The Influence of Competence on Establishing Cyber Security Principles

Chapter 6 | Creating Path Dependence 1985-2001

6.3. The Influence of Competence on Establishing Cyber Security Principles

6.3.1. The 1987 Single European Act

In the years between 1985 and 2001, the period in which EU cyber security policy foundations were established, two important Treaties entered into force which had a direct impact on all areas of policy-making, including cyber security: the Single European Act of 1987 and the Maastricht Treaty of 1992.

In September 1985, two months after the Commission published its landmark White Paper on completing the Internal Market (European Commission, 1985), a move commenced to re-evaluate and reform the Treaties governing the functioning of the European Communities. Amidst acrimonious debates in the European Council, an intergovernmental conference (IGC) began (Dinan, 2010, p. 80). Buoyed by the relative success of the Single Market, negotiations progressed towards a radical reshaping of the Communities system through a Single European Act (SEA).

One of the most important elements of the SEA was that for the first time a treaty base for European political co-operation (EPC) was set out (Smith, 2015, p. 287). This established measures for future co-operation across the whole range of Union activities and moved the EU away from intergovernmentalism (Staab, 2013, p. 18). The SEA also mentioned the concept of “security” for the first time in this EPC framework. What is of particular consequence for cyber security policy-making is that it restricted the EU to “political and economic aspects” of security (European Union, 1987, p. 1049). In 1987 this softer approach to security was of greater symbolic significance than of practical importance. In its infancy as the European Coal and Steel Community the EU’s purpose was to facilitate the development of an international system which veered away from military conflict. It did this by promoting economic, social and political co-operation (Dinan, 2010, pp. 17–18). To have this enshrined in a treaty seemed logical. This restriction was codified in the Petersberg Tasks of 1992 which specified that any military action under an EU banner would be restricted to peace-making, peacekeeping and rescue tasks (EEAS, n.d.). The SEA and Petersberg Tasks were, however, of crucial significance for future attempts to address security problems, in particular those which arose from cyberspace.

The SEA’s restriction of European involvement in security and foreign policy issues to their political and economic aspects drastically reduced the EU’s capacity to develop a truly holistic approach to cyber security. The scale of interconnectedness of the Internet, as well as the number of critical infrastructures which would rely on a functioning cyberspace by 2013, was a problem unforeseen in 1987. To borrow a phrase from chaos theory, the drop in the ocean that was the logical restriction of the EU to non-military, non-defence security considerations would create serious ripples (Gleick, 1997) when it was recognised by the 2000s that these areas were intricately linked due to the nature of cyberspace.

Because this issue was not foreseen, the EU continued on its softer security path post-SEA. By 1992 the restriction to socio-economic aspects of security was further entrenched by the signing and entry into force of the Treaty on European Union, better known as the Maastricht Treaty. While the SEA established the parameters for security policy, the Maastricht Treaty set up a policy-making framework which would further curtail the EU’s capacity to develop policy in foreign and security matters. It placed this sector in an intergovernmental policy-making and legislative process. This would require unanimous decision-making in the Council of the European Union. By contrast, economic decisions could be passed by a qualified majority. This divided system would become known as the Pillar System of the EU.

6.3.2. The 1992 Maastricht Treaty and the creation of policy pillars

It is not the aim of this section of the chapter to enter into a lengthy analysis of the terms of the Maastricht Treaty. Such analyses have been conducted elsewhere (Bache et al., 2011; Bulmer, 1997; Dinan, 2010). However, it is beneficial to briefly consider the terms of the Treaty and how it affected Union policy- and decision-making in general before examining its precise impact on cyber security policy paths.

While the SEA established a co-operative framework for EU policy, the Maastricht Treaty was the first major revision of the Union’s structure, policy-making processes and organisation since the 1957 Treaty of Rome. At its heart were measures to introduce elements of political union (Europa, n.d.). In addition to tools for co-operation, the Treaty initiated specific measures to promote greater political and economic integration. These included preparations for economic and monetary union (Dinan, 2010, p. 82; Staab, 2013, pp. 19–21) and the creation of a “European Union” founded on the European Communities (European Union, 1992, p. 7). Core aims of the Treaty were the completion of the Internal Market project begun in 1985 (European Union, 1992, p. 4) predicated upon the free movement of goods, services, persons and capital (European Union, 1992, p. 12). One of the most important aspects of the Treaty was the establishment of jurisdictions of responsibilities between the Member States and the EU: the areas of “competence” for each party.

For the EU, these competences were designed to set out in which areas the Union could create legislation and policy. As examined in Chapter 4, under this system, there were certain areas of “exclusive competence”, where the EU had sole jurisdiction. Under the principle of subsidiarity, it made more sense for the supranational entity that was the EU to draft policy or legislation than for the individual Member States to do so due to the nature or scale of the policy area (European Union, 1992, p. 13; Interview, Purser, ENISA, 2014).

One level down from exclusive competence was shared competence, where decision-making would be carried out by both the EU and the Member States. The majority of areas of Union policy would fall under this heading and incorporate the policy- and decision-making processes of the Treaty of Rome. Decisions in these policy areas would be taken via the “Community Method”, whereby votes in the Council of the European Union were passed by a qualified majority (QMV). The functioning of the Internal Market and other aspects of economic policy fell into this category, including the nascent field of cyber policy. This comprised the first “pillar” of the new European Union.

The European Commission was afforded a right of initiative in this area, whereby it could propose policy and legislation if it saw a need (without instruction from the Council of the European Union or the Parliament). These proposals were subject to final decisions being made by the Council.

The Treaty also established two other fields of policy-making. These were the areas of the Common Foreign and Security Policy (CFSP) [33], and co-operation in the fields of Justice and Home Affairs (JHA). The key difference in these areas was the method of decision-making. Rather than using QMV, unanimous intergovernmental decisions were required.

The result of this division of remits was a system of three specific areas of Union policy, defined by their decision-making setup. These became known as the “Pillars of the EU”, illustrated in the diagram below [34].

[33] The Common Foreign and Security Policy pillar was established despite the EU having very limited external competence (See Chapter 4). The aim of the CFSP was to enable the EU to speak on the international stage with one voice (European Union, 2016). Although military competence is highly restricted, in the field of diplomacy and international partnership, the EU speaking as a single entity has more “clout” than were each individual Member State to engage in its own.

[34] Image Source: http://www.cvce.eu/en/obj/the_three_pillars_of_the_european_union_maastricht_7_february_1992-en-37b4b8c8-0f00-4c1c-bec8-bcdf4b26807d.html

Diagram 6-1: The Pillars of the EU post Maastricht

As stated above, the Internal Market fell into the First Pillar, the Communities. Due to their importance to the Internal Market, ICT (cyber) issues also came under this policy- and decision-making system. This enabled the EU to engage proactively with those issues in an economic sense due to its shared competence. Union cyber security policy contains at its core a strong economic focus. The origins of this economic focus have been shown to be traceable to the initiation of the internal market in 1985 (European Commission, 1985, p. 20), and to subsequent moves to establish a secure information society (Bangemann, 1994; European Commission, 1996a, p. 96). The Treaty of Maastricht served to solidify this approach by placing cyber issues within a decision-making Pillar, the bulk of which concentrated on the functioning of the internal market.

Placing cyber policy within this First Pillar had another consequence, however, particularly since criminal justice matters were handled under the Third Pillar of JHA. It further restricted the manner in which the EU could address security issues emanating from cyberspace. The reduced security competence enshrined in the SEA and the codification of foreign and security policy into the intergovernmental CFSP Pillar therefore restricted EU cyber security policy to socio-economic matters. It is significant, however, that this institutional restriction was put in place after the EU’s socio-economic interest in ICT was established. What that restriction did was prevent any deviation from already established paths and lock out other potential avenues of cyber security policy or solutions outside of the socio-economic discourse.

This does not mean that the EU was naïve in its perception of the developing digital domain, or its own information society (European Commission, 1996e, p. 5). As the 1990s progressed, the EU became increasingly aware of the capacity for cyberspace and the internet to be abused (European Commission, 1996a). However, the placing of criminal justice policy in a separate Pillar to the Internal Market complicated the capacity of the EU to respond to this abuse. It necessitated a creative approach on the part of the Union to such issues in order to be able to effectively address them and ensure the viability of the Single Market. That approach would be to interpret online criminal activities as threats to the ongoing functionality of the Single Market, thus making them socio-economic issues.