"If everything is connected, everything can be hacked. Given that resources are scarce, we have to bundle our forces. [...] This is why we need a European Cyber Defence Policy, including legislation setting common standards under a new European Cyber Resilience Act."
With these strong words in her 2021 State of the Union address, European Commission President Ursula von der Leyen expressed the geo-strategic dimension of cybersecurity and cyberdefence.
And why it is essential for Europe to invest substantially and urgently in the face of cyber threats of all kinds: security, defence, hybrid.
The world is vulnerable to large-scale cyber attacks
Recent events remind us of the extent to which Europe, and more generally the world, remains vulnerable to large-scale cyber attacks.
These include attacks on the Irish health care system in the midst of a health crisis. The ransomware identified by Kaseya. The hacking of the Colonial Pipeline. Or the cyber attacks against the municipality of Anhalt-Bitterfeld in Germany or those targeting Thessaloniki in Greece.
According to the European Union Agency for Cyber Security, ENISA, attacks on our supply chains will increase fourfold in 2021 compared to last year. And attacks on cloud infrastructure have increased fivefold in one year. Transport, government and industry sectors are the most affected.
With the explosion of connected objects and the increased use of industrial data, the risk surface is merging with our entire continent.
Moreover, cyber technologies are by definition dual. The line between cyber security and cyber defence is becoming increasingly blurred. Whether the attack is motivated by greed or by a desire to destabilise a country, an economy, or democratic processes such as elections, the penetration techniques are often the same.
Faced with these new kinds of threats, we cannot remain with our usual silo reflexes. We must have a common European approach that integrates all the dimensions of cyber, whether civilian or military.
To protect ourselves better, our only option is to act together, at European level. In an interconnected single market, we are only as strong as the weakest link. We must therefore improve our level of security collectively.
Today, given the diversity and sophistication of attacks, no country can face a cyber threat alone, as it knows no borders.
To do this, we need advanced technology, secure infrastructure, common requirements, increased operational cooperation and effective sanctions.
This is what President Ursula von der Leyen has announced.
Europe must become a leader in cybersecurity, through a genuine European Cyber Defence Policy, in order to protect, detect, defend and deter.
This new policy will of course build on what has already been put on the table, both in terms of regulation and technology. It will be a matter of taking our ambition a step further.
Increasing our collective resilience
Firstly, protect, to increase our collective resilience.
To do this, we must ensure our technological sovereignty in the cyber field. Our real strategic autonomy and ability to act will depend on our ability to master and develop cutting-edge technologies in Europe.
We estimate that the EU, its Member States and the private sector could invest up to €4.5 billion over the period 2021-2027 in the development and deployment of cyber security technologies. This amount should be complemented by investments from Ministries of Defence as well as from the European Defence Fund.
I am counting heavily on our new European Cybersecurity Competence Centre based in Romania to organise European technological research more effectively and to strengthen our technological sovereignty. However, in order to mobilise all efforts in a coherent manner and to avoid duplication, I believe that we must work together, within the framework of the Cyber Defence Policy announced by the President, to draw up a specific European cyber capability plan integrating all civilian and military needs. This would make it possible, for example, to combine all efforts in the field of research and quantum technology, which will ultimately change the security of the digital space as we know it today. We will build on the Observatory of critical technologies that we have set up.
In addition to technology, we must also act on the regulatory front to raise the level of security within our single market. We have therefore proposed a revision of the Network Security Directives (NIS) to provide a framework for the obligations of the main economic players.
In order to increase our resilience, we need to establish common European cyber security standards for products (especially connected objects) and services that are placed on our market. This will be the purpose of the European Cyber Resilience Act announced by the President. I believe that this Act should also have a defence dimension in order to maximise synergies, enabling, for example, defence requirements to be taken into account.
From 190 days to several hours to detect a sophisticated attack
Today, it takes an average of 190 days to detect a sophisticated attack. We must drastically reduce this time to a few hours. This is an imperative condition for greater resilience. Because early detection means that the necessary countermeasures can be put in place quickly.
This will involve setting up a European network of Security Operation Centres (SOCs) which will – in conjunction with national and private SOCs – scan the network using artificial intelligence technologies and detect weak signals of attacks. A true "cyber border guard" of our European information space, this network of SOCs must be able to integrate information from national or, in the long term, European military SOCs (financed, for example, by the European Defence Fund).
Joint Cyber Unit
Europe must be better equipped to deal with a major attack. This is the ambition and the objective of the Joint Cyber Unit that we presented last June in order to lay the first foundations for an operational crisis management capability and European solidarity.
We have clearly identified the shortcomings of the current system: too many cybersecurity players, who work in silos, in a fragmented way.
So we need more operational and technical coordination.
Such a unit could thus work closely with the Joint Situation Awareness Centre mentioned by the President.
Develop a real doctrine on cyber attacks
To become a global player in the cyber field, Europe needs to develop a real doctrine on cyber attacks as well as operational and offensive cyber defence capabilities.
We must be able to move forward on our attribution capabilities and develop a real cyber diplomacy as we have just done with the first sanctions against those having carried out cyber attacks in Europe.
The aim must be to gradually develop a genuine operational cyber pillar as an integral part of our ambition for a common European defence. Yes, it is a complicated and delicate subject because it touches the heart of our Member States’ national sovereignty, but now is the time to address it. I believe that this will be one of the important elements of the Strategic Compass carried by the High Representative Josep Borrell.
Faced with cyber threats, the European Union cannot compromise and must do everything possible to increase our resilience, together with its Member States. To preserve our industry, our public services, our infrastructures, our security and defence.
That is also what European technological sovereignty is all about.
- Publication date
- 16 September 2021
- Directorate-General for Communication