EuroWire July 2011


description

This issue of EuroWire examines EU cyber security policy.

Transcript of EuroWire July 2011


Inspiring People. Shaping the Future.

WASHINGTON, DC
1101 New York Avenue, NW
Suite 901
Washington, DC 20005 USA
Contact: Tyson Barker
E-mail: tyson.barker@bertelsmann-foundation.org
Tel: (+1) 202.384.1993
www.bertelsmann-foundation.org

BRUSSELS
Résidence Palace
Rue de la Loi 155
1040 Brussels, Belgium
Contact: Thomas Fischer
E-mail: thomas.fischer@bertelsmann-stiftung.de
Tel: (+32 2) 280.2830
www.bertelsmann-stiftung.de/brussels

©Copyright 2010, Bertelsmann Foundation. All rights reserved.

The Growing Pains in EU Cyber Security Policy

From the 2007 wave of distributed denial of service (DDoS) attacks to hit Estonia to the 2008 Russian cyber attacks on Georgia during the brief South Ossetian war, Europe has become a primary theatre for cyber warfare. It has also emerged as a primary target of e-espionage, cyber crime, fraud, and “hacktivism”.

The EU is laboriously attempting to stitch together a holistic approach to cyber security to address these challenges. But despite the interconnectedness of European critical information infrastructure (CII) and the increasing sophistication of attacks, the common issues faced by member-states have yet to lead to a unified approach.

EuroWire is a joint publication of the Bertelsmann Foundation offices in Washington, DC and Brussels. It connects Capitol Hill to European Union policy and politics and contributes to a common trans-Atlantic political culture. EuroWire is an occasional publication that highlights issues, legislation and policymakers relevant to the Congressional legislative cycle. This publication looks at the European Union from the point of view of Capitol Hill staffers and offers timely operational analysis.

KEY POINTS

• The EU has been slow to put together a comprehensive approach to cyber security. The Commission and ENISA are the chief interlocutors for cyber policy and work closely with European member-states.

• Within the EU, the big three member-states (France, Germany and the UK) have begun to establish national cyber security doctrines in the face of mounting threats.

• US President Barack Obama and EU President José Manuel Barroso announced the creation of a working group on cyber security at the US-EU Summit in Lisbon in November 2010.

ABOUT THE BERTELSMANN FOUNDATION: The Bertelsmann Foundation is a private, nonpartisan operating foundation, working to promote and strengthen trans-Atlantic cooperation. Serving as a platform for open dialogue among key stakeholders, the Foundation develops practical policy recommendations on issues central to successful development of both sides of the ocean.

©Copyright 2011, Bertelsmann Foundation. All rights reserved.

Ratification of the 2001 Budapest Convention on cyber crime, the only internationally binding agreement on cyber security issues, by all 27 member-states has been slow. Eight member-states (Austria, the Czech Republic, Greece, Ireland, Luxembourg, Malta, Sweden and Poland) have been reluctant to sign due to concerns about data protection and privacy, among other issues.

The Commission has nevertheless taken some tangible steps forward to craft a pan-European policy. Charged with leading that effort, Home Affairs Commissioner Cecilia Malmström and Digital Agenda Commissioner Neelie Kroes are pasting together an EU strategy. In addition, the Commission in 2010 implemented a Digital Agenda for Europe that includes actions to improve Europe’s capability to prevent, detect and respond to network and information-security problems. In accordance with the agenda, Kroes’ team established in June 2011 the first full-scale computer emergency response pre-configuration team (CERT) for EU institutions.

The European Network and Information Security Agency (ENISA), created in 2004 under EC Directive No. 460/2004 as an advisory body for member-states and EU institutions on network and information-security issues, has rapidly established itself as an actor in the European cyber security community. ENISA saw its mandate extended by the Council after overseeing in November 2010 the coordination of the first pan-European cyber security exercises. But the agency has come under criticism for its location on Crete, a distant 1,500 miles (2,500 kilometers) from Brussels, making it hard to attract qualified IT personnel. With a staff of 65, ENISA has an exceptionally small number of people relative to the breadth of its programs and responsibilities.

On the military side, NATO early on considered cyber attacks among the greatest security threats to the developed world. The alliance’s new strategic concept, adopted at the Lisbon summit in November 2010, emphasized a desperate need to be able to respond to such attacks. The organization was one of the first to recognize the need for greater flexibility in the new strategic environment following the cyber attacks on Estonia. Cooperation between NATO and the EU, however, has been unsatisfactory, according to many observers.

The US also plays an important role in Europe’s evolving cyber policy, one that many Europeans would like to see expand. During the Lisbon summit, US and EU leaders announced the creation of a joint working group on cyber security. Key subjects for this trans-Atlantic body will be “incident management response capabilities, immediate joint awareness raising activities, cooperation to remove child pornography from the Internet” and advancing the Council of Europe’s convention on cyber crime. The working group is expected to offer concrete recommendations for enhanced cooperation by the end of this year. In more evidence of trans-Atlantic coordination, US Department of Homeland Security Secretary Janet Napolitano travelled to Hungary in April 2011 to meet with Commissioners Malmström and Kroes to reiterate shared commitments to combat global Internet security.

Cyber Security Strategy Development in the EU’s Big Three

France

In June 2008, France issued a white paper on security and defense that for the first time prioritized cyber attacks as a threat to national security. The following year Paris took additional steps to implement cyber policy with the creation of the Network and Information Security Agency (ANSSI), which serves as the national authority for cyber security. In February 2011, France issued a national strategy for the defense and security of information systems, which relies on four major objectives: a proactive global leader in the arena, maintaining the balance between freedom and privacy while ensuring rights are protected, reinforcing the French national critical infrastructures’ cyber security and ensuring security in cyberspace.

Main agencies: French Network and Information Security Agency (ANSSI); French Data Protection Authority (CNIL); Telecommunications and Post Office Regulator (ARCEP); Central Office for the Fight Against Crime Related to Information Technology and Communication (OCLCTIC); Internet Usage Delegation (DUI); State Administration Modernization Directorate (DGME)

Major themes of cyber security strategy (as of February 2011):
• proactive global actor on cybersecurity
• maintaining a balance between freedom and privacy while ensuring rights are protected
• reinforcing the cyber security of French national critical infrastructure
• ensuring security in cyberspace

Key figures and positions:
• ANSSI Director Patrick Pailloux

Major incidents:
• March 2011 “spectacular” attack on the French government in advance of G20 meeting

Germany

Germany released in early 2011 its national cyber security strategy, which stresses enhanced protection of critical infrastructure and IT systems against cyber attacks. The strategy also called for the creation of a national cyber security center, which opened in Bonn on 16 June 2011. The Cyber Defense Center marks Germany’s first major effort to arm itself in the war against cyber attacks and follows the establishment of the UK’s Cyber Security Operations Centre and the US’s Cyber Command Center.

Main agencies: Federal Ministry of the Interior (BMI); Federal Ministry of Economics and Technology (BMWi); Federal Office for Information Security (BSI); Federal Office for Information Technology (BIT); Federal Commissioner for Data Protection and Freedom of Information (BFDI); Federal Network Agency for Gas, Telecommunications, Post and Railway (BNetzA); Federal Criminal Police Office (BKA)

Major themes of cyber security strategy (as of March 2011):
• protection of critical information infrastructure
• private public partnerships
• comprehensive approach highlighting international cooperation with bodies such as NATO, the OSCE, the EU, the UN and the Council of Europe

Key figures and positions:
• Federal Commissioner for Information Technology Cornelia Rogall-Grothe

Major incidents:
• latest government report states the number of “electronic attacks” on German federal officials in 2010 was 2,108, about 600 more than in the previous year


The United Kingdom

The 2010 UK National Security Strategy names cyber attacks as one of the four most serious threats to the state. London accordingly earmarked £650 million to support a dedicated cyber security program. The UK’s first national Cyber Security Strategy, published in 2009, outlined the need for a coherent approach towards cyber security beginning with the establishment of an Office of Cyber Security and Information Assurance. In May 2011, Prime Minister David Cameron and US President Barack Obama reaffirmed their mutual commitment to tackling cyber security by recognizing that the same “rules of the road” that help maintain international peace, security, and respect for individual rights must apply to cyber space. As the latest signatory to the Convention on Cybercrime (25 May 2011), the UK has increased its efforts to tackle such illicit activity.

Main agencies: Office of Cyber Security and Information Assurance (OCSIA); Centre for the Protection of National Infrastructure (CPNI); Department for Business Innovation and Skills (BIS); Communications Electronics Security Group (CESG); Information Commissioner’s Office (ICO); Cyber Security Operations Centre (CSOC); Serious Organised Crime Agency (SOCA)

Major themes of cyber security strategy (as of June 2009):
• address deficiencies in the UK’s ability to detect and defend itself against cyber attack
• create a new Defense Cyber Operations Group to mainstream cyber security through the Ministry of Defence and integrate it across all defense operations
• address shortcomings in critical cyber infrastructure
• sponsor long-term cyber security research to build and maintain excellence
• new program of cyber security education and skills for the public and businesses to encourage a more preventative approach to cyber security throughout the United Kingdom

Key figures and positions:
• Minister for the Cabinet Office Francis Maude
• Minister for Security at the Home Office James Brokenshire

Major incidents:
• December 2010 attack on the British foreign ministry

Europe’s Who’s Who on Cyber Security

Cecilia Malmström
Commissioner for Home Affairs, European Commission

Ivailo Kalfin
MEP, Group of the Progressive Alliance of Socialists and Democrats; Vice Chair, Committee on Budgets, European Parliament

Krzysztof Lisek
MEP, Group of the European People’s Party; Vice Chair, Subcommittee on Security and Defense

Catherine Ashton
High Representative for Foreign Affairs and Security Policy

Neelie Kroes
Commissioner for Digital Agenda, European Commission

Gilles de Kerchove
EU Counterterrorism Coordinator, Council

Sophie in’t Veld
MEP, Group of the Alliance of Liberals and Democrats for Europe; Vice Chair, Committee on Civil Liberties, Justice and Home Affairs