By Lamprini Basdeki and Patrick McQuillan*
Abstract
The turn of the 21st Century ushered in a new era of technological interconnectedness. The growing reach of the internet has now created unprecedented threats and unfamiliar security risks across borders. The inherent lack of regulation in this sphere facilitates frequent breaches of cyber security and quite regularly infringes on the most basic of human rights. These “cybercrimes” have expanded into various regions, particularly in developed Western states where populations are most susceptible to attack. The levity of these security breaches can range from personal identity fraud to global cyber terrorism. Following Edward Snowden’s divulgence of top-secret information regarding the interception of private communications from United States (US) intelligence agencies in Europe – including violations from high-ranking government officials – the US and European Union (EU) formed a bilateral partnership committed to upholding and strengthening the integrity of cyber security. This accord remains the most developed of its kind in the world. However, US cyberspace policies are driven by deterrence methods in the interests of national security, whereas the EU relies on a comprehensive digital policing initiative. This methodological dichotomy elucidates the fundamentally different interpretations the US and EU take in defining what truly constitutes a cyber threat, and how best to address it. This paper critically examines the cyber security strategies of both the EU and the US by underlining the greatest successes and shortcomings of their efforts. This paper also analyzes the possibility for and proposes the establishment of an EU-US alliance under a NATO strategic framework to effectively address the challenges macro cyber threats have imposed on what has become a swiftly growing and increasingly complex technological arena.
Introduction
The EU and US have been key players in data protection since the genesis of the Digital Age, and have only recently begun undertaking extensive measures to ensure that effective policies have been put into place. With the proliferation of such incidents as the Edward Snowden data leaks and the more recent data breach at the US Office of Personnel Management, which successfully hacked into the personal information of several million federal employees, a global call to arms has been raised for EU and US lawmakers to develop policies that identify and prevent risks to data infrastructures. However, many of these policies remain in their infancy while governments continue to explore and understand the nature of cyber security. Despite the progress these policies have made, they continue to suffer from inconsistencies in risk identification, reporting of potential threats, national accountability, international cooperation, and general methodology. Their cooperation is critical to optimizing the secure functionality of data infrastructures in Western states. The North Atlantic Treaty Organization (NATO or “the Alliance”) can provide systematic mechanisms where these two powers’ respective policies prove insufficient, and would serve as an excellent forum in cultivating a cooperative EU-US relationship focused on improving cyber security regulations among its member states under a unified standard. The objective of this paper is to critically analyze the individual EU and US cyber security policies currently in place, assess the possibility of an overarching EU-US cyber security framework unified under NATO as an instrument of enhanced cooperation, and propose the implementation of such a framework that can be executed by all NATO member states. These arguments and analyses are made strictly within the scope of matters involving the abovementioned parties and do not consider alternative partnerships with other institutions such as the United Nations or address cyber security concerns beyond those experienced by Western states, the main reason being the EU, US, and NATO are ostensibly well-situated to enact the cyber security objectives recommended in this paper as they concern the Trans-Atlantic region. The main thesis of this paper argues that the evolving cyber security policies of the EU and US establish a practical basis for the creation of an overarching cyber security framework committed to integrating a superior, mutually-beneficial, and more universally-implementable monitoring and prevention system under an EU-US partnership with NATO.
The Cybersecurity Strategy of the European Union
While there have been initiatives at the national level to create cyber security frameworks, these have proven largely insufficient. EU member states’ preparedness is inconsistent across borders and lags in cooperation mechanisms with other EU member states, which leaves much to be desired should a major international cyber threat arise. The European cyber space arena is exceptionally complex in nature due largely to the interconnectedness of the system: should one unprotected element collapse, then the entire data infrastructure could be at risk as issues originating in one state spread to others. This level of vulnerability is unacceptable and demands the harmonization of efforts across EU member states to develop a framework designed for the assurance of cyber security for all members. (Vyskoč J. 2013)
The first coordinated EU-wide document formally issued on cyber security is the “Cybersecurity Strategy of the European Union” (“the Strategy”) released on February 7, 2013. The Strategy outlines a series of goals for the EU in addressing the growing threats to European data infrastructures, with the success of the most essential objectives contingent on the endowment of individual responsibility to each member state. This undertaking requires that each state create a functional computer emergency response team, adopt a national strategy and cooperation plan, improve preparedness and the engagement of the private sector, and set up ‘coordinated prevention, detection, mitigation and response mechanisms’ conducive to network and information security. (Commission 2013) This effort is easier said than done. In an arena where member states vary greatly both economically and governmentally, each state will have a different type of responding authority and some may prove incapable of formulating a national-level response to any threats that arise. (Robinson, N. 2013) The Strategy also brings together defense and foreign policy contributions to cyber security into a single framework. This is possibly the most noteworthy provision given that defense and foreign policy are issues of which EU member states have been historically protective. This undertaking is long overdue. No unified solution to cyber security provision can manifest without the unerring cooperation of these states to coordinate their policies in addressing the risks together.
These initiatives exist only on paper for the time being. In order for the gap between theory and application to be bridged, two significant issues remain to be resolved in enacting the Strategy. The first obstacle is mitigating the frequent ‘institutional turf wars’ that occur among member state directorates, and to oversee their creation of effective national frameworks under the Strategy. (Robinson, N., 2013) Where there is internal conflict or dissonance amid the actors of a system, there can be no real progress. The second issue relates to the Strategy being primarily an intention-oriented document that defines broad goals without actually offering a strategy with which to reach them. The ends have been illustrated, but the road has yet to be determined. If the path to cyber security in the EU continues to be littered with fluctuating levels of cooperation and the absence of an action plan, then the passionate calls for security reform will be reduced to hollow echoes in time. (Robinson, N., 2013)
The US Framework for Improving Critical Infrastructure Cybersecurity
US policy measures in combating cyber threats are certainly more rigid in contrast to those of the EU, but they lack sound enforcement mechanisms. Over 50 statutes govern data protection and digital infrastructure stability in some respect, although prior to 2013 no major policies relating to cyber security had been enacted since 2002. (Fischer 2013) The tempo of this pattern shifted on February 12, 2013 when US President Barack Obama issued Executive Order 13636, ‘Improving Critical Infrastructure Cybersecurity.’ In his executive order, President Obama called for the development of a voluntary framework that provides a ‘prioritized, flexible, repeatable, performance-based, and cost-effective approach’ allowing for the appropriate identification and management of cyber risks. (White House 2013) Exactly one year later, the US National Institute of Standards and Technology released the ‘Framework for Improving Critical Infrastructure Cybersecurity’ (the Framework’). The Framework is the US’ first overarching legislative attempt at cyber security regulation and provides a risk-based approach to managing cyber threats for any institution willing to adopt its guidelines. Although only constituting normative soft law, the Framework is a crucial step forward in cyber security policy and serves as a useful model for constructing a more comprehensive and standardized NATO framework. The Framework consists of three key parts: the Core, Implementation Tiers, and Profile. (National Institute of Standards and Technology 2014)
The Core presents industry standards, guidelines, and common practices through a means that optimizes the communication, implementation, and organization of responses to cyber threats. The Core’s primary functions are to (1) develop an understanding of cyber security risks, (2) implement the appropriate infrastructure safeguards, (3) detect threats to data or systems in a timely manner, (4) contain the impact of these potential threats, and (5) recover to normal operations following any breach in cyber security. These guidelines are aimed toward achieving specific outcomes regardless of the level of uncertainty rooted to the issues that arise. This objective-based approach helps institutions to define their goals and assess their own regulations for effectiveness against unexpected threats. (Framework for Improving Critical Infrastructure Cybersecurity, 2014) The Implementation Tiers provide context into the various types of cyber security risk and offer a series of different management approaches for addressing these risks. This system ensures that each institution that has adopted the Framework is using an effective means of managing risks to their data infrastructure and, more importantly, that this means is being appropriately implemented. (Framework for Improving Critical Infrastructure Cybersecurity, 2014) The Profile aligns the Framework Core with the Implementation tiers to enable institutions to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers other regulatory requirements, and reflects risk management priorities. The Profile is intended to elucidate any inconsistencies in a party’s operations that may prove vulnerable to cyber breaches in the future. (Framework for Improving Critical Infrastructure Cybersecurity, 2014)
Despite this strategy, there exist at least two fundamental problems with implementing the Framework on an international scale. First, only businesses and organizations that volunteer to adopt its protocols are affected. Even then, these parties are free to make use of its guidelines as they wish without fear for any governmental enforcement of its protocols. Second, given that this policy relies chiefly on risk detection rather than threat resolution leaves one questioning its effectiveness in situations where cyber threats are immediate and unavoidable. Preventative policy only goes so far. The fact that the US would also need to rely on EU states to seamlessly identify risks as the exclusive option for securing transcontinental data protection would proliferate the potential damage that could occur is any number of risks were overlooked. This inherent lack of an assurance that the Framework’s measures will be successfully implemented breeds an inherent lack of accountability among involved institutions. There is no tangible mechanism in place to ensure that these businesses and organizations will consistently execute their responsibilities under the Framework. The nature of this policy leaves the US in a similar scenario as the EU: in dire need of overarching cyber security regulations.
The Possibility of a NATO Standard Framework
It is valid to believe the successful establishment of an EU-US NATO alliance would bolster international cyber security measures and reinforce their execution under uniformly agreed upon norms and standards, though several concerns arise when contemplating this course of action. The question remains as to why such an option would be considered when there currently exists an EU-US bilateral partnership on cyber security, which is considered the most effective alliance of its kind. (Renard 2015). Having this partnership in place can deter the notion of enabling a similar system within NATO under a unified standard. Another limitation, as noted above, is that individual EU member states have been historically reluctant to participate in a formalized collaboration on cyber security matters at the EU level, which could inhibit any real progress from being achieved should a strategic framework be adopted through NATO. The EU’s own independent cyber security measures in the first decade of the 21st century were lagging compared to those of NATO and the US, and have been described as being in an “embryonic stage” lacking minimum standards. (Pernik 2014) The concern could also arise where the US and EU would be unwilling to make compromises concerning their national cyber security policies in exchange for a joint approach, preferring their methods to remain under sovereign control – free from the influence of outside parties. Despite these reasons for caution, the US and EU share common concerns against a common threat, and each has taken recent actions exhibiting the mutually beneficial desire for objective-oriented multilateral cooperation with NATO on matters of cyber security.
The EU has displayed substantial evidence supporting the idea that it would be open to a cooperative strategic framework with the US under NATO. While the EU-US bilateral partnership on cyber security is effective to a point, the EU’s political and diplomatic inexperience on the issue leaves the partnership with something to be desired. (Renard 2015, Pernik 2014) In recent years the EU has been taking additional measures specifically in tandem with the Alliance to expand its cyber security oversight. For instance, the EU recently signed the Technical Arrangement on Cyber Defense with NATO (“the Technical Arrangement”), which commits the NATO Computer Incident Response Capability (NCIRC) – NATO’s primary team responsible for detecting and responding to cyber incidents – and the Computer Emergency Response Team of the European Union (CERT-EU) to information transparency and the exchange of best practices. The Technical Arrangement was designed to implement the EU Cyber Defence Policy Framework, which outlines future cooperation with the Alliance as one of its five primary objectives. (NATO 2016) This alliance demonstrates EU member states’ willingness to work alongside NATO in the long term and indicates the appeal a NATO cyber security framework would have to the EU. Both the EU and NATO “prioritise cyber security of [their] own institutions and infrastructure, operations and missions” and have an appreciable overlap in their respective memberships, thus incentivizing each party to cooperate at a higher degree. (Pernik 2014, House of Lords 2010) They also agree that cyber security should be approached from the state level. This implies a collaboration between the two organizations would be beneficial. While the EU lacks a central authority responsible for decision making on issues of cyber security, the North Atlantic Council – NATO’s top political decision-making body – exercises principal authority and manages NATO’s cyber defense posture. This would prove to be a major asset for EU policymakers, positioning them to instill more effective security policies through NATO instruments. (Pernik 2014) The past few years have seen the EU evolve into a formidable and norm-setting catalyst making appreciable commitments for progress in cyber security policy, exhibiting a considerable preparedness to continue future work with NATO and devoted Western states.
Despite the noted obstacles that could potentially arise from a NATO standard framework, the US has sufficient incentives to participate. Cyber security breaches are not conditional to geography/borders; any location on the planet with access to the internet is a potential source of an attack, and a partnership with NATO would provide the US with the opportunity to achieve the same ends in its bilateral agreement with the EU, but with a more rigid structure and with greater resources made available for data infrastructure monitoring and incident prevention. These resources include the NCIRC, which is also presently engaged in the Technical Arrangement with the CERT-EU. (NATO 2016) In fact, the US is currently a member of the NATO Cooperative Cyber Defence Centre of Excellence – the foremost NATO-accredited research and training facility in the world. Among its many contributions, the US makes its primary national cyber security strategy documents available to the Centre for use and reference, eliminating any concern that it would be hesitant to share its security policies with like-minded states in a NATO engagement. (NATO 2015) US participation in a joint NATO commitment with the EU would establish a forum in which the US can champion its own security initiatives to allied states and more significantly benefit from the cooperation of the Euro-Atlantic community. Such an alliance would be best to begin incorporating measures early; the Digital Age is still in its dawn and these issues are sure to only proliferate with time as more sophisticated hacking methods develop and global internet literacy and access expand.
NATO itself has been taking strides to set in place an array of mechanisms to address information security concerns and the integrity of data infrastructures. While the Alliance has historically been lagging in its implementation of essential cyber defense protocols, the past few years have seen it develop remarkable strengths in preventing and monitoring data breaches. These methods include a comprehensive approach that integrates cyber defense into the formal NATO Defence Planning Process and provides extensive training and exercises to willing participants. The NATO Cyber Defence Policy of 2014 outlines cyber security as a core task of collective defense, thereby allowing member states to invoke the collective defense clause of the North Atlantic Treaty should a cyber attack arise with outcomes comparable to those of an armed attack. (Pernik 2014) The Alliance has also taken specific efforts to recognize and involve the private sector as a chief agent in the international endeavor against cyber crime. Under the NATO Industry Cyber Partnership, voluntary engagement is encouraged between NATO and industry actors to collaborate and ensure the secure operational persistence and development of data infrastructures in place across all respective member states. (NATO 2016) These systematic measures prioritize global data integrity and actively strive to enable NATO member states to confront cyber attacks as a collective and like-minded unit. While the EU, US, and NATO all possess respective shortcomings, their combined approach to cyber security under a standardized framework would more than compensate for their individual weaknesses and introduce a powerful tool in the campaign against data security violations.
Establishing a NATO Standard Framework
The US and EU cyber security policies lay the groundwork for creating an overarching NATO framework that functions under a common standard shared by all member states. The risk management facets of the US Framework coupled with the tools being set in place by the EU Strategy can help to contribute a unified regulatory system under NATO initiatives aimed toward the development of transparency in reporting threats, governmental accountability, and the prevention or resolution of cyber threats among member states. The use of a single framework encourages cooperation and facilitates the process of equipping lawmakers with security standards specifically tailored to their state’s respective circumstances and needs. These states would run self-assessments based on their own regulations under the larger NATO framework and routinely report back to the North Atlantic Council on their security status. This method counters the inconsistencies that would arise under the EU Strategy with a more effective and reliable reporting infrastructure that promotes states to take responsibility for their own monitoring systems in contributing to the greater whole. Similarly, the approach would prove far more enforceable than the normative measures contained in the US Framework. The success of this system relies on the implementation of four pillars intended to guarantee cyber security in Western states: State Accountability, Regional Cooperation, Systemic Integration, and Structural Consistency.
Pillar 1: State Accountability: The responsibility for establishing monitoring and response systems to cyber threats lies with each individual state, and accountability is fundamental in enabling these systems to function. For this reason, only member states that follow the guidelines of the NATO framework would be granted participation in the initiative. Governments that are not willing to accept the standards set forward by NATO are faced with the option of remaining vulnerable to cyberattacks in the long run. This selective provision of the theorized framework allows for the enforcement of its protocols.
Pillar 2: Regional Cooperation: Perhaps the most difficult obstacle to overcome is orchestrating a shared policy network among EU member states. Harmonizing the disparate cyber security tools and initiatives in each state under a common NATO standard would establish a web of support that would not only provide relatively uniform risk monitoring performance across the EU, but would also better equip the region for aptly responding to any macro-level multistate cyber threats that could arise.
Pillar 3: Systemic Integration: The NATO framework would require member states to create national-level monitoring systems, more reliable threat-reporting infrastructures, and effective response procedures to manage and contain any data breaches that take place. Unlike the approach outlined in the EU Strategy, this system of security tools will establish a series of minimum requirements for these state-centric cyber security systems to meet before granting them participation and protection under NATO.
Pillar 4: Structural Consistency: Cyber threat reporting, management, and response protocols would be best implemented in an environment where member states are enacting security policies under a unified set of principles and objectives. The national-level systems the NATO framework would establish and rely upon would all share a common structure. This approach can further promote interstate societal cooperation and enhance the normative role of cyber security worldwide.
The turn of the 21st Century has ushered in a new era of technological interconnectedness that, with the dawn and rise of the internet, has made cyber security more essential than ever before. As evidenced in the US and EU policies for data protection, initiatives are currently insufficient for combating these threats as governments continue to explore the nature of this unfamiliar field of security. A standardized NATO framework would help likeminded states to navigate this terra incognita and establish a transcontinental system guided by both preventative and reactionary strategies for confronting new dangers to data infrastructures. The greatest obstacle in achieving this policy is for EU member states to cooperate under a unified security standard. Once this collaborative environment has been established, sustainable progress will grow considerably more feasible as states continue to participate in developing the framework. An interconnected issue demands an interconnected solution, and the NATO unification of international efforts toward ensuring cyber security is paramount to safeguarding future generations from unprecedented threats in the Digital Age.
References
Commission, European. 2013. Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace. Brussels: European Commission.
Fischer, Eric A. 2013. Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions. Washingcton, DC: Congressional Research Service.
House of Lords. 2010. Protecting Europe against large-scale cyber attacks. London: Authority of the House of Lords.
National Institute of Standards and Technology. 2014. “Framework for Improving Critical Infrastructure Cybersecurity.” National Institute of Standards and Technology. 2 14. Accessed January 20, 2016. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
NATO. 2015. Cyber Security Strategy Documents | CCDCOE. August 3. Accessed April 18, 2016. https://ccdcoe.org/strategies-policies.html.
NATO. 2016. NATO – Cyber security. February 16. Accessed April 19, 2016. http://www.nato.int/cps/en/natohq/topics_78170.htm.
NATO. 2016. NATO and the European Union enhance cyber defence cooperation. February 10. Accessed April 16, 2016. http://www.nato.int/cps/en/natohq/news_127836.htm.
Pernik, Piret. 2014. Improving Cyber Security: NATO and the EU. Tallinn, Estonia: International Centre for Defence Studies.
Renard, Thomas. 2015. Reshaping Europe | US-China cybersecurity agreement: a good case of cyber diplomacy. September 30. Accessed April 19, 2016. http://reshaping-europe.boellblog.org/2015/09/30/us-china-cybersecurity-agreement-a-good-case-of-cyber-diplomacy/.
Robinson, N. 2013. “RAND Corporation.” The Rand Blog. Accessed January 31, 2016. http://www.rand.org/blog/2013/02/the-european-cyber-security-strategy-too-big-to-fail.html.
Vyskoč J., Illési Z., Świątkowska J, Rezek T. 2013. “www.cepolicy.org.” Central European Policy Institute. November 23. Accessed January 31, 2016. http://www.cepolicy.org/publications/protecting-cyberspace-v4-towards-implementation-eus-cyber-security-strategy.
White House. 2013. White House. February 12. Accessed January 28, 2016. https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
* Lamprini Basdeki is an international security expert and Patrick McQuillan is an analyst/researcher at Compass Lexecon.
This article first appeared in https://europeanstudentthinktank.com/european-policy-review/third-edition/