French election proves EU needs more effective cyber shield
Interested in this topic? See our full paper: ‘Building an Effective European Cyber Shield: Taking EU Cooperation to the Next Level’.
Although many — in France, in Europe, and around the world — are breathing a sigh of relief as independent centrist Emmanuel Macron beat National Front candidate Marine Le Pen in the second round of voting on Sunday, 7 May, it seems likely that others will be berating themselves for failing to sway the outcome of the vote in the manner they wanted.
Indeed, France has apparently become the latest nation to see a pivotal election overshadowed by fake news and large-scale cyberattacks; drawing parallels to events in the US last year, when hackers, seemingly linked to Russia’s military intelligence service, gained access to the emails of Democratic Party candidate Hilary Clinton, with a view to swaying the outcome of the US Presidential election.
And, with much of the suspicion directed at Moscow, Germany’s spy chief has already warned the Kremlin against interfering in the upcoming German elections, which are scheduled for September this year.
All these incidents point all too clearly to the fact that politically-motivated cyberattacks are gaining in scale, hostility and sophistication. Cyber warfare is emerging as a powerful new weapon that can easily be used by states such as Russia or North Korea — but also by non-state actors such as Daesh or al-Qaeda — to destabilise and undermine Western democracies.
In fact, cyberattacks are already affecting every sphere of our lives, as the world becomes increasingly connected, and the spread of the ‘Internet of Things’ means the vulnerability to cyberattacks now extends beyond digital assets to physical assets. This may even include critical infrastructure, with the potential to destabilise or harm large parts of the population.
This figure features only a small selection of incidents that took place in 2016.
Many more attacks occur every day all over the world.
Source: European Political Strategy Centre, based on media reports
In this context, European countries need to start anticipating and planning for hitherto unimaginable scenarios in which they could be put under severe attack. Currently, cybersecurity is still very far from being a first-hand consideration for many Europeans. Even where there is awareness of the potential risks and vulnerabilities linked to the increasing spread of digital technologies, the limited skills, tools and policies in place often do not match the speed and creativity of attackers. Furthermore, the predominance of silos acts as a major limitation in the fight against sophisticated cyberattacks.
‘In the area of security, as in many other areas in Europe, fragmentation is what makes us vulnerable.’
‘In the area of security, as in many other areas in Europe, fragmentation is what makes us vulnerable,’ European Commission President Jean-Claude Juncker warned last April. As part of efforts to address this fragmentation, the EU already adopted a Directive on Security of Network and Information Systems (‘NIS’ Directive) last year, which establishes a new, multi-level governance structure, with a view to boosting cybersecurity capabilities across Member States, reinforcing trust and improving information exchange and cooperation among them.
However, our paper argues that, given the rapid acceleration and intensification of cyber threats, the EU will need more than a system based on loose cooperation of national authorities and mostly voluntary exchanges. EU tools and responses will need to complete and broaden national capabilities — especially when responding to state-sponsored cyber threats — so as to maximise the deterrent effect.
The creation of a European Cybersecurity Platform could give a greater impulse to already ongoing efforts. Such a platform could take any form, ranging from a central Coordinator (e.g. mirroring the position of the European Counterterrorism Coordinator) to a fully-fledged Agency (e.g. with the transformation of the current Agency for Network and Information Security (ENISA) into a real Cybersecurity Agency) — depending on how far Member States are willing to go together.
Beyond the institutional framework, making Europe cybersecure will also require the involvement of all actors in the growing digital community. As a priority, this means developing European standards and certification schemes for cybersecure devices. It means promoting digital autonomy in certain strategic areas, where over-reliance on imported technologies could jeopardise EU safety and security. But, in turn, this means Europe’s fragmented and highly dispersed cyber industry must be in a position to offer credible alternatives. With this in mind, European investments in research and innovation could provide a much-needed boost to the sector, and could take the form of challenges and competitions. Ensuring consistent information-sharing among all relevant players — public, private, large or small, will be crucial to better understanding incidents and developing joint solutions. Finally, EU-NATO cooperation will be crucial in going forward as cyber threats evolve ever closer to the sphere of cyber wars that could fall within the remit of Article 5 of the NATO Treaty.
The past two years have seen a clear demonstration of the potentially disruptive effects of cyberattacks on Western democracies. Loose coordination and soft policies are a first step but will clearly be insufficient to face new versatile and cross-border threats. Cybersecurity needs to become a political priority. Anticipating and planning for the worst should drive the next steps at European level. Robust policies on cybersecurity and the development of European capabilities, underpinned by significant EU funding, should form the basis of a European cyber shield to defend EU institutions, Member States, businesses and citizens.
