By Claudia Hillebrand
One of the topics discussed earlier this week at the JHA Council were EU-wide measures to fight cyber crime. The European Commission presented a legislative proposal to the Council with the aim of revamping the EU’s anti-cyber crime toolbox, in particular concerning large-scale cyber attacks. This is a timely topic, as there has recently been much talk about the threat of cyber crime, computer attacks and cyber warfare on both sides of the Atlantic. Take the case of the UK, for example. On Tuesday, British Defence Minister Nick Harvey pointed out in a talk that the UK is increasingly facing such cyber threats. A similar assessment can be found in the 2010 National Security Strategy. In recent years, new bodies have been set up or the few existing ones have been expanded (e.g., the centre for cyber security operations at GCHQ, the UK Defence Cyber Operations Group, the UK Office of Cyber Security & Information Assurance). Moreover, the British government launched the National Cyber Security Programme funded with £650m over the next four years (cf. pp. 47-49 of the British Strategic Defence and Security Review) and the Home Office will publish a new National Cyber Crime Strategy in late autumn. Finally, the UK-France Declaration on Defence and Security Co-operation includes a paragraph on enhanced co-operation to fight cyber attacks.
The terminology is very blurred, however. In general, the prefix ‘cyber’ refers to electronic and computer related activities. A useful definition is provided by Daniel Kuehl, referring to cyberspace as “an operational domain whose distinctive and unique character is framed by the use of electronics and the electromagnetic spectrum to create, store, modify, exchange and exploit information via interconnected information-communication technology (ICT) based systems and their associated infrastructures.” Roughly, on the one end of the spectrum of ‘cyber threats’ one can locate cyber crime – thus, according to the European Commission, “criminal acts committed using electronic communications networks and information systems or against such networks and systems” (compare the definition of e-crime by the British Association of Chief Police Officers). As a Joint Report by Europol, Eurojust and Frontex stated: “The threat from cyber crime is multi-dimensional, targeting citizens, businesses, and governments at a rapidly growing rate.” On the other end of the spectrum we find cyber espionage and cyber warfare, i.e., attacks that may complement (and potentially replace) traditional kinetic attacks. Cyber security therefore can refer to efforts at law enforcement, critical infrastructure protection, defence and national security more broadly. Most of the EU’s current measures in this context focus on fighting cyber crime.
Given the global nature of the Internet and the overall interconnectedness of current computer systems, cyber crime easily crosses borders. Indeed, the ‘cyber space’ is a field denying territorial and, at least to some extent, judicial borders, and comprises state as well as non-state actors. A 2010 Report by the House of Lords EU Committee suggested that “cybercrimes will continue to increase and that in the near future most crimes will have a cyber component.” The Committee argued that, amid the lack of a global regulation on cyber security, there is sufficient reason for a regional body, such as the EU, to be active. The European Commission itself emphasised in a 2009 Communication that “(a) purely national approach runs the risk of producing a fragmentation and inefficiency across Europe.” A cross-border, EU-wide approach is therefore considered of crucial importance.
Yet, it is much less clear what constitutes cyber security. The EU’s efforts so far have mainly focused on fighting the exploitation of digital networks for criminal purposes and ensuring the protection of IT infrastructure. In particular, Europol has been involved in fighting cyber crime in the law enforcement context. The cyber space is often exploited by serious or organised crime actors. Radicalisation through the web is just one example. A Europol Cyber Crime Platform (ECCP) was set up in 2009, and a EU Cybercrime Task Force one year later. Moreover, the Europol Strategy 2010–2014 calls for the strengthening of cybercrime capabilities (e.g., by creating a European Cybercrime Centre at Europol). The European Commission had already highlighted the challenges for securing information and communication infrastructures in 2001. The most relevant legislation concerning cyber security so far is the Council Framework Decision 2005/222/JHA of 24 February 2005. Official documents, such as the 2009 Stockholm Programme, call for a stepping up of efforts to fight cybercrime. The European Network and Information Security Agency (ENISA) was established in Crete in 2004 with the aim of informing about information security issues and setting best practices in this context. Earlier this week, it provided the framework for simulations of cyber security incidents involving representatives of 22 countries. The Commission is funding several research programmes related to cyber security.
Despite these individual efforts, however, the EU has been criticised for some time for the lack of a coherent, forceful approach to cyber crime. As Paul Cornish maintained in a 2009 report for the EP: “the EU’s responses are diverse, lack coherence and could at times conflict.” The ENISA published a report highlighting the need for a pan European information sharing platform concerning cyber security. Moreover, in September 2010, the US government called for the EU to make cyber security a larger priority.
The proposed Directive discussed this week at the JHA Council would replace the current core legislative tool, the 2005 Council Decision. Overall, the Directive’s objective is the further approximation of national approaches on cyber security and closer collaboration between the relevant law enforcement bodies as well as public-private co-operation. Particular attention would be paid to large-scale attacks against information systems, such as malicious emails addressed to government computer networks as well as cyber attacks posed at power grids (see also the recent speech by Iain Lobban, the current head of GCHQ). The budgetary implications are estimated at €5,913,000, to be mainly covered by the Member States.
It appears highly unlikely that the proposed Directive would be able to address all the criticisms, partly because it is a non-binding legislative instrument. The Directive does not explicitly address the concerns about a lack of coherence and co-ordination of EU activities in this field. Moreover, the EU seems to reduce the concept of cyber security to the operational grounds of law enforcement and critical infrastructure protection. Cyber security also refers to challenging questions concerning profiling and activity censorship, however. The nexus between cyber security and privacy protection has been little discussed at EU level so far.