Cyber-defence needs to be implemented in EU's military activities

Cdr Jan-Peter Giesecke is Head of the Cyber Defence Team of the EU Military Staff (EUMS) within the EEAS

All Common Security and Defence Policy (CSDP) activities of the European Union, including military missions and operations, are dependent on effective command and control, on assured information and functioning, as well as on uncontested communication and information systems.

They rely on the availability of free and secure access to the internet or – using the newer and broader term – to ‘cyberspace’. But cyberspace is becoming a new battlefield. Cyber-attacks are daily business, and part of foreign affairs as well as CSDP operations and missions.

Anonymously, without attribution, and below the threshold of armed conflict, adversaries are using the cyber domain to accomplish their political, economic and military objectives in emerging ‘hybrid’ scenarios. The means vary from sharing disinformation in social media and influencing public opinion and electoral behaviour to more severe, destabilising operations: cyber-attacks targeted at energy, transport or banking systems, and even direct cyber operations on the EU’s CSDP networks.

Although there is no evidence yet being specifically targeted, operations and missions are facing growing cyber-threats.

In 2014 – in the follow-up to the publication of the EU Cyber Security Strategy – the European External Action Service developed a framework policy to improve Europe’s resilience against cyber threats in CSDP activities and develop capabilities for cyber-security and defence implementation.

Recently, the Global Strategy for the EU’s Foreign and Security Policy designated cyber-security and defence as a priority. These high-level documents form a valuable foundation for the implementation of cyber-security and defence in CSDP activities.

For the three most recent EU military missions, an appropriate consideration of cyber-defence aspects was achieved in planning; resilience and protection of command, control and communication information have been implemented successfully.

The missions also identified four lessons for the future:

* Human risk mitigation: The most important aspect of resilience is to prepare the people involved, as the most common ‘cyber-vulnerability’ is the human element. This essentially requires a change in culture and behaviour in handling and working with information and communication technologies, which can be achieved through constant education and by regular cyber-awareness training.
* Early planning: To ensure effective cyber-security and -defence during conduct, it is essential to consider cyber aspects as early as possible during the planning phase.
* Sharing Cyber Intelligence information: Cyber aspects must be included in and seen as part of the overall threat evaluation for the planned operations or missions. Any planning and conduct of cyber-defence has to be supported by continuous cyber-intelligence information. This information is to be provided by the EU’s strategic intelligence structures, underpinned by intensified information-sharing between member states and other partners.
* Increased awareness: Importantly, commanders and their staff must be able to understand detailed cyber-related information. They have to know about the relevance of the cyber domain in today’s conflicts ‒ to be accepted and used as the fifth operational domain equal to land, air, sea and space ‒ and the impact of cyber operations.
In view of the above-mentioned challenges and reflecting the lessons learnt, the EU Military Staff (EUMS) developed a new ‘EU Concept for Cyber Defence for Military Operations and Missions’ in 2016. The aim was to describe the process of an assured and effective consideration of cyber aspects in (military) planning and give means to implement cyber-defence measures in operations and missions, addressing cyber-specific organisational and procedural aspects as well as requirements for member states’ provision of cyber-capabilities for CSDP activities.

The Cyber Defence Concept also defined follow-up activities to implement cyber-defence in CSDP activities. A major task is building up resilience, mainly through education, training and exercises, and the streamlining of the EU’s cyber-defence education and training landscape.

Supported by the EUMS and the member states, the EU Military Training Working Group (EUMTG), the European Security and Defence College (ESDC) and the European Defence Agency (EDA) are working hand-in-hand on new initiatives for the design, development, conduct and evaluation of training activities and exercises, from awareness training to courses for high-level decision-makers.

A key enabler for this work is cooperation with civilian and military partners. While cyber-expertise from industry and academia is linked into the processes mainly by the EDA and the ESDC, the EUMS interacts closely with NATO on military aspects of cyber-defence. The implementation plan of the EU-NATO Joint Declaration, adopted by the European Council in December 2016, gives a huge impetus also to the common use and development of training and exercises by the two organisations.

The success of cyber-defence in security operations and missions remains dependent on a well-balanced combination of state-of-the-art technology, well-functioning structures and procedures, as well as educated, cyber-aware and competent staff.

But, more than ever, this success has to be enabled by agreements on cooperation and sharing of information on cyber incidents, both with external partners, such as NATO, and internally, across member states and EU institutions.

With likely organisational changes and the integration of civil and military elements in crisis management and response, there is a clear need for an integrated approach to counter cyber- (and hybrid) threats for a stronger stance and more resilience across all military and civilian security and defence activities.