Co-operation as a modus operandi

According to the EUCSS, the central methodological approach of the EU to achieving its conceptual goals is facilitating co-operation. Cyberspace is a borderless domain and cyber-risks and threats have a cross-border dimension (European Commission, 2013a, p. 9). The EU institutions and bodies are ideally placed to facilitate the development of a co- ordinated and collaborative approach to mitigating these risks (Interview, Smith and Jones, eu-LISA, 2014). That includes bringing the private sector into formal joint-working protocols such as the European Public-Private Partnership for Resilience (EP3R) (European Commission, 2013a, p. 6) or co-ordinating international cyber security exercises between nation states (European Commission, 2013a, p. 7; Interview, Purser, ENISA, 2014).

The reason for this focus on co-ordination in the EUCSS was a recognition that such work on the part of the EU should not be carried out at the expense of Member State initiatives, or in lieu of Member State capabilities. The EU sought to “bring together law enforcement and judicial authorities and public and private stakeholders from the EU and beyond” (European Commission, 2013a, p. 10). The aim was to complement rather than supersede the work of the Member States. This also enabled the EU to maintain its adherence to subsidiarity.

This is exemplified by the fact that the EU engaged in an arms’-length approach to achieving security predicated upon encouraging and incentivising the private sector and national agencies. In the 2006 Strategy for a Secure Information Society (SSIS) the EU established itself as a facilitative actor. Its function was not to prescribe specific solutions or recommend specific technical measures (Interview, Purser, ENISA, 2014). This reflected a longer-term trend of seeking to develop co-operation between actors throughout the cyber security policy-making timescape, as shown in Table 5-6 below.

Table 5-6: Linear continuity of “co-operation” as an ideational element

The rationale was that if all actors co-operated and co-ordinated their efforts, cyber security would be closer to being realised (European Commission, 2013b, p. 8,9). The purpose the EU was giving itself between 1985 and 2013 was to facilitate that co- operation. This is because it is acknowledged that no single actor can achieve cyber security on its own (European Commission, 2010b, p. 3, 2013a, p. 17; European Parliament and Council of The European Union, 2011, p. 6). Co-operation, information- sharing, on-going dialogue, co-ordinated regional, national and international measures are the fundamental aims of the EUCSS. The Strategy tasked agencies such as ENISA and Europol with pursuing those aims (European Commission, 2013a, p. 10).

The concept of co-operation also defined what kind of cyber security actor the EU was seeking to be. Due to restricted competences and an explicit acknowledgement that

1994 – Bangemann Report; 1996 - illegal

and harmful content

2001 – NIS Proposal 2006 – SSIS 2013 - EUCSS

Even if a published document is removed from one server as a result of intervention by the authorities, it can easily and quickly be copied to other servers in other jurisdictions, · so that it continues to be available unless and until such sites are also blocked. Thus

additional international co-operation is required to avoid "safe havens" for documents contrary to general rules of criminal law. (European

Commission, 1996a, p. 12)

Co-operation is essential to ensure early warning throughout the Union through the

instantaneous exchange of information on the first signs of attack in one country. Therefore co-operation with the CERT system within the European Union should be strengthened as a matter of urgency. A first action aiming at strengthening the public/private co- operation on dependability of information infrastructures (including the development of early warning systems) and improving co-operation amongst CERTS has been agreed in the context of the eEurope action plan. (European Commission, 2001a, p. 21)

The global dimension of network and information security challenges the Commission, both at international level and in co-ordination with Member States, to increase its efforts to promote global co- operation on NIS, notably in implementing the agenda adopted at the World Summit on the Information Society (WSIS) in November 2005. (European Commission, 2006a, p. 7) To promote cyber resilience in the EU, both public authorities and the private sector must develop capabilities and co- operate effectively. Building on the positive results achieved via the activities carried out to date further EU action can help in particular to counter cyber risks and threats having a cross- border dimension, and contribute to a co- ordinated response in emergency situations. (European Commission, 2013a, p. 5)

responsibility for achieving cyber security remained with the Member States, the EU set itself up as a facilitative actor. It was to be a lynchpin in international efforts designed to tackle transnational cyber risks. This is a role which the EU has the capacity, resources and crucially the competence to play30. It has set up specialist agencies tasked with operationalising certain aspects of co-operation and co-ordination in specific policy areas. The European Defence Agency (EDA) and the European External Action Service (EEAS) facilitate co-ordination and co-operation in foreign and defence policy. The European Network and Information Security Agency (ENISA) assists Member States with ensuring the resilience of infrastructures vital to the internal market and Europol, through the European Cyber-Crime Centre (EC3), co-ordinates vast amounts of data and law enforcement resources in tackling online criminal activity. On a conceptual basis, co- operation was therefore a core element of the EU’s entire approach to tackling cyber security threats and risks, and continued to be so throughout the 28 year timescape of policy development.

5.3. Conclusion

This chapter has shown that the EU developed a specific approach to cyber security as a policy sector over the 28 years between 1985 and 2013. That approach – its discourse – was focussed on treating the field as a socio-economic issue. Cyber security challenges, including criminal activity, breaches of privacy and even state-sponsored acts of aggression, were treated as threats to the ongoing functionality of the internal market. From the time the internal market was initiated, ICT and the burgeoning Internet were seen as vital sectors for the EU which could be used to promote economic growth and employment. Cyberspace and cyber security were crucial for the ongoing economic wellbeing of the Union. The EU’s unique position as a transnational actor meant that it was ideally positioned to tackle such issues as cyber-crime, with a view to promoting private citizen and commercial trust in new technologies. The EUCSS, representing the sum total and culmination of a policy-making process, is the exemplar of this discourse. Its initial chapters – in which the context for all EU cyber security policy in 2013 is set out – are founded upon that socio-economic discourse.

The chapter also included a comparative analysis of the EUCSS with its conceptual predecessors. The results of this analysis demonstrate that it was not a stand-alone

30

document. It was the culmination of a long-term process of applying a discourse constructed around five core ideational elements created at the initiation of the EU’s interest in ICT in 1985. These elements are: maximising economic potential; promoting trust; protecting fundamental rights; tackling cyber-crime and achieving these through fostering co-operation. These elements persisted in an unaltered manner throughout the EU’s timescape in this policy sector. In the 143 pieces of Union acquis identified for this thesis, these five ideational elements are the most frequently occurring concepts, underpinning the EU’s cyber security policy narrative. They are paths from which the EU did not deviate throughout the 28 years of the policy-making process and underpin the EU’s socio-economic discourse.

The EUCSS is therefore not just a part of a policy discourse, but the result of a cumulative, linear, evolutionary progression. By comparing key elements, namely five ideas underpinning a socio-economic policy, this chapter has demonstrated that linearity. By tracing the policy-making process through its various iterations in 1996, 2001 and 2006 the chapter has shown that the policy discourse was static. In the 28 years between 1985 and 2013 the threat landscape may have changed and new tools developed to address those threats, but the EU’s underlying discourse did not change. It remained focussed on the socio-economic priorities key to EU policy.

While not inferring a deterministic policy-making progression, the continued presence of these ideational aspects represents the strongest element of path dependency in EU cyber security policy and policy-making. The strength of this path dependency will be demonstrated in subsequent chapters of this thesis, when the resilience of the discourse to institutional stresses is examined.

The next task of this thesis is to examine how this path dependent discourse came about and look at why the EU’s discourse remained static. As stated in Chapter 1, a supplementary question for this thesis is whether or not the institutional influence of Union competences – the rules and standard procedures regulating policy-making – created an environment in which only socio-economic solutions could develop. The following chapters will examine the empirical data gathered to answer this question. This will address a key aspect of the substantive research question of this thesis by identifying an institutional arrangement which contributed to policy continuity in cyber security.