European Union Agency for Network and Information Security

Cybersecurity in the EU Common Security and Defence Policy (CSDP) – Challenges and risks for the EU
ENISA - a study for the STOA Panel
Interim report presentation | Brussels | 23 March 2017


Outline

• Project overview
  - Background
  - Methodology
  - Project status
  - Scope
• Analysis
  - Challenges
  - Capacity building
  - Cyber and CSDP
  - Policy options (draft)
• Conclusions

Cybersecurity in the EU Common Security and Defence Policy (CSDP) – Challenges and risks for the EU | ENISA - SERVICE CONTRACT EPRS/STOA/SER/2016/214


Background

• Study for the European Parliament - Subcommittee on Security and Defence (SEDE)

The Science and Technology Options Assessment (STOA) Panel

• Commissioned the European Union Agency for Network and Information Security (ENISA) to carry out the study under SERVICE CONTRACT EPRS/STOA/SER/2016/214


Methodology

Questionnaires

• Policy challenges
• Capacity building
• CSDP
• NATO experience

External consultation

• EU Institutions
• Academia
• NATO
• Public Sector

Internal collaboration

• Meetings
• Drafting
• Reviewing
• Validation

Literature research

• Policies
• Capacity building
• EU action plans
• CSDP


Contributors

• EU Institutions: EEAS, EDA
• Academia: Global Cyber Capacity Centre, LUISS School of Government, Oxford University
• NATO experts: CCDCoE, Allied Command Operations, NHQC3S
• Public sector: MELANI
• Secure infrastructure and services unit
• Data security and standardization unit
• Operational security unit (Project manager)


Project status

90%

Tasks:

• Delivery of the Interim report - D1 √
• Integration of comments on the Interim report √
• Presentation of the Interim report - D2 √
• Policy options and final report - D3 (Ongoing - 90%) - Delivery 31st March
• Presentation of the final report – D4 - Delivery 6th April


Scope

Risks Challenges Opportunities

EU’s cyber reaction in the CSDP context

Strategic decision making

Resilience of infrastructure

Improve


Thematic areas

1. Policy challenges

• At EU, Member State and International levels
• Technological innovation and cyber norms
• EU-level and International cooperation

2. Capacity building

• State of play within and beyond the EU
• Attribution of cyber-attacks
• The role of the private sector

3. CD & CSDP

• Threat landscape for CSDP missions
• Integration of Cyber Defence into Operational Planning
• EU-NATO cooperation


Policy options

Cyber resilience

Cyber defence policy

CSDP Capabilities

Industry

Technology

International cyber policy


Policy options

EU’s cyber reaction in the CSDP context

Strategic decision making

Resilience of infrastructure

Improve


Analysis


Cybersecurity in the EU Common Security and Defence Policy (CSDP) – Challenges and risks for the EU | Georgios Chatzichristos

Gap analysis

CSDP context Goals

?


Modelling cyber capacities

Theme areas

1. Policy challenges
2. Capacity building
3. CD & CSDP

1. Cybersecurity policy and strategies
2. Cyber culture and society
3. Education, training & skills
4. Legal & regulatory frameworks
5. Standards, organization & technology

CSDP


Policy challenges

• The delicate balance between MSs & EU powers and responsibilities
• The complex set of mandates within EU institutions
• Use of cyber space in warfare? Is law of armed conflicts applicable?
• Hybrid technologies
• Cyber taxonomy
• The number and diversity of cyber actors
• Military and civilian overlaps
• Limited availability of data to support policy development


Cyber norms and CBMs

Cyber norms

Technological innovation


Current status

EU cyber defence policy framework

• 5 priorities
• 44 action items

Do we need something more than this?


Current status

EU cyber defence policy framework

• 5 priorities
• 44 action items

Gaps?

How about the Operational and tactical layer?


Analysis

1. Cybersecurity policy and strategies
2. Cyber culture and society
3. Education, training & skills
4. Legal & regulatory frameworks
5. Standards, organization & technology

Identify gaps at the Political/Strategic layer

Propose measures at the Operational & tactical

Covering all five dimensions of the CMM model

Cover gaps at the Political/Strategic layer


Cyber and CSDP


Cyber and CSDP

[Figure labels: Good guys; Bad guys; Rather Good guys; Rather Good guys; Good guys; Good guys ? -> Cyber ?]


Cyber and CSDP

[Figure labels: Good guys ?; Bad guys ?; Rather Good guys ?; Rather Good guys ?; Good guys ?]


CSDP missions


Organisational issues

Different Operational Commands

Coordination

Ad hoc structures

Cyber space

Cyber defence is a collective effort


Threat landscape

THREAT LEVEL   DESCRIPTION                    TIER   ACTOR
A              Known vulnerabilities          1      Practitioners relying on others
                                              2      Developers
B              Unknown vulnerabilities        3      Developers with a plan
                                              4      Criminal or State actors
C              Creation of vulnerabilities    5      State actors
                                              6      States

Legend:

• Cyber Domain related
• Other Domain related
• INFOSEC related

• Networks & systems controlled and assured by CSDP mission commander
• Networks & systems vital for the CSDP mission, controlled & assured by non-EU institutions or public or private entities outside the EU
• Networks & systems vital for the CSDP mission, controlled & assured by EU institutions or public/private entities within the EU


Threat landscape

• Networks & systems controlled and assured by CSDP mission commander
• Networks & systems vital for the CSDP mission, controlled & assured by non-EU institutions or public or private entities outside the EU
• Networks & systems vital for the CSDP mission, controlled & assured by EU institutions or public/private entities within the EU

Legend:

• Cyber Domain related
• Other Domain related
• INFOSEC related


Policy options

under development

EU cyber defence policy framework


Policy options

1. Maintain coherent cyber policies and strategies at the EU level
2. Promote cyber culture
3. Develop cyber skills
4. Enhance legal & regulatory frameworks
5. Develop standards, organization & capabilities

• Incident response
• CIP
• Cyber defense
• Cyber resilience
• Cyber mind-set
• Trust
• Identity protection
• Cyber crime
• Social media
• Cyber competencies
• Integration to CSDP OPS & Exercises
• Legislation
• Law enforcement
• Norms & CBMs
• International Cooperation
• Cooperation with the private sector
• Adopt common standards
• Standing CSDP CD structure
• Develop capabilities at EU & MS level


Summary

01 Cyber domain is not limited to CSDP - aspects/policies/options beyond CSDP need to be considered

02 Coherence and maturity through modelling

03 Build of trust – the human factor

04 Organisational weaknesses

05 Integration of cyber into CSDP operations (military/civilian)
