This blog is hosted on Ideas on Europe


The new EU Cybersecurity Strategy 2020: was COVID-19 a key factor?

by Eva Saeva, Newcastle Law School
This article is based on research presented at the UACES Graduate Forum Research Conference 2021 (17-18 June, online)

 

Cybersecurity has become the backbone of a global digital society, a key element for a variety of issues ranging from national security, data protection, the trustworthiness of AI and 5G technologies, digital sovereignty, to, last but not least, responsible state behaviour in cyberspace. The COVID-19 pandemic revealed the many benefits of digitalisation, but also exposed its vulnerabilities. During the (ongoing) health crisis, and especially the first few months, there was a sharp rise in cyberattacks against various critical infrastructure (CI) sectors, particularly the health sector, which was heavily targeted in certain EU Member States. More specifically, a series of serious attacks in the spring of 2020 were directed against the Czech Republic. In September 2020, a woman died in a German hospital, which at the time was suffering a ransomware attack. In addition, in late 2020, even the European Medicines Agency was attacked and vaccine data was accessed.

Against this background, this blog will investigate the new EU Cybersecurity Strategy adopted in December 2020, by discussing the new legislative proposals, with a particular focus on the new measures under development within the cyber diplomacy area. The blog’s objective is to examine whether COVID-19 was a key factor in the Strategy’s development.

The 2020 EU Cybersecurity Strategy for the Digital Decade put forward two legislative proposals. Both these proposals were built on existing legislation: the review of the NIS Directive and the resilience of critical entities. From a legal standpoint, it did not bring forward anything new – the focus remained on cyber resilience and risk management, in line with the 2013 Strategy. In other words, the 2020 Strategy efforts were directed towards securing critical infrastructure from possible attacks rather than dealing with the attackers themselves.

The increased number of cyberattacks against the health sector during the pandemic does not seem to have been a crucial element in the development of these proposals. However, these attacks further demonstrated the extreme vulnerability of CI sectors and the consequences of not having properly implemented prior legislative measures, such as the NIS Directive 2016. The attacks on the Czech Republic clearly illustrate this.

The Strategy also focused on the development of the EU diplomatic approach to malicious state-sponsored cyber operations. The Cyber Diplomacy toolbox, the legal framework regulating the EU’s actions in the field of cyber diplomacy, was used twice in 2020, in July and October respectively. However, sanctions fell short of attributing attacks to state actors, even for already attributed attacks such as the WannaCry ransomware and NotPetya malware in 2017 (conducted by North Korea and Russia respectively). In the meantime, attacks such as the ones against the health sector in the Czech Republic were not publicly and explicitly attributed or even addressed.

The newly elaborated strategic approach to cyber diplomacy seems too vague and underdeveloped. With undecided applicability of the Solidarity and Mutual defence clauses (“the EU should reflect upon the interaction between the cyber diplomacy toolbox and the possible use of Article 42.7 TEU and Article 222 TFEU”), the Strategy not only fails to build upon previous legislative efforts; it actually contradicts the 2013 Strategy, according to which “[a] particularly serious incident or attack could constitute sufficient ground for a Member State to invoke the EU Solidarity Clause”. While this could simply be a change of strategy, the applicability of the two clauses should have been further explored and reinforced as a strategic approach. The 2020 document also does not set a timeline for when the EU “will present a proposal” to “further define its cyber deterrence posture” contributing to responsible state behaviour. It therefore appears that diplomacy in cyberspace at EU level is still a challenging topic to address. COVID’s exposure of the EU’s hesitant steps in the area has not served as a lesson learned. As Helena Carrapico and Benjamin Farrand have argued, COVID “does not appear to have served in itself as a critical juncture in the EU’s understanding of cybersecurity”.

The EU’s diplomatic approach in cyberspace also affects its attribution capacities, which so far have remained a “sovereign political decision” belonging to the Member States. The EU’s Strategy does not reflect the changing international (political and technological) environment, where attribution is no longer as challenging as before. The US – a like-minded and allied state – is accelerating in its position as a leader in setting norms on state accountability, having officially attributed various cyberattacks to different nation-states. The most recent example was the SolarWinds breach, discovered in December 2020 and attributed to the Russian Federation, leading the latter to be sanctioned in April 2021. Even though 6 out of 14 EU institutions, agencies and bodies which use the SolarWinds product also fell victim to the attack, the EU remained silent on possible attribution. The EU only issued a press release “expressing solidarity” with the US and stating that the “United States assesses” that the operation “has been conducted by the Russian Federation”. The EU is therefore lagging behind in a field where it could have taken the lead. Annegret Bendiek and Matthias Kettemann have evidenced both the importance of the “strategic capacity to act” and of the EU’s ability to assert its views on security internationally, concepts which were a missed target in the 2020 Strategy.

COVID-19 is not only a health crisis. It is also a cybersecurity one. Based on existing evidence, it appears that the impact of COVID-19 on the development of the EU strategic approach to cybersecurity was little to non-existent. Rather, because of its impact on cybersecurity, the pandemic should have been a driving factor in the drafting of the 2020 EU Cybersecurity Strategy. The legislative proposals put forward are indeed a step towards more resilient CI sectors, but they do not fill the existing gaps in terms of attribution and state accountability. The COVID-19 pandemic’s impact on cybersecurity – a key element for both international and national security – was therefore a missed opportunity for the EU to claim its role as a global leader in developing cybersecurity legislation. If the EU wants to lead the discussions on responsible state behaviour, it should be more assertive, have a unified voice, and act collectively when attributing attacks to state actors. Moreover, all these concepts should be clearly spelled out and included in a legal framework.

 


 

Eva Saeva is a postgraduate researcher at Newcastle Law School where she researches the EU’s legal approach to cybersecurity. Her thesis examines the UK, Italy, Bulgaria and the US’ national approaches, providing for internal and external factors in the development of the EU’s cybersecurity legal framework.

UACES and Ideas on Europe do not take responsibility for opinions expressed in articles on blogs hosted on Ideas on Europe. All opinions are those of the contributing authors.