EU proposes a united cyber defense front following Russia’s invasion of Ukraine

The European Commission proposed a new cybersecurity policy on Thursday to ensure member states can coordinate their digital defenses in the wake of Russia’s war on Ukraine.

The EU Cyber Defense policy calls on member states to “significantly increase investments in modern military cyber defense capabilities in a collaborative manner” and stressed the importance of strengthening the bloc’s “key partnership” with NATO.

“Russia’s unjustified and unprovoked military aggression against Ukraine has been a wake-up call for all questioning the EU’s approach to security and defense, its ability to promote its vision and defend its interests, including in cyberspace,” the Commission said in its Joint Communication with the High Representative for Foreign Affairs and Security Policy.

The proposed policies are intended to increase coordination between member states at a national and military level, as well as to secure cyber defenses throughout Europe. They would be implemented by member states working with the Commission and Council on a range of initiatives, including setting up an operation network for military computer emergency response teams (milCERTs) and developing EU cyber defense exercises. 

In September, the Commission introduced new security standards for internet-connected products — from smartphones to fridges — as the bloc attempts to address the growing threat posed by cyberattacks. In the joint communication released Thursday, they noted that “even non-critical software components can be used to carry out cyberattacks.”

Also mooted during a press conference on Thursday morning in Brussels were offensive cyber capabilities. Thierry Breton, the French commissioner for the Internal Market, told journalists: “You have to be able to pre-empt, you have to be able to plan, you have to be able to defend yourself, to protect yourself, but you also have to be able to attack.”

France has historically been a strong supporter of the idea of a European Army. Under the existing treaties of the European Union, defense and security matters remain a sovereign issue for each member state.

Although the document’s language was not explicit about such offensive operations, it did call for “active defense.” 

“The EU needs to take on more responsibility for its own security. This requires modern and interoperable European armed forces. Member States must therefore, with urgency and priority, commit to increase investments in full-spectrum cyber defense capabilities, including active defense capabilities. Whilst remaining fully committed to international law and norms in cyberspace, the EU should signal its willingness to use these capabilities in a coordinated way in case of a cyberattack on a Member State.”

Clarifying his statement to journalists, Breton said: “Of course, we need to be credible… It’s not in our hands [the Commission’s]. [Member states] are the ones to act in this field, of course. But the question is that some of them want to be more coordinated.

“Some Member States have the capacity today to react, and it’s important that one — could be privatized, could be hackers, could be whoever — should know that we have the ability to detect and to react,” he said.

Max Smeets, the director of the European Cyber Conflict Research Initiative and a senior researcher at ETH Zurich, told The Record Breton’s statement could be correctly interpreted several ways. On one hand, it is in line with a “trend” in EU policy.

“In recent years, the EU has started to look into options to respond more forcefully to cyber operations. Indeed the last EU Cyber Security Strategy in 2020 talks about the importance of ‘Building operational capacity to prevent, deter and respond’,” said Smeets. 

But he argued that Breton’s statement is also “remarkable” for having explicitly interpreted the Joint Communication’s reference to “active cyber defense” as being “able to attack” — a concept which the European Union has been hesitant to fully endorse.

“Unlike the U.S., the EU rarely talks about going on the ‘offense’ in cyberspace,” said Smeets. “It is more common to use the concept of ‘active cyber defense’ –- even if policy makers have not yet fully spelled out what it means.”