Last week the EU published its cybersecurity strategy. It is a fairly succinct and interesting document, which rests upon the sensible assumption that cybersecurity is far too important a matter to be left to the experts.
A strategy is something that formulates a number of ends and then decides how to achieve these ends using specific means. A European cyberstrategy does just that, in the area of cybersecurity and for the 27 member states.
Cybersecurity is an interesting test case, because it is an area in which threats and vulnerabilities are essentially comparable across the board. Developing a common response to these common threats therefore is likely to be more effective than doing so in 27 different ways. The EU’s cyberstrategy is predicated on just such logic. It aims to plug capability gaps across the EU and to this end it sets out a number of means.
Firstly it calls on member states to produce their own national cybersecurity strategies and thereby establish clear national “strategic objectives, and concrete policy actions”. As Nick Witney has noted, insisting upon the need for cybersecurity is of little use if you are not prepared to decide whose job it is to ensure it. For example, it helps to ask whether the armed forces are really the national authority best placed to deal with such threats. Accordingly the document goes on to recommend member states “designate national competent authorities for NIS [network and information security]”, which could act as “focal points for cross-border cooperation at Union level”.
What such a document achieves is start to establish a common frame, give member states a collective reference point, and turn a motley collection of national policies into a strategy. On the whole, it is likely to increase effectiveness at both national and European level. So the real question is – why is the exercise so remarkably rare at EU level? Why is not Europe more strategic?
With its position on the global scene shifting so decidedly, you would be forgiven for thinking Europe could well do with a bit more strategy. And yet rather than fashion a coherent, proactive foreign policy, the EU has mostly been content to meander along, sporadically reacting to those crises that unfold in its backyard. With the worst of the crisis over, EU states are busy shifting the focus back to domestic issues -- and so Europe turns inwards once more, impervious to the blistering pace at which the world is changing around it.
What is Europe's strategy in Libya, Syria or Mali? As Richard Gowan recently pointed out, the EU seems to have simply settled for improvisation over strategy as a default modus operandi. At first glance, there is a wealth of strategic documents that purport to answer such questions: the EU has a number of regional sub-strategies, covering the Sahel or the Horn of Africa. It has a constellation of low-level, technical and operational papers, and an internal security strategy. But there is a yawning gap at the top that drowns the impact of such documents. The fact that the European Security Strategy has not been updated in ten years is only one illustration of this drought in high-level strategic thinking. So it’s not just a document we need, it’s a discussion.
Take the cybersecurity strategy. It has been lambasted on various counts already – alternatively for being too top-down, or not top-down enough; done on too small a scale, or too grand a scale. No matter. This is the kind of debate and the kind of criticism we need, at a time when the broader European foreign policy arena lacks people using the same language to describe the same things. It is the brand of discussion that gets people around a table, using the same language to thrash out a common vision. Only with a modicum of shared strategic culture are we ever likely to draw up a useful document.
Creating a measure of informed debate is therefore the more difficult part, but it is already underway. A number of public policy initiatives have burgeoned, and will hopefully continue to do so in the run-up to the EU Council of December 2013 for which defence is on the agenda. The rest is comparatively less difficult. The EU cyberstrategy itself, in fact, uses a number of the necessary building blocks.
Firstly it suggests any effective cyberstrategy must be buttressed by a clear set of values Europe seeks to promote, and a coherent international policy. It advocates development of EU cyberdefence capabilities in all areas: doctrine, leadership, organisation, personnel, training, technology, infrastructure, logistics and interoperability. It deplores unnecessary duplication and insists on EU/NATO interaction. It pushes for a more integrated global approach, “given that threats are multifaceted, synergies between civilian and military approaches in protecting critical cyber assets should be enhanced.” It recommends developing industrial and technological resources, promoting a single market for cybersecurity products, fostering R&D investments and innovation. Finally it looks to foster collaboration amongst cybersecurity agencies and the European Defence agency.
In principle, it is all there – high-level strategy, foreign policy priorities, values, doctrine, capability development, operational issues, a single market, an industrial and technological base. We just need to make sure we understand what we mean by it all.
Special edition of China Analysis
Essay collection on China's rise and Asia's response.
Chinesische Experten und Intellektuelle analysieren im ECFR-Essayband „China 3.0“ die politischen Trends, die das neue China ausmachen.