Cybersecurity and cyberdefence
EU Solidarity and Mutual Defence Clauses
SUMMARY
Faced with an increasing number of complex crises with a trans-border dimension, the
European Union has invested significant energy and resources in strengthening its
crisis- and disaster-management capabilities. To that effect, the Treaty of Lisbon
equipped the Union with two provisions aimed at improving the EU’s response to
natural or man-made disasters (the Solidarity Clause) and military aggression against an EU Member State (the Mutual Defence Clause).
For some time, both clauses remained purely theoretical concepts, without clear rules regarding their activation or procedures once either of the two is invoked by a Member State. In 2014, after many months of discussion, the Member States agreed on arrangements for the implementation of the 'Solidarity Clause'. The 'Mutual Defence Clause' has yet to see similar progress. Whether backed by procedures or not, so far the Member States have been reluctant to make use of either of the two provisions.
Many areas of human activity are increasingly dependent on information technology.
At the same time, over the past year some major media outlets and companies – including Sony and TV5 Monde – have become victims of cyber-attacks. Consequently, policy-makers are increasingly preoccupied with the risk of cyber-attacks with disastrous consequences for critical national infrastructure. Given the interconnectedness between the Member States and their inherent limitations in tackling alone a complex disaster provoked by a cyber-attack, there is some debate about the likelihood of the Solidarity and Mutual Defence Clauses eventually being invoked. The European Parliament has addressed these issues on three different occasions but its role once any of the clauses is activated remains to be defined.
In this briefing:
Background
Understanding the nature of a (cyber)crisis
Solidarity Clause
Mutual Defence Clause
Complementary approaches
The European Parliament
Main references
Annex

EPRS | European Parliamentary Research Service
Author: Patryk Pawlak
Members' Research Service
EN PE 559.488

Background
Faced with complex crises, the European Union (EU) has made significant efforts to improve its response capacities, including the adoption of the EU Integrated Political Crisis Response (IPCR) arrangements and the transformation of the Monitoring and Information Centre (MIC) into the Emergency Response Coordination Centre (ERCC) in 2013.[1] Solidarity and Mutual Defence Clauses were introduced in the Treaty of Lisbon – Articles 222 TFEU and 42(7) TEU respectively – to strengthen cooperation between Member States and the EU institutions in case of a crisis or armed aggression respectively.[2] The Solidarity Clause goes further by creating an obligation on all Member States to act jointly and to assist one another in the event of disasters and crises which exceed their individual response capacities.[3] While the Treaty provision concerning the Solidarity Clause has been supplemented with more detailed implementation guidelines – thus providing a more operational meaning to the concept – the Mutual Defence Clause remains a rhetorical concept and its implementation still needs to be defined.[4]
With many areas of human activity being heavily dependent on information technology on the one hand, and a growing number of security breaches on the other, there is a tangible risk of a cyber-attack resulting in a large-scale disaster. The possibility of employing the Solidarity Clause to mitigate the damage of such an attack has been mentioned in a number of cyber-related documents, even though neither the Treaty articles nor the decision on the arrangements for the implementation by the Union of the Solidarity Clause make explicit reference to cyber-attacks, but only to the broader concept of man-made disasters. The EU Cyber Security Strategy, proposed jointly by the European Commission and the High Representative in February 2013, tackles the question of EU support in case of a major cyber incident or attack. According to the Strategy, ‘a particularly serious cyber incident or attack could constitute sufficient ground for a Member State to invoke the EU Solidarity Clause’. In addition, the June 2013 Council Conclusions on the Cybersecurity Strategy of the EU, welcoming the proposed Strategy, invite Member States ‘to take into account cybersecurity issues in light of ongoing work on the solidarity clause’.
Furthermore, the EU Cyber Defence Policy Framework adopted by the Council in November 2014 states clearly that ‘the objectives of cyber defence should be better integrated within the Union's crisis management mechanisms. In order to deal with the effects of a cyber-crisis, relevant provisions of the Treaty on the EU and the Treaty on the Functioning of the EU may be applicable, as appropriate’. Both the Solidarity Clause and the Mutual Defence Clause are mentioned explicitly in the footnote and could potentially be activated. It is important to note, however, that activation of the Solidarity Clause would occur to deal with the consequences of a cyber-attack and not the cyber-attack itself.
Understanding the nature of a (cyber) crisis
As digital networks now constitute the backbone of our societies' functions (i.e. financial systems, energy infrastructure and communication tools), there is a risk that organised criminal groups or foreign governments will exploit their vulnerabilities. Many countries have included the protection of critical information infrastructure in their national security strategies. Therefore, strengthening the security and resilience of critical infrastructure against cyber-threats is a priority on policy agendas, including with regard to crisis management.
According to United States intelligence, only a limited number of countries have the capacity to invade and possibly disable the computer systems of power utilities,
[Figure; source: Symantec.]
cyber-crisis. In the case of a multinational cyber-crisis, the causes or impact need to concern at least two countries. Through a combination of contact points, guidelines, workflows, templates, tools, and good practices, the EU-SOPs generate shared technical and non-technical knowledge, which then allows for a better understanding of the context and identification of effective action plans. In addition, the EU's response capacity – including at a technical, political and operational level – is regularly tested through cybersecurity exercises like 'Cyber Europe 2014', completed in early 2015.
Nevertheless, the risk of computer-based attacks on critical infrastructure – defined as 'those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments in the Member States' – exists and cannot be ignored due to their potentially high impact. These could include attacks on energy infrastructure, healthcare institutions, water and food supplies, or other industries which rely on internet networks. Most of these facilities and services rely on Industrial Control Systems (ICS) which are responsible for monitoring and controlling industrial processes such as electricity distribution, water treatment or management of transport networks.[6] Following a decade-long transformation process, ICS systems have evolved from isolated systems to open architecture and standard technologies, which expose them to cyber-attacks like any other computer connected to the internet (see Figure 1).[7] For instance, upgraded electricity networks facilitating two-way digital communication between supplier and consumer, allowing for more efficient transmission and distribution of electricity – also known as smart grids – are vulnerable to rogue codes in the software or remotely operated 'kill switches' and hidden 'backdoors' on hardware.[8] Cyber-attacks such as Stuxnet in 2010, cyber-espionage campaigns like Dragonfly, and the targeted malware campaign, Sandworm, in 2014, demonstrate that attacks against ICS have matured and are becoming more frequent.[9] The EU has taken a number of steps to reduce the vulnerabilities of critical infrastructure due to their networked nature.
In 2009, the European Commission adopted a Communication on Critical Information Infrastructure Protection (CIIP) entitled ‘Protecting Europe from large-scale cyber-attacks and disruptions: enhancing preparedness, security and resilience’. Recognising that many critical infrastructure platforms rely on information and communication technologies, the Communication aimed at ensuring a high level of preparedness, security and resilience capability, both at national and EU level. Two years later, the Commission took stock of the implementation and concluded that purely national approaches to tackling security and resilience challenges are insufficient, and announced follow-up actions in the Communication on CIIP on 'Achievements and next steps: towards global cybersecurity'. The proposed Network and Information Security (NIS) directive, put forward by the Commission on the same day in 2013 as the EU Cybersecurity Strategy, aims to further strengthen a number of elements in the EU's preparedness and response capacity, including improving cooperation between various stakeholders (public and private sector, Member States), while at the same time obliging critical sectors to adopt risk management practices and report major incidents. The proposal received its first reading in April 2014, in the outgoing Parliament. Negotiations between the EP (rapporteur Andreas Schwab, EPP; Germany) and the Council are continuing with a view to concluding an early second reading agreement.
Solidarity Clause
Legal framework
The EU Solidarity Clause was introduced with Article 222 of the Treaty on the Functioning of the European Union (TFEU), which states that:
The Union and its Member States shall act jointly in a spirit of solidarity if a Member State is the object of a terrorist attack or the victim of a natural or man-made disaster. The Union shall mobilise all the instruments at its disposal, including the military resources made available by the Member States, to … assist a Member State in its territory, at the request of its political authorities, in the event of a natural or man-made disaster.
For a long time, there was no clarity on how the invocation of the Solidarity Clause would work in practice and what would be its implications. After many months of discussion in a 'Friends of the Presidency' Group, the Council adopted rules and procedures for the implementation of the Solidarity Clause in June 2014. The Council Decision (2014/415/EU) clarifies the definition of the concept of a ‘disaster’ in the context of Article 222. It is defined as ‘... any situation which has or may have a severe impact on people, the environment or property, including cultural heritage’. The same document defines 'crisis' as 'a disaster or terrorist attack of such a wide-ranging impact or political significance that it requires timely policy coordination and response at Union political level'. Such a broad definition implies that it would be possible to activate the Solidarity Clause in order to address the consequences of a severe cyber-attack, dealing with the consequences of which would be beyond the capacities of a Member State.
Invocation of the Solidarity Clause
Based on Decision 2014/415/EU on implementation of the Solidarity Clause, the political authorities of the affected Member State may invoke the Clause if they conclude that the crisis overwhelms their response capabilities. The implied condition, however, is that the possibilities offered by existing means and tools at national and Union level have already been exploited. The invocation should be addressed to the Presidency of the Council, and to the President of the European Commission through the Emergency Response Coordination Centre (ERCC), which acts as the central round-the-clock contact point at Union level with Member States' competent authorities and other stakeholders, 'without prejudice to existing responsibilities within the Commission and the HR and to existing information networks'.[10] The Presidency informs the President of the European Council and the President of the European Parliament of the Solidarity Clause's invocation (see the annex). Subsequently, the political and strategic direction of the Union response is ensured by the Council whereby the Council Presidency activates Integrated Political Crisis Response arrangements (IPCR) and provides information to Member States.
The ERCC facilitates the production of Integrated Situational Awareness and Analysis (ISAA) reports – in collaboration with the EU Situation Room and other Union crisis centres – that should allow for a strategic overview of the situation within the Council.
The European Commission and the High Representative of the Union for Foreign Affairs
and Security Policy are tasked to:
Identify all relevant Union instruments – including military capabilities – that can best contribute to the response to the crisis, and propose the use of resources within the remit of Union agencies;
Advise the Council on whether existing instruments are sufficient;
Produce regular integrated situational awareness and analysis (ISAA) reports to inform and support coordination and decision-making at political level in the Council.
Implementation of the Solidarity Clause by the EU should rely on existing instruments to the extent possible, and should increase effectiveness by enhancing coordination and avoiding duplication. The EEAS contributes to raising situational awareness by providing intelligence and military expertise, as well as through the network of EU Delegations that may also contribute in the response to threats or disasters on Member States' territory, or to crises with an external dimension. Depending on the crisis, relevant contributions may also be required from the EU agencies under the Common Foreign and Security Policy (CFSP) and Common Security and Defence Policy (CSDP) structures.