4.3. CYBER SECURITY/DEFENCE AND THE CSDP

by Jan Peter Giesecke

Our modern information society is deeply dependent on the availability of free and secure access to cyberspace and to the internet. This is true in nearly all areas of our lives, including, of course, in foreign and defence policy. The EU’s Common Security and Defence Policy (CSDP) activities, including civilian and military missions and operations, are no exception. They benefit from the digital world and their success is directly linked to the availability of assured information and functioning communication and information systems.

THE NEW THREAT LANDSCAPE

Cyberspace and the internet are increasingly becoming a new battlefield. Cyber-attacks are part of daily business, and at the same time are becoming more sophisticated, ranging from massive denial-of-service attacks to advanced and complex intrusions aimed at gathering, stealing, encrypting or manipulating and compromising information. Adversaries vary from ‘script kiddies’ and hacktivists to criminals, terrorists and state actors – or are supported by them. They have identified our dependencies and target our vulnerabilities, using the cyber domain to gain an asymmetric advantage and accomplish economic, political or military objectives anonymously and unattributed, while remaining below the threshold of armed conflict.

The EU institutions’ networks too are constantly being probed and tested, and although there is no evidence yet of their being targeted, CSDP operations and missions are already facing a growing cyber dimension. Today’s conflicts are increasingly supported by disinformation campaigns based on social media, or by destabilisation operations with cyber-attacks on enabling sectors. Cyber activities must therefore be considered as part of all future scenarios, comprehensively examined, and integrated into the broader crisis response and taken into account when countering hybrid threats. With this in mind, what can we do and what has been done so far, in particular in the area of CSDP?

POLITICAL FRAMEWORKS

In 2013, recognising the need for increased cyber security and for an ‘open, safe and secure cyberspace’, the EU institutions developed the EU Cybersecurity Strategy. Based on this, the European External Action Service (EEAS), as the home of CSDP, developed an EU Cyber Defence Policy Framework (CDPF) in 2014. The aim of the policy framework was to improve cyber defence resilience and capabilities for the implementation of CSDP activities, by tracking, interconnecting and coordinating all of the work carried out by the various stakeholders at the EEAS and beyond.

Recently, the Global Strategy for the European Union’s Foreign and Security Policy designated cyber security and defence as a priority, focusing on both resilience and protection, and addressing in particular the need to cooperate and to share information among Member States (MS) and also with military and civilian partners.

These strategic documents form a valuable foundation and framework for cyber security and defence in CSDP. But what does this all mean in a practical sense?

CYBER SECURITY AND DEFENCE IN PRACTICE

Cyber security and defence have been taken into consideration in CSDP operations and missions for several years, but to varying degrees. Cyber capabilities depend primarily on what mission or operation commanders request, mainly based on the situation, their perception of the cyber threat and their decision on how much to ‘invest’ in various capabilities. Thus cyber security and defence measures in ongoing operations and missions vary from rather basic security and information assurance measures to well-established, state-of-the-art protection and resilience to defend command and control and communication and information systems.

In future, all CSDP missions and operations will have to give appropriate consideration to cyber security and defence. For the three most recent of them (EUMAM RCA, EUNAVFORMED SOPHIA, EUTM RCA) this has already been done. However, for the moment the topic has been introduced only on a best practice level. There are as yet no formal structures or procedures for the assured and effective consideration of cyber threats in planning which could form a basis for defining appropriate requirements for the cyber defence capabilities to be made available for missions and operations.

Figure: Cyber defence organisation within the Common Security and Defence Policy. (Source: European Union/EU Military Staff)

THE CYBER DEFENCE CONCEPT

In view of this, in 2016 the EUMS, as the EU’s and the EEAS’s provider of military expertise, developed a new version of the EU Concept for Cyber Defence for military operations and missions, reflecting the specific organisational and procedural aspects of military planning and military force generation and addressing requirements for MS’ provision of cyber capabilities for CSDP activities. As civilian missions do not depend on MS’ capabilities, work has started on a complementary concept for the implementation of cyber security in purely civilian missions, addressing the specific aspects thereof and taking into account the military concept.

At this point, we must understand that the EU and the EEAS use the term ‘cyber security’ mainly in the civilian context and link the term ‘cyber defence’ to military action, even though the two concepts are closely connected, covering the same threats, relying on the same basic principles and using similar measures. While the statements made in this article are, in principle, valid for the broader term ‘cyber security and defence’, it will focus on cyber defence and the principles and guidance reflected in the Cyber Defence Concept.

Planning cyber defence

The first principle for ensuring effective cyber security and defence, similar to a lesson identified during recent planning activities, is to consider cyber aspects as early as possible in the EU’s crisis management and planning processes. Cyber aspects must therefore be considered and included in the overall threat evaluation for the planned operation or mission. Information in the form of a cyber threat landscape should be provided by the EU’s strategic intelligence structures, based around EEAS INTCEN and the INTEL Directorate of EUMS, and should be supported by information sharing, for instance with the EU’s cyber information hub (CERT-EU), military partners such as NATO, and of course MS’ cyber information providers.

Together with INTEL experts, the EUMS cyber defence team will assess the information provided and support the operation/mission planning teams, inserting a cyber narrative into initial planning documents (notably the Crisis Management Concept and the Initiating Military Directive) and thereby providing a sound basis for further planning. On that basis, the designated operation or mission commander and his or her staff – supported by further intelligence and a more in-depth analysis of threats and risks from cyberspace in the area of operations – are able to take a decision on the importance of cyber defence and to define, in the concept of operations and the operation or mission plan, how an effective defence against potential threats from cyberspace can be achieved, requesting the necessary capabilities to ensure the resilience and protection of the IT systems and networks to be used for the mission or operation.

Since the EUMS does not provide or deploy any operational cyber capabilities, these must generally be requested from the MSs which are supporting the CSDP activity in question and are willing to provide forces. Therefore, in general, MSs are responsible for providing capabilities. They are given guidance and advice on this in the Cyber Concept. But what is meant by this general term ‘cyber capabilities’?

Implementing cyber defence

The implementation of cyber security and defence in the CSDP involves far more than simply providing some protection mechanisms in networks. The term ‘capabilities’ has therefore been considered in the Cyber Defence Concept in a broader context, covering doctrinal, organisational, training/exercise, material, leadership, personnel, facilities and interoperability aspects (using the DOTMLPF-I scheme). Besides ‘simple’ material protection it is mainly concerned with the preparation of systems, structures, procedures and, especially, the people involved, to ensure their resilience against threats from cyberspace. This cyber resilience and the related capabilities must in fact be established and put into practice long before the planning processes start.

Information and communication technology (ICT), which is the basis for the systems and networks used in CSDP action, cannot be made cyber-resilient when being handed over to a commander. ICT providers, whether they are MS, EU institutions or contractors in general, must develop their systems in compliance with standardised basic design requirements and necessary security and assurance rules (‘design-to-security’).

As during the planning phase, organisational elements and procedures to ensure effective cyber defence must also be put in place during the conduct phase of operations and missions. Therefore, structures known as ‘cyber cells’ should be established within every OHQ/FHQ, to provide a continuous assessment of the cyber threat information received from the supporting intelligence structures. A cyber cell should advise decision-makers in the HQ, providing agreed and appropriate actions or reactions. Therefore, the cells work closely with the security operation centres (SOCs), which are responsible for running the risk management for the mission’s networks, observing the networks and identifying, prioritising and mitigating risks. Standardised operations procedures (SOPs) are needed to complement these organisational elements, and will ensure that both the strategic and the operational level of missions and operations act and react appropriately and without delay and allow for ‘defence in depth’.

Mitigating the human risks

The most important aspect of resilience is to prepare the people involved. The most common ‘cyber-vulnerability’ remains the human element. Mitigating the human risks essentially requires a change in culture and behaviour in handling and working with ICT, to be achieved through constant education and training. This must be supplemented with up-to-date knowledge and awareness of the threat environment through regular cyber awareness training. In addition, between this basic education for all ICT users and the training for deep specialists (the ‘geeks’) at the other end, there are various specific training requirements, for instance for cyber advisers, for specialists in the definition of cyber capability requirements and in cyber intelligence, and in particular for decision-makers and their planners, including legal and political advisers. They must be able to understand detailed cyber-related information and intelligence reports and to know about the impact of cyber operations when immediate decisions are required on how to react in the event of an incident. It is therefore essential to provide them with training and exercises on these issues, so as to bridge the typical ‘mind gap’ between the higher-level decision-makers and the real specialists, and to build up broader operational excellence for an effective posture against threats from cyberspace.

CYBER SECURITY AND DEFENCE IN THE CSDP: THE WAY AHEAD

While the Cyber Defence Concept addresses the various aspects of an effective cyber defence capability at a fairly high level, this must be translated into actionable work packages.

One major aspect of this is the development of more concrete requirements and specific cyber capability packages which can be implemented by potential providers – mainly the MS, but also civilian contractors.

As a basis for building the new capability requirement catalogue in the framework of the implementation of the Global Strategy, cyber aspects and a threat landscape must be injected into existing scenarios, considering cyber as an operational domain.

Subsequently, concrete and detailed cyber capabilities must be defined, supported and flanked by the studies carried out by the European Defence Agency (EDA) and its cyber defence project team.

Although the new Cyber Defence Concept already provides a basic understanding for appropriate action and reaction, SOPs must be developed as a next step in cooperation between the EUMS and operational stakeholders from HQ level.

This also comprises the development of business continuity and recovery plans, to ensure that operations can continue even in a degraded and contested cyber environment.

A third aspect is of course education, training and exercises and the streamlining of the EU’s cyber defence education and training landscape.

Supported by the EUMS and the MSs, the cyber discipline within the EU Military Training Working Group, the European Security and Defence College (ESDC) and the EDA are working hand-in-hand on new initiatives for the design, development, conduct and evaluation of training activities and exercises, from awareness training up to courses for high-level decision-makers.

COOPERATION WITH PARTNERS

A key enabler for the implementation of these aspects is cooperation with civilian and military partners. While cyber expertise from industry and academia is linked to the processes mainly by the EDA and the ESDC, the EUMS interacts closely with NATO on military aspects of cyber defence, although this remains rather informal as yet. The implementation plan of the EU-NATO Joint Declaration, which was adopted by Council conclusions in December 2016, gives huge impetus not only to the common use and development of training and exercises by the two organisations, but also to exchanges and involvement in cyber policy work and cyber information sharing, to increase synergies, avoid duplication and allow the organisations to understand each other’s mechanisms.

Besides this, some first steps have also been taken towards closer cooperation between cyber security and defence in CSDP and cyber security in civilian sectors (counter-terrorism and crime, energy and aviation) which are covered by the Commission and related agencies like the Network and Information Security Agency (ENISA) or the European Cyber Crime Centre in Europol (EC3), for instance in pooling and sharing training and mutual attendance of and support for exercises (such as ‘Multi Layer’ and ‘Cyber Europe’).

CONCLUSION

The success of cyber security and defence in CSDP operations and missions remains dependent on a well-balanced combination of state-of-the-art technology, well-functioning structures and procedures, and of course educated, aware and competent staff. But more than ever this has to be enabled by cooperation and information-sharing agreements, both with external partners such as NATO and internally across MS and EU institutions. Facing the upcoming structural changes and the integration of civil and military elements in crisis management and response, there is a strong need for an integrated approach to counter cyber threats (including hybrid threats), and hence to merge the somewhat divided cyber security and cyber defence efforts and measures to allow for a stronger posture across all military and civilian CSDP activities.
