The EU Cyber Security Strategy – A Much Needed Digital Agenda for the EU
Cybersecurity has become a high-ranking issue on the EU’s emerging security risks agenda, because the security of information systems and networks is a critical element to ensure “prosperity and to keep the online economy running”[i]. The new Cybersecurity Strategy of the European Union – An Open, Safe and Secure Cyberspace[ii] (February 2013) is the first comprehensive policy document put forward by the High Representative Catherine Ashton and the European Commission related to cyberspace security issues. The Strategy is meant to prioritize particular policy areas[iii] for the EU’s international cyberspace: from strengthening the information systems in the EU and confidence-building in online services to capacity-building strategies involving international partners, the private sector and civil society.
Cybersecurity is a global challenge and the response should be global as well.
The term cybersecurity as advanced by the Strategy has remained a vague blanket term that encompasses an array of issues: responsibility, freedom and openness, trust, public and private industry collaboration, the protection of privacy, combating cybercrime, ensuring better cooperation between Member States, and encouraging spending on cutting-edge cyber defense technologies. Notwithstanding the lack of territoriality and borders in cyberspace and cybercrime, Member States still remain entrenched in the vision that cybersecurity is part of national security agendas. In addition, the terminology used to define cybersecurity issues varies across national contexts, private industry, and civil society, leading to a fragmented understanding and the lack of a reliable[iv] international definition of the term. On top of that, it still remains unclear how responsibility should be distributed among stakeholders from the EU institutions, national governmental bodies, or the private sector, as the most relevant drivers of a coherent plan of action[v].
In this respect, the Strategy was accompanied by proposals for a set of unified network and information security rules and demanding regulatory obligations that attempt to coordinate national cybersecurity policies, i.e. the “NIS Directive”[vi] proposed by the European Commission in February 2013. On March 13, 2014, the European Parliament voted to adopt the draft NIS Directive as part of an EU cybersecurity harmonization effort that targets the creation of uniform standards and levels of cybersecurity across the EU. The Cybersecurity Directive also envisages creating Computer Emergency Response Teams (CERTs)[vii] in each EU Member State, as well as cooperation and information exchange obligations between Member States and the Commission. However, the implementation of such standards depends on the Member States’ willingness to redirect funds specifically for cyber defense, to share critical information, or their determination to pass targeted legislation concerning cybersecurity.
Turning on the digital security innovation growth machine in the EU
In particular, the Strategy intends to encourage the demand for highly secure Information and Communications Technologies products and to stimulate Research and Development plans by EU Member States so as to create competent and competitive technical resources for cyber defense. To this end, there has already been a dedicated concern at EU level regarding research and planning initiatives to protect Europe’s cyber-future and to address its lack of digital security innovation. The Commission’s Working Paper Executive Summary of the Impact Assessment[viii] clearly articulated this problem back in 2011, expressing concern for the EU’s “structural innovation gap” and the necessity to boost productivity and growth for creating breakthrough technologies.
Compared to its competitors, the EU’s innovation and performance lag makes it difficult to develop new competitive and cyber-secure products, processes and services. In the context of the EU’s security policy, Horizon 2020 comes as a timely and targeted financial instrument for bridging the “structural innovation gap” and for encouraging innovation and the development of “the industrial and technological resources for cybersecurity”[ix]. From 2014 onwards, Horizon 2020’s comprehensive framework will become the go-to financial honeypot to address Research, Development and Innovation in the field of Cybersecurity and Online Privacy. The end goal would be the development of reliable Information and Communications Technologies (ICT) solutions that promise the creation of a secure and trustworthy digital environment in the EU and the protection of fundamental rights. The lofty purpose of the funding is “to help boost Europe’s knowledge-driven economy, and tackle issues that will make a difference in people’s lives”.[x]
Horizon 2020 – The EU Framework Program for Research and Innovation
Horizon 2020 – The EU Framework Program for Research and Innovation is the biggest EU Research and Innovation program, with a budget of nearly €80 billion of funding available over 7 years (from 2014 to 2020), in addition to the private investment that this money will generate. Horizon 2020 follows the template of the EU’s Seventh Framework Program for Research (FP7), which ran from 2007 to 2013. It is expected that approximately 2.2% or €1.69 billion of the Horizon 2020 budget will be dedicated to Security research, an increase of approximately 20% compared to FP7[xi].
The Commission will utilize the Horizon 2020 framework to deliver improved coordination of funds and to address a range of areas in ICT security and privacy, from R&D to innovation and deployment, to supporting the development of instruments to fight cyber-criminal and terrorist activities. On 11 December 2013, the European Commission initiated a first call for projects[xii] under Horizon 2020, with a budget of more than 15 billion euro available for the first two years of the Horizon 2020 program. In these first two years, the program will prioritize three pillars: excellent science, industrial leadership, and seven societal challenges. Providing enhanced cybersecurity[xiii], ranging from secure information sharing to new assurance models, is tallied under the seventh Societal Challenge: (7) Secure societies – protecting freedom and security of Europe and its citizens.
Horizon 2020 and what it actually means for improving Europe’s cybersecurity
Twelve focus areas based on the Horizon 2020 societal challenges are emphasized in the first two years, among which is Digital Security: Cybersecurity, Privacy and Trust, with a budget of €47 million for 2014 and €49.6 million for 2015. Digital Security in Horizon 2020 is given a wide berth, from academic and laboratory R&D, the development of the economic and societal dimension of security and privacy, secure information sharing, and security of eServices, to trustworthiness in the European digital ecosystem[xiv]. Specifically, Horizon 2020 will fund research into activities which aim to bolster the security of current applications, services and infrastructures and especially incentivize the creation of market opportunities for the EU in the digital arena.
The focus is thus on giving the EU the needed competitive edge to bridge its digital security “structural innovation gap” and demonstrate the market feasibility of its up-to-date security, privacy and trust solutions. On 15 January 2014, in Brussels, the European Commission’s Directorate General for Communications Networks, Content and Technology organized a Horizon 2020 information session[xv] on the calls for proposals addressing cybersecurity, privacy and trustworthy ICT research, development and innovation. All in all, there is a concerted effort at the EU level to upgrade its cybersecurity regime in a bid to offer competitive technological solutions to digital security, to impose a certain level of competence and standardization across Member States, to battle cybercrime, and to reinforce resilience to cyber-attacks.