07.02.2013 MEP Tunne Kelam statement on EU cybersecurity strategy

Today the European Commission revealed the long-awaited EU cyber security strategy, which initially had to be launched already last September. Despite the delay, I welcome the adoption of the strategy by the EC as I see it as a step closer to bringing Europe up to date with the latest advancements in the field of cyber defence. However, there are still some parts missing from this strategy. This strategy report provides, for example, no common definition of cyber crime. In addition, the strategy does not call on all Member States to develop and adopt their national cyber security strategies without delay, even though more than half of the Member States still lack state-level cyber security strategies. The foreseen obligatory NIS strategies will cover a big part, but not all that there is in cyber space. In addition, the application of the cyber security will prove very difficult, as currently the EU has allocated no additional means to actually implement this strategy.

The EP report asked for a comprehensive cyber security strategy that would build on a multi-stakeholder approach and go from network security to cyber defence. Clearly, the EC has delivered this by foreseeing strong involvement of the private sector and a horizontal approach. I especially welcome that the strategy emphasizes the need to mainstream cyber into external actions and CFSP, which was a clear call from the EP. NATO's role is envisaged as providing possible complementarity, but I expect this to reveal itself in close practical cooperation in all cyber fields. The world is connected and securing cyber space in Europe is worth very little without global efforts and cooperation with third countries. Europe has to take the lead in defining global norms of behaviour for cyber space and promote the Budapest Convention as the best international agreement on fighting cyber crime.

The strategy is accompanied by the NIS directive, which leaves some room for interpretation. The EP has previously called for minimum standards and extensive information sharing mechanisms. On this issue the directive could be clearer on how these will be achieved in a timely, cost-effective and sensitive manner. The time factor is crucial in cyber space, as things happen in milliseconds and we need to act now. There is a need to provide incentives for businesses and assistance to Member States lagging behind on cyber defence related matters to ensure timely application of the strategy. Information sharing mechanisms that allow anonymous sharing are needed to secure business secrets and national security. Examples can be found not so far away, notably from our closest cyber ally, the US. I welcome the strong focus throughout the strategy on early warning and alert systems that could help prevent great damage.

Cyber defence gets a deserved prominent position in the strategy and boldly calls for both civilian and military cooperation and actions. It is not clear, however, why the term "pooling and sharing" is not used, as this would help with cost-effective capacity building.

I regret that the section on education stays rather vague, although calling for NIS to be included in school curricula. The strategy nevertheless does not specify if this should also include cyber hygiene or solely focus on programming and capacity building. Secondly, I am sceptical about flagship awareness projects without a concrete plan. European cyber months may sound fantastic in Brussels, but will have little to no effect at national level.

Lastly, this strategy is only the first European step. The NIS directive is proposed and now we expect this to be followed rapidly by a European Cyber Defence Policy and by concrete implementation plans and progress reports on mainstreaming cyber issues into external actions and CFSP. There also needs to be further action concerning the inclusion of NIS and cyber hygiene in all European school curricula from the earliest age possible.