
Cybersecurity and the EU: lessons from the COVID-19 crisis

Eva Saeva, Postgraduate Researcher at Newcastle Law School

The COVID-19 pandemic hit the world hard. While medical researchers are racing to find a vaccine, malicious actors are exploiting the new range of possibilities to interfere with IT devices. Cybersecurity has become a prominent feature of the pandemic, especially in the health sector.

Photo: Virus, Yuri Samoilov via Flickr, yuri.samoilov.online

This blog explores how the European Union has dealt with the impact of the pandemic on the health sector across its Member States and whether the present cybersecurity legislative framework was sufficient to protect it. It examines how existing legislation applies to attacks against this critical infrastructure (CI) sector and will identify key takeaways in terms of the EU’s legal cybersecurity preparedness to act in times of crisis.

The current legal framework for cybersecurity is built upon the three pillars identified in the 2013 ‘EU Cybersecurity Strategy’: law enforcement, network and information security (NIS), and defence. The Directive on Attacks against Information Systems (2013), which regulates illegal activities such as illegal access to information systems or data interference, belongs to the first pillar. The second, NIS, is the most developed pillar and includes legal instruments such as the NIS Directive (2016, to be reviewed later this year), the Cybersecurity Act (2019) and the proposal for a Regulation establishing a Cybersecurity Competence Centre and Network. The least developed pillar is (cyber) defence, and as such the EU has relatively weak powers in this particular field. The most relevant measure here is the Cyber Diplomacy Toolbox, adopted in 2017. Cybersecurity is also found in various sectoral legislative measures, such as the European Electronic Communications Code (2018), the Recommendation on Cybersecurity for 5G networks (2019) and the White Paper on Artificial Intelligence (2020), among others.

The measures analysed in this blog will be the NIS Directive and the Cyber Diplomacy Toolbox because of their relevance to the COVID-19-related cyberattacks seen across Member States.

The NIS Directive, the first overarching EU cybersecurity law, aims to achieve a high common level of security of network and information systems in the Union. It applies to attacks targeting the CI sectors, including the health sector. It establishes the criteria for identifying operators of essential services (OESs) in each sector. According to article 5(2), these are entities which provide services “essential for the maintenance of critical societal and/or economic activities”, where the provision of that service depends on network and information systems and an incident “would have significant disruptive effects on the provision of that service”. This means not all hospitals or medical centres would qualify as OESs. But, for example, the biggest hospital in a large city would. However, which institutions in a given sector have been identified as OESs by the Member States is not publicly accessible information.

The Directive also sets security requirements for the OESs. Article 14 (1) and (2) imposes obligations for OESs to adopt risk management, as well as preventive measures for incidents that could affect the security of their systems.

The COVID-19 pandemic was the first large-scale cybersecurity-resilience challenge some Member States had to encounter. The correct implementation and enforcement of the NIS Directive was tested. Even though health institutions across various (current and former) Member States were targeted (Italy, the UK, France), the March and April attacks in the Czech Republic provide the most relevant case study.

The March 2020 attack targeted a hospital in Brno, the second largest city in the Czech Republic. It reportedly brought IT systems to a complete halt. Daily work was thus affected: new patients had to be re-routed to different hospitals and operations postponed. At the time of the attack, the hospital was also performing COVID-19 testing. While there is no certainty that this hospital was identified as an OES under the NIS Directive, it certainly meets the criteria. If it was, Czech officials failed to correctly implement and enforce the security requirements listed above.

A month later, the health sector in the Czech Republic suffered another series of attacks. While “unsuccessful”, and although Czech officials never officially attributed the attacks to a foreign state, it was reported that Russia might be behind them. The allegations were officially labelled “fake news” by Russian officials. However, if foreign interference indeed took place, this would have additional legal implications, as it might have constituted a wrongful act under international law. Through the Cyber Diplomacy Toolbox, the EU has reaffirmed the recommendation, adopted in the UN Group of Governmental Experts’ 2015 report, that States should not “conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure”. The Toolbox further states that even though attribution of an attack to a foreign actor is the sole responsibility of the state, there could be a joint EU diplomatic response.

In terms of the EU reaction, in his declaration of 30 April 2020, the High Representative Borrell referenced cyberattacks on the health sector, stating that the EU and its Member States condemned “malicious behaviour in cyberspace”. In June, Commission President von der Leyen seemingly pointed a finger at China, stating that attacks on hospitals “cannot be tolerated”. Neither statement referenced the Czech attacks specifically. No mention was made of the consequences of a failed implementation of the cybersecurity law. No mention of the possibility of foreign interference within the territory of an EU Member State. No mention of an EU-level response in support of a targeted Member State. And while the Union has remained silent, on 17 April 2020 the US Secretary of State Pompeo explicitly referenced the Czech attacks, declaring that anybody engaging in such activities against allies should “expect consequences”, implicitly undermining the EU’s authority and making it seem unprepared to respond.

The COVID-19 pandemic and the pressure it put on the health sector have exposed the shortcomings of the overall EU approach to cybersecurity. While norms exist, enforcement is key – both at Member State and at EU level. If the EU wants to be a leader in promoting the regulation of cyberspace, including the protection of CI sectors or responsible State behaviour, it needs to be more assertive when its Member States fall victim to cyberattacks. The lack of reaction questions the willingness of the EU to enforce its own measures.
