EU Policy on Cyber Defence strengthens action against cyber threats while raising cooperation, investments in defense

The European Union (EU) Commission and the High Representative proposed on Thursday a joint communication on an EU Cyber Defence policy and an Action Plan on Military Mobility 2.0. The EU Policy on Cyber Defence works on enhancing the EU’s ability to prevent, detect, deter and defend against cyberattacks aimed at the Commission and its member states using all means available. It also addresses the deteriorating security environment following Russia’s aggression against Ukraine and works on boosting the EU’s capacity to protect its citizens and infrastructure.

The EU Policy on Cyber Defence aims to boost EU cyber defense capabilities and strengthen coordination and cooperation between the military and civilian cyber communities. It will enhance efficient cyber crisis management within the EU and help reduce strategic dependencies in critical cyber technologies while strengthening the European Defence Technological Industrial Base (EDTIB). It will also stimulate training, attracting, and retaining cyber talents and step up cooperation with partners in the field of cyber defense.

The EU Policy on Cyber Defence has been largely structured around four pillars that cover various initiatives that will help the EU and member states. These pillars include acting together for a stronger EU cyber defense, securing the EU defense ecosystem, and investing in cyber defense capabilities, while also partnering to address common challenges.

The EU Cyber Defence Policy also links up to recent work on the protection of critical infrastructure. The increase in the number and sophistication of cyberattacks targeting military and civilian critical infrastructure in the EU was one of the main reasons why the EU Policy on Cyber Defence required an urgent update. The interdependency between physical and digital infrastructure and the potential for significant cybersecurity incidents to disrupt or damage critical infrastructure illustrates that the EU needs close military and civilian cooperation in cyberspace to become a stronger security provider for its citizens. 

The move lies at the heart of the proposal for a Council Recommendation on a coordinated approach by the Union to strengthen the resilience of critical infrastructure presented last month.  

“The EU Policy on Cyber Defence shows that by bringing our civilian and military instruments together we can make a stronger impact against cyber threats,” Margrethe Vestager, executive vice president for Europe Fit for the Digital Age, said in a statement. 

Since armed forces depend to a large extent on civilian critical infrastructure, be it for mobility, communications, or energy, the EU Policy on Cyber Defence aims at enabling the cyber defense community to benefit from stronger civilian and military detection and situational awareness capabilities.  

At the request of the Council, the Commission, the High Representative, and the NIS Cooperation Group are developing risk scenarios for digital infrastructure security. 

Moreover, the Commission will also propose further actions to strengthen preparedness and response actions across the EU. This would include the testing of essential entities operating critical infrastructure for potential vulnerabilities based on EU risk assessments, the gradual set-up of an EU cyber reserve, and development of an EU Security Operation Centre infrastructure, providing a true cyber shield for the European Union.

The EU will reinforce its coordination mechanisms among national and EU cyber defense players, to increase information exchange and cooperation, and further support military Common Security and Defence Policy (CSDP) missions and operations. It will create an EU Cyber Defence Coordination Centre (EUCDCC) to support enhanced situational awareness within the defense community, and set up an operational network for milCERTs (Military Computer Emergency Response Teams), while also developing and strengthening the EU Cyber Commanders Conference. It will also develop a new framework project, CyDef-X, to support EU cyber defense exercises, and work on information exchange between the cyber defense community and the other cyber communities.

Even non-critical software components can be used to carry out cyber-attacks on companies or governments, including in the defense sector. This calls for further work on cybersecurity standardization and certification to secure both military and civilian domains.

To this effect, the EU will provide a platform to support member states in the development of non-legally binding recommendations for the defense community. It will also develop recommendations on EU cyber defense interoperability requirements and risk scenarios for critical infrastructure of importance to military communication and mobility, to target preparedness actions, including through penetration testing. It will also work towards fostering cooperation between civilian and military standardization bodies for the development of harmonized standards for dual-use products.

The EU Policy on Cyber Defence laid down that member states need to significantly increase investments in modern military cyber defense capabilities in a collaborative manner, using the cooperation platforms and funding mechanisms available at the EU level, such as PESCO and the European Defence Fund. 

To address these challenges, the EU will update priorities for cyber defense capability development and further support member states in developing their cyber defense capabilities in cooperation, develop an EU cyber technology roadmap to reduce dependencies on critical technologies using all EU instruments, and develop an Emerging Disruptive Technologies (EDTs) Strategic Assessment to support long-term investment decisions of member states.

Furthermore, the EU Policy on Cyber Defence recommended that member states explore the possibility to develop a set of voluntary commitments for the development of national cyber defense capabilities, and develop EU cyber defense training and exercises, including through the ESDC Cyber Education, Training, Exercises and Evaluation (ETEE) platform, and set up an EU Cyber Skills Academy, considering needs for specific skills for different professional profiles and sectors of activity, including in the defense workforce.

Building on existing security and defense as well as cyber dialogues with partner countries, the EU will seek to establish tailored partnerships in the area of cyber defense. In this regard, the EU Policy on Cyber Defence will strengthen EU-NATO cooperation in the field of cyber-defense training, exercises, education, situational awareness, standardization, and certification. It will also include cyber defense in EU-led cyber as well as security and defense dialogues with key partners and support partners in cyber defense capacity building. 

Going forward, the Commission and the High Representative will present an annual report to the Council of the EU to monitor and assess the progress of the implementation of the actions in the Joint Communication on the EU Policy on Cyber Defence. Member States are encouraged to contribute with their inputs on the progress of the implementation measures taking place in national or in cooperation formats. An implementation plan could be set up in cooperation with member states.
