
EU Cyber Security

James Panichi, Brussels, January 21, 2013

The European Union is working on legislation which will force member countries to work together in responding to cyber attacks. But not everyone is on board. DW examines the proposals.

[Image: Chaos Computer Club. Credit: picture-alliance/dpa]

It's a worst-case scenario the modern world just can't ignore: a cyber attack which brings down essential services and infrastructure.

Yet government experts across Europe are taking this network doomsday idea seriously enough to develop strategies to respond to large failures of information systems. The problem is that not all of the EU's 27 members are giving cyber security the same priority. 

The planned overhaul of Europe's myriad cyber security response capabilities - expected to be announced later this month - is recognition that the majority of EU states are failing to keep up with the standards being set by a core group of seven or eight countries. And with information networks now going beyond national borders, cyber security in Europe is only as strong as its weakest link.

The European Commission - the EU's executive - will adopt a wide-ranging cyber-security policy by the end of this month, in an attempt to harmonise the myriad national responses to cyber threats. However, the centrepiece of the legislative package is attracting criticism.

No rising Tsar

Cyber security refers to the defence of large information systems which may affect key services and infrastructure - for example hospitals, power plants and transport. The protection of personal data and the defence of individual privacy come under a separate EU legislative framework and are not included in these reforms.

Incidents which can affect the security of information systems range from natural disasters and human error to outright system failures - for example, a failed software upgrade. But "cyber incidents" may also be the result of criminal activity, whether from people hacking into a network for profit or from terrorist or state-sponsored attacks.

The purpose of the reforms put forward by the EU's Commissioner for the Digital Agenda Neelie Kroes is to get lagging European countries up to speed in developing adequate strategies to respond to cyber attacks. It is also an attempt to create a network of offices within European ministries capable of working together, while also promoting compatible legislative reform around Europe.

However, the European Commission is keen to stress that the plan will not include the creation of a US-style cyber security "Tsar" in Brussels. Commission officials say responsibility for cyber security will remain with national governments.

Mandatory reporting

The legislative reform at the heart of the new framework will force companies which store information on the internet to report all major security breaches.

[Image: Thomas Boué of the Brussels-based Business Software Alliance, who sees problems with mandatory reporting. Credit: Business Software Alliance]

Under the proposed directive, all critical infrastructure - even that run by private or publicly listed companies - will have to notify relevant national authorities if they have suffered data breaches.

The mandatory reporting will also extend to information "enablers" - any private actor used by essential services and infrastructure to store data. This could include cloud computing, social networks, and even companies such as PayPal, Google, Facebook, Amazon and eBay.

The reporting of breaches, which would not necessarily be made public, is designed to force often secretive companies to share information and develop adequate responses. It would also help government cyber-security experts to better understand the nature of the threat and how it may affect essential infrastructure.

Yet the proposed forced disclosure of cyber attacks has raised some concern among internet companies operating in Europe.

The Business Software Alliance, whose members include Apple, IBM and Intel, supports the goals of the directive but fears the disclosure component could bring security risks of its own.

"We are concerned that if companies disclose this highly sensitive information, this will […] create opportunities for the exploitation of these vulnerabilities by bad actors," the Alliance's Thomas Boué told DW in Brussels.

"[We would prefer] reporting once the issue has been addressed, in order to show compliance, […] that things have been clarified and there is no more problem," Boué says.

Security or defence?

Some critics of the proposed changes fear that they could lead to what one group has called the "militarisation" of cyber security. In other words, they fear that funds earmarked for cyber security could be channelled into military cyber security initiatives rather than genuine policing.

The European Digital Rights group (EDRI), a civil rights NGO, says the reforms are "totally misguided" because they create government-to-government links rather than bringing in law enforcement agencies from across Europe.

This, EDRI argues, leaves the door open to cyber security being taken over by member countries' defence priorities.

But EU officials have rejected the suggestion, saying they expect the initiative will be run from the states' telecommunications ministries and that it will incorporate European values of peace and transparency.