European Studies Intern
Editor: Eda Kurt
With the rise of social media and the transformation of user information into a product, cybersecurity began to take its place on the global agenda. While some countries have banned certain apps and sites, others have adopted more liberal policies. The issue has gained great importance especially with the digitalization of the public and private sectors. This study discusses what cybersecurity is and what the dangers in the field are, as well as the measures taken by the European Union in the field of cybersecurity, the policies it refers to, and its general strategy. The effectiveness of actions and decisions will be questioned. For this purpose, research and literature on the subject will be examined.
Keywords: Cybersecurity, Policy, Strategy, European Union, Digitalism
The lockdown of everyone during the COVID-19 Pandemic has had many consequences for our society. One of them was the acceleration of digitalization. Many attempts were made to enable people who could not leave home to do their work. Examples are grocery couriers, internet banking, online shopping, online meetings, online business and more. When the information of everyone and everything quickly moved into cyberspace, some malicious people took advantage of this and started to look for vulnerabilities in the systems. Cybercrime has increased and the importance of cybersecurity has become clear. Of course, it was not only the information of individuals and businesses that moved online; infrastructure also slowly moved to cyberspace. Transportation systems, telecommunications, water systems, food, energy, health care, power grids, financial services and more are at risk of cyber threats. This study first explains what cybersecurity, cyber threats and cyber-attacks are; it then researches the institutions and organizations, policies, strategies and legislation established by the European Union (EU) for cybersecurity from the official pages of the EU; finally, it examines the studies on the EU and its cybersecurity.
What is Cybersecurity?
According to the Cambridge Dictionary, cybersecurity is defined as “things that are done to protect a person, organization, or country and their computer information against crime or attacks carried out using the internet” (Cambridge University Press, n.d.). The United Kingdom’s National Cyber Security Centre says that cybersecurity’s essential task is protecting the devices people use and the services people access from theft or damage, as well as preventing personal data breaches (National Cyber Security Centre, n.d.). The virtual environment, which has grown with digitalization, has become a place open to dangers just like every other environment. Illegal sales, data security problems, theft, fake accounts, scams, and more have all become common in the online world. These kinds of cyber threats are also called cyberattacks. Cyber criminals can harm or disrupt computer systems and devices. They can trick people into sharing sensitive information such as passwords and bank details, or they can simply steal passwords with their programs. There is also the denial-of-service (DoS) attack, which makes a website or network unavailable to its users. Lastly, information that should be confidential can be spread by an insider leaking it. These are all very serious crimes and are a risk to everyone in the online world. The age of digitalization has brought cybersecurity along with these crimes. To protect people’s virtual safety, companies were founded and programs were developed. Developing regulations is one way to ensure cyberspace is a safe place. Digitalization is still ongoing, and with new technological developments, new cyber threats are coming.
Works on EU’s Cybersecurity Policies
The EU has a lot of cybersecurity policies. Many scholars have studied the EU’s work in cybersecurity and the EU’s perspective on cybersecurity. For example, G. G. Fuster and L. Jasmontaite (2020) mention two ransomware attacks that happened in 2017 and say that these attacks embody certain characteristics of cybersecurity as a policy area. Three characteristics are suggested: First, cyber-attacks are the new reality, and they can have devastating consequences that are hard to foresee. Second, dealing with cyber-attacks requires cooperation between public and private entities. Third, useless cybersecurity policies can harm the digital single market, individuals, businesses, and the public sector (Fuster & Jasmontaite, 2020, pp. 99-100). Many policies have addressed the point made by the second characteristic: the aim of many of them has always been cooperation between public and private entities. Later, the writers also touch upon the Network and Information Security (NIS) Directive, which will be discussed in a later chapter. They say that the fact that most legal measures take the form of directives can be seen as a weakness, since it means the member states are free to implement the requirements as they wish; however, when introducing such a complex legislative change, this can be the best option (Fuster & Jasmontaite, 2020). The harmonization of legislation has always been a problem in the EU. Starting small and adding more layers as time goes on can be an effective way to harmonize cybersecurity regulations among the member states. But if harmonization stays shallow, minimal, and overall incomplete, it can create a bigger problem in the EU.
In another work on cybersecurity, it is written that “most European standards do not apply directly to all member states, but rather must be transposed into national legislation, creating further fragmentation and difference” (Krüger & Brauchle, 2021). Cyberspace does not know borders, and mostly when a business opens in a member state, it operates in other member states as well. Having different standards or legislation can make things complicated, since cybersecurity, unlike other areas, does not have borders.
Some works also comment on the EU’s place in cybersecurity as a whole, for example “While not wielding coercive cyber power, the EU has, developed into an institutional cyber power, with a wide range of instruments, platforms and voluntary as well as mandatory requirements at its disposal” (Dunn Cavelty, 2018, as cited in Backman, 2023). Backman (2023) also says that some studies show that the EU is a securitizing actor in the cybersecurity area. The EU has always been a fan of soft power in politics. Rather than coercive power, institutional power is the EU’s specialty. This characteristic can be seen in the cybersecurity field as well. With its many platforms, assistance and incentives, the EU can be seen as a securitizing power. In becoming that securitizing power, it would need help. The EU has always cooperated with other states besides its member states. Anagnostakis (2021) mentions in his work that the EU’s cybersecurity strategy involves establishing an international cyberspace policy and cooperating internationally. It is said that one of those cooperators is the United States (US) (Anagnostakis, 2021). The US is a big actor in cyberspace. Most technology companies are based in the US, so cooperation with it might be vital. China is big in cyberspace too, but the EU’s cooperation with it is not frequently heard of. Anagnostakis (2021) also mentions some common principles of the EU and the US, and one of them is that fundamental rights and freedoms should be superior to cybersecurity measures and that violations of human rights in cyberspace, like online censorship, are not tolerable. This might be a reason why China-EU cooperation is rarely heard of. In cooperation, there should be similar values and principles between the parties.
Anagnostakis wrote, “The EU and the US converge on the norm that internet governance should be regulated through a mixture of state and industry and private sector involvement rather than through direct and heavy-handed governmental control as Russia and China suggest.” (p. 249). The EU is not in favor of heavy state control in the name of security. It can be said that the EU is in favor of soft power in cybersecurity issues too. All the works and policies support this claim.
The European Union’s Cybersecurity Policies
The EU has many common policies and pieces of legislation. The EU’s cybersecurity policies set out precautions and plans in many areas. They try to make both the Union’s physical and virtual zones safe. For this, the EU has taken several initiatives. One of those initiatives is the European Union Agency for Cybersecurity (ENISA). Its website states, “The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe” (The European Union Agency for Cybersecurity, n.d.). This agency was established in 2004; it contributes to EU cyber policy, improves the credibility of Information and Communication Technology (ICT) products and cooperates with member states and EU bodies (The European Union Agency for Cybersecurity, n.d.). One of its key roles is said to be “setting up and maintaining the European cybersecurity certification framework by preparing the technical ground for specific certification schemes” (European Commission, 2023a, April 18). There is also the EU Cybersecurity Act, which strengthens ENISA and presents a cybersecurity certification framework; it is said to help companies certify their ICT products (European Commission, 2023a, April 18). Another important Act of the EU is the Cyber Resilience Act. According to the European Commission’s Digital Strategy webpage on the Cyber Resilience Act (2023, January 30), the cybersecurity of most hardware and software products is currently not covered by any EU legislation, so the Cyber Resilience Act proposes a regulation with rules that promote more secure hardware and software products.
There are also centres and organizations for the EU’s cybersecurity policies. One of them is the European Cybersecurity Organization (ECSO). Established in 2016, ECSO is a cross-sectoral and independent membership organization that serves as the contractual counterpart to the European Commission, tasked with the implementation of Europe’s distinctive Public-Private Partnership in the field of cybersecurity (European Cyber Security Organization, n.d.). Another EU centre is the European Cybersecurity Competence Centre (ECCC). The ECCC was established in June 2021, and its mission is given on its webpage as “The Centre and the Network will make strategic investment decisions and pool resources from the EU, its Member States and, indirectly, the industry to improve and strengthen technology and industrial cybersecurity capacities, enhancing the EU’s open strategic autonomy” (The European Cybersecurity Competence Centre, n.d.). Another centre is the European Cybercrime Centre (EC3), which was set up by Europol in 2013 with the aim of strengthening law enforcement capabilities in addressing cybercrime in the EU. EC3 says it offers “operational, strategic, analytical and forensic support to Member States’ investigations” (Europol, n.d.).
According to the press release by the European Commission on 10 November 2022, the Commission and the High Representative came up with a Joint Communication on an EU Cyber Defence policy and an Action Plan on Military Mobility 2.0 in November 2022. The biggest factors behind this were the deteriorating security environment due to Russia’s aggression towards Ukraine and the need to improve the EU’s ability to protect itself. They explain the aims of this policy as making the EU’s cyber defence ability stronger, ensuring coordination between the military and civilian cyber communities, and strengthening the European Defence Technological Industrial Base (EDTIB) while reducing the EU’s dependence on cyber technologies (European Commission, 2022, November 10).
Moving on to the legal framework for cybersecurity: as legislation, there was the Directive on Security of Network and Information Systems (NIS Directive), which all member states were to implement. This legal framework is said to have been made so that strong government bodies oversee cybersecurity while working with their counterparts in other member states by sharing information. It was later reviewed, and the Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive) entered into force on 16 January 2023, although the member states still have time to implement the new Directive (European Commission, 2023b, April 18). The NIS2 Directive ensures that the member states are fully equipped and prepared, ensures that they set up a Cooperation Group so that information flows smoothly, and promotes an environment centered on security for crucial sectors that rely on ICTs (European Commission, 2023, January 16). The NIS Directive sets some requirements for member states. Under the NIS Directive, EU Member States are required to have Computer Security Incident Response Teams (CSIRTs) or Computer Emergency Response Teams (CERTs). According to the European Commission (2023b, April 18), these are teams that deal with cybersecurity incidents, cooperate with each other, and work with the private sector.
Other than these, the Cybersecurity Strategy was presented by the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy at the end of 2020 (European Commission, 2023b, April 18). This strategy, which aims to respond to major cyberattacks with collective capabilities, is for the security of energy grids, hospitals, railways, and other essential services, as well as for the connected objects in offices and houses (European Commission, 2022, June 7). The strategy is described as “how the EU can harness and strengthen all its tools and resources to be technologically sovereign” and how the EU can better cooperate with its partners around the world (European Commission, 2022, June 7). The European Commission says this strategy guides how a Joint Cyber Unit can respond to cyber threats most effectively. The Joint Cyber Unit is described as a platform that can protect the EU from cybersecurity attacks, especially cross-border ones (European Commission, 2021, November 18).
The digital world, which has affected every aspect of our lives, is full of dangers including theft, data breaches, fraud, and cyberattacks. Governments and companies all across the globe have realized the significance of cybersecurity in protecting people, businesses, and vital infrastructure from these attacks. This realization has been stronger after the COVID-19 Pandemic. One of the actors that understand the importance of cybersecurity has been the EU. The EU was also carrying out studies in the field of cybersecurity before COVID-19, but these studies seem to have accelerated in 2020 and beyond. ENISA, the EU Cybersecurity Act, the Cyber Resilience Act, ECSO, the ECCC, EC3 by Europol, the Joint Communication on an EU Cyber Defence policy, the Action Plan on Military Mobility 2.0, the NIS2 Directive, CSIRTs or CERTs, the Cybersecurity Strategy, and the Joint Cyber Unit: these are all things the EU does in the name of cybersecurity. From voluntary to mandatory and from non-governmental to intergovernmental, what the EU does in this field varies. It places great importance on cross-sectoral cooperation, as well as on cooperation between the member states and with non-member states. It aims for private and public sector cooperation too. While there is some criticism of the minimal harmonization between the member states, there is also some recognition of its institutionalized cybersecurity power. The EU is choosing cooperation as its cybersecurity policy, rather than state control. It can also educate people on how to stay safe online. This type of education can reduce the number of people who fall for phishing and protect them from many more types of cyberattack. Governments should allocate time and budget for cybersecurity. They should do research, stay alert for upcoming threats, and develop solutions for the new ones. Overall, the EU is currently trying hard to make the internet safe for individuals, businesses, and institutions alike.
Its work is not yet in its final form, nor in perfect shape, but that can be expected in the future.
Cambridge University Press. (n.d.). Cybersecurity. In Cambridge dictionary. Retrieved May 8, 2023, from https://dictionary.cambridge.org/dictionary/english/cybersecurity
Anagnostakis, D. (2021). The European Union-United States cybersecurity relationship: A transatlantic functional cooperation. Journal of Cyber Policy, 6(2), 243-261. https://doi.org/10.1080/23738871.2021.1916975
European Commission. (2021, November 18). EU Cybersecurity Strategy for the Digital Decade: Questions and Answers. Retrieved from https://digital-strategy.ec.europa.eu/en/faqs/eu-cybersecurity-strategy-digital-decade-questions-and-answers
European Commission. (2022, June 7). Cybersecurity Strategy. Retrieved from https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-strategy
European Commission. (2022, November 10). Press release: Commission proposes measures to strengthen EU’s cybersecurity capabilities. Retrieved from https://ec.europa.eu/commission/presscorner/detail/en/ip_22_6642
European Commission. (2023, January 16). NIS 2 Directive. Retrieved from https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
European Commission. (2023, January 30). Cyber Resilience Act. Retrieved from https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
European Commission. (2023a, April 18). Cybersecurity Act. Retrieved from https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-act
European Commission. (2023b, April 18). Cybersecurity Policies. Retrieved from https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-policies
European Cyber Security Organization. (n.d.). Who We Are. Retrieved from https://ecs-org.eu/who-we-are/
European Union Agency for Cybersecurity. (n.d.). About ENISA. Retrieved from https://www.enisa.europa.eu/about-enisa
European Union Agency for Cybersecurity. (n.d.). About Us. Retrieved from https://cybersecurity-centre.europa.eu/about-us_en
Europol. (n.d.). European Cybercrime Centre (EC3). Retrieved from https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3
Fuster, G.G., & Jasmontaite, L. (2020). Cybersecurity Regulation in the European Union: The Digital, the Critical and Fundamental Rights. In M. Christen, B. Gordijn, & M. Loi (Eds.), The Ethics of Cybersecurity (pp. 97-115). The International Library of Ethics, Law and Technology, Volume 21. Springer. https://doi.org/10.1007/978-3-030-29053-5_5
Krüger, P. S., & Brauchle, J. P. (2021). The European Union, cybersecurity, and the financial sector: A primer. Carnegie Endowment for International Peace. Retrieved from https://carnegieendowment.org/files/Krueger_Brauchle_Cybersecurity_legislation.pdf
National Cyber Security Centre. (n.d.). What is cyber security? National Cyber Security Centre. Retrieved May 21, 2023, from https://www.ncsc.gov.uk/section/about-ncsc/what-is-cyber-security
Backman, S. (2023). Risk vs. threat-based cybersecurity: The case of the EU. European Security, 32(1), 85-103. https://doi.org/10.1080/09662839.2022.2069464