Chapter 6 | Creating Path Dependence 1985-2001
6.4. Responding to Increasing Security Concerns
The initiation of the Single Market in 1985 and the Bangemann Report of 1994 were crucial milestones in the development of EU cyber security policy because they established the Union’s economic focus in this sector. The provisions of the SEA and the Treaty of Maastricht were similarly important as they codified the capacity of the EU to engage in security matters.
While the EU was keen to exploit the economic, social and political opportunities of new digital media, the path to that exploitation was not without issue. The chronology of EU cyber security acquis demonstrates that, by 1996, concern was emerging that the Internet was being used to transmit harmful or illegal material – such as extreme pornography or content inciting racial hatred – as well as being “misused as a vehicle for criminal activity” (European Commission, 1996a, p. 3). This established a conceptual basis for the need for some sort of security policy addressing citizen and business interaction over the Internet. This set the stage for more specific network and information security (NIS) policies in the future.
The combined effects of these two paths can be seen in the Commission’s 1996 Communication entitled Illegal and Harmful Content on the Internet (European Commission, 1996a). This was another milestone in the development of cyber security policy as it established the core security components of what would become the EUCSS within the socio-economic framework established by its antecedents. Chief amongst these components was a list of security concerns set out in the Communication’s introduction. The Commission cited these threats and risks as having the potential for direct repercussions on the functioning of the Internal Market35 (European Commission, 1996a, p. 3). They are significant contributions to the cyber security policy timescape and hence merit citing here in full (emphasis in original):
national security (instructions on bomb-making, illegal drug production, terrorist activities);
protection of minors (abusive forms of marketing, violence, pornography);
protection of human dignity (incitement to racial hatred or racial discrimination);
economic security (fraud, instructions on pirating credit cards);
information security (malicious hacking);
protection of privacy (unauthorised communication of personal data, electronic harassment);
protection of reputation (libel, unlawful comparative advertising);
intellectual property (unauthorised distribution of copyrighted works, e.g. software or music)
The list of security threats is significant for two reasons. The first is that it retained the socio-economic prioritisation placed on ICT resulting from that sector’s importance to the Single Market (European Council, 1993a, p. 26) and formalised in the Bangemann Report. Protection of copyright, fraud prevention, illegal advertising and abusive marketing are predominantly economic concerns as they could affect user confidence in the EU’s digital space (European Commission, 1996a, p. 16). Data privacy and the protection of minors (European Commission, 1996a, p. 3) are predominantly social concerns, focusing on citizen safety and wellbeing.
The second reason this list is significant is perhaps more pertinent to the evolution of a recognisable “cyber security” policy. Issues such as the dissemination of bomb-making instructions, terrorist activities, protection of personal privacy, the incitement to racial hatred36 and electronic harassment37 were specifically cited as security and safety issues. A comparative exercise examining the content of the EUCSS and the Commission’s Communication on Illegal and Harmful Content (an exercise similar to that carried out between the EUCSS and the Bangemann Report in the previous section) demonstrates the similarity and linear progression evident between the two documents. This comparison is shown in Table 6-2 below.
35 This further reinforces the economic approach of the EU to this field.
36 Comparable to Conway’s (2005) conceptualisation of extremist propaganda as “cyber-cortical warfare”.
37
Table 6-2: Comparison of the EUCSS and COM (1996) 487
Column headings: COM (1996) 487 (European Commission, 1996a); European Cyber Security Strategy 2013 (European Commission, 2013a)
COM (1996) 487: national security (instructions on bomb-making, illegal drug production, terrorist activities);
COM (1996) 487: protection of minors (abusive forms of marketing, violence, pornography);
EUCSS 2013: Cybersecurity efforts in the EU also involve the cyber defence dimension. To increase the resilience of the communication and information systems supporting Member States' defence and national security interests, cyber defence capability development should concentrate on detection, response and recovery from sophisticated cyber threats.
COM (1996) 487: protection of human dignity (incitement to racial hatred or racial discrimination);
EUCSS 2013: Cybercrime comprises traditional offences (e.g. fraud, forgery, and identity theft), content-related offences (e.g. on-line distribution of child pornography or incitement to racial hatred).
EUCSS 2013: The EU international engagement in cyber issues will be guided by the EU's core values of human dignity, freedom, democracy, equality, the rule of law and the respect for fundamental rights.
COM (1996) 487: economic security (fraud, instructions on pirating credit cards);
EUCSS 2013: Across the EU, more than one in ten Internet users has already become victim of online fraud.
COM (1996) 487: information security (malicious hacking);
EUCSS 2013: Cybercriminals are using ever more sophisticated methods for intruding into information systems, stealing critical data or holding companies to ransom. The increase of economic espionage and state-sponsored activities in cyberspace poses a new category of threats for EU governments and companies
COM (1996) 487: protection of privacy (unauthorised communication of personal data, electronic harassment);
EUCSS 2013: Protecting fundamental rights, freedom of expression, personal data and privacy.
EUCSS 2013: Cybersecurity can only be sound and effective if it is based on fundamental rights and freedoms as enshrined in the Charter of Fundamental Rights of the European Union and EU core values. Reciprocally, individuals' rights cannot be secured without safe networks and systems. Any information sharing for the purposes of cyber security, when personal data is at stake, should be compliant with EU data protection law and take full account of the individuals' rights in this field.
COM (1996) 487: protection of reputation (libel, unlawful comparative advertising);
COM (1996) 487: intellectual property (unauthorised distribution of copyrighted works, e.g. software or music)
EUCSS 2013: Cybercrime comprises traditional offences (e.g. fraud, forgery, and identity theft), [and] content-related offences.
The only category which does not continue directly from 1996 to 2013 is that of protection of reputation. That being said, the specific subheading under the 1996 category includes libel and unlawful comparative advertising. It can be inferred that the modern phenomenon of “trolling” – publishing negative, deliberately damaging or hurtful comments on social media – could conceivably fall into both the 1996 category as being damaging to reputations and the 2013 category of protecting human dignity and rights38.
In the same way that there is a demonstrable linear progression from the economic policies of the Bangemann Report to the EUCSS, there is also such a linear progression from the Commission’s Communication on Illegal and Harmful Content to the EUCSS. When combined with the path dependencies established in 1994, this demonstrates that the EU’s Cyber Security Strategy was a product of policy decisions made in the 1990s.
This continuity or linearity is further demonstrated by the enduring nature of the security challenges faced. Security concerns regarding the exponential increase in the use of ICT by private citizens and commercial enterprises had up until this point been focussed on the protection of “natural persons” when their data was being processed via digital technologies (European Council, 1992, p. 29). To ensure adequate protections, and to engender trust in the new digital infrastructure, in 1992 the Commission issued proposals for two Directives which addressed issues which would become more widely known as “data protection”. One related to the protection of computer databases (European Commission, 1992a) and the other related to citizens’ personal and private information contained in those databases (European Commission, 1992b).
The objective of these Directives was to address the disparity of legal protection across Union membership and to recognise that unauthorised access to such databases could have “the gravest economic and technical consequences” (European Commission, 1992a, p. 1). There was an acknowledgment that some form of coherence and harmonisation of efforts across the Member States in the field of digital information protection would improve citizen and corporate trust in new media as well as facilitate the development of the internal market as a whole (European Parliament & Council of The European Union, 1995, p. 31, 1996, p. 20). This demonstrated that the focus for the EU at this point was not on the physical infrastructure underpinning cyberspace, but on digital information.
38 The protection of human dignity and minors in audio-visual and information services was itself the subject of a separate Commission Green Paper published in the same year, demonstrating the importance placed by the EU on this particular sub-field (European Commission, 1996f).
In a rare move in the field of cyber security policy, legislation was passed between 1995 and 1997 to protect personal data, databases and personal privacy (European Parliament & Council of The European Union, 1995, 1996, 1997)39. The move towards legislation began in 1991 when it was recognised that computer programmes necessary for networked communication were not sufficiently protected by current legislation in all Member States. Such legislation as did exist was not standardised (Council of the European Union, 1991, p. 1). The same was true of computer databases where citizen and corporate information was being stored (European Parliament & Council of The European Union, 1996, p. 1). The primary purpose of this legislation, therefore, was to introduce that missing coherence by bringing all Member States up to a certain minimum level of legal protection for both databases and the software on which those databases ran. Coherence and harmonisation would later become core elements of EU cyber security policy and action (Interview, Purser, ENISA, 2014).
In addition, equivalency of protection would be achieved across the Union Membership, particularly for personal and private citizen data (European Parliament & Council of The European Union, 1995, p. 32). This was to be achieved by all Member States being required to “bring into force the laws, regulations and administrative provisions” (Council of the European Union, 1991, p. 7) required in order to ensure compliance. The appetite for legislation continued with the passing in 1997 of the Data Protection Directive. That Directive sought to achieve:
the harmonisation of the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the telecommunications sector and to ensure the free movement of such data and of telecommunications equipment and services in the Community (European Parliament & Council of The European Union, 1997, p. 4).
The ultimate goal of this legislation, however, was to facilitate the free movement of data within the Union while at the same time ensuring a high level of protection for individuals with regard to the processing of their personal data and ensuring the development of open telecommunications networks.
39 While it was, and still is, unusual for the EU to pass formal legislation on cyber issues, it is important to note that the legislation passed in this first Phase were Directives. In the typology of EU legislative instruments – Regulations, Directives and Decisions (European Union, n.d.) – a Directive is “a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.” (European Union, n.d.). Directives therefore establish a framework or set of goals to be achieved, but Member States are left to their own devices when implementing or establishing measures designed to achieve those goals.
It is apparent that the EU was at this point beginning to engage in the facilitative role identified by commentators in Chapter 2 (Christou, 2016). It was flexing its muscles and enjoying the confidence boost of the successful initiation of the Single Market. Passing legislation on a specific aspect of that Market was symptomatic of this increased confidence. The backdrop to these specific measures to increase harmonisation and equivalency, however, was twofold. On the one hand was the requirement to carry out these measures for the smooth functioning of the new Single Market (European Parliament and Council of The European Union, 1996, p. 20, 1995, p. 31; European Commission, 2000b, p. 17). On the other, there was a growing realisation that the new technologies being advocated had the capacity to transmit potentially harmful content and make the dissemination of illegal material easier, and that the technology itself could be misused by criminal elements. While the benefits of the exponential growth of the Internet and its content far outweighed any potential drawbacks, the effects of illegal and harmful content could not be ignored (European Commission, 1997b, p. 1). To address this, the EU developed an action plan for promoting the safe use of the Internet designed to establish a common approach to the threats posed by illegal and harmful online content, as well as to draw together the disparate instruments used in that approach.
An obstacle to achieving this facilitative role became apparent at this point. By the late 1990s, the EU’s approach to cyber security consisted of a large collection of acquis communautaire of varying types. There was an array of regulations, policies, Council Conclusions and other acquis instruments which addressed issues ranging from personal privacy (EEA Joint Parliamentary Committee, 1994; European Parliament and Council of The European Union, 1995) to unauthorised access to the communications of the European Commission. There was, however, no unifying strategy covering security issues in cyberspace.
Seeing the need to ensure citizen and commercial trust and confidence in an increasingly interconnected society and information-driven economy, the European Council, under the presidency of Sweden, resolved in 2001 to work with the Commission to develop a “comprehensive strategy on the security of electronic networks including practical implementing action” (European Council, 2001, p. 23). ICT was becoming increasingly important to economic growth, competitiveness and the development of a more inclusive society (European Commission, 2000b, p. 2; European Council, 2001). In addition, digital technology was becoming increasingly important to the functioning of critical national infrastructures (European Commission, 2001a, p. 7). Securing these would be achieved through international co-operation (European Commission, 1998, p. 4).
The result of this convergence of recognition was the first formal attempt to produce a unified EU policy dealing with cyber security: a document entitled Network and Information Security: Proposal for a European Policy Approach published by the European Commission in 2001 (European Commission, 2001a).