EuroWire (Bertelsmann Foundation)
This issue of EuroWire examines recent developments in creating an EU-wide cyber security policy and the ramifications of that for US policymakers and businesses.
EU Cyber Security Policy in the Age of Snowden
The European Union is pursuing a new comprehensive strategy on cyber security that could lead to significant divergences with US policy.
The Snowden revelations have re-framed the discussion in Europe about the degree of necessary protections for data privacy at a time when the EU is re-visiting laws on the issue.
US-EU policies on cyber security and data protection could lead to a more fractured digital environment if not more closely coordinated.
Over the past decade, the European Union has been slowly building the legal framework and institutions to coordinate cyber security across the 28 member states. The EU established the European Network and Information Security Agency (ENISA) in 2004 to oversee that coordination, maintain Computer Emergency Response Team (CERT) coordination, and provide training and support. Since then, ENISA, along with the European Defense Agency, has also been working to ensure coordination on the nascent offensive capabilities that member-state militaries are developing. This year, the EU established within Europol its European Cybercrime Centre (EC3), which addresses information-sharing among national law-enforcement agencies on large-scale online fraud and child pornography.

On February 7, 2013, five days prior to the Obama administration’s executive order on cyber security, the EU took its most sweeping policy step to date, releasing its long-anticipated European Cyber Security Strategy. The strategy was a joint inter-agency document prepared by Home Commissioner Cecilia Malmström and the EU’s homeland-security department, Catherine Ashton’s European External Action Service, the EU’s foreign-policy arm, and Commissioner Neelie Kroes’ DG Connect, a special EU department responsible for developing an innovative digital marketplace across EU member states. The EU’s justice department, DG JUST, was not part of the drafting exercise, although it worked closely with the three lead agencies.
January 2014
The strategy is based on five main pillars: 1) enhancing resilience and response to cyber attacks; 2) reducing cybercrime; 3) developing a foreign policy and defense capability in cyber; 4) building an indigenous industrial base for cyber security-related R&D; and 5) promoting global Internet freedom and governance in a manner consistent with EU values. The strategy is complemented by implementing legislation in the Network and Information Security (NIS) Directive and policies aimed at creating the institutional infrastructure to coordinate cyber policy across the EU.

The EU is also seeking to revise its data-protection regime, upgrading legislation to a binding regulation that would apply across the EU. The debate around this regulation has intensified in the wake of Edward Snowden’s disclosures of NSA surveillance programs such as PRISM, which some members of the European Parliament (EP) feel should be addressed in the new law.

Given the deep digital integration of the US and EU economies and the trans-Atlantic alliance structure, EU cyber policy will have immediate and noteworthy ramifications for American policymakers.
The European Cyber Strategy and the NIS Directive
A primary deficiency noted in the strategy is the wild divergence in preparedness across member states. The strategy sets three key benchmarks for addressing this. First, it calls on each member state to designate one national agency to act as a coordinating “one-stop shop” for cyber policy and operations. Second, it requires that each member state have coordinating national CERTs that would act as operational hubs, or “cyber FEMAs”, in the event of major cyber incidents. Third, it calls for all member states to ratify the 2002 Budapest Convention as a baseline policy for combating cybercrime.

The NIS Directive aims at operationalizing the goals of the cyber strategy by establishing minimum standards on network and information security. The legislation, slated for its first vote in EP plenary in March 2014, includes provisions to establish national cyber regulators and CERTs, uniform breach reporting, and enhanced networks for information sharing across member states and with the private sector.
Given the differences in preparedness across member states, the directive offers a degree of flexibility for each state to transpose the strategy into national law in accordance with its own legal framework and political system. From Estonia, where the information ministry coordinates a massive, nationwide preparedness, resilience and response effort, to some countries in the eurozone south, which have yet to designate a coordinator, approaches to cyber-coordination vary markedly. Most countries lie in the middle of the range, with interior ministries serving as government coordinators. This designated national coordinating body (usually the interior ministry) would also be the agency to which businesses would be required to report major cyber incidents.
While American observers of EU cyber policy have generally welcomed the legislation, it diverges from the emerging cyber framework in the US in several ways. First, the NIS Directive requires compulsory disclosure to national authorities in the event of a breach, unlike CISPA’s voluntary information-disclosure provisions. This tough reporting requirement has unsettled many American IT companies, particularly given that the thresholds for required notification remain undefined. Notably, the compulsory requirement for companies to report incidents to governments is not matched by similar requirements for governments to share information with industry. US stakeholders in Europe have criticized this “one-way” requirement, claiming that the strategy lacks incentives for companies to collaborate with national authorities. Governments can keep timely and actionable information classified, leaving cooperating companies vulnerable and limiting the ability of others to integrate lessons learned and other best practices from past incidents. In the US, by contrast, the information-sharing arrangement between government and the private sector is mutual.
The second major divergence from emerging US cyber policy is the definition of “critical infrastructure”, the sectors that will be required to comply with reporting requirements. The NIS Directive identifies a wide array of sectors including energy, transport, banking and healthcare. A number of Internet companies are also included, a major departure from the Obama administration’s executive order and NIST Framework. The European strategy even explicitly lists a number of companies that will be required to provide breach information to governments. These include enabling providers such as e-commerce markets (eBay, Kayak), social networks (Facebook, Twitter) and search engines (Google, Yahoo!). A preponderance of attention has been paid to US companies in the designation of critical infrastructure, which has been an additional source of American concern.
Finally, the strategy and NIS Directive draw attention to the underdeveloped state of the indigenous industrial base for cyber security technology, which is increasingly seen as a security risk. The strategy calls for increased R&D, product standardization, and financing incentives that would allow ICT to become a strategic sector. The draft legislation even compares the cyber-industrial base to the aviation sector. The strategy hints at linking funding for cyber-research projects through the EU’s massive R&D program, Horizon 2020, to their development within the EU. It remains unclear how US-based universities and research institutions would have access to these tenders and collaborate with EU partners.
Re-thinking Privacy
In addition to new cyber legislation, the EU has been working to develop its online privacy regime, an area that has also led to friction with the US. The 1995 Data Protection Directive, the basis for enshrining integrity, confidentiality and availability of EU citizens’ personal data in accordance with the European Charter for Human Rights, is considered a “gold standard” in Europe. In January 2012, the European Commission proposed a unified General Data Protection Regulation to harmonize the EU approach to data protection and hold foreign companies accountable for all EU citizens’ data.

Revelations in summer 2013 of data collection by the NSA led to debates about using the regulation to more forcefully guarantee compliance by US companies by forcing them to comply with European data-protection standards. When adopting its position for negotiations with Council, the EP re-inserted tougher provisions into the draft data-protection law, putting strict limits on the conditions under which users’ data can be transferred to third countries. Companies flouting this provision could be hit with a financial penalty of up to five percent of global turnover.
The rule, misleadingly called the anti-NSA provision, maintains an exemption for matters related to national security. In the aftermath of the Snowden disclosures, some have questioned whether the US practices a similar extraterritorial enforcement of its laws by compelling European (and other) subsidiaries of US companies such as Amazon, Google and Facebook to render data to American authorities. The EU measure attempts to address the potential extraterritorial application of US law in Europe but could compel US digital companies to adhere to diametrically conflicting sets of legal requirements. The EP voted on a version of the regulation in October 2013, but completion of the regulation before EP elections in May 2014 appears unlikely.
The NSA revelations are also affecting other areas of EU online economic policy. Some European “sovereign cloud” projects are gaining traction as alternatives to US-based services due to their more stringent adherence to emerging EU breach and privacy laws. These projects are marketed to prospective users as local alternatives to major American IT service providers, which are perceived to have cozy data-sharing relationships with US intelligence agencies.
Trans-Atlantic Cooperation on Cyber Security
US-EU cooperation on cyber security has been mixed. In 2010, the two established a cyber-security working group on the margins of a Lisbon US-EU summit. The working group on cyber security intends to hold a joint simulation exercise in 2014 as a follow-on to their 2011 Cyber-Atlantic simulation. The working group, however, is still perceived as somewhat inactive.

Prior to the NSA revelations, the highly sensitive dynamic on information-sharing and data flows had not been significantly incorporated into talks on cyber security. Recent agreements between the two sides, including on the Terrorist Finance Tracking Program (TFTP) and the Passenger Name Record (PNR), dealt with intelligence related to suspected terrorists. In addition, the US and EU have been negotiating a separate comprehensive data-protection framework agreement. In the wake of the Snowden revelations, talks have intensified, and the role of digital commerce and data flows has become an essential point of contention for the EU. Many members of the EP contend that a Comprehensive Data Protection Agreement must be concluded before the EP ratifies the Transatlantic Trade and Investment Partnership (TTIP), the prospective US-EU free-trade agreement. However, the extent to which forthcoming TTIP negotiations will address data protection and cyber security remains unclear.

What is clear is that the NIS Directive and Data Protection Regulation could lead to conflicting legal regimes across the Atlantic, creating a jurisdictional “spaghetti bowl” in which compliance with one regime negates compliance with the other. Without greater US-EU cyber-security cooperation, trans-Atlantic pre-eminence in online security and prosperity could be under threat.
Key Players to Watch on EU Cyber Policy
European Commissioner for Home Affairs: Cecilia Malmström
EU High Representative for Foreign Affairs and Security Policy and Vice President of the European Commission: Baroness Catherine Ashton
Rapporteur for Data Protection Regulation, European Parliament Committee on Civil Liberties, Justice and Home Affairs: Jan Philipp Albrecht (MEP-Germany)
Rapporteur for Network and Information Security Directive, European Parliament Committee on Industry, Research and Energy: Pilar del Castillo Vera (MEP-Spain)
Rapporteur for Network and Information Security Directive, European Parliament Committee on Internal Market and Consumer Protection: Andreas Schwab (MEP-Germany)
European Commissioner for Digital Agenda and Vice President of the EC: Neelie Kroes