It was long awaited and it carried with it great expectations. The first EU Cyber Security Strategy was published on 7 February and the report underlines right from the start the increasingly fundamental role that a robust, free and secure internet plays in our lives and our continued prosperity.
The report's stated purpose is to establish EU-wide cyber security rules and practices and coordinated responses to cyber threats. Its scope is very broad: it includes internet fraud and illegal downloading, child pornography and international security. The Strategy identifies five strategic priorities: achieve cyber resilience, drastically reduce cybercrime, develop a cyber defence policy and capabilities, develop the industrial and technological resources for cyber security and establish a coherent international cyberspace policy for the EU.
The EU Strategy responds to debates over human rights and the internet, especially regarding censorship, by reaffirming fundamental rights, democracy and the rule of law in cyberspace. What I find interesting is that, according to the Strategy, there is no human 'right' to access the internet. This is what can be inferred from the affirmation that everyone 'should' (not 'has to') be able to access the internet. On the other hand, internet security and integrity 'must' be guaranteed so that all can have safe access. So, in a nutshell, access to the internet is construed more as an obligation on governments than as a human right of citizens.
How does the Strategy affect us? The document promotes a shared responsibility approach to cyber security. This means that we all have a role to play: not just governments or the private sector, but also individual citizens. EU member states will be asked to guarantee minimum resources and capabilities to adequately react to threats, as well as promote cyber education at different levels. Member states will also have to create a national computer emergency response team (CERT) if they have not established one yet and firms dealing with banking, transport, energy, health, the internet and public administrations will be required to notify their national and the EU authorities whenever their computers are hacked.
The Strategy also recommends that EU businesses adopt more robust, embedded and user-friendly security features in their products and services, especially 'cloud' computing providers, reduce their reliance on 'foreign' technology suppliers and that the implementation of a 'kite mark' certification on products could make it easier for consumers to make informed choices in the digital age.
Will all this help us feel more confident in sharing our data online, especially in the cloud computing age? I am not so sure. The duty to report might be difficult to digest for the private sector, because of business confidentiality, extra costs and possible damage to reputation. For us citizens, the duty to report could risk giving national authorities access to information from almost everyone who is online, in breach of human rights law.
Cyber defence rightly receives a lot of attention in the Strategy, which calls for both civilian and military cooperation and actions. The Strategy assimilates a 'particularly serious cyber incident or attack' to an act of terrorism or a natural or man-made disaster. On the other hand, there is little if any reference to cyber attacks as a form of warfare that states could use against each other (think of Stuxnet, the worm allegedly developed by the US and Israel to destroy centrifuges at the Natanz uranium enrichment facility in Iran). In that, the EU maintains the ambiguity that already characterises NATO policies on collective reactions in case of a major cyber attack. This will need to be moved forward and clarified in a Cyber Defence Strategy that the EU plans to adopt in the near future.
One point needs to be emphasised: the EU Cyber Security Strategy clearly affirms that the laws that apply in the 'real' world also extend to cyberspace: there is no need to negotiate special cyberspace rules. The rules that extend to cyberspace include not only human rights law, but also the laws of war, in case an armed conflict spreads to cyberspace, as was the case of the Russia-Georgia conflict in 2008. I could not agree more: as I have argued elsewhere, the tired debate on the need for an international treaty on cyber security brings to mind the situation in Constantinople in 1453, where the doctors of faith were debating the issue of whether angels have a gender while the Ottoman army was attacking the city.