Despite a slew of directives and task forces, the EU faces a renewed threat amid the Ukraine war.
When the systems of three oil and transport companies in Europe and Africa were brought down on February 2, 2022, Europe was preparing for a coming war in Ukraine and the impact of tensions on the Russian border were beginning to be felt in global energy markets.
The cyberattack sparked a wave of anxiety that a war in Ukraine would quickly expand online, with critical infrastructure at risk. Less than a week after the attack on SEA-Invest, and just eleven days before Russian troops crossed the border into Ukraine, the European Central Bank warned banks in Europe to brace themselves for a wave of Moscow-sponsored cyberattacks.
It is less than 18 months since a new EU cybersecurity strategy was presented by the European Commission and critical infrastructure, such as hospitals, energy grids and railways, were highlighted as a priority, but it also highlighted the risk to everyday homes and offices.
“We need to be sure that our systems are reliable,” explained Tanel Sepp, Estonian ambassador-at-large for cybersecurity.
One of Europe’s most digitally-advanced nations, Estonia went paperless in 2000 and has set itself up as a tech hub, having produced the high-profile video-calling firm Skype, which was bought by Microsoft in 2011. It recently introduced an e-residency programme, inviting entrepreneurs to register in Estonia.
Sepp believes that Estonia's example can be repeated across the continent and prioritises an open internet free of state-control.
“We think alike, we have the same principles,” he said.
Estonia was the target of a massive cyberattack in 2007, which brought down government sites, banks and the media, and Sepp organised a cyber-defence exercise for EU ministers in 2017.
“That was precisely to show the politicians how cyber incidents can lead to situations that demand political decisions,” he said.
Among the European Commission’s proposals is an EU-wide “cyber shield” of security operations centres that use artificial intelligence and machine learning as an early-warning system for cyberattacks and a joint unit to share information and collectively respond to threats.
ENISA, the EU’s cybersecurity agency, was made a permanent agency in 2019 and given more money and responsibility for cooperation and coordination of EU member states.
The EU passed a directive in December 2020 that required companies to address cybersecurity risks in their supply chains and supplier relationships and member states to conduct risk assessments.
Even when the attacks hit in February, the EU’s response team had been time assisting the Ukrainian government in fending off cyberattacks. In January, Brussels ran cyber war games featuring a fictitious Finnish energy company in order to test the resilience and preparedness of cybersecurity in Europe, part of a planned six-week exercise.
One of the ways Europe is working to tackle cyber threats is through raising the cybersecurity standards of products through EU-wide certification processes, like a quality mark.
At the moment, a certification framework is being developed so that specific certification schemes can be developed for specific types of products.
“The great success of the EU, when we think about cybersecurity, is that it took it from a very technical information security, computer networks and systems status back in the 80s to something that's now a top tier item on the political agenda across 27 countries,” says Tim Stevens, a professor at University College London.
This earlier approach to cybersecurity was more reactive, focusing on how to minimise disruption and ensuring business continuity. Since then its approach has changed, he explains, and has moved from a focus on risks to a focus on specific threats, from criminal gangs, nation states, and everything in between.
As for being more pro-active on defence, Stevens says this is more “uncomfortable” territory, as the EU was never set up as a security and defence organisation.
But as the bloc is emerging as a “cyber diplomatic actor” as well, exercising sanctions against some of these identified threats, such as Russia, China and North Korea.
“It's very much a shift in emphasis. Partly that's kind of been forced on them by circumstances,” Stevens said.
“If your member states networks are regularly getting hammered by somebody in Eastern Europe, then what are you going to do about it? Are you just going to sit there and just take it?”
But Tanel Sepp wants to see the EU go further.
He’d like to see EU member states committing a certain percentage of IT investment towards cybersecurity and infrastructure, with the EU helping to calculate a fair contribution across members.
“We all want to advance on our e-government and services, but we all have to think about the security,” he said.