersecurity worldwide.