EuroWire January 2014

This issue of EuroWire examines recent developments in creating an EU-wide cyber security policy and the ramifications of that for US policymakers and businesses.


EU Cyber Security Policy in the Age of Snowden

The European Union is pursuing a new comprehensive strategy on cyber security that could lead to significant divergences with US policy.

The Snowden revelations have re-framed the discussion in Europe about the degree of necessary protections for data privacy at a time when the EU is re-visiting laws on the issue.

US-EU policies on cyber security and data protection could lead to a more fractured digital environment if not more closely coordinated.

Over the past decade, the European Union has been slowly building the legal framework and institutions to coordinate cyber security across the 28 member states. The EU established the European Network and Information Security Agency (ENISA) in 2004 to oversee that coordination, maintain Computer Emergency Response Team (CERT) coordination, and provide training and support. Since then, ENISA, along with the European Defense Agency, has also been working to ensure coordination on the nascent offensive capabilities that member-state militaries are developing. In 2013, the EU established within Europol its European Cybercrime Centre (EC3), which addresses information-sharing among national law-enforcement agencies on large-scale online fraud and child pornography.

On February 7, 2013, five days prior to the Obama administration’s executive order on cyber security, the EU took its most sweeping policy step to date, releasing its long-anticipated European Cyber Security Strategy. The strategy was a joint inter-agency document prepared by Home Affairs Commissioner Cecilia Malmström’s department (DG Home, the EU’s homeland-security arm); Catherine Ashton’s European External Action Service, the EU’s foreign-policy arm; and Commissioner Neelie Kroes’ DG Connect, the EU department responsible for developing an innovative digital marketplace across EU member states. The EU’s justice department, DG JUST, was not part of the drafting exercise, although it worked closely with the three lead agencies.


The strategy is based on five main pillars: 1) enhancing resilience and response to cyber attacks; 2) reducing cybercrime; 3) developing a foreign policy and defense capability in cyber; 4) building an indigenous industrial base for cyber security-related R&D; and 5) promoting global Internet freedom and governance in a manner consistent with EU values. The strategy is complemented by implementing legislation in the Network and Information Security (NIS) Directive and policies aimed at creating the institutional infrastructure to coordinate cyber policy across the EU.

The EU is also seeking to revise its data-protection regime, upgrading legislation to a binding regulation that would apply across the EU. The debate around this regulation has intensified in the wake of Edward Snowden’s disclosures of NSA surveillance programs such as PRISM, which some members of the European Parliament (EP) feel should be addressed in the new law.

Given the deep digital integration of the US and EU economies and the trans-Atlantic alliance structure, EU cyber policy will have immediate and noteworthy ramifications for American policymakers.

The European Cyber Strategy and the NIS Directive

A primary deficiency noted in the strategy is the wild divergence in preparedness across member states. The strategy sets three key benchmarks for addressing this. First, it calls on each member state to designate one national agency to act as a coordinating “one-stop shop” for cyber policy and operations. Second, it requires that each member state have coordinating national CERTs that would act as operational hubs, or “cyber FEMAs”, in the event of major cyber incidents. Third, it calls for all member states to ratify the 2001 Budapest Convention on Cybercrime as a baseline policy for combating cybercrime.

The NIS Directive aims at operationalizing the goals of the cyber strategy by establishing minimum standards on network and information security. The legislation, slated for its first vote in EP plenary in March 2014, includes provisions to establish national cyber regulators and CERTs, uniform breach reporting, and enhanced networks for information sharing across member states and with the private sector.

Given the differences in preparedness across member states, the directive offers a degree of flexibility for each state to transpose the strategy into national law in accordance with its own legal framework and political system. From Estonia, where the information ministry coordinates a massive, nationwide preparedness, resilience and response effort, to some countries in the eurozone south, which have yet to designate a coordinator, approaches to cyber-coordination vary markedly. Most countries lie in the middle of the range, with interior ministries serving as government coordinators. This designated national coordinating body, usually the interior ministry, would also be the agency to which businesses would be required to report major cyber incidents.

While American observers of EU cyber policy have generally welcomed the legislation, it diverges from the emerging cyber framework in the US in several ways. First, the NIS Directive requires compulsory disclosure to national authorities in the event of a breach, unlike CISPA’s voluntary information-disclosure provisions. This tough reporting requirement has unsettled many American IT companies, particularly given that thresholds for required notification remain undefined. Notably, the compulsory requirement for companies to report incidents to governments is not matched by similar requirements for governments to share information with industry. US stakeholders in Europe have criticized this “one-way” requirement, claiming that the strategy lacks incentives for companies to collaborate with national authorities. Governments can keep timely and actionable information classified, leaving cooperating companies vulnerable and limiting the ability of others to integrate lessons learned and other best practices from past incidents. In the US, by contrast, the information-sharing arrangement between government and the private sector is mutual.

The second major divergence from emerging US cyber policy is the definition of “critical infrastructure”, the sectors that will be required to comply with reporting requirements. The NIS Directive identifies a wide array of sectors including energy, transport, banking and healthcare. A number of Internet companies are also included, a major departure from the Obama administration’s executive order and NIST Framework. The European strategy even explicitly lists a number of companies that will be required to provide breach information to governments. These include enabling providers such as e-commerce markets (eBay, Kayak), social networks (Facebook, Twitter) and search engines (Google, Yahoo!). A preponderance of attention has been paid to US companies in the designation of critical infrastructure, which has been an additional source of American concern.

Finally, the strategy and NIS Directive draw attention to the underdeveloped state of the indigenous industrial base for cyber security technology, which is increasingly seen as a security risk. The strategy calls for increased R&D, product standardization, and financing incentives that would allow ICT to become a strategic sector. The draft legislation even compares the cyber-industrial base to the aviation sector. The strategy hints at linking funding for cyber-research projects through the EU’s massive R&D program, Horizon 2020, to their development within the EU. It remains unclear how US-based universities and research institutions would have access to these tenders and collaborate with EU partners.

Re-thinking Privacy

In addition to new cyber legislation, the EU has been working to develop its online privacy regime, an area that has also led to friction with the US. The 1995 Data Protection Directive, the basis for enshrining integrity, confidentiality and availability of EU citizens’ personal data in accordance with the European Charter for Human Rights, is considered a “gold standard” in Europe. In January 2012, the European Commission proposed a unified General Data Protection Regulation to harmonize the EU approach to data protection and hold foreign companies accountable for all EU citizens’ data. Revelations in summer 2013 of data collection by the NSA led to debates about using the regulation to more forcefully guarantee compliance by US companies by forcing them to comply with European data-protection standards. When adopting its position for negotiations with Council, the EP re-inserted tougher provisions into the draft data-protection law, putting strict limits on the conditions under which users’ data can be transferred to third countries. Companies flouting this provision could be hit with a financial penalty of up to five percent of global turnover.

The rule, misleadingly called the anti-NSA provision, maintains an exemption for matters related to national security. In the aftermath of the Snowden disclosure, some have questioned whether the US propagates a similar extraterritorial enforcement of its laws by compelling European (and other) subsidiaries of US companies such as Amazon, Google and Facebook to render data to American authorities. The EU measure attempts to address the potential extraterritorial application of US law in Europe but could compel US digital companies to adhere to diametrically conflicting sets of legal requirements. The EP voted on a version of the regulation in October 2013, but completion of the regulation before EP elections in May 2014 appears unlikely.

The NSA revelations are also affecting other areas of EU online economic policy. Some European “sovereign cloud” projects are gaining traction as alternatives to US-based services due to their more stringent adherence to emerging EU breach and privacy laws. These projects are marketed to prospective users as local alternatives to major American IT service providers, which are perceived to have cozy data-sharing relationships with US intelligence agencies.

Trans-Atlantic Cooperation on Cyber Security

US-EU cooperation on cyber security has been mixed. In 2010, the two established a cyber-security working group on the margins of a Lisbon US-EU summit. The working group intends to hold a joint simulation exercise in 2014 as a follow-on to the 2011 Cyber Atlantic simulation. The working group, however, is still perceived as somewhat inactive.

Prior to the NSA revelations, the highly sensitive dynamic on information-sharing and data flows had not been significantly incorporated into talks on cyber security. Recent agreements between the two sides, including on the Terrorist Finance Tracking Program (TFTP) and the Passenger Name Record (PNR), dealt with intelligence related to suspected terrorists. In addition, the US and EU have been negotiating a separate comprehensive data-protection framework agreement. In the wake of the Snowden revelations, talks have intensified, and the role of digital commerce and data flows has become an essential point of contention for the EU. Many members of the EP contend that a Comprehensive Data Protection Agreement must be concluded before the EP ratifies the Transatlantic Trade and Investment Partnership (TTIP), the prospective US-EU free-trade agreement. However, the extent to which forthcoming TTIP negotiations will address data protection and cyber security remains unclear.

What is clear is that the NIS Directive and Data Protection Regulation could lead to conflicting legal regimes across the Atlantic, creating a jurisdictional “spaghetti bowl” in which compliance with one regime negates compliance with the other. Without greater US-EU cyber-security cooperation, trans-Atlantic pre-eminence in online security and prosperity could be under threat.

Key Players to Watch on EU Cyber Policy

European Commissioner for Home Affairs: Cecilia Malmström

EU High Representative for Foreign Affairs and Security Policy and Vice President of the European Commission: Baroness Catherine Ashton

Rapporteur for Data Protection Regulation, European Parliament Committee on Civil Liberties, Justice and Home Affairs: Jan Philipp Albrecht (MEP-Germany)

Rapporteur for Network and Information Security Directive, European Parliament Committee on Industry, Research and Energy: Pilar del Castillo Vera (MEP-Spain)

Rapporteur for Network and Information Security Directive, European Parliament Committee on Internal Market and Consumer Protection: Andreas Schwab (MEP-Germany)

European Commissioner for Digital Agenda and Vice President of the EC: Neelie Kroes