As part of their Lisbon Summits of November 2010, both the EU and NATO prioritized securing cyberspace as key to the collective security of Europe and of the alliance. Separately, each organisation is making incremental progress, but if the EU and NATO combine the power and resources of both organizations, they could achieve a far more effective response to cyber threats.
At the end of September 2011 both the EU and NATO announced plans for their respective incident response centres. The NATO Cyber Incident Response Center (NCIRC) should obtain full operational capability for 24/7 incident detection and response capabilities across NATO organisations and infrastructures by the end of 2012. It took 10 years to achieve this vision (originally conceived as part of the Prague Summit in 2002) and its success requires the co-commitment of NATO and national funds from the allies. Meanwhile, on 22 September the European Commission launched the stand-up of the Computer Emergency Response Team (CERT)-EU. Its mandate will be similar to the NCIRC: to provide operational incident management for EU institutions. Today, CERT-EU offers access to technical advice and security-related news and advisories. Once this EU initiative obtains greater capability, information should flow freely between this and the national CERTs across the 27 EU member states.
At the same time, NATO has plans to stand up its “Alliance Watch and Warning Network”, where the NCIRC extends its reach and possibly support to each member state’s CERT. Yet given the debt crisis and other fiscal pressures, it is only logical to ask whether it makes sense to artificially separate a multilateral cyber-posture along civilian and military lines, and duplicate all the effort and expense in this manner. After all, NATO and EU policy makers meet monthly to exchange technical information and to bring transparency to their respective efforts.

Perhaps this is an area where they can align agendas; possibly even realizing the principles of pooling and sharing that lie at the heart of the so-called “smart defence” initiative. The 24/7 operational capability that both organisations are creating is in high demand – but this is a limited and expensive technical resource. By combining the power of both institutions, everyone could achieve economies of scale and a stronger defensive cyber posture. Another area where the EU and NATO should cooperate is preparedness or readiness. On 3rd November the United States and the EU conducted a day-long exercise entitled Cyber Atlantic 2011.
It helped member states explore how to cooperate and respond to a cyber-attack against critical infrastructure, including a power grid. NATO conducts similar exercises as part of its Cyber Defense Awareness, Education, Training and Exercise program.
Such exercises help the allies understand how NATO will defend its networks and infrastructures. These exercises also highlight shortfalls in crisis management arrangements between civilian and military authorities. Given that both institutions are exercising roles and responsibilities in the event of a crisis, wouldn’t it be prudent to understand which organisation is in charge and under what circumstances?
Both will admit that the private sector sits at the crux of their ability to address a crisis and restore essential services. NATO doesn’t necessarily have the same ability to turn to industry to help solve the problem as does the EU, which can use its policy, regulatory and financial instruments. How will NATO leverage the EU’s ability to call upon industry as partners in the event of a crisis? It would seem that a combined exercise between NATO and EU officials could help both organisations deconflict operational lines of authority and begin to streamline policy.
The power of both working together may lead to a more holistic cyber posture as envisioned by their Lisbon Summits, and take us one step further in realising NATO Secretary General Rasmussen’s vision of “smart defence”.
Finally, the Internet does not distinguish between military and civilian functions; nor does it distinguish between private and public sectors. The Internet has made us interdependent, which requires us to work together toward common security priorities.
The EU and NATO need a roadmap for cooperation which recognises that cybersecurity sits within both institutions’ purview. Shrinking national budgets demand more efficient use of resources, and that requires policymakers to work together.
They can do so by optimising information sharing, facilitating collaboration, assuring digital interoperability and transparency and, in the event of a crisis, leading the response and restoration of essential services and functions.
We can’t afford to have bureaucracy get in the way of progress; we need to leverage the power of both institutions.
By Melissa Hathaway
Melissa E. Hathaway is the former acting Senior Director for cyberspace in the US National Security Council.
She has since founded Hathaway Global Strategies, and is also an advisor on cyber-security issues at Harvard University.
She is in the GCSEC Council of Experts.