Promoting Actor Co-operation

The most prominent measure for ensuring security and minimising risks in the 2001 Proposal – and a core component of the EU’s cyber security discourse – was actor co- operation. In 2001 this co-operation was manifested in sharing best practice (European Commission, 2001a, p. 21). One of the most important elements in developing resilient systems to protect critical infrastructures was for the actors involved in service provision and maintenance – the private network operators and national authorities – to exchange information on threats as they occurred. It was noted that experienced engineers were surprised by the novelty of some incidents. This highlighted the need for a reliable warning system and framework for information-sharing across the EU (European Commission, 2001a, p. 21). It was further noted that Computer Emergency Response Teams (CERTs) had been established in some Member States by 2001. Belgium was specifically mentioned (European Commission, 2001a, p. 21). However, it was also noted

that co-operation between these CERTS was problematic due to differing operational parameters and levels of expertise.

The Commission therefore proposed to develop measures to strengthen co-operation and facilitate information exchange. It also intended to examine, in co-operation with Member States, “how to best organise at European level data collection, analysis and planning of forward-looking responses to existing and emerging security threats” (European Commission, 2001a, p. 22). This was of particular importance for tackling online crime. In a foreshadowing of the establishment of a high-tech crime centre at Europol the following year, the 2001 Proposal envisaged the establishment of an EU forum on cyber- crime to “enhance mutual understanding and co-operation between all interested parties” (European Commission, 2001a, p. 19). The sharing of information and best practice would be vital tools in the fight against cyber-crime, and the EU with its inherent internationality, was ideally placed to facilitate this.

The NIS Proposal was an important step in EU cyber security policy-making because of these policy choices. It was the first recognisable “cyber security” policy. While previous

acquis documents had addressed the core aspects of cyber security and initiated important

policy paths, the NIS Proposal was the first time these had been brought together. The sum total of all of these actions was that the 2001 NIS Proposal drew together the elements which established the path dependencies of EU cyber security policy-making in subsequent years. The ultimate aim of EU policy in the period between 1985 and 2001 was the protection of economic viability and capabilities. This was to be achieved through ensuring that the systems and networks which underpinned this economic viability were able to continue functioning and providing the services for which they were designed (European Commission, 2001a, p. 3). To achieve this, the NIS Proposal defined exactly what NIS was, clarified the threats involved and provided a clear policy framework in order to address those threats. In 2001 this framework was based on harmonising private sector protocols, the sharing of information on security breaches, ensuring the continuity of critical services and an explicit commitment to treat malicious incidents as criminal acts.

6.6. Conclusion

This chapter has shown that important cyber security policy paths were established between 1985 and 2001. In 1985 the Single Market was established with a focus on ICT as an industry for investment and economic growth. In 1987 the Single European Act entered

into force, followed by the Maastricht Treaty in 1992. These two Treaties established the EU’s competences in economic affairs and restricted its capacity in external security and defence policy. Together, these three milestones created a socio-economic environment in which future cyber security policy would develop. It was in this environment that the EU first began to respond to cyber threats.

These threats were described in socio-economic terms: copyright breaches, payment card fraud, illegal drug production, libel and even the protection of minors. Due to a combination of competences restricted by successive Treaties and the division of policy responsibility initiated by the Maastricht Pillar system, the EU addressed cyber security concerns through an economic lens, establishing an interpretation of the problems. This influenced the manner in which these issues were approached and conceptualised. Instead of tackling issues such as distributing harmful content online, credit card fraud or libel as solely criminal justice problems requiring criminal justice solutions, the EU approached them by seeking to minimise their impact on the economic potential of cyberspace. As stated explicitly by the Commission in COM (1996) 487 on Illegal and Harmful Content

on the Internet “the presence of illegal and harmful content on the Internet has direct

repercussions on the workings of the Internal Market” (European Commission, 1996a, p. 4). These threats were to be managed in such a way as to cause minimal damage to the continued operation of the Internal Market. This management and limitation of impact created a policy path which would influence the nature of the EUCSS in 2013. That policy does not establish methods or techniques for seeking out malicious actors and criminal activity. Rather it seeks to ensure the continued functionality of cyberspace and the Internet (European Commission, 2013a, p. 5). The important point to make at this juncture is that Union competences locked a socio-economic discourse in place despite themselves being formalised after the initiation of EU interest in ICT and cyber issues. This demonstrates that institutional arrangements such as the EU’s system of competences can have significant effects on pre-existing policy paths.

The chapter provided tabular analyses comparing important acquis milestones with the EUCSS. This provided evidence of the linear connection between the EUCSS and its predecessors without lapsing into determinism or historical causality. There is a linear progression between the earliest cyber security acquis and the EUCSS of 2013, showing that these documents are part of an underlying discourse.

The chapter also showed that the socio-economic interpretation was cemented in 2001 with the publication of the NIS Proposal. This was the first publication which includes recognisable cyber security elements. Despite containing specific threat typologies and a codified definition of cyber security, the Proposal established the EU’s approach as one which sought to ensure the continued exploitation of this developing commercial domain. NIS was seen as a tool for ensuring economic growth and social advantage, as opposed to a function of national security or defence.

The identification of the initiation of path dependencies in the timescape is important for a number of reasons. First, these paths were instrumental in setting the tone for the incremental development of a socio-economic cyber security discourse. Second, while a purpose of this thesis is to identify those institutions which have had an influence on the EU’s cyber security discourse and policy-making, it is just as important to identify why such a discourse developed. The convergence of the establishment of the Single Market in 1985 and the signing of the Single European Act, with its explicit security restrictions, represents the point at which that socio-economic cyber security position began. This is an important point in an HI analysis: the establishment of path dependencies. Once these paths are in place – i.e. once particular policy choices have been made – there then follows a period of consolidation and policy entrenchment. This consolidation will be the focus of the following chapter.

At this point in the analysis it would be too early to declare that the path to the EUCSS of 2013 was laid out in any deterministic manner. The seeds were nevertheless planted in the mid-1980s. The clarification in Treaties of the EU’s security competences as well as the initiation of the Single Market established path dependencies which, as will be shown in the following chapters, would prove highly resilient (Pierson, 2000, p. 263). From an HI perspective the principles and procedural norms established between 1985 and 2001 created strong path dependencies, which would be consolidated in later years. This process of consolidation occurred between 2002 and 2006.