28.01. 2013 Enough cyber talk - we need to act! Mainstreaming cyber issues in EU policy

By Tunne Kelam MEP, Rapporteur

Europe has been operating online for more than a decade - some countries much longer than that and on a wider scale. Many European infrastructures operate in the cyber sphere: most European citizens do their banking online, submit tax returns online, purchase goods over the internet and benefit from numerous digital services such as e-government, e-health, e-school etc. E-commerce is expected to become the measure for making Europe more competitive in the global arena, with the digital single market having the potential to upgrade the European single market as a whole. 

On the other hand, cyber crime is giving rise to substantial costs for European businesses and is an increasingly serious threat to citizens' identity, privacy and assets. Not surprisingly, the military sphere has quietly but dramatically turned 'cyber'. Defensive or offensive operations do not necessarily mean using tanks or fighter jets, but are being planned or even conducted in cyber space, where the fate of future conflicts might be decided in milliseconds. 

Cyberspace and the EU

For a number of years there has been much talk in the EU about the need to protect critical information systems and infrastructures, and find a balance between privacy and security, to efficiently address the challenges of e-commerce, cyber security and even cyber defence. Numerous units in the Commission, Parliament (EP), Council and at the Member-State level are dealing with manifold aspects of cyberspace. 

In 2011 and 2012, the European Parliament prepared and adopted several reports on different facets of the issue. In November 2012, the EP approved the first comprehensive report on cyber security and defence which urged the Commission to come forward with an EU cyber security strategy. Dozens of conferences and seminars have addressed the cyber challenge, which has gained a respected position in the agenda of the EU - US parliamentary cooperation committee.

Time to act

There has been too much talking. The EU needs to act, and to act without further delays. 

1. A comprehensive EU cyber security strategy has to be finalized by the EU Commission in the shortest possible time. The presentation of such a comprehensive strategy is lagging behind the developments in cyber space. We should be aware that presenting such a strategy is only the first step. The crucial element is to make the strategy operational by providing for efficient cooperation and coordination between Member States and the relevant agencies. 

2. Member States need to step up their political commitment and acknowledge the arrival of the cyber era. This means rapidly developing national cyber security and cyber defence strategies as well as national cyber contingency plans. Both ENISA (the European Network and Information Security Agency) and EDA (the European Defence Agency) could facilitate and assist Member States in building their capacity in this regard. 

3. It is urgent to include the cyber aspect in risk analysis and crisis management plans on all levels, from European to national and local, from public to private sector. The most critical infrastructures are operated in the cyber sphere and are being exposed to dramatically increased risks; it is unthinkable not to upgrade our crisis management and risk analysis accordingly. 

4. Education should be seen as an increasingly important factor in tackling the bulk of daily cyber incidents. A great majority of them take place at a rather primitive level and could be easily prevented by improved awareness and preparedness. Introducing 'cyber competence' to basic school curricula from the earliest age possible could make a huge difference. In parallel to teaching children basic physical hygiene like regular washing of hands, we ought to teach them the basic rules of 'cyber hygiene'. At more advanced levels, the most economic and efficient tool in preventing and efficiently addressing cyber problems will be all-inclusive and systematic personnel training (including up-to-date training) in all spheres of public and private activity. All public servants need to be aware of the rules of safe behaviour in the cyber sphere and to prove it when applying for jobs.

5. The EU should prepare to better use the potential of its agencies, among them ENISA, EDA and the new Cyber Crime Centre. By accumulating and analysing different experiences, best and worst practice from around Europe, these EU agencies will have a special role in facilitating capacity building and strategic planning, becoming interlocutors for pooling and sharing knowledge and also ensuring cost-efficiency in times of austerity. 

6. Public-private cooperation in the cyber sphere remains unsatisfactory. The EU priority is to energize this cooperation to increase our capacity to credibly protect our information systems and infrastructures. Public and private actors should work hand-in-hand to boost e-commerce, support SMEs in going online and to bring about a crucial change in the European digital economy.

7. Lastly, we need norms and examples of good behaviour at an international level. At the European level, we should think about the possibility of introducing mandatory minimum standards for Member States as well as for the private sector. International cooperation on cyber security, based on clear political will, is the key to success in making approaches to the cyber sphere safer and more harmonized. I strongly advocate for mainstreaming cyber issues in all external actions of the EU, especially in its relations with third countries. 

What happens now?

The European Commission was due to adapt a comprehensive EU cyber security strategy on 30 January. This may now be delayed, but should be finalised as rapidly as possible so the dossier comes to Parliament and the Council for approval, and Member States can develop their cyber security strategies as harmoniously and quickly as possible.