
How the EU Hinders Cyber Security Policy

I am presently employed in cyber threat intelligence, but throughout my career I have worked across a wide range of the other intelligence disciplines.

The Anonymous Cyber Security Professional

In order to manage teams and develop effective strategies, I have looked into how the EU deals with cybersecurity in detail and threat intelligence sharing as a whole. The approach of the EU which I have seen to cyber is bureaucratic, disjointed and lacks a coherent strategy. You could say that for a lot of national strategies on cyber, but the EU approach to these issues makes this lack of clarity worse. I have looked at their approach in detail, and this lack of a sensible, operationally driven approach is a real problem.

Lack of coordination between ENISA, Europol and the European Commission

ENISA (which is one of the main EU bodies dealing with cyber) is based (for some bizarre reason) on Crete, hundreds of miles away from Europol (the law enforcement hub it should be working beside). I have asked the question why this is the case, and never received a logical answer, as many of the staff are either German or Scandinavian.

Although ENISA is probably the most mature EU institution dealing with cyber security issues, the lack of coordination between ENISA, Europol and the European Commission has the feeling of an internal power struggle (which many EU institutions do) over who will take the lead on cyber policy. This lack of clarity has lasted for years, and continues to this day.

The EU approach on developing a cyber security strategy is breeding a “race to the bottom” in terms of standards, which helps no one. The UK (which has relatively good data security standards when compared with a number of other member states) has a more business-friendly and less bureaucratic methodology, whereas Scandinavia, Germany and France adopt a much more heavily regulated approach which strangles the associated processes and is more in line with wider EU institutional thinking. This is compounded by the release of reams of poorly thought out, woolly “guidance” which is written in “EU Speak” (almost unintelligible to anyone else and wide open to interpretation) and dramatically compounds the issues.

Intelligence lost to the EU’s black hole

Secondly, there is always an additional view (which I have heard on many occasions and agree with from my own experience), that in terms of intelligence sharing, the EU (and particularly Europol) is also pointless. The institution makes all the right noises, but very little substance or intelligence of any operational use comes out of the other end. I have dealt with Europol before on a number of sensitive issues and you always got the feeling you were shoveling actionable intelligence into a black hole, and nothing was ever actually done with it. Bilateral intelligence sharing does not work like that, as it allows you to pick the countries and agencies that it is worth sharing with (because you know who will give you intelligence back that you can use). Dealing with EU institutions always has a feeling of them being very politically driven, with no real drive to get operational results, and when working in intelligence that is of no use. The speed of response (on the rare occasions there is a response) tends to take weeks as well, again making the whole exercise pointless, as with many threat issues the window of opportunity to take action is usually days (with cyber in particular, hours in many cases).

I did give the EU approach yet another chance recently, and downloaded the EU computer emergency response team app onto my iPhone, thinking this might possibly have improved. However, I quickly realised this was an academic talking shop at the very best (as many of these things at an EU level are) and therefore again operationally pointless.

Morally questionable political moves

Thirdly, and most worryingly in my view, there is my assessment of the 2014 incidents in Ukraine, where I believe that the EU jumped to support a government which was at best morally questionable, as they were following a territorial expansionist agenda to the east with almost obsessive drive. The elections which put President Yanukovych in power were endorsed by both the EU and UN, and I would not question that assessment, therefore he was the democratically elected president of Ukraine. When he took the decision to stay within the Russian sphere of influence and rejected the EU overtures, you could sense almost tangible anger from the EU that he had dared halt their territorial expansion to the East. Although his actions in the subsequent protests were abhorrent, what we witnessed was closer to a coup, putting into power the Euromaidan movement (which had a very nasty ultra-nationalist, anti-Russian core to it). I could fully understand why this concerned the Russians.

This whole incident felt more like a coup and EU tinkering in foreign affairs of a sovereign state, and I think the immediate support the EU gave to the new authorities (who, remember, came to power through violent protests) inflamed the situation and made an already tense situation worse. I think the EU’s actions in this case and their seemingly constant need to tweak the nose of the Russians has led almost directly to Putin’s much more aggressive stance on foreign affairs, and made the world a more dangerous place. Just imagine what would have happened if the EU had its own army on call during these issues?

Power struggles in Brussels hamper effective security response

There is also the EU’s seeming drive to set up their own intelligence agency, army and wider security apparatus, which genuinely concerns me. One of the key drivers in any scale of security response is an ability to respond quickly to issues as they emerge. If the refugee crisis has graphically illustrated anything, it is the total inability of the EU to do anything quickly due to the embedded bureaucracy which drives the institution. Nation states are clearly much faster, more responsive and (particularly in the case of the UK) able to secure their own borders and protect their national interests, which is hampered by the EU and its drive to take control of all these levers of state security (their lobbying for the expansion of Frontex being a good example of this). This was graphically illustrated during the attacks on Paris and Brussels, where both countries quickly moved to secure their borders in the immediate aftermath of the incidents and then to work together to address the threats. The EU and Europol were irrelevant in both cases. Had control of the borders rested with Frontex at this time, I am almost sure that we would still be debating what to do rather than actually doing anything.

In summary, I think the EU hampers development of cyber security policy at national levels, as those with responsibility for cyber security policy across the EU worry that any regulations they work to bring in will be superseded by EU ones (which are likely to be time consuming, poorly thought out and add another expensive tier of compliance and administration). There is no “one size fits all” in this area across the EU, and the behind-the-scenes power struggles in Brussels also hamper any real, timely or effective response.

Best and worst case scenarios 

Effective intelligence sharing across the whole EU is impossible, and bilateral agreements (which are hampered and discouraged by the EU) are the only sensible approach in this area. This way you can respond in hours, not weeks, as the modern fast-paced threat landscape dictates.

Finally, imagine the nightmare scenario of the EU having had an army during the crisis in Ukraine? We would now be at best in a new cold war with Russia, at worst a spark away from a hot one. I do always come back to the question, why does a trading bloc (which is what we joined allegedly) need so much firepower anyway?

Implications of Brexit will be the focus of a panel discussion taking place at IFSEC International 2016. Speakers on the panel include CEO of FIA, CEO of BSIA, CEO of ASFP, Managing Director of BRE Global, President of Euralarm and Executive Director of EFSN. The panel will take place at 13.20 on 23rd June, the day of the EU Referendum.
