The EU’s cyber defense policy was unveiled by the EU’s executive and diplomatic arms on Thursday (November 10th) in response to heightened geopolitical tensions over Russia’s aggression in Ukraine.
The Cyber Defense Policy is a strategic document designed to strengthen Europe’s cyber security capabilities, increase military and civilian cooperation, address potential security gaps, reduce strategic dependencies and develop cyber capabilities.
“Europe has no defense without cyber defense”, EU Digital Commissioner Margrethe Vestager said at a press conference. She added: “US cyber defense policy strengthens our ability to protect our military and civilian assets from cyber attacks.”
More investment is needed to strengthen cyber defense at European and national level, and several existing European programs can contribute to this, for example Permanent Structured Cooperation, the European Defense Fund, Horizon Europe and Digital Europe.
However, this funding has already been cut due to strains on the EU budget caused by high inflation, REPowerEU’s exceptional package of measures and extra-budgetary initiatives such as the semiconductor law.
The cyber defense policy has developed a roadmap for cyber technologies based on a strategic assessment of the most critical vulnerabilities to support long-term strategic investments by Member States, possibly with the support of the future European Sovereignty Fund.
Voluntary commitments to increase national cyber defense capabilities will also be discussed with member states. Cyber defense training programs will be established in the form of a European Cyber Skills Academy for various professional profiles, including, in particular, those in the defense sector.
EU policy also aims to implement effective coordination mechanisms between national and European cyber defense actors, military and civilian cyber communities, and private and public sectors.
“Public-private cooperation in the field of cyber defense is becoming more complicated due to the role played by non-European technology platforms. Europe needs to implement clear and smooth procedures to work faster and more efficiently with trusted cybersecurity SMEs,” Danilo D’Elia, vice president of YesWeHack, told EURACTIV.
In addition to existing structures, EU policymakers intend to create a Cyber Defense Coordination Center to contribute to better situational awareness in the defense community. They also want to create an operational network for military computer emergency response teams, called CERT.
A new CyDef-X framework will also be developed to support EU cyber defense exercises. However, the most significant development for EU officials is expected to be situational awareness and response capabilities through Security Operations Centers (SOCs) run by civilians.
Preparedness and response
The idea of creating a SOC network as an EU “cyber shield” goes back to the 2020 cyber security strategy.
In the coming weeks, the Digital Europe program will launch calls for the creation of a number of SOCs. As these operational centers generally operate in specific areas, they will be grouped at the national level.
However, SOCs are not only funded by the government. They are effectively control centers that monitor and respond to cyber security incidents for “client” organizations. A critical point not mentioned in the guidance document is that existing operations centers have so far shared very little information because they have no incentive to do so—monetary or otherwise.
Instead, the Commission is considering the creation of a European advanced detection infrastructure to inform Member States of threats in real time as part of the EU’s cyber solidarity initiative.
In addition, the initiative envisages the creation of a cybersecurity emergency response fund to assist countries under attack by providing them with the necessary skills and resources. These emergency responses will be supported by a European cyber pool of trusted service providers.
The upcoming initiative will also trigger the critical infrastructure stress tests provided for in the latest Council Recommendation.
Dual Purpose Technology
A growing problem for the defense industry is that even a laptop’s operating system can be hacked to cripple a country’s military capability. As a result, the distinction between cybersecurity requirements for civilian and military technologies is blurring.
The EU’s approach in this area will be to develop risk scenarios, including penetration tests, to assess the importance of critical infrastructure for military communications and mobility. In addition, civil-military cooperation will be needed to develop harmonized standards for dual-use products.
Meanwhile, Cecilia Bonefeld-Dahl, chief executive of trade association Digital Europe, called for better conditions for European SMEs to develop dual-use technologies.
The EU is ready to establish special partnerships with like-minded countries in the field of cyber defense. Joint training and exercises with NATO are also planned.
Progress in implementing the cyber defense policy will be the subject of an annual report.