Cybersecurity and the EU: lessons from the COVID-19 crisis
Eva Saeva, Postgraduate Researcher at Newcastle Law School
The COVID-19 pandemic hit the world hard. While medical researchers are racing to find a vaccine, malicious actors are exploiting the new range of possibilities to interfere with IT devices. Cybersecurity has become a prominent feature of the pandemic, especially in the health sector.
This blog explores how the European Union has dealt with the impact of the pandemic on the health sector across its Member States and whether the present cybersecurity legislative framework was sufficient to protect it. It examines how existing legislation applies to attacks against this critical infrastructure (CI) sector and identifies key takeaways in terms of the EU’s legal cybersecurity preparedness to act in times of crisis.
The current legal framework for cybersecurity is built upon the three pillars identified in the 2013 ‘EU Cybersecurity Strategy’: law enforcement, network and information security (NIS), and defence. The Directive on Attacks against Information Systems (2013), regulating illegal activities, such as access to information systems or data interference, belongs to the first pillar. The second, NIS, is the most developed pillar and includes legal instruments, such as the NIS Directive (2016, to be reviewed later this year), the Cybersecurity Act (2019) and the proposal for a Regulation establishing a Cybersecurity Competence Centre and Network. The least developed pillar is (cyber) defence and as such the EU has relatively weak powers in this particular field. The most relevant measure here is the Cyber Diplomacy Toolbox, adopted in 2017. Cybersecurity is also found in various sectorial legislative measures such as the European Electronic Communications Code (2018), the Recommendation on Cybersecurity for 5G networks (2019), the White Paper on Artificial Intelligence (2020), among others.
The measures analysed in this blog will be the NIS Directive and the Cyber Diplomacy Toolbox because of their relevance to the COVID-19-related cyberattacks seen across Member States.
The NIS Directive, the first EU overarching cybersecurity law, aims to achieve a high common level of security of network and information systems in the Union. It applies to attacks targeting the CI sectors, including the health sector. It establishes the criteria for identifying operators of essential services (OESs) in each sector. According to article 5(2), these are entities which provide services “essential for the maintenance of critical societal and/or economic activities”, where the provision of that service depends on network and information systems and an incident “would have significant disruptive effects on the provision of that service”. This means not all hospitals or medical centres would qualify as OESs. But, for example, the biggest hospital in a large city would. However, which institutions are the OESs in a given sector, as identified by the Member States, is not publicly accessible information.
The Directive also sets security requirements for the OESs. Article 14 (1) and (2) imposes obligations for OESs to adopt risk management, as well as preventive measures for incidents that could affect the security of their systems.
The COVID-19 pandemic was the first large-scale cybersecurity-resilience challenge some Member States had to encounter. The correct implementation and enforcement of the NIS Directive was tested. Even though health institutions across various (current and former) Member States were targeted (Italy, the UK, France), the March and April attacks in the Czech Republic provide the most relevant case study.
The March 2020 attack targeted a hospital in Brno, the second largest city in the Czech Republic. It reportedly brought IT systems to a complete halt. Daily work was thus affected, new patients had to be re-routed to different hospitals and operations postponed. At the time of the attack, the hospital was also performing COVID-19 testing. While there is no certainty that this hospital was identified as an OES under the NIS Directive, it certainly meets the criteria. If so, Czech officials failed to correctly implement and enforce the security requirements listed above.
A month later, the health sector in the Czech Republic suffered another series of attacks. While “unsuccessful”, and although Czech officials never officially attributed the attacks to a foreign state, it was reported that Russia might be behind them. The allegations were officially labelled “fake news” by Russian officials. However, if foreign interference indeed took place, this would have additional legal implications as it might have constituted a wrongful act under international law. According to the Cyber Diplomacy Toolbox, the EU has reaffirmed the recommendation for States not to “conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure”, adopted in the UN Group of Governmental Experts’ 2015 report. The Toolbox further states that even though attribution of an attack to a foreign actor is the sole responsibility of the state, there could be a joint EU diplomatic response.
In terms of the EU reaction, in his declaration on 30 April 2020, the High Representative Borrell referenced cyberattacks on the health sector, stating that the EU and its Member States condemned “malicious behaviour in cyberspace”. In June, the Commission’s President von der Leyen seemingly pointed a finger at China, stating that attacks on hospitals “cannot be tolerated”. Neither statement referenced the Czech attacks specifically. No mention was made of the consequences of a failed implementation of the cybersecurity law. No mention of the possibility of foreign interference within the territory of an EU Member State. No mention of an EU-level response in support of a targeted Member State. And while the Union remained silent, on 17 April 2020, the US Secretary of State Pompeo explicitly referenced the Czech attacks, declaring that anybody engaging in such activities against allies should “expect consequences”, implicitly undermining the EU’s authority and making it seem unprepared to respond.
The COVID-19 pandemic and the pressure it put on the health sector have exposed the shortcomings of the overall EU approach to cybersecurity. While norms exist, enforcement is key – both at Member State and at EU level. If the EU wants to be a leader in promoting the regulation of cyberspace, including the protection of CI sectors or responsible State behaviour, it needs to be more assertive when its Member States fall victim to cyberattacks. The lack of reaction questions the willingness of the EU to enforce its own measures.