Anyone who carefully reads the report A7-0167/2012 of 05.16.2012 on the protection of critical information infrastructure of the European Commission will notice that the authors of the report, members of the Committee on Industry, Research and Energy, are very worried. We can also analyze the opinion of the Committee on Civil Liberties, Justice and Home Affairs of the EU with this report and see —you don’t need to read between the lines— that not only those with direct relation with the issue are concerned, but also commissions that aren’t apparently directly affected by issues related to cyber security of critical infrastructures.
If you also have the patience to study the recent report on cybersecurity and cyberdefense 2012/2096 (INI) of the Committee on Foreign Affairs, dated October 17th, 2012, you will realize that the concerns sometimes turn into “fear”, urging everyone to put to work enumerating countless reasons why we should do it (the “considerations” are impressive…).
The outlook is bleak because the “considerations” show many points that we should be working on and even though there is work done, they are not functional for many reasons, all of them logical. The fact is that everything that has to do with cyberthreats is moving very fast, too fast, and the European institutions very slow, too slow. As a society we should be prepared to take control of the situation but, unfortunately, this is one of those cases where I get the impression that the regulator is ahead of civil society because society is not aware of the magnitude of the threat.
This report on cybersecurity and cyberdefense literally says, “the danger posed by cyber-threats and cyber-attacks against government, administrative, military and international agencies is growing rapidly, both in the EU and in the world, and there are important concerns that state and non-state actors, especially terrorists and criminal organizations, can attack critical infrastructures of information and communication institutions and members of the EU, with the chance of causing significant damages including kinetic effects“, taking into account that most cyber incidents, as stated in the report, both in the public and private sector go unreported, urging the authorities to assess the possibility that a EU member state may suffer a cyberattack and talking about the possibility of implementation of the mutual defense clause (Article 42, paragraph 7 of the EU Treaty) without prejudice to the principle of proportionality. In this sense, could be a cyberattack considered a state-backed casus belli?
We leave the question open but in the case that the answer to the above question is yes, there are still other troubling statements in that report: It “notes that recent cyberattacks against European information networks and state information systems have caused extensive damage from the viewpoints of economic and security whose scope has not been adequately evaluated“.
Clearly cyber defense should be part of the common security and defense policy (CSDP) to, among others, to protect and preserve the lives of people, digital freedoms and respect for human rights online. However until June 2012, only 10 Member States have adopted a cybersecurity strategy, the first step to get to work. In Spain is under development.
In any case, both reports urge to develop strategies for cybersecurity and emergency plans for their own systems, asking explicitly to all institutions and agencies to address in their risk analysis the consequences of cyber crisis and emphasizing the importance of awareness. The members are encouraged to increase their investment in R&D in defense to 2% to make it one of the principal support of cybersecurity and cyberdefense.
This is alright, but they are nothing more than petitions done by the EU commission to the European Parliament through its reports and draft reports but… what happens in the meantime in the real world? Are we really doing our duties in this matter? Are we aware of the danger as a society? Are politicians who run our country aware of these risks? Yes? To what degree?
I have my own pinion. We see it in the work we do every day. And we will have to do an enormous effort to awareness society that this is a very important problem for all of us…
(1) Casus belli refers to the fact that is considered a cause or pretext for military action. The term appears in the context of international law of the late nineteenth century as a result of the ius in bello political doctrine. The casus belli, as part of the ius in bello or “law of war”, seeks to regulate the military actions of different countries, so a priori it prohibits the use of armed force to resolve conflicts, but allows the military power against another country under the principle of ultima ratio, ie as a last resort.
(2) In 2010 only a European member had reached 2% in research and development in defense, and thar year five countries had invested nothing.