by Eva Saeva, Newcastle Law School
This article is based on research presented at the UACES Graduate Forum Research Conference 2021 (17-18 June, online)
Cybersecurity has become the backbone of a global digital society, a key element for a variety of issues ranging from national security, data protection, the trustworthiness of AI and 5G technologies, digital sovereignty, to, last but not least, responsible state behaviour in cyberspace. The COVID-19 pandemic revealed the many benefits of digitalisation, but also exposed its vulnerabilities. During the (ongoing) health crisis, and especially the first few months, there was a sharp rise in cyberattacks against various critical infrastructure (CI) sectors, particularly the health sector, which was heavily targeted in certain EU Member States. More specifically, a series of serious attacks in the spring of 2020 were directed against the Czech Republic. In September 2020, a woman died in a German hospital, which at the time was suffering a ransomware attack. In addition, in late 2020, even the European Medicines Agency was attacked and vaccine data was accessed.
Against this background, this blog will investigate the new EU Cybersecurity Strategy adopted in December 2020, by discussing the new legislative proposals, with a particular focus on the new measures under development within the cyber diplomacy area. The blog’s objective is to examine whether COVID-19 was a key factor in the Strategy’s development.
The 2020 EU Cybersecurity Strategy for the Digital Decade put forward two legislative proposals. Both these proposals were built on existing legislation: the review of the NIS Directive and the resilience of critical entities. From a legal standpoint, it did not bring forward anything new – the focus remained on cyber resilience and risk management, in line with the 2013 Strategy. In other words, the 2020 Strategy efforts were directed towards securing critical infrastructure from possible attacks rather than dealing with the attackers themselves.
The increased number of cyberattacks against the health sector during the pandemic does not seem to have been a crucial element in the development of these proposals. However, these attacks further demonstrated the extreme vulnerability of CI sectors and the consequences of not having implemented properly prior legislative measures, such as the NIS Directive 2016. The attacks on the Czech Republic clearly illustrate this.
The Strategy also focused on the development of the EU diplomatic approach to malicious state-sponsored cyber operations. The Cyber Diplomacy toolbox, the legal framework regulating the EU’s actions in the field of cyber diplomacy, was used twice in 2020, in July and October respectively. However, sanctions fell short from attributing attacks to state-actors, even for already attributed attacks such as the WannaCry ransomware and NotPetya malware in 2017 (conducted by North Korea and Russia respectively). In the meantime, attacks such as the ones against the health sector in the Czech Republic, were not publicly and explicitly attributed or even addressed.
The newly elaborated strategic approach to cyber diplomacy seems too vague and underdeveloped. With undecided applicability of the Solidarity and Mutual defence clauses (“the EU should reflect upon the interaction between the cyber diplomacy toolbox and the possible use of Article 42.7 TEU and Article 222 TFEU”), the Strategy not only fails to build upon previous legislative efforts; it actually contradicts the 2013 Strategy, according to which “[a] particularly serious incident or attack could constitute sufficient ground for a Member State to invoke the EU Solidarity Clause”. While this could simply be a change of strategy, the applicability of the two clauses should have been further explored and reinforced as a strategic approach. The 2020 document also does not set a timeline for when the EU “will present a proposal” to “further define its cyber deterrence posture” contributing to responsible state behaviour. It therefore appears that diplomacy in cyberspace at EU level is still a challenging topic to address. COVID’s exposure of the EU’s hesitant steps in the area has not served as a lesson learned. As Helena Carrapico and Benjamin Farrand have argued, COVID “does not appear to have served in itself as a critical juncture in the EU’s understanding of cybersecurity”.
The EU’s diplomatic approach in cyberspace also affects its attribution capacities, which so far have remained a “sovereign political decision” belonging to the Member States. The EU’s Strategy does not reflect the changing international (political and technological) environment, where attribution is no longer as challenging as before. The US – a like-minded and allied state – is accelerating in its position as a leader in setting norms on state accountability, having officially attributed various cyberattacks to different nation-states. The most recent example was the SolarWinds breach, discovered in December 2020 and attributed to the Russian Federation, leading the latter to be sanctioned in April 2021. Even though 6 out of 14 EU institutions, agencies and bodies which use the SolarWinds product also fell victim of the attack, the EU remained silent on possible attribution. The EU only issued a press release “expressing solidarity” with the US and stating that the “United States assesses” that the operation “has been conducted by the Russian Federation”. The EU is therefore lagging behind in a field where it could have taken the lead. Annegret Bendiek and Matthias Kettemann have evidenced both the importance of the “strategic capacity to act” and of the EU’s ability to assert its views on security internationally, concepts which were a missed target in the 2020 Strategy.
Covid-19 is not only a health crisis. It is also a cybersecurity one. Based on existing evidence, it appears that the impact of COVID-19 on the development of the EU strategic approach to cybersecurity was little to inexistent. Rather, because of its impact on cybersecurity, the pandemic should have been a driving factor in the drafting of the 2020 EU Cybersecurity Strategy. The legislative proposals put forward are indeed a step towards more resilient CI sectors, but they do not fill the existent gaps in terms of attribution and state accountability. The COVID-19 pandemic’s impact on cybersecurity – a key element for both international and national security – was therefore a missed opportunity for the EU to claim its role as a global leader in developing cybersecurity legislation. If the EU wants to lead the discussions on responsible state behaviour, it should be more assertive, have a unified voice, and act collectively when attributing attacks to state-actors. Moreover, all these concepts should be clearly spelled out and included in a legal framework.
Eva Saeva is a postgraduate researcher at Newcastle Law School where she researches the EU’s legal approach to cybersecurity. Her thesis examines the UK, Italy, Bulgaria and the US’ national approaches, providing for internal and external factors in the development of the EU’s cybersecurity legal framework.