In today’s information society, data and information replace the traditional resources for conducting war: coal and steel. Preventing conflicts revolving around these new resources demands greater cooperation and transparency.
Until recently, coal and steel were critical raw materials for the economy and the basis for waging wars. It was coal and steel that brought European countries together in 1951 to sign the Paris Treaty, pooling these resources with the aim of preventing bloody wars. The European Coal and Steel Community was created based on the premise that economic interdependence could create enough transparency to ensure nefarious intentions would not go unnoticed. And so the European integration project was born.
Almost 70 years later, the international community is faced with competition over new resources that are the basis for new wars: data and information. Data and information are comparable to the coal and steel of the Paris Treaty: they are commoditized and valuable, but can also threaten the sustainability of the everyday life of citizens in the information society. These resources are pervasive and range from vulnerability information, attack techniques, and methods of delivery and operation to malware samples; however, the mere availability of, or access to, data can also be weaponized. This is why the international community has, for over twenty years, devoted significant resources to maintaining stability in cyberspace under the disarmament agenda.
Diffusion of information and communication technologies has facilitated the distribution of security by creating new resources for conflict, new tools, new channels through which to deliver conflict and new vulnerabilities to exploit. It brought about the “loss of location”, which makes physical spaces less important to economic efficiency and functionality (e.g. cloud storage). The concept of security has also broadened, and now encompasses issues of migration, finance, environment and sustainable development. In this context, it may be more correct today to refer not to resources of conflict, but to resources for creating insecurity. The information society has added layers to the complexities of integration, blurring the boundaries between external and internal policy, civilian and military domains, public and private aspects of security, centrifugal and centripetal forces in cyberspace. The cyber ecosystem is, by nature, defined in global terms rather than confined to state borders. This indivisibility is apparent, for example, in the new Data strategy (2020) and the Communication on Shaping EU’s Digital Future (2020), as well as the EU Security Union Strategy (2020). Shifting perspective and addressing the EU as a security project adds important dimensions in responding to current challenges.
Functional Shortcomings in the EU’s Cybersecurity Policy
Looking back at the Paris Treaty, it seems that information sharing about the use of particular resources was necessary to create the transparency and control needed for the structure to work. Over time, the agreed cooperation model became mismatched to what was needed for effectiveness, resulting in several revisions of the treaties. Arguably, the current state of affairs of cybersecurity in the EU largely corresponds to that expressed in the Single European Act in terms of integration: functional problems were in the spotlight, leading to the fundamental changes brought by Maastricht (1992), and finally altering the structure of cooperation.
While the EU has laid down the cornerstones of its cybersecurity policy, currently, we cannot say that the EU’s cybersecurity strategy is working well. In particular, there are problems in sharing cyber threat intelligence and other relevant information. Building strong cybersecurity for the EU is arguably hampered by a lack of political will and mistrust resulting from the underlying practical issues: lack of common understanding of cybersecurity; lack of clarity about interdependencies between the different elements of cybersecurity policy; and under-exploitation of technology solutions as policy means.
First, “cybersecurity” is a catchy word, and while the term is overused in EU documents, its use is not based on a stable definition. In 2015 ENISA concluded that it is an “enveloping term” and that a comprehensive definition was therefore not practical. Indeed, the list of documents that address cybersecurity issues is countless: the GDPR, “Botnet Directive”, Network and Information Security Directive, Cybersecurity Act and the cyber diplomacy toolbox. Despite this, it is hard to say what dangers these laws should protect us from. For instance, in Article 2, the Cybersecurity Act defines “cybersecurity” as “the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats”. This definition is dynamic but also overly broad. This leaves member states in charge of their conceptualization of cybersecurity. Naturally, their views differ strategically.
Second, early concern about security in the context of information and communication technologies was already visible in the Bangemann report and the parallel data protection directive, as well as in the 2002 EU telecom package. Cybersecurity grew from an economic issue to a strategic one after the 2007 cyberattacks against Estonia. The following years were called a “cyber awakening”, and brought the realization that cyber channels could be used to cause physical, economic and societal damage. While the 2017 update of the strategy focused more on the political and defence aspects of cybersecurity, it still provided no clear assessment framework or guidance about the interdependencies between policy areas. The new EU Security Union Strategy (2020) proposed by the Commission addresses the question of interdependencies, and the ongoing review of the 2013 Strategy might be the right opportunity to address this further.
Third, technology can enable or thwart behaviours, as prescribed by political, legal or social norms, and such solutions can be employed autonomously. The EU has already made such moves, for example by trying to change the architecture of information systems at the design level, most prominently through the privacy and security by design principles. However, these only apply early in the lifecycle of a product, and efforts may become less effective due to the dynamic nature of cyber ecosystems – products are interrelated at the supply chain level and continuously change, e.g. through updates and patches. This points towards the insufficiency of static solutions and makes the case for experiments with dynamic tools, such as the use of artificial intelligence agents for security purposes in e-government systems. However, influencing the development of technology is a double-bind problem, prompting the EU to balance solutions reducing the EU’s external dependencies in the digital world with those fostering technological innovation. Although the EU’s cybersecurity strategy is unequivocal about member states remaining responsible for national security, the 5G Toolbox, new proposals for quantum computing and the intensifying debate on “digital sovereignty” showcase the need for European leadership.
Towards a Cyber Maastricht?
Cyber Maastricht is a process that systematically eliminates barriers to effective pooling and sharing of data and information within the EU, as well as the barriers to monitoring and controlling these pools. Such a process involves the use of policy, legal and technological tools, calibrated to create synergies and ensure strategic alignment of tech solutions with the (cyber)security vision and objectives of the EU.
In this light, the interdependencies between different policy areas need further clarification, since cyberspace particularly favours the entanglement between external & internal, public & private, and civilian & military dimensions of policies. The complexity of cybersecurity also demands elevation of point-in-time and static approaches (such as security by design) to reflect the dynamic nature of the cybersecurity environment, articulation of technological requirements fostering sharing and pooling and transparency about new sources of conflict and insecurity (i.e. data and information). These must be translated into a concrete set of practical instructions – collectively referred to as the “integration by design” approach.
Furthermore, the idea of pooling and sharing resources only improves security if it is accompanied by transparency. The pooling and sharing, as well as transparency in cybersecurity, can be facilitated by technological solutions, where it is not the data and information but rather access to the necessary data that is delivered to the “central pool” in a timely manner, having the effect of pooling data (which is why projects like the Once Only Principle Project are important). However, for such architecture to be achieved at the EU level, it is also necessary for governments to open their e-governance and public sector information systems to a certain level, including making some source code open and publicly accessible. The European Strategy for Data (2020) supports the idea of creating a single market for data and emphasises the importance of its availability for use; however, this must be accompanied by sharing actionable cyber threat intelligence as a prerequisite for transparency and joint control.
Lastly, effective oversight of pooled resources and shared information requires technology that can keep up with the dynamic changes in the security ecosystem, and do it fast. This need for better use of technological tools resonates with the Commission’s strategy on Shaping Europe’s Digital Future (2020), which dedicates significant thought to the relationship between trust and security and calls for proactive information sharing and operational cooperation across borders and domains. Artificial intelligence technologies hold significant promise for improving cybersecurity, including identifying actual and potential threats, weaknesses and anomalies in involved systems quickly and precisely. However, these cyber technologies work best at scale, leading us back to the need for data and information sharing and pooling, as well as transparency.
The strategic framework presented by the Commission in 2020 is not unsupportive of this process, but is perhaps unconvincing on key issues such as building trust among member states and persuading them to want to pool and share information and data – both as a resource and for cyber threat intelligence. In the longer term, regardless of actual progress or the lack of it, both external and internal communications (the purposeful use of data and information resources) will also be key. Luckily, the process of Cyber Maastricht does not require a significant revision of the Treaties nor a widespread public campaign, at least not initially, since the main structures are already in place and several problems are functional, requiring functional responses. However, taking steps in this direction would demonstrate commitment to the idea, and could even lead to a new pledge as significant to cybersecurity cooperation as the Maastricht Treaty was to integration.
About the Author
Agnes Kasper is a senior lecturer of technology and law at Tallinn University of Technology in Estonia and adjunct research fellow in the Cybersecurity Research Institute at the National University of Public Service in Hungary. Her PhD dissertation on cybersecurity regulatory frameworks received the 1st prize award from the Estonian Ministry of Defence, and her research is focused on EU cybersecurity policy, cyberlaw, emerging technologies and digital evidence.