Advanced and coordinated responses in the field of cybersecurity have become increasingly necessary, as cyberattacks grow in number, scale and consequences, impacting heavily Europe’s security. All relevant actors in the EU need to be prepared to respond collectively and exchange relevant information on a ‘need to share’, rather than only ‘need to know’, basis.

First announced by President Ursula von der Leyen in her political guidelines[1], the proposed Joint Cyber Unit aims to bring together resources and expertise available to the EU and the Member States to effectively prevent, deter and respond to mass cyber incidents and crises. Cybersecurity communities, including civilian, law enforcement, diplomatic and cyber defence communities, as well as private sector partners, too often operate separately. With the Joint Cyber Unit, they will have a virtual and physical platform of cooperation: relevant EU institutions, bodies and agencies together with the Member States will build progressively a European platform for solidarity and assistance to counter large-scale cyberattacks.

Background

The COVID-19 pandemic has increased the importance of connectivity and Europe’s reliance on stable network and information systems and has shown the need to protect the whole supply chain. Reliable and secure network and information systems are particularly important for entities in the frontline of the fight against the pandemic, such as hospitals, medical agencies and vaccine manufacturers. Coordinating EU efforts to prevent, detect, discourage, deter, mitigate and respond to the most impactful cyber attacks against such entities could prevent the loss of life and attempts to undermine the EU’s ability to defeat the pandemic in the swiftest possible manner. Moreover, strengthening the EU’s ability to counter cyber attacks effectively contributes to advancing a global, open, stable and secure cyberspace.

Faced with the cross-border nature of cybersecurity threats and the continuous surge of more complex, pervasive and targeted attacks, it’s incumbent on the relevant cybersecurity institutions and actors to increase their ability to respond to such threats and attacks by harnessing existing resources and coordinating efforts better. All relevant actors in the EU need to be prepared to respond collectively and exchange information on a ‘need to share’, rather than a ‘need to know’, basis.

No common platform

Despite the major progress achieved through cooperation between Member States on cybersecurity, most notably through the NIS Cooperation Group and the CSIRTs (Computer Security Incident Response Teams) network, there is still no common EU platform where information gathered in different cybersecurity communities can be exchanged efficiently and safely and where operational capabilities can be coordinated and mobilised by relevant actors. As a result, cyber threats and incidents risk being addressed in silos with limited efficiency and increased vulnerability. Furthermore, an EU-level channel for technical and operational cooperation with the private sector, both in terms of information sharing and incident response support, is missing.

Existing frameworks, structures and the resources and expertise available in Member States and relevant EU institutions, bodies and agencies provide a strong basis for a collective response to cybersecurity threats, incidents and crises.

However, a mechanism for harnessing existing resources and providing mutual assistance across the cyber communities responsible for network and information systems security, for combating cybercrime, for conducting cyber-diplomacy, and, where appropriate, for cyber-defence in the event of a crisis does not yet exist. Nor is there a comprehensive mechanism at the EU level for technical and operational cooperation in situational awareness, preparedness as well as response, between all communities. Moreover, synergies with the law enforcement and intelligence communities should be achieved respectively through Europol and INTCEN (EU Intelligence and Situation Centre).

A Joint Cyber Unit

The importance of analysing the strengths, weaknesses, gaps and overlaps of the current EU cybersecurity architecture which has been created over recent years is clearly recognised at the highest levels. In consultation with Member States, the Commission, with the involvement of the High Representative of the Union for Foreign Affairs and Security Policy, has developed a concept for a Joint Cyber Unit as a response to this analysis and as an important component of the Security Union Strategy, the Digital Strategy and the Cybersecurity Strategy.

The Four Cyber Communities

In cases of crisis, Member States should be able to rely on EU solidarity in the form of coordinated assistance, including from all four cyber communities i.e., civilian, law enforcement, diplomacy and, where appropriate, defence. The degree of intervention of participants from one or more communities may depend on the nature of a large-scale incident or crisis and, consequently, on the type of countermeasures required to respond to it. When confronted with cyber threats, incidents and crises, well-trained experts and technical equipment represent essential assets that can contribute to avoid serious damage and bring effective recovery. Therefore, clearly identified technical and operational capabilities, primarily experts and equipment, ready to be deployed to Member States in case of need, will be at the centre of the Joint Cyber Unit. Within that platform, participants will be in a unique position to nurture and coordinate such capabilities through EU Cybersecurity Rapid Reaction teams, while ensuring appropriate synergies with the already existing cyber projects conducted in the framework of PESCO (cyber defence-related projects launched under the Permanent Structured Cooperation).

The Joint Cyber Unit provides for a virtual and physical platform and does not require the creation of an additional, standalone body. Its setup should not affect the competencies and powers of national cybersecurity authorities and relevant Union entities. The intention is that the Joint Cyber Unit should:

• be anchored in MoUs between its participants.
• build on, and add value to, existing structures, resources and capabilities as a platform for secure and rapid operational and technical cooperation between EU entities and Member State authorities.
• bring together all four cybersecurity communities.
• provide a new impetus to the process started in 2017 with the Blueprint.
• further operationalise the Blueprint architecture and mark a decisive step towards a European cybersecurity crisis management framework where threats and risks are identified, mitigated and responded to in a coordinated and timely manner. By taking such a step, the Joint Cyber Unit should help the EU respond to current and impending threats.

Participants in the platform should have either an operational or supporting role.

• Operational participants should include ENISA, Europol, the CERTs, the Commission, the European External Action Service (including INTCEN), the CSIRTs Network and EU-CyCLONe.
• Supporting participants should include the European Defence Agency (‘EDA’), the NIS Cooperation Group Chair, the Council Horizontal Working Party on Cyber Issues Chair, and one representative of the relevant PESCO projects.

Since the Member States have operational capabilities and competences to respond to large-scale cyber threats, incidents and crises, the platform’s participants should primarily rely on their capacities, with the help of relevant EU entities, to achieve their objectives.

A Four Step Implementation Process

The objectives set out in the Recommendation are to be achieved through a four-step process:

• A preparatory process should start with the identification of relevant available EU operational capabilities and the launch of an assessment of the roles and responsibilities of participants within the platform.
• The development of the EU Incident and Crisis Response Plan, consistent with the Blueprint and the EU Law Enforcement Emergency Response Protocol, the roll-out of preparedness and situational awareness related activities, consistent with the Cybersecurity Act and the Europol Regulation, and the conclusion of the assessment on the roles and responsibilities of participants within the platform. The working group should present the results of that assessment to the Commission and the High Representative, which subsequently will share those results with the Council. The Commission and the High Representative should work together, in line with their respective competences, to draw up a joint report based on that assessment and invite the Council to endorse that report via Council conclusions.
• Following that endorsement, the Joint Cyber Unit will be made operational, with a view to completing the two remaining steps of the process.
• Participants should be able to deploy EU Rapid Reaction teams within the Joint Cyber Unit, along the lines of procedures defined in the EU Incident and Crisis Response Plan, leveraging both the physical and virtual platform and contributing to various aspects of incident response (from public communication to ex-post recovery).

Private sector stakeholders, including both users and providers of cybersecurity solutions and services, will be invited to contribute to the platform, allowing participants to improve information sharing and enhance the EU’s coordinated response to cyber threats and incidents.

The Role of ENISA

It’s intended that the Commission, ENISA, Europol and CERT-EU should provide administrative, financial and technical support to the Joint Cyber Unit, subject to budget and human resource availability.  In view of its reinforced mandate, ENISA is in a unique position to organise and support the preparation of the Joint Cyber Unit, as well as to contribute to its operationalisation. In line with the provisions of the Cybersecurity Act, ENISA is currently establishing a Brussels office to support its structured cooperation with CERT-EU. That structured cooperation, including adjacent offices, provides a useful framework to facilitate the creation of the Joint Cyber Unit, including the establishment of its physical space which should be made available to participants in case of need, as well as to staff from other relevant EU institutions, bodies and agencies. The physical platform should be combined with a virtual platform composed of collaboration and secure information sharing tools. Those tools will leverage the wealth of information gathered through the European Cyber-Shield, including Security Operation Centres (SOCs) and Information Sharing and Analysis Centres (ISACs).

Law Enforcement Procedures

The EU Law Enforcement Emergency Response Protocol for major cross-border cyber-attacks  gives a central role to Europol’s European Cybercrime Centre (‘EC3’) as part of the ‘Blueprint’ framework. That Protocol allows EU law enforcement authorities to provide a response to large-scale cross-border attacks of a suspected malicious nature on a 24/7 basis through rapid reaction and assessment, as well as the secure and timely sharing of critical information for the effective coordination of responses to cross-border incidents. The Protocol further elaborates on the collaboration with other EU institutions and EU-wide crisis protocols, as well as crisis cooperation with the private sector. The law enforcement community, with the support of Europol when appropriate, is to contribute to the Joint Cyber Unit by taking the necessary steps within the full investigation cycle, in line with the requirements of the criminal justice framework and the applicable electronic evidence handling procedures. Europol has been providing operational support and facilitating operational cooperation against cyber threats since the inception of EC3 in 2013. Europol should support the platform according to its mandate and the intelligence-led policing approach, while leveraging all types of in-house expertise, products, tools and service of pertinence for the incident or crisis response.

The Cyber Diplomacy Community

The EU cyber diplomacy community contributes to promoting and protect a global, open, stable and secure cyberspace and to prevent, deter and respond to malicious cyber activities in this regard. In 2017, the EU established a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (‘Cyber Diplomacy Toolbox’). This framework is part of EU’s wider cyber diplomacy policy. It contributes to conflict prevention and greater stability in international relations. It allows the EU and Member States, in cooperation with international partners where relevant, to use all Common Foreign and Security Policy (‘CFSP’) measures, in line with the respective procedures for their attainment, to encourage cooperation, mitigate threats and influence current and potential future malicious behaviour in cyberspace. The cyber diplomacy community should cooperate under the Joint Cyber Unit by using and providing support in using the full range of diplomatic measures, notably as regards public communication, supporting shared situational awareness and engagement with third countries in the event of a crisis.

The Cyber Defence Community

Within the cyber defence community, the EU and Member States aim to strengthen cyber defence capabilities and enhance further synergies, coordination and cooperation between relevant EU institutions, bodies and agencies, as well as with and between Member States, including as regards the Common Security and Defence Policy (CSDP) missions and operations. The community functions based on an intergovernmental governance at EU level, national military command structures and military, or dual-use capabilities and assets. In light of its different nature, specific interfaces with the Joint Cyber Unit should be built to enable information sharing with the cyber defence community.

Private Sector Engagement

Through the Joint Cyber Unit, participants should adequately integrate private sector stakeholders, including both providers and users of cybersecurity solutions and services, to support the European cybersecurity crisis management framework, with due regard to the legal framework for data sharing and security of information. Cybersecurity providers should contribute to the initiative by sharing threat intelligence and providing incident responders to quickly expand the Unit’s capacity to respond to large scale attacks and crises. Users of cybersecurity goods and services, primarily those under the scope of the NIS Directive, should be able to seek help and advice through currently missing structured channels linked to EU-level Information Sharing and Analysis Centres (ISACs). The platform could also contribute to strengthen cooperation with international partners.

The Role of the Commission

The Commission, primarily through the Digital Europe Programme, will support the necessary investments to set up the physical and virtual platform and build and maintain secure communication channels and training capabilities as well as developing and deploying detection capabilities. In addition, the European Defence Fund could help fund key cyber defence technologies and cyber defence capabilities which would reinforce national cyber defence preparedness.

 

David Goodman, Trust in Digital Life

 

[1]        https://op.europa.eu/en/publication-detail/-/publication/43a17056-ebf1-11e9-9c4e-01aa75ed71a1. The Recommendation on the creation of the Joint Cyber Unit is an important step towards completing the European cybersecurity crisis management framework. It is a concrete deliverable of the EU Cybersecurity Strategy and the EU Security Union Strategy, contributing to a safe digital economy and society.