Cyber-security in the European Union, the big “time trial”

Quentin Dumont, translated by Perrine Berthier
2 Juillet 2013

The question of cyber-security, now cleared of its « glamorous-geek » panache, makes a significant return in the international political agenda. After a decade of hesitations and partial initiatives, decision-makers finally admit the necessity of putting in a global strategy of cyber-defence.

From left to right : Neelie Kroes, Vice-President of the European Commission in charge of the Digital Agenda, Catherine Ashton, High representative for Foreign Affairs and Security Policy, and Cecilia Malmström, EU Commissioner for Home Affairs
From left to right : Neelie Kroes, Vice-President of the European Commission in charge of the Digital Agenda, Catherine Ashton, High representative for Foreign Affairs and Security Policy, and Cecilia Malmström, EU Commissioner for Home Affairs
If the United States opened the ball in 2012 with their Cyber Security Act project, Europe is catching up. After having announced in February their decision to forge a European strategy regarding cyber-security, the European Commission produced an ambitious directive project on the 6th of June which will have to be discussed by the Parliament and the Council in the next months. Though, the first steps of the EU towards a European cyber-bastion turn out to be laborious. 

The cyber-threats, a European reality

If cyber-security is not new in Europe, the strategy initiated by the Commission in February is, as for it, new: the problem has never been tackled in such a global and coherent way. How could this turnaround regarding cyber-defence be explained? It must be by the emergency of the situation. Explanation.
It would be wrong to give up the issues of cyber-security to the Sino-American commercial relationship. And for good reason, the EU backwardness with regards to cyber-defence exposes it to attacks of which the consequences could prove to be disastrous, if some “critical infrastructures” would ever come to be hit. The hospitals, the governmental agencies, power plants and financial services rely more and more on the web. A considerable amount of information is collected, created and stored online. It is an attack of these weak links – or “critical infrastructures” – that decision-makers dread.   
 After all, the Israeli virus Stuxnet put an Iranian power plant out of order; a scenario which, if it came to happen in France, would knock the whole electrical network down. The globalised structure of networks suggests an even more general collapse: the World economic forum estimates the probability of a major web rupture due to a cyber-attack at 10%, so a cost which would reach about 200 billion of dollars.      
In a less alarmist perspective, cyber-attacks represent a daily economic harm. A report from the British government claims that 78% of big British companies suffered from an attack in 2012, for a bill reaching about a million euros. Without any coherent cyber-security strategy, European growth could be strongly compromised. 

We can add the political requirements which are as much worrisome: the multiplication of attacks committed by Chinese companies forces Brussels to gamble on its “Cyber-defence strategy” to solve the problem. Although, it imposes to act very quickly as the attacks multiply: in 2008, 9 cyber-attacks against critical infrastructures were attributed to China, and 198 four years later. Even more significant is the estimation that in 2011, the number of cyber-attacks in the world increased by 38% compared to 2010… There is an emergency here.

To force cooperation regarding cyber-security? One for all and all against the Commission

Thus, under the pressure from all sides, the Commission suggested its last solution to the problem of cyber-security in Europe on the 7th of February. The first section of this solution is a “strategy for Cyber-security” establishing safety standard common to all member States and companies. The second section is a directive project aiming to oblige companies and member States to cooperate with the European institutions by signaling all attacks targeting them. The method might seem derisory, but it is not: without cooperation, it is impossible to move forward. But here we are, cooperation does not seem to interest a lot of people.   

It is the business world which grumbled the fastest. Indeed, until now, companies used to indicate the cyber-assaults on a volunteer basis. Yet, the majority of these companies are very careful not to expose that their systems are not completely safe. Moreover, a large part of big firms already have a cyber-security strategy in place, meaning that they don’t really want to start over to follow the standards of the Commission. Suffice to say that the project does not raise enthusiasm among the companies.    
As for the member States, they also decided - on some rare exceptions – to stand up against the directive project. Why so? For financial reasons - for once.
The Commission declared that the States should be financially in charge of this system of cyber-attacks’ information collection. And paying for Brussels’ whims does not amuse many. 

To sum-up, two months after the Commission’s proposition, 4,000 amendments have already been submitted… It is little to say that the Commission’s project encounters some resistance. 

“I will not be the only culprit, we will all be”

Could the Commission have bitten off more than it could chew? And if yes, what would be the price of this adventurism? In Brussels, optimism is not appropriate. Even from Commissioner Cecilia Malmström’s confession « we really had a lot of difficulties » and the process would be strongly likely to go on and on about the details. To the current rhythm, discussion procedures about the project are only going to start in September and the Parliament and then the Council will only yet have a few months to validate the directive… Or to let it go and start again from scratch with the new deputies who are going to come into the Parliament in June 2014.  

But frankly, can the EU allow itself such lateness? Commissioner Neelie Kroes, in charge of the file, settles for a warning: “I don't want there to be a major incident around the corner and we get the finger of blame for failing to take action. […] I will not be the only culprit, we will all be”. Here we are warned.