Geopolitical competition and the erosion of multilateralism have concrete implications for cyberspace, and ultimately for our lives and our rights. New technologies are increasingly misused, from web restrictions and the curtailment of human rights and fundamental freedoms, to data theft or full-blown cyber-attacks that can bring national economies to a standstill within minutes.
Cyber-attacks targeting election campaigns (such as the 2017 elections in France) or democratic institutions (take the 2015 cyber-attack against the German Bundestag) are direct attacks against our democracy. The WannaCry cyber-attack in 2017 affected over 200,000 computers in 150 countries and caused an estimated $6.5 billion in damage. Cyber-enabled theft of commercially sensitive company data has steadily increased in recent years. In 2019 alone, hundreds of incidents involving European critical infrastructures like finance and energy were reported.
The Covid-19 pandemic has only accelerated this trend: vaccine supply chains were targeted by cyber-attacks at the peak of the pandemic, data from the European Medicines Agency were stolen, and even hospitals were ruthlessly attacked, endangering the lives of thousands of European citizens.
We need to enhance the security of our critical infrastructures, protect key technological sectors and strengthen our technological sovereignty to ensure that emerging technologies are developed and used in line with our values.
The EU’s new Cybersecurity Strategy, adopted this Wednesday, is a milestone in our broader efforts to increase our resilience and to fulfil our international responsibility in cyberspace.
The Strategy builds on ongoing actions at home: with the 2016 Directive on Security of Network and Information Systems, the 2018 General Data Protection Regulation, and the recently proposed Digital Services Act, we are building at EU level one of the most advanced bodies of legislation in this domain.
However, cybersecurity within Europe also depends on international security and stability in cyberspace. This is why the new Strategy also puts forward a number of concrete proposals for a more decisive and ambitious external cyber policy.
First, we will more actively shape the debate on international security in cyberspace. Within the framework of the United Nations, we will take forward the proposal for a Programme of Action that offers a platform for discussions on responsible state behaviour in cyberspace. Working closely with our member states, we will develop an EU position on how international law applies in cyberspace and increase our cooperation on cyber confidence-building measures.
Second, we will foster more cyber dialogues with third countries and with regional and international organisations. Our existing cyber dialogues with the US, Canada, Japan, the Republic of Korea, India and Brazil have proved effective. We also already hold regular consultations with NATO, OSCE, the Council of Europe, and the ASEAN Regional Forum, and have regular exchanges with China through the EU-China Cyber Taskforce, or via the EU-China ICT Dialogue. We will increase these engagements with partners, including through the creation of an informal Cyber Diplomacy Network, bringing together experts dealing with cyber policy issues – “cyber attachés” – in our EU Delegations and EU member states’ Embassies across the world. Furthermore, we need to expand our cooperation with civil society, the private sector and academia in this field.
Third, we will enhance external cyber capacity building. We are already working with partners, notably in the Eastern Neighbourhood and Western Balkans, to increase their cyber resilience and capacities to investigate and prosecute cybercrimes. Developing an EU External Capacity Building Agenda will bring more coherence to these efforts, focusing also on partner countries undergoing a rapid digital transformation.
At the same time, the EU also needs to be ready to act and react in view of state and non-state actors misusing technologies and cyberspace for malicious purposes. It needs to enhance its ability and capacity to prevent, deter and also respond to cyber threats.
To this end, we intend to strengthen our ‘cyber diplomacy toolbox’. Established in 2017, this toolbox allows us to use all measures under the Common Foreign and Security Policy – from political statements and demarches to sanctions. Last July, we adopted the first sanctions against individuals, entities and bodies involved in the cyber-attacks WannaCry, NotPetya, Operation Cloud Hopper and the attempted cyber-attack against the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. This list was expanded in October with those responsible for the cyber-attack against the German Bundestag, and now includes eight individuals and four entities and bodies. We will continue to hold authors of malicious cyber activities against the EU accountable, wherever they are.
To make our cyber diplomacy toolbox more effective, we will work with member states to enhance intelligence cooperation and develop a strengthened collective deterrence posture against cyber threats. We will also explore the use of Qualified Majority Voting for the adoption of EU sanctions.
Finally, we will step up cyber defence cooperation between member states and at EU level. The Permanent Structured Cooperation and the European Defence Fund could be used to further develop cyber defence capabilities, for example based on Artificial Intelligence and quantum computing.
Needless to say, cyber security and cyber defence will feature prominently in the Strategic Compass that we are developing with EU member states to build a common understanding of the threats and challenges we are facing and to define together a European collective response.
This is how the EU intends to make cyberspace safer for Europeans and for all.