Académique Documents
Professionnel Documents
Culture Documents
László KOVÁCS
National University of Public Service, Budapest, Hungary
kovacs.laszlo@uni-nke.hu
ABSTRACT
Nowadays it is clear not only for professionals but also for
outsiders that our advanced Western societies cannot operate without the
infrastructure based on information technologies. The security of these
infrastructures, which are present in public utilities, economic life, public
administration, defence sector or even in the smallest detail of everyday
life, have a vital importance. The reason for this is very simple: if these
systems do not work, then society does not work either. The importance of
cyberspace can no longer be questioned. Accordingly, the challenges and
threats to cyberspace have to be addressed at strategic level. This paper
presents the most important cyber security principles and strategies of the
European Union and NATO.
KEYWORDS: cyber, policy, strategy, NATO, European Union
The present study looks to the most This new strategy was the first effective
important steps that were taken at strategic and very important step towards laying the
level to define the EU cyber security as well foundations for unified European cyber
as NATO and cyber defence issues in the security. The strategy includes the EU’s
last few years. strategic vision to prevent and respond to
European telecommunications systems’
2. The Cyber Security Strategy of failures and responses to such cases.
the European Union Following a rather long and
In the wake of the 2008 global controversial negotiation and coordination
economic crisis, in order to reduce the process, in February 2013 the proposal for the
exposure and vulnerability of the European strategy was published in two parts. The first
economy and to increase the EU’s part is the Communication from the European
competitiveness, in 2010 the European Commission and the High Representative for
Commission announced a strategy with the Foreign Affairs and Security Policy on the
title “Europe 2020”, which consists of five EU Cyber Security Strategy, which is the
main objectives. These objectives are based strategy itself, and the second part is the
on pillars and sub-pillars. The first pillar European Commission’s proposal for a
focuses on the key growth which includes the directive on network and information
Digital Agenda for Europe (European security, which has become known as a
Commission, 2010). package for the NIS Directive.
The key objective of the European The strategy is based on five principles
Digital Agenda is to create a unified digital that will be priorities for the future of the
market for EU member states, relying on European Union. It is very important to
sustainable economic and social benefits for highlight the recognition that the EU’s
all European citizens. The Agenda is to official communications also emphasize:
explore and analyse the existing economic, cyber security is equally important as security
social challenges and shortcomings of the in the physical space. In accordance with the
European Union (i.e. segmentation of the official text of the Strategy its five principles
digital market, interoperability challenges, the (priorities) are the following:
spread of cybercrime, lack of network ● “Achieving cyber resilience,
investments, low level of R & D, low level of ● Drastically reducing cybercrime,
digital human capability) to make proposals ● Developing cyber defence policy and
for development and to define various actions capabilities related to the Common
(European Commission, 2010). Security and Defence Policy (CSDP),
Based on the above mentioned ● Develop the industrial and
findings of the European Digital Agenda, technological resources for cyber
the EU Cyber Security Strategy was security,
completed in 2013, referring to the ● Establish a coherent international
dependence on information technology and cyberspace policy for the European
information systems that are present in all Union and promote core EU values”
segments of our society and economy. (European Commission, 2013, p. 4).
Consequently, the security of In order to achieve cyber resilience,
cyberspace must also be initiated, because the strategy emphasizes the unity of public
if these information systems fail to work, it authorities and the private sector, and the
causes serious disruptions, in some cases development of cyber capacities, resources
inefficiency, not only in economic but also and efficiency. However, achieving this
in social functions (European Commission, goal cannot be imagined without improving
2013). the prevention, detection and management
of cyber security events and without member countries will participate in the
coordinating them at EU level. The strategy Safe Internet program, and should introduce
has a special and prominent role for ENISA safety-related training in schools from
(European Union Agency for Network and 2014. Additionally, this call of the
Information Security) to strengthen the European Commission forces that training
cyber resilience across the Member States. for IT specialists should include secure
The Strategy notes that, although software development and personal data
there is some progress in this area, namely protection issues, and some initial cyber
the creation of coordinated resilience as a security training for the public
priority, there are still serious gaps in many administration staff needs to be established
Member States, mainly in terms of national (European Commission, 2013).
capabilities, coordination in handling of To achieve the drastic reduction of
cross-border cyber incidents, or promotion cybercrime, the strategy calls for a single,
of the private sector’s preparedness areas. more powerful and stricter but effective
Therefore, the strategy must be followed by legislative environment to control
a legislative process. cybercrimes. Although earlier, international
This legislation should focus laying conventions have been recognised in the
down minimum requirements which will be area of cybercrime, such as the Council of
the basis for national authorities, creating Europe’s Convention on Cybercrime (or as
well-functioning network security widely used ‘the Budapest Convention’),
emergencies or CERTs (Computer Emergency which is an otherwise binding international
Response Teams) and adopting a national treaty for the signatory countries and which
strategy and national co-operation plan in provides an effective legal basis for the
different cyber issues (European adoption of national laws on cybercrime or
Commission, 2013). the use of online sex exploitation and the
One of the key segments of cyber fight against child pornography,
resilience is the cyber awareness. In the nevertheless a real breakthrough in the field
area of awareness, the strategy aims to has not yet been made. On the basis of the
maximize the security of users’ online strategy, the European Commission has a
activities: “End users play a crucial role in major role to play in countering cybercrime
ensuring the security of networks and for its work and the effective actions of the
information systems: they need to be made European Cybercrime Centre (EC3) within
aware of the risks they face online and be Europol. In addition to EC3, the European
empowered to take simple steps to guard Commission also names and encourages
against them” (European Commission, CEPOL, the European Police College, to
2013, p. 8). launch training courses that provide
To achieve the increased cyber security relevant knowledge to law enforcement
awareness, the strategy is highly relying on officers (European Commission, 2013).
ENISA and other organizations such as The next priority of the strategy is to
Europol and Eurojust. The document develop cyber defence policy and
highlights the European Cyber Security capabilities along the Common Security
Month series initiated by ENISA. This and Defence Policy (CSDP) of the EU. This
initiative has been regularly organized in would mean the protection of civil and
many Member States since its launch in 2013. military infocommunication systems in
In the strategy, the European closer cooperation with NATO. Within this
Commission requests the Member States to work, the strategy states: “To increase the
comply with a specific call. The request resilience of the communication and
states that in order to increase awareness, information systems supporting Member
security for products and services to be Annex III within the Union” (NIS Directive,
developed by the European Commission 2016, art. 16 1).
(European Commission, 2017b). The directive and its entry into force
Obviously, the strategic environment in May 2018 is a huge step forward in the
must be complemented by several laws (in field of cyber security, as the directive itself
the meaning of EU these are directives), to states, for the unified digital economic and
reach the full spectrum of cyber security. social activities and especially for the
These new laws or recommendations functioning of the internal market, since the
include, inter alia, the previously mentioned security of networked information systems
NIS and the GDPR (General Data can finally be read from a common scenario
Protection Regulation) Directive, which is a by the Member States.
breakthrough in the field of data protection. The other important directive, the
The GDPR is not directly aiming at cyber GDPR, replaces the former EU Data
security but indirectly it will greatly Protection Directive of 1995 and represents a
influence the cyber sphere. harmonized data protection law for the EU
As we referred earlier, the NIS Directive Member States. Its core objective is to protect
is an important segment of the EU Cyber the personal and private data of EU citizens.
Security Strategy, which has a rather long and Since 1995, when the last Data Protection
therefore slightly difficult to understand Directive was issued, the management of
official title: “Directive concerning measures citizens’ personal data has been
for a high common level of security of fundamentally changed and transformed
network and information systems across the thanks to information technology. Therefore,
Union” (NIS Directive, 2016). a fundamentally new regulation is needed
The adopted Directive sets out which is based on a totally new philosophy
mandatory requirements for all Member inspired by the information technology
States. The most important of these binding (GDPR, 2016).
factors is that each Member State must The General Data Protection
develop a national strategy for security of Regulation, which enters into force on
network and information systems. The NIS 25 May 2018, brings enormous changes to
specifies that dedicated and unique national all EU countries. Regarding the GDPR, one
contact points or CSIRTs (Computer of the most cited regulations is a very
Security Incident Teams) are to be set up in severe sanction tool. This penalty is no less
the Member States, whose operating than 4% of the annual turnover of the
conditions must be ensured. For CSIRTs, organization that violates the rules or
the Directive also orders to establish and 20 million euros (whichever is greater).
operate these organizations by a critical This serious penalty is the maximum fine
sector or sub-sector, and to ensure that these that can be imposed for the most serious
CSIRTs have to create a network within the infringements, processing and handling of
Union, thereby promoting trust and personal data without authorization.
effective and operational cooperation. All The directive also applies a penalty rate
this is accompanied by the obvious fact equivalent to 2 % of the annual turnover in
that: “Member States shall ensure that case of failure to notify the supervisory
digital service providers identify and take authority, or in case of incorrect data record
appropriate and proportionate technical or breach of the law. These penalties should
and organisational measures to manage the apply to data controllers and data
risks posed to the security of network and processors; therefore, the cloud service
information systems which they use in the providers are also subject to this regulation
context of offering services referred to in (GDPR, 2016).
“Cyber threats are rapidly increasing and Estonian cyber crisis in 2008. Today, the
evolving in sophistication. In order to CCDCOE has 20 members as supporting
ensure NATO’s permanent and unfettered nations. The main mission of the Centre is:
access to cyberspace and integrity of its “is to enhance the capability, cooperation
critical systems, we will take into account and information sharing among NATO,
the cyber dimension of modern conflicts in NATO nations and partners in cyber
NATO’s doctrine and improve its defence by virtue of education, research
capabilities to detect, assess, prevent, and development, lessons learned and
defend and recover in case of a cyber- consultation” (CCDCOE, 2018).
attack against systems of critical The CCDCOE was one of the key
importance to the Alliance” (NATO, 2010, facilitators and coordinators to make an
Article 40). international study on cyber warfare
On 8 June 2011, the Defence entitled “Tallinn Manual”. The first version
Ministers of NATO member states signed of this book was issued in 2013, and one of
the new Cyber Policy of the Alliance. This its main purposes was to investigate issues
document contained not only strategic ideas and the applicability of international law in
for cyber defence, but included an action the field of cyber warfare. Several experts
plan as well. The detailed program of this from different universities and research
Action Plan was adopted in October 2011 institutes were involved into the work.
(Kovács, 2014). The book itself is divided into two major
In accordance with the action plan the parts: International Cyber Security Law and
NATO Cyber Incident Response Capability the Law of Cyber Armed Conflict. It has
(NCIRC) was launched in February 2012, 7 chapters and 95 so-called rules have been
and a so-called Cyber Threat Awareness identified and investigated in the context of
Cell also started to be set up (Kovács 2014). international law’s applicability in cyber
As we discussed above cyber security warfare (Schmitt, 2013).
took into the focus of the Alliance, and the In 2016 the Tallinn Manual 2.0 was
Chicago Summit in 2012 dealt with the released, which is an updated and
issue in a very detailed way, as follows: significantly expanded version of the first
“Cyber-attacks continue to increase book. This volume includes all rules that
significantly in number and evolve in were investigated in the first version.
sophistication and complexity. We reaffirm The title of the new book was partially
the cyber defence commitments made at the modified, as it was referred to as
Lisbon Summit. Following Lisbon, last year “International Law Applicable to Cyber
we adopted a Cyber Defence Concept, Operations” instead of displaying cyber
Policy, and Action Plan, which are now warfare explicitly. The nearly 600-page
being implemented. Building on NATO’s study, divided into four sections, analyses
existing capabilities, the critical elements of 154 rules that could be applicable from
the NATO Computer Incident Response international law to cyber operations
Capability (NCIRC) Full Operational (Schmitt, 2016).
Capability (FOC), including protection of However, the biggest breakthrough
most sites and users, will be in place by the moment in NATO’s history regarding to
end of 2012” (NATO, 2012, Article 49). cyber defence took place at the Warsaw
One of the most important elements Summit in 2016 when the Alliance
in NATO’s cyber defence efforts is the officially declared that cyber space can be
Tallinn-based NATO Cooperative Cyber considered as an operational dimension.
Defence Centre of Excellence (CCDCOE), In accordance with this declaration of
which was established just after the NATO, cyber space, at least in the military
sense, also became a dimension of warfare The new EU Cyber Security Strategy,
beside the traditional four physical developed jointly by the EU High
dimensions. The official NATO Declaration Representative for Foreign Affairs and
of Warsaw Summit announces it as: “Cyber- Security Policy and the European
attacks present a clear challenge to the Commission, was launched in early 2013.
security of the Alliance and could be as This was the first comprehensive document
harmful to modern societies as a created by the European Union in the field
conventional attack. We agreed in Wales that of cyber security, which determined the
cyber defence is part of NATO’s core task of future of cyber era in the EU. The strategy
collective defence. Now, in Warsaw, we identifies very clear goals and priorities for
reaffirm NATO’s defensive mandate, and the EU’s cyber policy, including the
recognise cyberspace as a domain of promotion of freedom and openness,
operations in which NATO must defend itself compliance, cyber security capabilities, and
as effectively as it does in the air, on land, international co-operation on cyberspace.
and at sea” (NATO, 2016, Article 40). With this strategy and NIS Directive the EU
defines a very definite and common
4. Conclusion direction for its Member States in the field
Our society and economy are heavily of cyber security.
dependent on information technology and Although NATO has several common
cyber sphere. The more we rely on the actions with the European Union in the
cyber opportunities offered by cyberspace, field of cyber security, the Alliance has its
the more we need to consider new types of own cyber security policy and strategy.
threats that can significantly affect our Since the Estonian cyber crisis in 2007,
everyday activities, the operation of critical NATO and its member countries have
infrastructures, and the access to various treated cyber security and cyber defence as
services. a priority area. In 2016, there was a
To protect and defend the cyberspace breakthrough decision in the Alliance’s
and vital critical information infrastructure history when NATO proclaimed the
both the European Union and NATO need recognition of cyberspace as a domain of
strategic thinking. operations.
REFERENCES