Cybersecurity – a critical element of the strategic autonomy of the EU

Digital transformation in all areas of our lives continues at an increasing pace. Here are some facts:

• Ninety percent of the data in Internet was created in the last five years.
• Every minute, 300 hours of video are uploaded to YouTube.
• In the next five years, Gartner estimated that there will be 50 billion connected devices worldwide. And these are conservative estimates given the exponential innovation we've seen in digital technology.

?Furthermore, the corona virus pandemic has only accelerated this transformation and as a result today and in the future, we will be increasingly dependent on digital technologies and the exchange of information in various forms.

?As a matter of fact, information is already and will continue to be our most valuable asset – both at the individual level and for organizations and governments. It is undeniable that digital technologies are opening up a whole new world of possibilities and giving us access to countless new products and services that are quickly becoming an integral part of our daily lives. But at the same time, it also makes us increasingly vulnerable to cyber crimes and cyber attacks, which can have a huge social and economic cost.

?While in general we all agree that digital transformation is all around and will continue it seems that we still fail to recognise its ‘dark’ side and to act to address it. Few examples:

• Although 80% of EU companies experienced at least one cyber incident in 2018, understanding of the risks associated with the use of digital technologies is still alarmingly low.
• Among EU companies, 69% do not have a cyber security policy and cyber risk management plan, and 60% have never assessed their potential financial losses from cyber attacks.
• The 2017 global Wannacry ransomware and NotPetya wiper attacks claimed over 320,000 victims in around 150 countries.
• As a result of the accelerated digitization process linked to the corona virus pandemic, 86% of EU citizens now believe that the risk of becoming a victim of cybercrime has increased.

The examples above clearly demonstrate that cyber security today is much more than a technical problem and has become an integral and important part of the national and European security and of the EU strategic autonomy.

?

The war in Ukraine is yet another practical demonstration of this fact. The main threat vector for the countries immediately bordering Ukraine, and for the entire European Union as a whole, is not so much the possible military action by Russia as massive and targeted cyber attacks against government and national critical infrastructure. Such attacks have already been registered in Lithuania, Latvia, Poland, and other countries.

Over the past 10 years, the European Union, appreciating the growing importance of cyber security in political, economic, and social aspects, as well as the ever-increasing number of cyber attacks within the Union and globally, has made continuous efforts to improve the cyber resilience at European and national level.

At the same time, the cyber security ecosystem in EU is complex and multi-layered. It covers a range of internal policy areas such as justice and home affairs, the digital single market and research policies. Cyber security is also an essential element of the European foreign policy as well as of the common defence policy of the EU.

To be able to see the future development of cyber and information security, however, a broader view is needed that goes beyond purely technological aspects and current policies and trends. To give you an example. In the 19th century, industrialization began a process that led on the one hand to an incredible progress. But these same advances also created sophisticated military technology and tools that were used successfully in both world wars. This example clearly indicates that any technology has strategic, political, and economic aspects that must always be considered, especially in the context of today's globalized world. These specific aspects are particularly important in cases where national and EU policies regarding cyber and information security are being discussed.

In fact, today the world has entered a new period of confrontation of economic systems, governments and military alliances. Today, the lines of opposition are invisible, the conflicts undeclared and from physical they have become virtual. This development is quite natural, since the digital technologies and Internet could be seen as publicly available resource with a dual-use. On the one hand, it is a means of economic development, market expansion and the exchange of ideas and information. At the same time, it is also used for other, far less benevolent purposes – cyber terrorism, hybrid attacks and more.

The modern dimensions of cyber security go far beyond simple technical protection of infrastructure, systems, and information. They have specific economic and political dimensions, as modern societies are based on knowledge, information, intellectual property and research and development. And for this reason, cyber security and cyber resilience are essential part of the EU digital strategic autonomy.

How can EU develop an adequate response to modern cyber threats? First of all I shall say that in EU there are already sufficient number of instruments - political, financial and operational – that all together form a comprehensive toolset in the area of cyber security.?I am convinced that we do not need more of them but to make efficient use of what we already have at hand.

But what does this mean in practical terms? There are several important aspects that need to be addressed in order EU to develop further its preparedness to respond to the modern cyber threats, in particular:?

• ?Legislation in the field of cyber security.

I must note that the speed at which digital technologies are developing and the cyber risks arising from them are still far outpacing the design and implementation of the legislation in this area in EU.

Despite the drive for better coordination, the legislative framework for cyber security needs further evolution and still sometimes hinders the achievement of the overall objectives of the revised EU Cyber Security Strategy. Gaps identified by the European Commission in the recent evaluations of the implementation of the strategy include the Internet of Things, the balance of responsibilities between users and providers of digital products and services, and others. The EU Cybersecurity Act and recently adopted NIS 2 Directive address number of existing shortcomings. Nevertheless, more efforts are required since the EU still lacks a clearly defined cyber industrial policy and a common coordinated approach to cyber espionage and cyber terrorism.

In addition, the still incomplete transposition of the EU law into Member States' national legislation leads to legal and operational problems and prevents the realization of the full potential of the available instruments.

• Financing of cyber security policies

The global cyber security spendings in 2019 as a percentage of GDP is estimated to be around 0.1%. In the United States, their share is about 0.35% (including the private sector) or approximately $21 billion, in the 2019 budget.

EU cyber security spending compared to the US is still relatively low and fragmented. They are estimated at between one and two billion euros per year. Most Member States' cyber security spending as a percentage of GDP is less than a tenth of US levels or even lower.

Given the fact that cyber security is today an essential element of national and European security, this financing model must change significantly. EU Member States and EU should start allocating a fixed share of their GDP to finance national and intergovernmental initiatives in the field of cyber security. ??

• Common standards and governance of cyber security

Cyber security governance is much more than a simple technical problem and its adequate resolution requires effective leadership, robust processes and agile procedures.

Today, national cyber security governance models ( to the extent they exist ) differ across EU. Within them, responsibility is often divided between multiple national entities. This in practice hampers coordination and cooperation at national and European level, which is critical for responding to large-scale cross-border incidents and for exchanging information on risks and threats.

In general, today, cyber security governance models are mainly focused on the public sector because the risk and consequences of cyber incidents are estimated to be the highest there. Given the effects of the global digital transformation, however, it is necessary to better integrate the private sector into existing cyber security governance models at national level, because today successful prevention of cyber threats and response to cyber attacks and incidents can only be achieved as a result of the l coordinated efforts of all national stakeholders.

• Digital skills

Cyber security is no longer a problem of governments and specialized agencies alone. Users play a crucial role in avoiding cyber risks, as well as in the adequate and timely response to cyber attacks. For this reason, the development of their knowledge, skills and awareness is the key to building a sustainable information society. The development of digital skills in society is also of particular importance due to the growing asymmetry between the resources needed to carry out a cyber attack and the resources needed to defend against it. ?

The annual European Cyber Security Awareness Month (ECSM) and Safer Internet Day are examples of practical awareness-raising initiatives. But more coordinated efforts are needed at national and European level. In this context, it would not be an exaggeration to say that the present European Cyber Security Strategy is still partially effective in terms of developing the knowledge and skills of citizens and businesses in the European Union.

• Trust, exchange of information and cross-border cooperation

Cyber security requires close cooperation between the public and private sectors, information sharing, exchange of standards and good practices. Trust in general is of utmost importance to create an appropriate collaborative environment at national and European level.

In turn, trust is built through transparency and predictability. The key to effective response of the modern cyber threats is involvement of all stakeholders at national level. Cyber and hybrid attacks are a preferred means of attack recently against EU since they generally have the main goal to undermine trust in governments. That is why their most effective countermeasure is to increase the awareness and countermeasure capabilities of the private sector and citizens.

It is undeniable that significant progress has been made in recent years in the interaction between the public and private sectors at national and European level on the cyber security issues. However, more joint efforts are needed to develop this interaction and to improve overall the EU's coordination and ability to respond effectively and in a timely manner to current and future cyber security risks. This is also one of the priorities in the updated European Cyber Security Strategy as well as in the European Security Union Strategy.

Finally, I would like to emphasize once again that the main challenges to the effective and efficient response to the modern cyber security threats today are not technical. If we all fail to recognize this fact and remain focused only on the technical aspects of cyber security, the technical excellence of cyber security solutions will have little meaning and minimal added value… Because today the countries, the governments, the businesses and the people - all of them - are part of one global network in cyberspace using virtual and physical resources.

Information sharing, transparency, public-private partnerships, cross-border cooperation should not be just wishful thinking. They are the true and solid foundation of the EU response against modern cyber threats. If we fail to make them work and instead raise barriers ( intentionally or not ) to information sharing and cooperation at national and European level, we will ourselves be giving up the most powerful weapon of the EU in the fight against modern cyber threats.?