The obvious importance of cyber defence – often the poor cousin of all things cyber – is becoming clearer and more entrenched, with growing high-level EU ambitions. The recent release of the EU cyber defence policy in late 2022 marks a milestone for the EU’s cyber defence policy framework insofar as its ambitions indicate the aspirational direction of travel for both the EU and its Member States. One practical consequence should be the maturing of some EU Member States’ national approaches to cyber defence to align with good international practices through the EU’s roles in supporting common approaches to cyber defence and working with its Member States to enhance coordination and cooperation across the Union. One would expect that, at a minimum, national-level focus will be enhanced on account of the planned initiatives – possibly reducing the current patchwork of cyber defence maturity across the Union.
Since the first EU strategy on cybersecurity was published in 2013, cyber defence priorities have continued to be integrated within the EU cyber policy framework to various degrees. Importantly, efforts continue to be made to integrate cybersecurity and cyber defence into the wider security and defence agenda through, for example, the EU Global Strategy for EU Foreign and Security Policy, the Security Union Strategy and, more recently, the inaugural Strategic Compass. This is well-established good practice which one would hope is not lost at the national level.
Cyber defence and the competence to use cyber defence capabilities naturally continue to be national prerogatives. But the EU and its Member States are at a historical crossroads arising from the culmination of a decade-long maturation of EU cyber defence strategy combined with growing EU endeavours surrounding its security and defence posture. Adding to that the even deeper soul-searching over security and defence that has been occurring throughout Europe since the return of conventional war to the continent a year ago, the case for EU and national cyber defence to find its rightful place among the many other EU or national initiatives and stakeholders responsible for cybersecurity, cybercrime and cyber resilience becomes even stronger.
Additional reasons for agreeing to evolve EU cyber defence certainly include factors within the changing strategic threat landscape. In terms of general cyber threat dynamics, the military sector continues to be a target, as is the government/public administration sector – the highest targeted sector by percentile. Moreover, a number of the top 10 emerging cybersecurity threats identified for 2030 will have especially serious ramifications for defence. These include space-related matters; supply chain compromise; advanced disinformation campaigns; the rise of advanced hybrid threats; AI abuse; and, notably, skill shortages. Aspects of these emerging threats are already becoming apparent. Even more specifically, in November 2022, the European Commission recognised that recent cyber attacks on energy networks, transport infrastructure and space assets show they pose risks not only to civilian actors but also to military actors, thus showing in concrete terms the need for more action to protect citizens, the armed forces and the EU’s civilian and military missions and operations. Space-based services (as also highlighted within the new policy) are increasingly relevant for defence for reasons including surveillance, situational awareness, positioning and highly secured communication.
For armed forces, reliance on both civilian and military critical infrastructure presents a quagmire. And, for EU military missions, highly specific cyber risks arise. Reliance on digitally networked information to deliver military effects is growing; cyber risks impinge on military capabilities; cyber attacks can result in mission difficulties or failure; and EU-led military operations, due to their collaborative nature, are uniquely exposed to cyber risks.[1] In future, overseas missions are generally expected to involve more partners and depend on higher levels of national resilience, interoperability and technological capacity. In short, overseas operations, including through EU-led activities, will be increasingly unexpected and will operate in increasingly complex environments. This requires fit-for-purpose cyber capabilities.
Capability priorities
Several capability-related priorities are specified by the EU. These include increasing cooperation in the EU and leveraging capabilities at EU level, as well as increasing cyber defence capabilities by EU Member States individually and through joint action. Specifically – even where cyber defence investments in the EU increased in the past few years – Member States are asked to act urgently to increase investments in full spectrum state-of-the-art cyber defence capabilities. Especially noteworthy for those countries looking to increase their defence investment and enhance capability is the potential presented for enhanced capability returns through instruments like the European Defence Fund. The Commission has already focused its attention to some extent on supporting cyber defence capability development and research in this manner, and it will likely continue to do so in the near term.
In this regard, the increasingly important nexus between cyber and emerging and disruptive technologies (EDTs) is rightfully highlighted, pointing to the need to ensure that sustaining state-of-the-art cyber defence capabilities also means staying on top of other technological developments like EDTs and their applications in defence-related systems.
There is also some attempt to address the global challenge surrounding the dearth of cyber defence skills. This is crucial since cyber capability is not only about tech and ‘stuff’ or equipment – personnel, process and developing national cyber defence capability across the entire DOTMLPFI spectrum are equally critical. In addition to listing new initiatives to increase training and to attract and retain talent (such as the European Defence Skills partnership), the policy astutely finds that the defence industry must also retain and acquire key skills – a finding that is not always replicated at the national level.
Defence industry is a vital cog: No going it alone anymore
The new reality is that, no matter how much it might gall some sentiments, the defence industry is vital to future success surrounding cyber defence and EDTs. In no uncertain terms, the EU officially needs a European defence industry capable of delivering a full spectrum of state-of-the-art defence capabilities, including cyber defence capabilities. Thus, additional priorities going forward include reducing strategic dependencies in critical cyber technologies and strengthening the European Defence Technological and Industrial Base. Given the dual-use aspects of cyber technologies, there is a call for more work to be conducted together to develop better cutting-edge technologies for cybersecurity and cyber defence. This would be achieved by creating better synergy between the cybersecurity and cyber defence industries, R&D and innovation activities. There is a clear acknowledgement of the ever-growing importance of the defence industry for capabilities, and the need to reduce the EU defence industry’s substantial reliance on external markets for cyber defence. Notably, there will be greater efforts to enhance the cyber resilience not only of Member States’ military infrastructure, CSDP (the EU’s Common Security and Defence Policy) missions and operations, and critical infrastructure, but also of the defence industry and relevant research entities. In other words, the entire defence ecosystem needs attention.
Close military-civilian cooperation should no longer be just a talking point
The EU officially recognises the importance of close military and civilian cooperation. This is not a ‘nice to know’ anymore, but a genuine ‘need to have’. Moreover, it is a long-held rule of thumb that cyber defence should not only concern ‘cyber defence experts’. But it is not often heeded. The cross-cutting, horizontal nature of ‘cyber’ means that military action in all domains is increasingly reliant on cyberspace. Compared to older, traditional domains, it can challenge long-established practices within militaries and governmental ministries or agencies. With the turbo-charged onslaught of EDT and hybrid developments, this is only due to become even more challenging, unless resolved.
Not only is there a need to work across internal silos, it is also essential to work more closely with other governmental stakeholders (such as regulators, law enforcement and other ministries) and reach out even further beyond these structures to work in a highly collaborative manner with industry, civil society and academic experts. Few security and defence portfolios at the national or EU level do not comprise an aspect of cyber-related issues. At the EU level, while the European External Action Service (EEAS), Directorate-General for Migration and Home Affairs, Directorate-General for Justice and Consumers and many other Directorates are key European Commission stakeholders in this field, there is no dedicated Directorate-General for Defence matters. The Directorate-General for Defence Industry and Space is tasked with ensuring the evolution of an able European defence technological and industrial base. Relevant cyber defence agencies include the European Defence Agency and the European Security and Defence College. These structures will likely continue to matter when examining how to best achieve long-held ambitions to foster cooperation between civil and military communities (including how to best exchange good practices in cybersecurity, cyber defence and cybercrime) as well as EU external policy collaboration with partner nations and international organisations like NATO. The need to cooperate and coordinate across stakeholders is emphasised throughout the new policy – but in short, ‘cooperation between the defence and civilian cyber communities is the foundation for improved common situational awareness in cyberspace and it is equally crucial for coordinated crisis response at both the technical and operational level’.
Situational awareness, cyber commanders, Ukraine and partnerships: No-brainers
Other themes that are becoming even more evident include emphasis on the importance of military situational awareness and appropriate links with civilian intelligence. Building trust within the community is another foregone conclusion, including through further development of the EU Cyber Commanders Conference as a more permanent forum. Notably, aside from the spirit of nomenclature – it would help if nation states in Europe did in fact have dedicated or so-called ‘cyber commanders’ in this regard. This one practical example can hopefully work to enhance trust, information exchange and capability enhancement.
While it will take years to fully unpack lessons from the war in Ukraine, some key observations are already informative and becoming good practice. Nations across the world have woken up to the importance of the type of cyber resilience and cyber defence capacities that Ukraine has successfully exhibited over this past year, notably matured at least since 2014. The observation from Ukraine of the value and decisiveness of close cooperation with the private sector and the necessity of having cyber reserves for major cyber attacks means that the EU Cyber Solidarity initiative might support the gradual establishment of an EU-level cyber reserve.
Lastly, the intention to establish tailored partnerships on cyber defence is an important next step for the EU’s global footprint and credibility as a serious security and defence actor. If implemented, it is highly likely that there will be a mandate for cyber defence topics to become closely integrated into the EU’s cyber dialogues as well as its security and defence dialogues with partner countries. This is a significant milestone, but it should not prove overly difficult to integrate in this manner. In terms of EU-NATO cooperation – whether an EU Member State is a fully-fledged member of NATO or not – the direction of travel is clear. The EU is aiming for compatibility with NATO concepts and doctrine on cyber defence to ‘the maximum extent possible’ as well as promoting synergies and complementarity for cyber defence capabilities and harmonisation of training needs.
[1] Wolfgang Roehrig, EDA presentation.