Cyber-attacks have become a major concern for European security. The International Monetary Fund (IMF) has estimated the annual loss due to cyber-attacks at 9% of banks’ net income globally, and the EU views disinformation campaigns and attacks on critical infrastructure as the main cyber threats to its security. According to Microsoft analytics, 59% of nation-state attacks are committed by Russian actors. The Russian Federation has become a significant threat to European cyberspace by spreading fake news in EU states, hacking the web resources of government officials and organisations, conducting DDoS attacks, etc. The situation further escalated with the Russian invasion of Ukraine. Just before launching its invasion on 24 February, Russia led a major cyberattack that disrupted satellite Internet connections across Europe, and the number of attacks continues to grow. So how does the EU develop its cybersecurity? What strategies does the EU have, and is it ready to counter Russian cyberattacks?
What legislation and strategies guide EU cybersecurity?
The upcoming year of 2023 will be the half mark of the EU Security Union Strategy 2020-2025. Together with the EU Cybersecurity Strategy presented in 2020, these two documents guide the current cybersecurity field in the EU. The EU outlines eight key strategic initiatives in developing its cybersecurity, which can be summarised as the promotion of international standardisation processes and the UN Programme of Action to Advance Responsible State Behaviour in Cyberspace, the protection of human and children’s rights in cyberspace, and the development of the multi-stakeholder community in dialogue with third countries to promote responsible cyberspace utilisation. Contrary to the strategies developed by the US and Ukraine, the EU cybersecurity strategy does not mention any particular adversaries to EU security. Both the US and Ukrainian strategies outline the Russian Federation as a significant threat to national cybersecurity, with the US conducting an even more detailed analysis and outlining the main Russian state and state-supported cybercriminal groups. On the other hand, the EU strategy only refers to cybercriminal state and non-state actors and makes a relatively small assessment of potential actors as threats to EU cybersecurity.
The Threat Landscape 2022 posted by the European Union Agency for Cybersecurity (ENISA) mainly views Russian and Chinese state, state-supported, and proxy cybercriminal groups as the main threat to EU cybersecurity. The Russian threat is mainly evaluated in three realms: disinformation campaigns, attacks on critical infrastructure and governmental bodies, and state-supported cybercrime groups. While Russian disinformation campaigns with Russian state media, deepfakes, and bot farms do not need an introduction and deserve a separate article, Russian state-supported cybercriminals extensively use DDoS attacks to target EU member states. During the last 12 months, there were several major DDoS attacks including the targeting of several Romanian public government sites in April 2022 and the Italian websites of the Senate and the Ministry of Defence in May 2022. Overall, during the last year, Microsoft analytics and ENISA outline a spike in the number of cyber-attacks conducted from Russia, a doubling of the number of attacks on critical infrastructure, an increase in misinformation campaigns, and claim that 90% of Russian attacks detected targeted NATO member states. In addition, ENISA outlines a threat of a spill-over of Russian malware employed in cyberwarfare against Ukraine that might disrupt EU systems as well.
Some experts argue that this focus on vague concepts and reliance on international law and organisation, combined with the undefined vector of potential threats, make the strategy useless and more of a general declaration than a defence strategy. However, more recent security publications address this issue and outline more definitive steps and courses of action. For example, the Strategic Compass for Security and Defence for the EU clearly defines Russia as a threat to EU cyber and information security and provides the needed actions to develop EU cybersecurity. The Strategic Compass still outlines the EU Cybersecurity Strategy of 2020 as a basis, and cybersecurity experts claim that a new joint EU strategy should be developed, especially if the EU aims at forming a security union.
As for legislation, all the main cybersecurity terms and processes in the EU are defined by the Regulation (EU) 2019/881 on ENISA and on information and communications technology cybersecurity certification, and by the EU Cybersecurity Act No 526/2013. The EU defines cybersecurity as “the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threat”. Cybersecurity is a relatively new field, and not much legislation has been passed to regulate it, but the EU continues to develop the field. During the last year, several important laws were passed, for example, the EU Cybersecurity Act that unified the EU’s cybersecurity into a single framework with ENISA as its main core, and the Cyber Resilience Act that makes it mandatory for hardware and software manufacturers to include and update the cybersecurity of their products.
After reviewing the EU legislation, the definition of cyberterrorism becomes interesting when considering the current cyber situation between the EU and Russia. The EU legislation states that “cyber terrorism involves the use of computers and/or related technology with the intention of causing harm or damage, in order to coerce a civilian population and influence policy of target government or otherwise affect its conduct”. In light of the recent Russian cyber-attacks and intervention in domestic politics of the EU member states that were recognised by the EU and NATO officials, the Russian Federation can be legally recognised as the first cyberterrorist state.
How does the EU prepare for potential Russian cyber-attacks?
Defending critical infrastructure
The integration of new digital technologies into traditional critical infrastructure makes its work much more efficient but at the same time makes it susceptible to cyber-attacks. The EU, and particularly the European Commission, fully understand the risks that come with digitalisation, as the targeting of critical infrastructure is the main threat of potential cyber warfare. EU legislation and strategies focus greatly on the development of cybersecurity of critical infrastructure, and initiatives like the Cybersecurity certification establish standards for the cybersecurity of critical infrastructure objects.
The EU not only develops its strategy but also conducts practical exercises to deter cyber-attack on critical infrastructure. In 2021, a Wizard Spider cybercriminal group based in Saint Petersburg launched an attack on the Irish Health Service Executive. This led to about 7,000 patients a day having their appointments cancelled and at least €100 million in damage. Such an attack on European healthcare infrastructure became a scenario for the Cyber Europe 2022 cyber war game exercise that involved 29 countries and more than 800 cybersecurity experts.
Cybersecurity for private businesses
The use of cyber proxy groups is one of the main tools utilised by the Russian Federation. Russian-aligned groups like Evil Corp or Killnet, which according to the US CIS work under Russian governmental protectorate, pose a threat to private entities and continue stealing money, intellectual property, and personal information. The development of cybersecurity for and cooperation with private businesses has thus become an important aspect of deterring the Russian cyber threat.
The EU policy on cyber defence, adopted in November 2022 focuses greatly on strengthening coordination between the military and civilian cyber communities. Cyberspace is viewed as a shared realm and only by developing cooperation between stakeholders can the EU guarantee cybersecurity for EU member states and their citizens. The EU has created several platforms to develop such cooperation, for example, the EU cybersecurity month, which became a “hub” for EU cyber stakeholders and this year focused on phishing and ransomware. The EU also implements new legislation that strengthens cybersecurity requirements across the EU and sets specific standards for cybersecurity for private entities.
Cyberspace is considered the fifth domain of warfare and the EU continues its cooperation in the cybersecurity field with NATO. On 10 November, the European Commission proposed two additional defence action plans that in part calls for reinforcing the cooperation with NATO. Despite the EU developing its cybersecurity strategy, it mainly focuses on combating cybercriminal activity conducted by non-state groups and has almost no mention of cybersecurity against cyber warfare or cyber-attacks conducted as military actions. In this case, the responsibility for cyber warfare and its deterrence in the EU is placed on NATO as the main security alliance in the region. NATO and the EU are cooperating through a Technical Arrangement on Cyber Defence signed in 2016. The NATO Cooperative Cyber Defence Centre of Excellence is located in Tallinn, and Estonia has become the centre for EU and NATO research and development on cybersecurity. NATO is also planning to develop its Cyberspace Operations Centre in Brussels, which will be fully operational in 2023 and will give NATO the ability to conduct full-scale cyber-warfare under joint command.
As the world becomes more reliant on new technologies, cyberspace has become the fifth realm of modern warfare. The fact that there is no precedent of cyber-attacks being recognised as an official act of war is extensively exploited by the Russian Federation. The ruthless behaviour of Russian cybercriminal groups represents a significant threat to the EU’s critical infrastructure, financial system, and media. In the context of a Russo-Ukrainian war, it is crucially important for the EU to continue working on its cybersecurity capabilities and developing cooperation with its allies and stakeholders in the field.
Although cybersecurity is a relatively new field, the EU has made significant developments to defend European cyberspace. The EU managed to formulate a joint strategy, create plans for future results, and conduct practical exercises to build its cybersecurity. However, as the EU moves toward a security union, a more defined strategy is needed. To be prepared for future challenges a new cyber strategy should clearly define the potential adversaries, conduct thorough research on their methods, and prepare a set of countermeasures in case of cyber warfare.