Analysts have broadly welcomed the formation of a new cyber unit to coordinate responses among member states to cyber-incidents, though warn its effectiveness could be compromised by distrust toward EU bodies.
The European Commission on Wednesday laid out plans to build a new Joint Cyber Unit to coordinate responses among members states and EU bodies to the rising number of serious cyber-incidents impacting on the bloc’s public, commercial and private arenas.
The EU, like the rest of the world, has been struggling to meet the threat of what is being called “an epoch of intensifying cyber-insecurity”. In April, a range of EU institutions, including the Commission, were hit by a significant cyber-attack, part of a growing spate of brazen attacks being committed by states conducting espionage and seeking vulnerabilities, as well as criminal gangs often operating out of Russia, Iran and China.
The true scale of the problem is hard to assess, though Bitdefender’s 2020 Consumer Threat Landscape Report estimated ransomware attacks increased by 485 per cent in 2020 from the year before. So far this year, losses of over $350 million have been incurred in ransomware attacks, according to US Homeland Security Secretary Alejandro Mayorkas.
The EU’s planned Joint Cyber Unit, to be located next to the new Brussels office of the EU Agency for Cybersecurity (ENISA) and the Computer Emergency Response Team for EU institutions, bodies and agencies (CERT-EU), is an attempt to create a platform to ensure the bloc can provide a coordinated response to large-scale cyber-incidents and crises, as well as to offer assistance to member states in recovering from these attacks.
As such, it will bring together European cyber-security communities – including civilian, law enforcement, diplomatic and cyber-defence, as well as private sector partners – which it says too often operate separately. Invited participants will be asked to provide operational resources for mutual assistance within the Joint Cyber Unit.
Ultimately, the Joint Cyber Unit would allow for protocols for mutual assistance between member states and EU bodies, and for national and cross-border monitoring and detection.
The Commission said it wants to establish the unit on a phased basis over four steps, with plans for it become operational by June 2022 and fully established by June 2023.
“We need to pool all our resources to defeat cyber-risks and enhance our operational capacity,” Margaritis Schinas, vice-president of the Commission, told a press conference.
The move was broadly welcomed by cyber-security analysts, who said that if the purpose of the Joint Cyber Unit is to have a pool of IT experts which can be thrown into the frontline of cyber-warfare, then it is a positive move.
However, Marcin Zaborowski, Policy Director of Globsec’s Future of Security Programme, warns that the new agency risks becoming like the EU Battlegroups in security and defence, which were formed in 2005 but have remained on standby ever since because there was never a time when all EU members states could agree on their deployment. “I am worried you might have the same thing here, that the rules of engagement will mean it is unable to get the unanimous agreement from all member states,” he tells BIRN.
He cites this week’s cyberattack on Poland’s top politicians and officials, which Jaroslaw Kaczynski, Poland’s chairman of the Committee for National Security and Defence Affairs, said in a statement was “wide-ranging” and carried out from the territory of the Russian Federation.
Aside from continuing confusion over whether this was actually an external attack or merely sloppy internet security by key officials, there remains the question over to what extent a Eurosceptic government like Poland would be prepared to give EU bodies like the new Joint Cyber Unit access to very sensitive, privileged national information.
“I would like to see tasks of the Unit drawn up that are truly workable and practicable, and areas of operation where the EU member states do feel comfortable. If it tries to get into things that are easily blocked by member states because they do not want to share information, then you have an announcement of the Unit but nothing more than a policy,” Zaborowski says.
Jonathan Terra, a Prague-based political scientist and former US diplomat, cautioned that being very public about ramping up and coordinating your ability to respond may, paradoxically, provoke more attacks than otherwise might have happened.
“Hackers, especially those doing covert state work, will attempt to defeat any new measures to show that they can act at will. Then as the cooperative ‘EU cyber-response’ mechanism goes into action, and damage assessment takes place, it will become clear that the key to dealing with this threat is to have a strong deterrent, which the EU doesn’t really have as an independent unitary actor,” he says.