European Union Agency for Network and Information Security
Cybersecurity in the EU Common Security and Defence Policy (CSDP) – Challenges and risks for the EU
ENISA - a study for the STOA Panel
Interim report presentation | Brussels | 23 March 2017
Outline
• Project overview
- Background
- Methodology
- Project status
- Scope
• Analysis
- Challenges
- Capacity building
- Cyber and CSDP
- Policy options (draft)
• Conclusions
Cybersecurity in the EU Common Security and Defence Policy (CSDP) – Challenges and risks for the EU | ENISA - SERVICE CONTRACT EPRS/STOA/SER/2016/214
Background
• Study for the European Parliament - Subcommittee on Security and Defence (SEDE)
• The Science and Technology Options Assessment (STOA) Panel commissioned the European Union Agency for Network and Information Security (ENISA) to carry out the study under SERVICE CONTRACT EPRS/STOA/SER/2016/214
Methodology
Literature research
• Policies
• Capacity building
• EU action plans
• CSDP
Questionnaires
• Policy challenges
• Capacity building
• CSDP
• NATO experience
External consultation
• EU Institutions
• Academia
• NATO
• Public Sector
Internal collaboration
• Meetings
• Drafting
• Reviewing
• Validation
Contributors
• EU Institutions: EEAS, EDA
• Academia: Global Cyber Capacity Centre, LUISS School of Government, Oxford University
• NATO experts: CCDCoE, Allied Command Operations, NHQC3S
• Public sector: MELANI
• Secure infrastructure and services unit
• Data security and standardization unit
• Operational security unit (Project manager)
Project status
90%
Tasks:
• Delivery of the Interim report - D1 √
• Integration of comments on the Interim report √
• Presentation of the Interim report - D2 √
• Policy options and final report - D3 (Ongoing-90%) - Delivery 31st March
• Presentation of the final report – D4 - Delivery 6th April
Scope
Risks, Challenges, Opportunities
Improve:
• EU’s cyber reaction in the CSDP context
• Strategic decision making
• Resilience of infrastructure
Thematic areas
1. Policy challenges
• At EU, Member State and International levels
• Technological innovation and cyber norms
• EU-level and International cooperation
2. Capacity building
• State of play within and beyond the EU
• Attribution of cyber-attacks
• The role of the private sector
3. CD & CSDP
• Threat landscape for CSDP missions
• Integration of Cyber Defence into Operational Planning
• EU-NATO cooperation
Policy options
• Cyber resilience
• Cyber defence policy
• CSDP Capabilities
• Industry
• Technology
• International cyber policy
Improve:
• EU’s cyber reaction in the CSDP context
• Strategic decision making
• Resilience of infrastructure
Analysis
Cybersecurity in the EU Common Security and Defence Policy (CSDP) – Challenges and risks for the EU | Georgios Chatzichristos
Gap analysis
CSDP context Goals
?
Modelling cyber capacities
Theme areas
1. Policy challenges
2. Capacity building
3. CD & CSDP
CSDP
1. Cybersecurity policy and strategies
2. Cyber culture and society
3. Education, training & skills
4. Legal & regulatory frameworks
5. Standards, organization & technology
Policy challenges
• The delicate balance between MSs & EU powers and responsibilities
• The complex set of mandates within EU institutions
• Use of cyber space in warfare? Is law of armed conflicts applicable?
• Hybrid technologies
• Cyber taxonomy
• The number and diversity of cyber actors
• Military and civilian overlaps
• Limited availability of data to support policy development
Cyber norms and CBMs
Cyber norms
Technological innovation
Current status
EU cyber defence policy framework
• 5 priorities
• 44 action items
Do we need something more than this?
Current status
EU cyber defence policy framework
• 5 priorities
• 44 action items
Gaps? How about the Operational and tactical layer?
Analysis
1. Cybersecurity policy and strategies
2. Cyber culture and society
3. Education, training & skills
4. Legal & regulatory frameworks
5. Standards, organization & technology
Identify gaps at the Political/Strategic layer
Propose measures at the Operational & tactical
Covering all five dimensions of the CMM model
Cover gaps at the Political/Strategic layer
Cyber and CSDP
Cyber and CSDP
Figure labels: Good guys; Bad guys; Rather Good guys; Rather Good guys; Good guys; Good guys ? -> Cyber ?
Cyber and CSDP
Figure labels: Good guys ?; Bad guys ?; Rather Good guys ?; Rather Good guys ?; Good guys ?
CSDP missions
Organisational issues
Different Operational Commands
Coordination
Ad hoc structures
Cyber space
Cyber defence is a collective effort
Threat landscape
THREAT LEVEL | DESCRIPTION | TIER | ACTOR
A | Known vulnerabilities | 1 | Practitioners relying on others
A | Known vulnerabilities | 2 | Developers
B | Unknown vulnerabilities | 3 | Developers with a plan
B | Unknown vulnerabilities | 4 | Criminal or State actors
C | Creation of vulnerabilities | 5 | State actors
C | Creation of vulnerabilities | 6 | States
Cyber Domain related | Other Domain related | INFOSEC related
• Networks & systems controlled and assured by CSDP mission commander
• Networks & systems vital for the CSDP mission, controlled & assured by non-EU institutions or public or private entities outside the EU
• Networks & systems vital for the CSDP mission, controlled & assured by EU institutions or public/private entities within the EU
Threat landscape
Cyber Domain related | Other Domain related | INFOSEC related
• Networks & systems controlled and assured by CSDP mission commander
• Networks & systems vital for the CSDP mission, controlled & assured by non-EU institutions or public or private entities outside the EU
• Networks & systems vital for the CSDP mission, controlled & assured by EU institutions or public/private entities within the EU
Policy options
under development
EU cyber defence policy framework
Policy options
1. Maintain coherent cyber policies and strategies at the EU level
2. Promote cyber culture
3. Develop cyber skills
4. Enhance legal & regulatory frameworks
5. Develop standards, organization & capabilities
• Incident response
• CIP
• Cyber defense
• Cyber resilience
• Cyber mind-set
• Trust
• Identity protection
• Cyber crime
• Social media
• Cyber competencies
• Integration to CSDP OPS & Exercises
• Legislation
• Law enforcement
• Norms & CBMs
• International Cooperation
• Cooperation with the private sector
• Adopt common standards
• Standing CSDP CD structure
• Develop capabilities at EU & MS level
Summary
01 Cyber domain is not limited to CSDP - aspects/policies/options beyond CSDP need to be considered
02 Coherence and maturity through modelling
03 Build of trust – the human factor
04 Organisational weaknesses
05 Integration of cyber into CSDP operations (military/civilian)
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
www.enisa.europa.eu
Thank you