Recognising the growing cyber threat, EU foreign policy chief Federica Mogherini said, “Cyberspace threats do not know national borders. Cooperation among member states at European level is therefore essential.”
Speaking at the launch of a new Commission initiative for better cooperation between the four key EU agencies dealing with cyber defence and security, ENISA, CERT-EU, EDA and EUROPOL, the Italian o¬fficial said, “Europe is stronger when it tackles threats together, in a common and coordinated approach. This is exactly where this memorandum of understanding is key, where the added value of the EU lies. Working together, joining forces, putting the experiences and the knowledge of all, to the service of our citizens’ security.”
Commission Vice-President for the digital single market Andrus Ansip said, “We can face cyber threats successfully if we have in place a functioning exchange of information, if we have strong technical capabilities and we work on basic cyber hygiene. Better cooperation between these EU agencies will lead to this result.”
Commissioner for migration, home affairs and citizenship, Dimitris Avramopoulos said, “The threats against both our physical and virtual worlds are becoming increasingly connected. Therefore, increasing cyber security is one of the priorities of the EU. But we can only do this effectively through stronger cooperation and joint actions, where our operational agencies, like Europol, can play a critical role with the expertise they bring to the table in support of member states.”
Commissioner for the security union, Julian King, said, “The cross-border nature of the cyber threat means that cooperation has never been more important. This improved collaboration between ENISA, EDA, Europol and CERT-EU will help us to strengthen our cyber resilience, build effective deterrence and help deliver credible cyber defence and international cooperation.”
S&D group shadow rapporteur on the EU Cybersecurity Agency (ENISA) and cybersecurity act Peter Kouroumbashev backed the strengthening of ENISA. He said, “With the cybersecurity act, we should aim for a stronger operational ENISA.”
Kouroumbashev believed the agency needed a permanent mandate with key coordinating functions to develop better cooperation among member states, with the capacity to assist countries when there was a cyber-attack, and being responsible for coming up with a plan in response to large scale incidents.
Regarding the certification of cyber security protected products, he proposed “stronger engagement with stakeholders including industry and consumers, academia, standardisation bodies and all relevant actors. Finally, we should carefully tackle the nature of certification which should include compulsory provisions, but these should be clearly defined and not be burdensome.”
However, ECR group shadow rapporteur Evžen Tošenovský disagreed, preferring national government to take the lead, saying, “Member states should have strong capacities and capabilities for the prevention and response to each attack whether big or small.”
The Czech deputy was also against giving further powers to the EU agency. Instead Tošenovský just wanted ENISA to coordinate expertise and share best practices across Europe. He added, “We need to team up internationally, especially with Nato, in terms of cyber defence.”
Unlike Kouroumbashev, he was convinced certification of products should not have compulsory provisions, but remain on a voluntary basis, with substantial involvement from industry in its governance and preparation.
Urmas Paet, Parliament’s rapporteur on cyber defence, said, “Cyber security has fast become an indivisible part of global affairs.”
According to the Estonian deputy, not only do we have to deal with cyberattacks from different states, but also non-state actors. Together they have carried out “malicious cyber activities and attacks on critical infrastructure, cyber-espionage, mass surveillance of EU citizens, disinformation campaigns and have limited access to the internet.”
Like Tošenovský, he also wanted to see closer cooperation between member states, the EU and Nato. He also wanted to see more training for cyber defence experts by organising joint exercises between member states, like real world joint military exercises. Paet also recommended developing a better understanding of international law applicable to cyberspace.
EPP group shadow rapporteur Antonio López-Istúriz White stressed how “cyber and hybrid warfare not only constituted a major threat to the security, defence, stability and competitiveness of the EU, but also member states and its citizens.”
It was now important to strengthen military cooperation and coordination in relation to cyberspace, which was critical to military operations on land, sea, air, and in space. To achieve this he proposed, “institutional reinforcement of an EU cyber authority which will coordinate operations, build trust amongst states, and serve as the point of liaison between individual member states’ cyber authorities and closely collaborate with Nato.”
White added, “European citizens demand a union that protects, a EU cyber defence strategy was the answer to that demand.”
UK S&D group deputy Clare Moody said her group’s priorities on cyber defence were clear: “Better cooperation at European level, particularly given the development of the DSM.”
But, she stressed, “To do this effectively we also need to work cooperatively with our allies such as Nato and other countries who, like us, are keen to see the application of international law and norms in cyberspace to protect us.”
Indrek Tarand, Greens/EFA group shadow rapporteur, backed the Parliament’s initiative. However, the Estonian deputy pointed out shortcomings in the report. “It still lacks a definition of the term ‘cyber defence’ at European level, and consequently the operational implications remain somewhat unclear.”
He wanted greater focus “on ensuring that our IT systems are robust and resilient, both in the government sector and when it comes to critical infrastructure.”
Tarand pointed out the limited options the EU had in responding to a cyberattack, saying, “Since we need to respect international law and human rights, the best possible deterrence is mostly limited to diplomatic sanctions.”
According to AFET committee Vice-Chair Javier Couso Permuy, cyberthreats were not necessarily from external powers. Commenting on the Facebook scandal, he said, “Recently we have seen numerous cases where users of digital social platforms were vulnerable to the power of companies, such as Facebook. By using opaque ways, they were exploiting users, and turning into gold their private data.”
However, Couso Permuy pointed out the US government was extracting data illegally before Facebook. “We must remember that we had the case of the NSA, spying through communications companies, and social networks on millions of people and even governments.”