The rapid development of technology and the fast digitalization of all spheres of life around the globe have increased the importance of providing cyber security at all levels. Since 2015 the number of cyberattacks targeting EU member states has increased by 300%. The need to tackle cyber crime, cyber terrorism, cyber espionage and cyber attacks pushes countries and organizations to develop new approaches to security. One such approach is cyber resilience, which, unlike cyber security, does not aim at complete protection against cyber risks: it holds that risks are unavoidable and that effort should go into reducing their harm and recovering quickly. From a policy perspective, attention to cyber security and cyber resilience has grown constantly in recent years. However, the two concepts are often used interchangeably and inconsistently.
While the development of technology and digital communications in the EU began long ago, cyber security issues were put on the agenda only recently. A high number of cyber attacks on critical infrastructure, businesses and ordinary citizens, many of them crossing national borders, prompted the logical idea of addressing cyber security threats within common EU policies and strategies.
The first attempt to address cyber security at EU level was reflected in the 2005 Council Framework Decision on Attacks against Information Systems and in newly created structures: the European Network and Information Security Agency (ENISA), set up in 2004, and later the European Cybercrime Centre (EC3) at Europol, set up in 2013. This is also when the EU began to incorporate the idea of resilience against cyber threats through coherence and coordination inside the organization. To take this idea further, the EU adopted its first Cyber Security Strategy in 2013, which, apart from attempting to strengthen coordination on cyber security between Member States, also spoke of the indispensable role of business and the private sector in responding to attacks, as well as of the need to join efforts with other international partners and neighbours in the area of security. However, a strategy is not a legislative instrument and cannot impose concrete actions and obligations on the Member States. The next step the EU took to strengthen its cyber security policy was therefore the Directive on Security of Network and Information Systems (NIS Directive), which obliges operators of essential services and digital service providers to take security measures and to report significant incidents to national authorities.
To reinforce cyber security capabilities, financial instruments and infrastructure were also set up: €600 million was invested in research and innovation for cyber security for the period 2014-2020; every Member State was asked to establish a national cyber security centre; and public-private partnerships were created to connect governments and businesses and to underpin the emerging Digital Single Market.
In October 2017 the European Council called for further strengthening of the EU Cyber Security Strategy and other legislation in the area. The EU's role in streamlining a common approach to cyber security was thus underlined again and resulted in an enhancement of ENISA's functions. It is planned to turn ENISA into the EU Cybersecurity Agency and to establish an EU-wide cyber security certification framework for digital products and services as one of the pillars of the Digital Single Market.
Although a common approach to cyber security in the EU has clearly been introduced in terms of legislation and additional capabilities, a number of challenges remain: the private sector is still very little involved in addressing cyber security issues at EU level; public awareness of cyber security risks is very scarce; and not all Member States contribute equally to tackling cyber security threats in the EU. Furthermore, despite the existing legislation on cyber security, there is very little understanding of what cyber resilience is and how to achieve it, combined with an insufficient level of funding for the innovation and research needed to respond to constantly evolving cybercrime and attack tools.
Cyber security and cyber resilience. The conceptualization of cyber resilience
Resilience is a notion borrowed from materials science, where it describes the 'ability of a material to recover its shape after a deformation' (Dahlman, 2011:40). Stephen Cauffman defines resilience as 'the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions'. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents. Within various policy fields, resilience is discussed as the answer to a 'world of rapid change, complexity and unexpected events'.
Resilience shifts the focus of, and the responsibility for, security. Resilient subjects exist because of the shift 'from government to municipalities, from national to local, from security authorities to the citizen – expecting and encouraging beneficial self-organization in the face of crisis by those units that are both knowledgeable of local contexts and directly affected by the adverse event'. Self-organized civil society plays a crucial role in achieving resilience and is the central subject of the concept. The role of the private sector and of its cooperation with the state in the form of public-private partnerships is also emphasized. Public-private partnership is "a long-term contract between a private party and a government
Resilience can also be seen 'as a precursor to security—that is, as a process leading to and inducing security' (Bourbeau, 2015:383). In this reading, however, 'security does not refer to the absence of danger but rather the ability of a system to reorganise to rebound from a potentially catastrophic event' (Cavelty, 2013:23). The resilience approach focuses on solutions rather than on problems, which would otherwise imply ever more defence spending. In the field of crisis management and emergency response, international organizations together with the United Nations have introduced resilience as a 'new organizing principle, the development of which is perceived as critical to preventing unacceptable levels of human suffering and reducing the costs of international emergency response'. The UN definition thus portrays resilience as a way to reduce costs by involving all stakeholders in preventing and reducing the negative consequences of crises.
Cyber resilience, in turn, was introduced as an answer to the increasingly inadequate response to the modern cyber threat landscape offered by the concept of cyber security. Cyber security, in the traditional IT view, assumed that a computer system could be protected against any potential cyber risk. Cyber resilience, on the contrary, accepts that a 'cyber attack will inevitably succeed' (IT Governance, 2017). Cyber resilience is thus about identifying and responding to cyber attacks so that the computer system survives them. The concept was built by merging the traditional cyber security approach with business resilience. It consists of two main components:
- Ensuring cyber security without degrading the capabilities of computer systems.
- Having a business continuity plan that stipulates how critical information is to be secured if a cyber attack succeeds.
Cyber resilience also stresses a change in the general perception of security in IT. It focuses on changing the culture and behaviour of those who deal with computer systems. Apart from setting up a business plan and improving organizational leadership, it calls for working with all employees who use computer systems. 'Investment in research, education, and identification of best practices needs to underpin this cultural aspect in the long-term' (Nicholas, 2016:23). From the IT point of view, cyber resilience can thus be defined as the 'preparations that an organization has made with regard to threats and vulnerabilities, the defences that have been developed, and the resources available for mitigating a security failure after it happens' (World Economic Forum papers, 2012).
In political science the concept of cyber resilience was applied by George Christou in 2016 to EU activities in the cyber dimension. He fused the concepts of cyber governance and resilience in order to look at cyber security as resilience. In doing so he treated resilience as proactive rather than reactive, 'accepting not resisting the inevitability of change and the creation of a system that is capable of adapting to new conditions and imperatives'. The traditional security governance approach, by contrast, pays little attention to the complexity of meta-governance and to relations between the private and public sectors. Therefore, the success of the cyber-security-as-resilience concept lies in 'coalitions of different actors working together in partnership to construct new flexible and adaptive institutions and operating procedures, set the agenda and implement policies' (Christou, 2016). Such coalitions must be supplemented by an adequate level of IT education among citizens. Investment in research, education, and identification of best practices needs to underpin the 'cultural aspect' of cyber resilience in the long term (Nicholas, 2016).
Among the actors that have to be involved in providing cyber security are civil society, which is a key element in building resilient communities, and businesses. As mentioned, the private sector can cooperate with the state on the basis of private-public partnership models. In most countries at least half of critical infrastructure is owned by private companies, which provide tools such as antivirus software and IT security training to secure the cyber component of their enterprises. However, if an attack takes or may take place and its source is hard to find, a state has the means to 'collect foreign intelligence, collaborate with other international agencies, and gain access to critical information regarding potential threats' (Jagasia, 2017:2). There are many models on which a business and a state can form a partnership, and the choice depends on many factors, ranging from the parties' interest in cooperating, the level of trust, the available resources, and so on. One example of an efficient private-public partnership in cyber security was established in the Netherlands between local businesses and the state. Both institutions responsible for decision making on national cyber security within the state, the Cyber Security Panel and the Government Regulatory Body, are formed on the basis of private-public partnerships in order to increase trust between all partners and to discuss mutual interests and prospects for cooperation.
In strategic terms, cyber resilience can be understood as an element of 'deterrence by denial, or persuading the enemy not to attack by convincing him that his attack will be defeated – that is, that he will not be able to achieve his operational objectives.' Thus, in hybrid warfare and its cyber warfare component, resilience aims to prepare the nation to the point where an attack no longer makes sense for the attacker (Pernik, 2015). For this purpose the following goals are to be achieved:
- Good societal competence in understanding the nature of cyber warfare tools and the ways to oppose them (Cavelty, 2015).
- A high level of trust between civil society and government, provided through efficient government communication, political leadership and the integrity of the political system (Pernik, 2015).
- A strong sense of community between different groups of citizens, the availability of local opportunities for citizens aimed at their empowerment, and economic equity that helps to reduce possible tensions between different groups in society and the state (Pernik, 2015).
- A highly developed volunteering culture in the country, specifically with regard to security and defence, and the existence of grass-roots security organizations and initiatives aimed at strengthening national security (Pernik, 2015).
- High economic development, economic diversification and preparedness, to reduce the possible damage of a cyber attack targeted at the state's economic activities.
- The ability of critical infrastructure and ICT systems to reduce the impact of cyber attacks, espionage or sabotage, to adapt, and to continue working in the normal regime (Yost, 2013).
- Efficient coordination of all actors involved in providing cyber resilience. 'A high degree of cooperation capacity translates into fewer transactions costs that impede both shared sense-making and collective action-taking' (Rhinard; Sundelius, 2014).
- A sufficient reserve of financial resources, technical equipment and software that would allow damaged assets to be restored quickly and would prevent an attack from having a broad negative impact on 'the nation's will to persevere' (Yost, 2003).
Cyber resilience criteria
Thus, having analysed approaches to resilience from different perspectives, the following criteria are identified as necessary for achieving cyber resilience:
- Efficient coordination and cooperation of all actors involved in providing cyber security.
A special role here is played by state agencies and bodies, their transparency and their readiness to share critical information with all stakeholders, including foreign partners, given the often international nature of cyber attacks. Coordination is also needed to avoid duplication of effort among the many actors involved in achieving cyber security. Leadership and a high level of trust are required to act fast at both the strategic and the operational level in the event of a potential cyber attack, or, once an attack has occurred, to regroup quickly and reduce shortcomings (Yost, 2003).
- Private-public partnerships between businesses and government.
Business can provide not only resources and tools for national cyber resilience but also unique expertise which, having been formed in a business and competitive environment, is considered to be more 'proactive and risk-managing oriented'. Private-public partnerships may be established under different conditions in accordance with the agreement between the state and business.
- Social capital built on strong communities and volunteers, which is crucial for achieving resilience in any sphere, including cyber.
The resilience approach moves 'from government to municipalities, from national to local, from security authorities to the citizen – expecting and encouraging beneficial self-organization in the face of crisis by those units that are both knowledgeable of local contexts and directly affected by the adverse event' (Dunn Cavelty, 2012). Ronald Deibert named civil society an "increasingly recognised and important stakeholder in cyberspace governance" (Deibert, 2011). Grass-roots organizations and initiatives are able to respond quickly to potential or actual threats. A high level of trust between governmental bodies and agencies on the one hand and communities on the other is crucial for the efficient work of such communities (Pernik, 2014).
Cyber resilience in the EU
Coordination at the EU level
Coordination in providing cyber security in the EU has strengthened significantly over recent years. This was marked by the adoption of legal measures, such as the 2005 Council Framework Decision on Attacks against Information Systems, and by the creation of new infrastructures, including the European Network and Information Security Agency (ENISA) in 2004 and the European Cybercrime Centre at Europol (EC3) in 2013. In 2013 the EU also adopted the Cyber Security Strategy, which proclaimed achieving cyber resilience as its main goal. One indicator for measuring the achievement of this goal is the involvement of the private sector and the establishment of private-public partnerships in the domain of cyber security. Another is strengthened coordination among all actors 'in cases of incidents spanning across borders'. To this end ENISA's mandate has been strengthened and the Directive on Security of Network and Information Systems (NIS Directive, (EU) 2016/1148) has been introduced. The goal also includes the launch of awareness-raising campaigns on cyber security.
Coordination of cyber security incidents in the EU is well framed at the policy level; the practical execution of this ambition, however, shows the other side of the coin. A number of issues impede coordination on cyber security in the EU. Firstly, Member States act more reluctantly on cyber security decision-making through the Council than other EU institutions such as the Commission and the Parliament do. Cybersecurity is regarded as a sensitive area where the sharing of information does not come naturally to all Member States. Some Member States prefer to cooperate on tackling cyber attacks through sub-regional platforms: the Visegrad countries plus Austria created the Central European Cyber Security Platform (CECSP), which establishes cooperation between their respective CERTs and Computer Security and Incident Response Teams (CSIRTs) (Carrapico; Barrinha, 2017). National governments also run different systems of information exchange in cyber security, which complicates coordination at EU level (Christou, 2016; Guitton, 2013). Moreover, a number of countries do not make the 'financial commitment that is involved in creating the necessary infrastructure and as a result tend to not prioritize cybersecurity' (Carrapico; Barrinha, 2017:15). As a result, the funds the EU allocates to cyber security are low. In the United States, for example, the budget allocated for cyber security in 2017 was 19 billion USD (Statista.com, 2018). By contrast, the EU's ENISA has an annual budget of €11 million (ENISA, 2016a), and the European Cybercrime Centre, EC3, had an initial budget of €7 million (Carrapico; Barrinha, 2017).
Establishing public-private partnerships at EU level has been one of the major EU priorities for providing cyber security. Furthermore, PPP has been described as a precondition for achieving cyber resilience (EU Commission, 2016). Analysis of the existing legislation and documents on PPP in this area shows that the term cyber resilience is used more often than cyber security, which gives grounds to treat PPPs as a necessary component of cyber resilience.
In July 2016 the European Commission signed a PPP with the private sector for the development of a common approach and market for cybersecurity. The aim of the EU cyber security PPP is to 'foster cooperation between public and private actors at early stages of the research and innovation process in order to allow people in Europe to access innovative and trustworthy European solutions (ICT products, services and software); stimulate cybersecurity industry, by helping align the demand and supply sectors to allow industry to elicit future requirements from end-users, as well as sectors that are important customers of cybersecurity solutions (e.g. energy, health, transport, finance); coordinate digital security industrial resources in Europe'. A specific institution, the European Cyber Security Organisation (ECSO), has been created to engage with the European Commission in the PPP. For this purpose the EU has allocated €450 million under the Horizon 2020 programme and expects to attract a further €1,800 million from the private sector.
While the importance of PPP for cyber security is clearly understood, a number of issues complicate cooperation between business and the public sector in practice. Firstly, businesses and state actors have diverging interests, 'where the private sector privileges efficiency and profit, and the public sector prioritizes security' (Dunn Cavelty and Sutter, 2009).
Interestingly, businesses are ready to cooperate with the public sector to different extents depending on their area of work. The financial sector is usually more open to cooperation and dialogue with government on cyber security than telecommunications. This may be explained by the higher level of risk the financial sector bears online; some authors also argue that telecommunications businesses fear that information exchange could erode their competitive edge (Giacomello, 2014).
Furthermore, PPPs in cyber security are often associated with threats at the national security level, such as attacks against electric grids or other critical infrastructure, which are usually relevant to large businesses already associated with the public sector. This excludes businesses that operate in other areas and/or are small or medium-sized.
Although the main responsibility for providing cyber security traditionally lies with the state or with international governmental organizations, non-state actors such as NGOs can assist state actors not only by providing valuable expertise but also by raising society's awareness of existing cyber threats and of the responsible use of the internet.
Societal cooperation between NGOs and other grass-roots initiatives in the EU has crossed Member State borders, and in the majority of cases these initiatives are interested in becoming international and EU-backed. This helps knowledge and information sharing, builds extra capacity for NGOs and communities, and helps to frame cyber threats as a phenomenon that endangers not only specific states but people everywhere, including in the EU.
However, the role of NGOs and civil society in informing society about cyber risks and dangers is quite limited. The few think-tanks and NGOs that focus their work on security and on building resilient communities rarely raise the issue of cyber security in their projects, information and awareness-raising campaigns. There is also no common EU approach to strengthening civil society's capacity in cyber security or to educating society in this regard. One reason may be that digital literacy in the EU countries, which are regarded as among the most developed in the world, is stunningly low. '60 million Europeans have never used Internet, indicating that they have no need for it or that it is too expensive. Almost half of Europeans (44%) still lack the basic digital skills to use an electronic messaging services, use publishing tools, or install new devices.' Cyber security is thus not an urgent issue for many EU citizens. Nevertheless, the other half of the EU population, who are active internet users, may need basic skills in protecting themselves online, and this is where a common EU policy on strengthening societal cyber resilience could help. The only EU initiative for raising awareness of cyber security among citizens is the EU Cyber Security Month, held every October. While it is widely observed in the EU, the crucial role in the campaign is played by the governments of Member States, the European Union Agency for Network and Information Security (ENISA) and the European Commission's DG CONNECT. Civil society and NGOs do not play a decisive or proactive role in the campaign, even though their role could be crucial in strengthening societal resilience.
Having looked at the EU's capacity to maintain cyber resilience, it can be concluded that cyber resilience in the EU is an emerging policy field with a 'lack of clearly delineated areas of responsibility and accountability among the different institutions' (Bendiek, 2012, p. 12).
The EU's attempts to establish coordination in cyberspace remain fragmented because of Member States' limited interest in information sharing, their differing levels of vulnerability to cyberattacks, and their unequal financial contributions to cyber security coordination structures. On the other hand, EU legislation on cyber security has been strengthened in recent years and is believed to be among the most comprehensive in the world.
While the importance of PPP for cyber security is clearly understood, cooperation between business and the public sector is complicated in practice because different businesses prioritize cyber security to different extents, and because cyber security is often associated with tackling attacks targeted at critical infrastructure or large businesses rather than at small or medium-sized ones. However, the potential of PPPs in cyber security is emphasized in all legislative and policy documents and is backed by relatively generous financial support at EU level.
Finally, the role of NGOs and civil society in informing society about cyber risks and dangers is quite limited. There is no common EU approach to strengthening civil society's capacity in cyber security or to educating society in this regard. Cyber security is not an urgent concern for EU citizens, almost half of whom lack the basic digital skills to use an electronic messaging service, use publishing tools, or install new devices.