1

The Case for NATO-EU Cooperation in the Protection of Cyberspace

Fabio Rugge1

“We are caught in an inescapable network of mutuality, tied in a single garment of destiny”. Martin Luther King, Alabama, 1963 The low level of cooperation between NATO and the European Union is a known cause of frustration for the members of both Organisations. Historically, the differing mandates of NATO and the EU have made it less urgent to reach an enhanced level of collaboration, which until now has been blocked by the vetoes wielded by individual members in both institutions. The dialogue between NATO and the EU has therefore been limited to occasional exchanges of information, and coordination between the two Organizations is either carried out in a decentralised manner - in the 21 capitals - or restricted to specific agreements such as the “Berlin Plus”.

The introduction of the Lisbon Treaty, however, has broadened the EU’s mandate on Common Foreign and Security Policy, thereby making closer coordination with NATO’s policies and tools a more pressing matter. Synchronization is required particularly in crisis management, where there is an increasing overlap in competencies.

1Counselor Fabio Rugge is a diplomat who worked at the Delegation of Italy to NATO, where he was responsible for the negotiation of the new NATO Cyber Defence Policy and its implementation. The views expressed in this article belong solely to the author and do not necessarily reflect those of NATO or the Italian Government.

Moreover, the economic and financial crisis makes any duplication of efforts all the harder to justify, especially in the sector of Defence spending, which is subject to particular scrutiny by public opinions. Lastly, NATO’s main shareholder increasingly expects the Europeans to “do more” and raise their investments in defence and force-planning to collectively correct the uneven balance of capabilities between the two shores of the Atlantic2. And the European Union is, of course, the natural setting and best facilitator for such a European coordination, especially in areas where a mix of civilian and military capabilities and expertise is required3.

As I will try to demonstrate in this paper, one of the sectors in which constant and more thorough coordination between NATO and the EU is essential in order for both Organisations to be effective, credible and mutually reinforcing in their respective interventions (and where, consequently, the opposing vetoes wielded within both appear instrumental to achieving alternative aims) is cyber security. Although sharing the same values and approaches to cyberspace, NATO and the EU have not yet put in place any formal coordination in this new foreign and security area. Collaboration today is in practice limited to informal staff-to-staff contacts, and despite the existence of an agreement between the two parties on the sharing of classified information, official documents do not getexchangedeasily4. This situation has led to a lack of collective situational awareness and real time information sharing on threats, vulnerabilities, incidents, intentions and techniques used in the attacks. It has also prevented an efficient 2 I.e.: Robert Gates speech in Brussels, June 2010: http://www.defense.gov/speeches/speech.aspx?speechid=1581 3Surviving austerity. The case for a new approach to EU military collaboration, Tomas Valasek, The Centre for European Reform. 4Cyber Warfare. Dutch Advisory Council on International Affairs / Dutch Advisory Committee On Issues Of Public International Law (AIV CAVV), 2011, p.33

2

“division of labour” whereby each Organization brings specific added value. If NATO remains essential in ensuring “hard security” capabilities and collective defence, the EU is indisputably better placed to encourage the adoption across Europe of common approaches toward cyberspace, to regulate the ICT industry and leverage the private sector, and to adopt cross-border crisis and consequences management procedures for dealing with cyber-related incidents.

If the broad sharing of membership of both Organisations were not a reason good enough for a deeper cooperation in all fields, the very essence of cyberspace makes it crucial for NATO and the EU to work together. Cyberspace is a continuum, and it is impossible to talk of cyber defence without considering cyber security, or to separate interventions to counter cyber threats depending on the goals pursued, the actors involved or the level of sophistication of the attack - as the nature, extent or level of complexity of an attack will seldom be clear, nor will the ultimate aim, be it criminal, ideological, political or military. Unless choosing to segregate its own networks from the rest of world (but also deploying their own hardware and software), no actor can counter the cyber threat in isolation, and without an integrated and holistic approach5. In this regard, the lack of cooperation between NATO and the EU is not only a wasteful duplication of efforts, but also, more worryingly, it weakens the action of each Organisation6.

In this paper I will try to make the case for a deeper cooperation between NATO and the EU in the protection of cyberspace. I will first briefly outline policies and instruments

5On Cyberwarfare. DCAF Horizon 2015 Working Paper N. 7. The Geneva Centre for the Democratic Control of Armed Forces. 6 The Demand for International Regimes, Robert O. Keohane, 1982, International Organization, vol. 36, no. 2.

currently in place in each Organization and I will then turn the attention to potential areas where cooperation and better coordination would allow the greatest gains for both. The potential threat emanating from the global cyber domain can endanger the prosperity, stability and security of our societies7, and as such demands a global response to ensure the highest possible degree of cooperative governance.

NATO’s Cyber Defence

NATO is probably the most advanced International Organisation in terms of cyber defence, as it has always been crucial for the Alliance to ensure the highest level of protection of the Consultation, Command and Control assets established for international crisis- management and collective defence. Today, without a functioning ICT infrastructure the armed forces simply could not carry out their duties. The critical nature of this requirement was clearly demonstrated with the cyber attacks against Estonia (2007) and Georgia (2008), and fully acknowledged in NATO’s Strategic Concept, approved in November 2010 8 . Second only to the Washington Treaty in terms of importance for the Alliance, this document confirms that NATO “will develop further (its) ability to prevent, detect and defend against and recover from cyber attacks, (...) bringing all NATO bodies under centralized cyber protection.”9 Thanks to an unprecedented acceleration in acquisition procedures and to the most significant call for tenders ever issued in this sector by an International Organisation, the NATO Computer Incident Response Capability 7U.S. White House, Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure, Washington, D.C.: Government Printing Office, May 2009. 8 “Active Engagement, Modern Defence. Strategic ConceptFor the Defence and Security of The Members of the North Atlantic Treaty Organisation”, adopted by Heads of State and Government in Lisbon, November 2010. 9 ibidem, par.19.

3

(NCIRC) for protecting the Alliance’s networks will reach Full Operational Capability in 2012. Meanwhile, timely internal reforms have ensured a governance structure that is able to deliver oversight and coordination on every aspect of cyber defence throughout the Alliance, and is directly linked to the North Atlantic Council and NATO’s Chain of Command.

NATO’s Level of Ambition in the sector of cyber defence goes beyond protecting its own networks and being capable of working in a degraded cyber environment10. The Alliance is reviewing its defence posture to account for the cyber dimension of future conflicts in its doctrine, strategy and force planning - a task assigned to the NATO Defence Planning Process 11 . In the absence of a historical precedent or a clear legal framework of reference, and with the current impossibility of quick and indisputable attribution of a cyber attack, the threshold for invoking Article 5 of the Washington Treaty calling for collective defence is purposefully ambiguous. However, there is no doubt that with the new Strategic Concept the bond of solidarity that ties Allied members in the “conventional” defence domains of maritime, air, ground and space now also extends to cyberspace.

Although protecting national civilian and military assets is the responsibility of individual member states, the risk of a cyber attack propagating within the Alliance and endangering its collective response mechanisms has induced NATO to assume a specific preventative role. The new NATO Cyber Defence Policy 12 approved in June

10 Keeping NATO Relevant, Jamie Shea, The Carnegie Endowment for International Peace, Policy Outlook, April 2012 11The Posture of the United States Strategic Command (USSTRATCOM)’, Hearing Before the Strategic Forces Subcommittee of the Committee on Armed Services, House of Representatives, 8 March 2007: http://www.fas.org/irp/congress/2007_hr/stratcom.pdf . 12NATO Policy on Cyber Defence and Cyber Defence

2010 tasks the Alliance with strengthening its awareness, warning and response capabilities with member states and being able to assist them upon request, including through deployment of technical Rapid Reaction Teams (RRTs) sent by the NCIRC. The bond of confidentiality developed over 60 years of shared threat analysis is essential to allow for exchanges of data among Allies in a sector where information on capabilities and specific threats constitute the very essence of strategic advantage. To this end, NATO has signed various Memoranda of Understanding for establishing Points of Contact and procedures for the exchange of information, including at classified level, with national authorities in charge of protecting networks; NATO is also an important axis for sharing information on vulnerabilities, advanced persistent threats, incidents, best practices and technical security requirements for protection of critical national networks and infrastructures. The Alliance also encourage and advise upon request Allies designing their national cyber policies. Lastly, regular exercises (Cyber Coalition) help to test national response capabilities and the effectiveness of NATO crisis management procedures.

The upcoming EU Cyber Security Strategy

The EU also has increasing competencies in safeguarding European critical infrastructures from cyber threats and reinforcing collaboration between member states in the fight against cybercrime13. However, for years

Action Plan, 7 June 2011 (classified). Public version at http://www.nato.int/nato_static/assets/pdf/pdf_2011_09/20111004_110914-policy-cyberdefence.pdf . 13Commission communication of 12 December 2006 on ‘The European Programme for Critical Infrastructure Protection (EPCIP)’; Council Directive of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection; Council conclusions of 19-20

4

its priority has been the so-called “digital agenda”14, which set out specific targets on the part of the European Union to promote the internet as a space in which the single market operates, innovations are produced and fundamental values of the individual such as freedom of expression, information and association are upheld. Network security was considered at most a necessary element for gaining users’ trust in the new cyber domain. Nonetheless, within the EU there is a growing awareness of the need to associate functional development and web freedom with security (which in fact are not, in the long-term, diverging goals), as demonstrated by the recent strengthening of the European Network and Information Security Agency (ENISA), created in 200415 with the aim of promoting information exchanges among national Computer Emergency Response/Readiness Teams (CERTs) and EU CERTs (the latter being in charge of protecting EU networks) and encouraging member states to adopt common standards of security, in particular regarding networks supporting cross-border critical infrastructures16.

Cyber security is an integral part of Common Foreign and Security Policy (CFSP), to the point where, in the Report on the Implementation of the European Security Strategy of 2008, it is recognized as one of the most relevant security interest, and a cornerstone of the EU outreach towards third Countries17. For example, the EU-US

April 2007 on a European Programme for Critical Infrastructure Protection; Commission communication of 30 March 2009 on Critical Information Infrastructure Protection (CIIP); COM(2011)163 on Critical Information Infrastructure Protection “Achievements and next steps: towards global cyber-security” adopted March 2011. 14“A Digital Agenda for Europe”, COM(2010) 245 final/2. 15Regulation (EC) No 460/2004. 16COM(2011) 163 final. 17Report On The Implementation of the European Security Strategy - Providing Security in a Changing World. Approved by the European Council held in Brussels on 11 and 12 December 2008 and drafted under the responsibilities of the EU High Representative Javier

“Working Group on Cyber Security and Cybercrime” is a mechanism for cyber incident management, awareness raising and the fight against cybercrime between the two shores of the Atlantic18 . The EU Military Staff is fully involved in exercises to test European civil and military response capabilities to cyber attacks (Cyber Europe) and collaborates on the elaboration of concepts, capabilities, analysis and training in the sector of cyber security in order to prepare future EU operations.

Given the serious material damage and the impact on the internal market that a large-scale cyber attack would have on the networks supporting critical European infrastructures (the exact list of which is currently being defined), the Critical Information Infrastructure Protection Action Plan was created in 2009 with the aim to assist member states, the Commission and the private sector in drafting new strategies, policies, standards and best practices for countering cyber threats on these assets19 . During the Cyber Atlantic 2011 exercise, the EU invited the United States to participate in a simulated attack against the information networks of European institutions.

Furthermore, as of January 1st, 2013, Europol plans to declare the initial operational capability of the European Cybercrime Centre (E3C), which will act as the main centre of gravity for the fight against cybercrime in Europe20. The E3C has four

SOLANA: http://www.consilium.europa.eu/ueDocs/cms_Data/docs/pressdata/EN/reports/104630.pdf 18 http://europa.eu/rapid/press-release_MEMO-11-246_en.htm 19 Communication from the European Commission on Critical Information Infrastructure Protection – ‘Protecting Europe from large scale cyber-attacks and cyber-disruptions: enhancing preparedness, security and resilience’, COM(2009) 149. This approach was broadly endorsed by the Council in 2009: Council Resolution of 18 December 2009 on a collaborative European approach to Network and Information Security (2009/C 321/01). 20Communication from the European Commission to the

5

essential aims: exchange of information among the private sector, CERTs, police forces, judicial and intelligence bodies of member states for specific activities, methods and cybercrime suspects; train-the-trainers as well as judicial and police officers; acting as operational support for cybercrime inquests and clearing house for ongoing inquests in various member states; and serving as the main centre for dialogue with industry, the private sector, academia, civil society and public opinion for devising policies of prevention and education on the risks of cybercrime. Moreover, DG Home Affairs is working on a directive aimed at improving individual member states’ capabilities to counter cyber attacks, with specific attention paid to the contrast of internet- connected computers whose security defences have been breached and control ceded to an unknown party (known as Botnets).

The European Defence Agency (EDA) is working to facilitate cooperation between member states on developing joint capabilities in this sector and launch joint training and education programmes. Since many member states are for the first time in the process of creating national policies and authorities for centralised network protection (so far 24 out of 27 member states have created their own CERT), and considering the current budget constraints, it is imperative to avoid costly duplications between member states and seek economies of scale as far as possible. This in turn would facilitate the adoption of coherent and interoperable solutions at the European level.

The increasing attention paid by the European Union to cyber security is also translating in the adoption of a comprehensive EU Cyber Security Strategy, the first draft of which is due to be soon

Council and the European Parliament: Tackling Crime in our Digital Age: Establishing a European Cybercrime Centre, COM(2012) 140 final.

presented by the Commission. This is an important development because it is only through the adoption of a coherent, integrated and holistic strategic framework that the EU will be able to promote governance oversight at the European level, encouraging the alignment of various national policies and defining in detail the role played by various actors in the numerous EU spheres of action, including in the aftermath of a large-scale attack and during a crisis.

The need for a coordinated approach

This brief outline shows how in both Organisations the adoption of measures to counter cyber threats has been recognized as an urgent matter, but also how respective actions in this field are often overlapping and not in line. Any difficulties in getting NATO-EU collaboration on cyber-security off the ground are certainly not practical, but solely political and, as such, they are all the more difficult to overcome. However, there are several reasons that call for such collaboration.

First, structured collaboration between NATO and the EU is necessary on the ground of increased efficiency and mutual gains. The cost of non-collaboration between NATO and the EU prevent the exploitation of the most significant advantage that the defender might have at its disposal, that is to say a governance system that is not centralised but at least cooperative, one in which every actor participates and benefits from the most inclusive, common cyber defence situational awareness. In a world characterised by profoundly different approaches to the protection of cyberspace, in the end it is in the interest of all like-minded countries to promote common approaches to international norms of behaviour, based on shared values: an increased homogeneity would improve the capability to counter the threats, enhanced resilience in the event of a major crisis, and

6

reduce the risk of miscalculations and escalations 21 . International cooperation in cyber security then obviously allows to expand the number of countries that can contribute to enhance actionable attribution, thereby helping in bringing the concepts of dissuasion, deterrence and retaliation back into the strategic horizon22.

In this regard, NATO’s programme of outreach towards its Partners (who today count more than 40 countries) is a proof of the benefit stemming from the adoption of a holistic and cooperative approach to cyberspace. Strengthening Partners’ ability to counter cyber threats is in the Alliance’s immediate interest. Partners participate in NATO-led military operations, and therefore need to connect to its networks. Any vulnerability of their information or communications systems could constitute the “weakest link” in the networks supporting operations, and have direct repercussions in-theatre. Interoperability of military assets has been a priority for Allied countries for over 60 years, and today this must also incorporate minimum requirements of cyber-protection. Focusing on cyber-defence capacity building in Partner countries is also in the Alliance’s interests for reasons other than operations: a major crisis in a country outside the Alliance could quickly propagate within its member states, endangering their security, stability and prosperity. It is therefore worthwhile to promote the adoption of minimum requirements on cyber defence at a global level, and encourage the creation of national authorities capable of interacting during a

21Thresholds for Cyberwar,James A. Lewis, Center for Strategic and International Studies (CSIS), September 2010, p.9 22The Specter of Non-Obvious Warfare, Martin C. Libicki, Strategic Studies Quarterly, Fall 2012: http://www.au.af.mil/au/ssq/2012/fall/libicki.pdf . Cyberdeterrence and Cyberwar, Martin C. Libicki, RAND Project Air Force, 2009: http://www.rand.org/pubs/monographs/2009/RAND_MG877.pdf

crisis. Finally, several Partners are leading developments in the area of cyber-security and cooperating with them gives the Alliance access to cutting-edge technology that is essential for defending cyberspace.

The reasons the Alliance decided to cooperate with Partner countries are all the more applicable for justifying a structured collaboration with the EU. In fact, the European Union participates – and in all likelihood will do so increasingly – in NATO’s led operations, and is a key actor in crisis management, intervening directly with integrated civil and military capabilities in the protection of critical infrastructures that support the Alliance’s core missions. It has six non-NATO members who are technologically highly advanced and growing mandate and tools for promoting common approaches to cyberspace at a global level. What seems someway paradoxical is that the obstacles to an enhanced NATO-EU cooperation are placed by the very countries, member of only one Organization, that would have the greatest interest in and would benefit the most from the capabilities and tools that their own Organisation does not have at its disposal.

The European Cybercrime Center is a clear case where the EU would bring added value to a transatlantic cyber situational awareness, as it will allow the collection and analysis of a massive quantity of data about the threat emerging from a sector with some of the fastest technological innovations and the greatest access to capital: the world of cybercrime. Visibility on the malicious activity throughout European networks is essential for early warning at the global level, and an important complement to the data gathered on a daily base through the network of European CERTs about intentions, specific goals and strategies of the attacks that occur in Europe.

Another example of the unique contribution

7

of the EU in this field is the involvement of the private sector - a keystone for the protection of cyberspace, as it owns and operates nearly all Communication and Information Systems (CISs) infrastructures and is on the front line in protecting its assets from cyber attacks on a daily basis. The private sector is where technological innovations take place and is a primary source of information on threats, vulnerabilities, strategies of attack and incidents. It also plays a vital role in every cyber-conflict scenario, as it enables and transmits the attacks, assures the system’s resilience and implements the operational guidelines of sovereign authorities. It is only through the private sector that national authorities will be able to ensure a country’s neutrality, blocking territorial internet connections to interrupt attacks and not embroiling the country in an unwanted conflict23.

NATO fully acknowledges the role of the private sector and foresees specific forms of involvement of industries and service providers in order to reduce the threat in the supply chain, protect intellectual property in the most sensitive sectors (military industry, dual-use laboratories, etc.) and identify minimum requirements and best practices for critical infrastructures. However, it would be unrealistic for the Alliance to launch a dialogue with the private sector without aligning its approach with that of the European Union. Through its regulatory powers, the latter defines the minimum security standards for Europe and has much more incisive tools than NATO to direct and leverage the private sector. The EU will, for example, be decisive in establishing the regulatory criteria regarding the liability of

23 When “Not My Problem” Isn’t Enough: Political Neutrality and National Responsibility in Cyber Conflict. Jason Healey. Cyber Statecraft Initiative – the Atlantic Council. Also, Government’s cooperation with the private sector is an essential condition to develop an ‘integrated national capability’, as defined byAlexander Klimburg in ‘Mobilising Cyber Power', Survival, 53, p.43 and note 8

those businesses that decide to notify a breach of their networks, largely determining the quantity and quality of the information that the private sector in Europe decides to share with the public sector24.

Moreover, at a time when both NATO (with its “smart defence initiative”) and the EU (with its substantially analogous “pooling and sharing initiative”) are marketing themselves as the poles around which defence requirements will be decided, it is essential for the two Organisations to be capable of coherently guiding the efforts of the defence industry 25 . The EU, in particular, will be focussing on defining support measures aimed at stimulating the adoption (imposition?) of security standards across all levels of the supply chain of ICT equipment of critical importance, as well as the allocation of European funds to promote R&D for a competitive European ICT industry. These two areas will be key in shaping the European cyber environment of the years ahead.

One of the issues that will become more pressing for cyber-security management in the coming years is education and training26. Even today specialists believe that around 80% of the incidents that occur in cyberspace could be prevented through solid basic training in “cyber hygiene” (such as updating software, using the appropriate firewalls and credentials for accessing data, or other basic behavioural norms)27. Few cyber attacks are conducted from the attacker’s location and hit their target directly: often they use compromised computers in other countries 24Directive 2009/140/EC 25 The Smart Defence initiative: http://www.nato.int/cps/en/natolive/official_texts_87594.htm. The NATO Secretary General’s Annual Report, 2011: http://www.nato.int/nato_static/assets/pdf/pdf_publications/20120125_Annual_Report_2011_en.pdf 26 US Department of Defence Strategy for Operating in Cyberspace, July 2011 27James Quinault, Director, Office of Cyber Security & Information Assurance, Cabinet Office, speaking at the National Security Conference held in London in July 2012

8

as unwitting intermediaries. Awareness-raising and education are therefore useful tools to enhance the security of cyberspace and prevent potential international crises. The current severe shortage of personnel sufficiently trained to work on network security or complex operating systems (a network’s security is only as good as its trained operator) will grow exponentially over the coming years, unless the academic world catches up on educational programmes that respond adequately to the requirements posed by new technologies. The NATO Allied Command for Transformation and the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn can play a crucial role in ensuring NATO swiftly standardises its training requirements for military tasks. But the European Union seems much better placed to alert and guide European governments on the need for awareness-raising campaigns and education. The collaboration launched between the EDA and the Tallinn Centre, which plays an important role in training and education, identification of best practices and research on legal frameworks applicable in cyberspace, is from this perspective very encouraging, as it offers an opportunity to go beyond staff-to-staff contacts and develop joint approaches in a sector in which even taxonomic differences still pose a serious obstacle to mutual understanding28.

One major last point that renders NATO-EU collaboration key in managing the cyber- threat is the need to establish coherent crisis-management procedures for responding to and mitigating the consequences of a major cyber attack29. It cannot be excluded that in a

28On Cyber Warfare, Paul Cornish, David Livingstone, Dave Clemente and Claire Yorke, A Chatham House Report, November 2010, p. 21. See also: http://www.kmin.ee/en/chief-executive-of-the-european-defence-agency-compliments-estonias-achievements 29 Samuel Huntington, The Soldier and the State: The Theory and Politics of Civil-Military Relations, 1957, Cambridge, MA, Belknap Press,

hopefully distant future, terrorist groups or those working for third states might acquire and use destructive cyber technologies. Even though, for the time-being, the development of cyber weapons is extremely expensive and complex and therefore limited to nation-states, the rapid evolution of events is one of the defining characteristics of cyberspace. It could very well be then that tools such as Stuxnet or Flame signal the start of a high-speed escalation of cyberspace capabilities, fuelled by operations of reverse engineering. In this scenario, the most probable target would be the weakest link and that most likely to produce the greatest destruction and cause the largest loss of human life, such as the Supervisory Control and Data Acquisition (SCADA) systems that support critical infrastructures and regulate industrial production processes30. The specific attention that both NATO and the EU are paying to protecting these assets is testimony to the seriousness of the threat. If efforts at prevention were to fail and – as is likely – the lack of certain and actionable attribution were to render recourse to Article 5 impossible, the states involved in the crisis would have to turn to the European institutions in search of coordinated policies and actions to assess the crisis situation, identify possible responses, financial instruments and available operational capabilities. The EU is the natural political and operational intra-European coordinator for crisis-management, as explicitly set out in the EU Emergency and Crisis-Coordination Arrangements of 2006 and by the “solidarity clause” contained in Art. 222 of the Lisbon Treaty31.

30 Reducing Systemic Cybersecurity Risk, Peter Sommer, Information Systems and Innovation Group, London School of Economics and Ian Brown, Oxford Internet Institute, Oxford University, OECD/IFP Project on “Future Global Shocks” 31 http://www.lisbon-treaty.org/wcm/the-lisbon-treaty/treaty-on-the-functioning-of-the-european-union-and-comments/part-5-external-action-by-the-union/title-7-solidarity-clause/510-article-222.html. See also: ‘The European Union’s Solidarity Clause: Empty Letter or

9

The EU has internal crisis-management structures and mechanisms that make it possible to provide a comprehensive response to crises of all kinds relating to civil protection, border surveillance for land, maritime and air environments, health security, police and judicial cooperation, etc. Crisis management following a large-scale cyber attack on European assets will require an immediate coordinated response that will involve a mixture of civilian and military instruments. The EU remains the better facilitator to cope with the foreseeable emergency following a cyber attack and to ensure an acceptable level of resilience across the European continent. In fact, even if NATO foresees, upon request, its direct involvement in support of an attacked Ally through deployment of Rapid Reaction Teams, resilience will require the immediate coordination of all CERTs to identify and mitigate the event and avoid its propagation across Europe. For this, a network-centric approach will be necessary, which today can be provided solely through ENISA and European CERTs coordination, as the NCIRC operates mostly on the basis of bilateral agreements with individual Allies.

Conclusions

As the prosperity and the stability of our societies increasingly rely on the security of cyberspace, States and International Organizations have a special responsibility to respond to the governance challenge posed by this global domain. In addition to mounting operational cyber capabilities, it is also important to invest at the institutional and strategic level, using political and diplomatic skills and tools to forge common

Effective Tool? An Analysis of Article 222 TFEU’, S. Myrdal and M. Rhinard, 2010, Occasional Papers, Swedish Institute of International Affairs: http://www.ui.se/upl/files/44241.pdf

approaches to cyberspace and foster international cooperation.

The global and asymmetric nature of the cyber-threat makes it necessary to establish strong transatlantic governance and a coherent, comprehensive and strategic cyber defence posture, one that is able to integrate the instruments of information-sharing, alert and early warning, forensic analysis and crisis management to enhance inter-agency collaboration, mitigation and attribution capabilities, system resilience and recovery. In cyberspace, aims and objectives of NATO and the EU coincide. To meet the security challenges that stem from cyberspace, NATO must live up to the spirit of cooperative security invoked in its Strategic Concept, and partner with the EU to expand and strengthen a common cyberspace situational awareness. The forthcoming EU Cyber Security Strategy, on the other hand, will have to take fully into account the cyber dimension of future conflicts, and the specific mandate that 21 of its members assigned to NATO in the area of cyber defence.

Abstract No actor can counter the cyber threat in isolation: its asymmetric and borderless nature requires a cooperative governance system, in which public and private actors integrate instruments of information-sharing, early-warning, forensic analysis, system resilience and recovery. Through international cooperation, like-minded actors reduce the risk of miscalculation and escalation, facilitate the emergence of international norms and rules of behaviour, enhance resilience in the event of major cyber crisis, avoid duplication of efforts and facilitate economies of scale in defence spending, and improve actionable attribution of cyber attacks at the international level. The seriousness of the threat, along with the broadened EU’s mandate on Common Foreign and Security Policy, makes the coordination with NATO’s well established cyber defence policies and tools a pressing matter. This coordination would strengthen situational awareness throughout transatlantic networks, facilitate the engagement of the private sector, outline minimum security standards requirements, allow for common education & training strategies and standards, leverage

10

civilian-military capabilities of both Organizations, and enable of a set of coherent and non-overlapping crisis-management procedures. Cyber defence is a new foreign and security policy area, in which new norms and behaviours need to emerge and to be widely recognized, and clear responsibilities identified. In addition to mounting operational cyber capabilities, it is also important to invest at the institutional level, bringing into play political and diplomatic skills and tools to forge common approaches to cyberspace and foster States’ and International Organization’s cooperation.