EuroWire January 2014


EU Cyber Security Policy in the Age of Snowden

The European Union is pursuing a new comprehensive strategy on cyber security that could lead to significant divergences with US policy. The Snowden revelations have re-framed the discussion in Europe about the degree of necessary protections for data privacy at a time when the EU is re-visiting laws on the issue. US-EU policies on cyber security and data protection could lead to a more fractured digital environment if not more closely coordinated.

Over the past decade, the European Union has been slowly building the legal framework and institutions to coordinate cyber security across the 28 member states. The EU established the European Network and Information Security Agency (ENISA) in 2004 to oversee that coordination, maintain Computer Emergency Response Team (CERT) coordination, and provide training and support. Since then, ENISA, along with the European Defense Agency, has also been working to ensure coordination on the nascent offensive capabilities that member-state militaries are developing. This year, the EU established within Europol its European Cybercrime Centre (EC3), which addresses information-sharing among national law-enforcement agencies on large-scale online fraud and child pornography. On February 7, 2013, five days prior to the Obama administration’s executive order on cyber security, the EU took its most sweeping policy step to date, releasing its long-anticipated European Cyber Security Strategy. The strategy was a joint inter-agency document prepared by Home Commissioner Cecilia Malmström and the EU’s homeland-security department, Catherine Ashton’s European External Action Service, the EU’s foreign-policy arm, and Commissioner Neelie Kroes’ DG Connect, a special EU department responsible for developing an innovative digital marketplace across EU member states. The EU’s justice department, DG JUST, was not part of the draft exercise although it worked closely with the three lead agencies.


The strategy is based on five main pillars: 1) enhancing resilience and response to cyber attacks; 2) reducing cybercrime; 3) developing a foreign policy and defense capability in cyber; 4) building an indigenous industrial base for cyber security-related R&D; and 5) promoting global Internet freedom and governance in a manner consistent with EU values. The strategy is complemented by implementing legislation in the Network and Information Security (NIS) Directive and policies aimed at creating the institutional infrastructure to coordinate cyber policy across the EU. The EU is also seeking to revise its data-protection regime, upgrading legislation to a binding regulation that would apply across the EU. The debate around this regulation has intensified in the wake of Edward Snowden’s disclosures of NSA surveillance programs such as PRISM, which some members of the European Parliament (EP) feel should be addressed in the new law. Given the deep digital integration of the US and EU economies and the trans-Atlantic alliance structure, EU cyber policy will have immediate and noteworthy ramifications for American policymakers.

The European Cyber Strategy and the NIS Directive

A primary deficiency noted in the strategy is the wild divergence in preparedness across member states. The strategy sets three key benchmarks for addressing this. First, it calls on each member state to designate one national agency to act as a coordinating “one-stop shop” for cyber policy and operations. Second, it requires that each member state have coordinating national CERTs that would act as operational hubs, or “cyber FEMAs”, in the event of major cyber incidents. Third, it calls for all member states to ratify the 2002 Budapest Convention as a baseline policy for combating cybercrime. The NIS Directive aims at operationalizing the goals of the cyber strategy by establishing minimum standards on network and information security. The legislation, slated for its first vote in EP plenary in March 2014, includes provisions to establish national cyber regulators and CERTs, uniform breach reporting, and enhanced networks for information sharing across member states and with the private sector.

While American observers of EU cyber policy have generally welcomed the legislation, it diverges from the emerging cyber framework in the US in several ways. First, the NIS Directive requires compulsory disclosure to national authorities in the event of a breach, unlike CISPA’s voluntary information-disclosure requirements. This tough reporting requirement has unsettled many American IT companies, particularly given that thresholds for required notification remain undefined. Notably, the compulsory requirement for companies to report incidents to governments is not matched by similar requirements for governments to share information with industry. US stakeholders in Europe have criticized this “one-way” requirement, claiming that the strategy lacks incentives for companies to collaborate with national authorities. Governments can keep timely and actionable information classified, leaving cooperating companies vulnerable and limiting the ability of others to integrate lessons learned and other best practices from past incidents. In the US, by contrast, the information-sharing arrangement between government and the private sector is mutual.

The second major divergence from emerging US cyber policy is the definition of “critical infrastructure”—the sectors that will be required to comply with reporting requirements. The NIS Directive identifies a wide array of sectors including energy, transport, banking and healthcare. A number of Internet companies are also included, a major departure from the Obama administration’s executive order and NIST Framework. The European strategy even explicitly lists a number of companies that will be required to provide breach information to governments. These include enabling providers such as e-commerce markets (eBay, Kayak), social networks (Facebook, Twitter) and search engines (Google, Yahoo!). A preponderance of attention has been paid to US companies in the designation of critical infrastructure, which has been an additional source of American concern.

Finally, the strategy and NIS Directive draw attention to the underdeveloped state of the indigenous industrial base for cyber security technology, which is increasingly seen as a security risk. The strategy calls for increased R&D, product standardization, and financing incentives that would allow ICT to become a strategic sector. The draft legislation even compares the cyber-industrial base to the aviation sector. The strategy hints at linking funding for cyber-research projects through the EU’s massive R&D program, Horizon 2020, to their development within the EU. It remains unclear how US-based universities and research institutions would have access to these tenders and collaborate with EU partners.


Given the differences in preparedness across member states, the directive offers a degree of flexibility for each state to transpose the strategy into national law in accordance with its own legal framework and political system. From Estonia, where the information ministry coordinates a massive, nationwide preparedness, resilience and response effort, to some countries in the eurozone south, which have yet to designate a coordinator, approaches to cyber-coordination vary markedly. Most countries lie in the middle of the range, with interior ministries serving as government coordinators. This designated national coordinating body—usually the interior ministry—would also be the agency to which businesses would be required to report major cyber incidents.



Re-thinking Privacy

In addition to new cyber legislation, the EU has been working to develop its online privacy regime, an area that has also led to friction with the US. The 1995 Data Protection Directive, the basis for enshrining integrity, confidentiality and availability of EU citizens’ personal data in accordance with the European Charter for Human Rights, is considered a “gold standard” in Europe. In January 2012, the European Commission proposed a unified General Data Protection Regulation to harmonize the EU approach to data protection and hold foreign companies accountable for all EU citizens’ data. Revelations in summer 2013 of data collection by the NSA led to debates about using the regulation to more forcefully guarantee compliance by US companies by forcing them to comply with European data-protection standards. When adopting its position for negotiations with Council, the EP re-inserted tougher provisions into the draft data-protection law, putting strict limits on conditions under which users’ data can be transferred to third countries. Companies flouting this provision could be hit with a financial penalty of up to five percent of global turnover. The rule, misleadingly called the anti-NSA provision, maintains an exemption for matters related to national security. In the aftermath of the Snowden disclosure, some have questioned if the US propagates a similar extraterritorial enforcement of its laws by compelling European (and other) subsidiaries of US companies such as Amazon, Google and Facebook to render data to American authorities. The EU measure attempts to address the potential extraterritorial application of US law in Europe but could compel US digital companies to adhere to diametrically conflicting sets of legal requirements. The EP voted on a version of the regulation in October 2013, but completion of the regulation before EP elections in May 2014 appears unlikely.

The NSA revelations are also affecting other areas of EU online economic policy. Some European “sovereign cloud” projects are gaining traction as alternatives to US-based services due to their more stringent adherence to emerging EU breach and privacy laws. These projects are marketed to prospective users as local alternatives to major American IT service providers, which are perceived to have cozy data-sharing relationships with US intelligence agencies.

Trans-Atlantic Cooperation on Cyber Security

US-EU cooperation on cyber security has been mixed. In 2010, the two established a cyber-security working group on the margins of a Lisbon US-EU summit. The working group on cyber security intends to hold a joint simulation exercise in 2014 as a follow-on to their 2011 Cyber-Atlantic simulation. The working group, however, is still perceived as somewhat inactive. Prior to the NSA revelations, the highly sensitive dynamic on information-sharing and data flows had not been significantly incorporated into talks on cyber security. Recent agreements between the two sides, including on the Terrorist Finance Tracking Program (TFTP) and the Passenger Name Record (PNR), dealt with intelligence related to suspected terrorists. In addition, the US and EU have been negotiating a separate comprehensive data-protection framework agreement. In the wake of the Snowden revelations, talks have intensified, and the role of digital commerce and data flows has become an essential point of contention for the EU. Many members of the EP contend that a Comprehensive Data Protection Agreement must be concluded before the EP ratifies the Transatlantic Trade and Investment Partnership (TTIP), the prospective US-EU free-trade agreement. However, the extent to which forthcoming TTIP negotiations will address data protection and cyber security remains unclear. What is clear is that the NIS Directive and Data Protection Regulation could lead to conflicting legal regimes across the Atlantic, creating a jurisdictional “spaghetti bowl” in which compliance with one regime negates compliance with the other. Without greater US-EU cyber-security cooperation, trans-Atlantic pre-eminence in online security and prosperity could be under threat.



Key Players to Watch on EU Cyber Policy

EU High Representative for Foreign Affairs and Security Policy and Vice President of the European Commission: Baroness Catherine Ashton

European Commissioner for Digital Agenda and Vice President of the EC: Neelie Kroes

European Commissioner for Home Affairs: Cecilia Malmström

Rapporteur for Data Protection Regulation, European Parliament Committee on Civil Liberties, Justice and Home Affairs: Jan Phillip Albrecht (MEP-Germany)

Rapporteur for Network and Information Security Directive, European Parliament Committee on Industry, Research and Energy: Pilar del Castillo Vera (MEP-Spain)

Rapporteur for Network and Information Security Directive, European Parliament Committee on Internal Market and Consumer Protection: Andreas Schwab (MEP-Germany)
