BRUSSELS — The European Commission is calling for EU member states to develop national network information security cooperation plans to be activated in the case of cyber incidents.
In a strategy unveiled Feb. 7, the commission argues that member states should be able to clearly allocate roles and responsibilities to optimize response. Information sharing between national entities and with the private sector should be encouraged to enable the member states and the private sector to maintain an overall view of different threats and get a better understanding of new trends and techniques used to commit cyber attacks, says the strategy.
“The prevention, detection and response to cyber incidents should improve and member states and the Commission should keep each other more closely informed about major cyber incidents or attacks,” the commission says.
“If the incident seems to relate to cyber espionage or a state-sponsored attack, or has national security implications, national security and defence authorities will alert their relevant counterparts, so that they know they are under attack and can defend themselves. Early warning mechanisms will then be activated and, if required, so will crisis management or other procedures,” says the commission.
“A particularly serious cyber incident or attack could constitute sufficient ground for a member state to invoke the EU Solidarity Clause (Article 222 of the Treaty on the Functioning of the European Union),” it adds.
In response to a question about cyber attacks coming from China, the EU’s foreign policy chief, Catherine Ashton, refused to comment on intelligence operations regarding the origins of cyber attacks. However, she did say that cybersecurity was an increasing part of the EU’s dialogues with other countries, including China, India and the U.S.
The commission also makes it clear that it is not planning to take on a supervisory role with regard to cybersecurity.
“Given the complexity of the issue and the diverse range of actors involved, centralised, European supervision is not the answer. National governments are best placed to organise the prevention and response to cyber incidents and attacks, and to establish contacts and network with the private sector and the general public across their established policy streams and legal frameworks,” it says.
In terms of civil-military coordination, the strategy pushes for “coordination and collaboration” among the EU’s Network Information Security Agency, the Europol Cybercrime Centre and the European Defence Agency (EDA) “in a number of areas where they are jointly involved, notably in terms of trends analysis, risk assessment, training and sharing of best practices.”
The EU military staff and the EDA cyberdefense project team can be used as the vector for coordination, adds the strategy.
The strategy will now be sent to EU countries and the European Parliament for their endorsement. Progress toward achieving these objectives will be assessed at a high-level conference in a year’s time.