MEMO ONCYBER SECURITYThe State of PlayThe US and Europe have seen a dramaticincrease in cyber incidents in the pasttwo years. An analysis of such eventssince 2006 shows that of 97 known majorincidents, 44 were aimed at US-basedtargets and 28 at European targets,including the highly publicized attacksin Estonia in 2007 and Georgia in 2008. 1Even excluding unreported incidents, thedanger these subversive activities pose tothe most essential arteries of economicactivity in the US and Europe is clear. TheUS intelligence community believes cyberespionage represents a larger threat thantraditional espionage. 2 And these threatsare increasing.Two trends are changing the threatlandscape. First, with greater relianceon smartphones and other handhelddevices, networks are increasingly goingmobile. Storage and access points aregrowing via new network resources suchas cloud computing. Second, service andcontrol functions, including commercialpayments ranging from large moneytransfers to small retail purchases withswipe cards, are migrating online. Thesecommercial transactions are not solelymonetary; they are also tied to transfersof highly sensitive personal identitydata. In both cases, cultural shifts aredriving individual online connectivityand eroding barriers of state-basedjurisdiction, increasing vulnerabilities fornefarious actors to exploit.When the Internet was created, theinitial concern was openness, notsecurity. Its guiding philosophy has longbeen one of open access developed bya “self-regulated, non-governmentalcommunity”. 3 As a result of this openness,two factors color the cyber securityapproach of early-adoptive digitalsocieties such as the US and Europe:The central tension of cyber security policy is theinherent tradeoff between regulating a secure andsafe cyber space while creating an online environmentthat fosters optimal economic and political outcomesfor citizens across the globe.1) offensive capabilities dominatedefensive capabilities; and 2) the primarydeterminant of vulnerability is the degreeof technological integration. For thesereasons, a Maginot Line against cyberincidents will not work. 4Cyber security policy cuts across atangle of interlocking policy areas,from defense to homeland security,from criminal justice to commercialpolicy and civil liberties. Protection ofmilitary assets, cyber cover in combatoperations and offensive militarycapabilities are the areas to which theUS government and EU member stateshave devoted the greatest resources.Protecting areas of the private sectorthat are fully dependent on the Internet,hardening the defense and resilience ofcritical infrastructure, and combatingcyber crime and e-espionage, all directlylinked to economic security and lawenforcement, is also important. At thesame time, maintaining a free and openglobal Internet that is a conduit for civildiscourse and organization has becomea central tenet of democracy. The centraltension of cyber security policy is theinherent trade-off between regulatinga secure and safe cyber space whilecreating an online environment thatfosters optimal economic and politicaloutcomes for citizens across the globe.The Government Accountability Office(GAO) has sounded the alarm aboutUS cyber policy’s failure to keep pacewith the threats. 5 The lack of neededskills across government agencies anddepartments is magnified by the needto create a coherent international policyon cyber security. The inability of the112th Congress to pass comprehensivecyber security legislation means that theadministration will have to set policyon these issues within the limits ofcurrent law, domestic and international.Exploration of collective cyber defensewith Europe will require mergingdisparate security concepts into anoverarching cyber policy encompassingtrade, offensive capabilities, resilience,data protection and the creation ofinternational norms. 6US and European threat assessmentsare similar, and Europe represents anatural cyber security partner for theUS, bilaterally and internationally.Indeed, there is a robust trans-Atlanticlinkage for much of the financial sectoras well as for many Internet services andsocial networks that are repositories forhighly sensitive personal information.US military bases in Europe are alsoreliant on the continent’s infrastructure.But the dense net of interconnectivityfacilitated by the size and opennessof European states, the formationof their single market and their earlyadoption of Internet technology all makeEurope a uniquely challenging cybersecurity landscape.Some analysts have advocated for aclear division of labor on Europeancyber security policy between a pooled4 4Cyber Security
offensive capability centered at NATOand protection of civilian assets centeredat the EU at the continental level. Butunbundling these aspects could opengaps in policy. Given that, the US’s longtermapproach to Europe as a partneron cyber security should direct as muchcooperation as possible on civilian-basedpolicy and Internet governance to the EUlevel, limiting NATO to narrowly defineddefense-based cooperation. Pressure onthe European Commission to establishminimum standards on incidentresilience and response, including theneed for all states to have contingencyplans for cyber incidents and laws oncyber crime has slowly been increasing.The EU has an important role to play,particularly in citizen- and industrycenteredpolicies of defensive resilience,raising of awareness and public-privatepartnership development.The US’s long-termapproach to Europe as apartner on cyber securityshould direct as muchcooperation as possible oncivilian-based policy andInternet governance to theEU level, limiting NATO tonarrowly defined defensebasedcooperation.The NATO and US-EU Lisbon summitsin 2010 were the first to place cybersecurity policy at the heart of the trans-Atlantic relationship. NATO’s 2010Strategic Concept called on the allianceto create a cyber security policy and anaction plan for implementation, whichwas later adopted at the 2012 Chicagosummit. 7 Work since then has aimed toimprove centralization of NATO-assetcyber protection, hardening networks inmember states and refining policy andtraining. Meanwhile, US and EU leadersestablished a joint working group oncyber security with a mandate in fourpolicy areas: 1) incident management; 2)public-private partnerships; 3) awarenessraising; and 4) cyber crime. 8 After a rockystart, the US-EU working group hasdelivered some promising outcomes. AHigher degree of preparedness(four stars or greater)Lower degree of preparedness(fewer than four stars)November 2011 joint exercise, entitled“Cyber Atlantic”, ran scenarios dealingwith critical infrastructure compromisesand cyber theft. 9 The issue of marketaccess and source-code disclosurerequirements in third countries, an areain which the EU could prove to be apotent partner, was added to the agenda. 10And cooperation in 2012 on botnetsand smart grid protection demonstratefurther momentum.European PerspectivesAlthough there has been a markedincrease in discussion on cyber securityat the European level, Europeanpolicy for handling incidents is patchy.Differences among states range fromsome of the most sophisticated resilienceand offensive capabilities to some of theweakest in the developed world. Cybersecurity is a market-based issue, andas its single market develops, the EUhas rightfully sought to increase its rolein policymaking.Especially in states that are lagging,the EU has an important role to play insetting and standardizing cyber policy. Anuneven legal framework is complicatedby varying conceptions of privacy anddata protection. As with policy questionsrelated to homeland security and onlineintellectual property rights, cyber securityconcerns will be a political focal pointat the national and EU levels in comingyears. The US should monitor thesedevelopments closely.The EU can be a confusing cyber securitypartner for the US. The EuropeanExternal Action Service (EEAS) is stillplaying catch-up in its efforts to establishCyber Preparedness Stress TestsLarge European statesFrance, Germany,Spain, UKItaly, Poland, RomaniaSmall European statesDenmark, Estonia,Finland, Netherlands,SwedenAustriaSource: Cyber Security: The Vexed Question of Global Rules, SDA and McAfee, January 2012. EU memberstates not included in the stress test survey: Belgium, Bulgaria, Cyprus, Czech Republic, Greece,Hungary, Ireland, Latvia, Lithuania, Luxembourg, Malta, Portugal, Slovakia, Sloveniaa coherent external face for Europeancyber policy. The EEAS has a role as anexternal actor, but the EU’s CommonForeign and Security Policy (CFSP) hasyet to promulgate an international profilefor EU Internet governance.Furthermore, protection of EU institutionsis still seen as underdeveloped; aEuropean Parliament report bluntlystated that EU institutions are “poorlyprotected”. 11 A CERT for EU institutionswas established in 2011 after a batteryof high-profile breaches to criticalinstitutions including the EEAS, the EPand the EU’s emissions trading system.The long-term spying on the EuropeanCouncil by a Chinese cyber syndicatelinked to the Chinese People’s LiberationArmy is the most recent high-profilerevelation that reaffirms the vulnerabilityof Brussels-based institutions.In terms of ambition and developmentof offensive capability, the UK hews mostclosely to the US. London’s 2010 nationalsecurity strategy recognized cybersecurity as one of four top threats. 12 Cybersecurity is also one of only two areas inthe UK national budget that was not cutamid recent austerity measures. Highlysophisticated exercises between thepublic and private sectors, in particularthe financial-services industry, havecreated solid national crisis-managementnetworks. London has taken a leadingrole in crafting international norms.France’s cyber security policy, meanwhile,benefits from a highly centralized, statedrivenculture. The state’s central positionin security and economic life and itsregulatory propensity foster a high degreeCyber Security4 5
- Page 3: Field Manual to EuropeIntroduction
- Page 6: multilateral channels. Europeanshav
- Page 9 and 10: JuneBritish presidency of UNSCJune
- Page 12 and 13: US-EU Investment vs. Global Nationa
- Page 14 and 15: economic conditions in the eurozone
- Page 17 and 18: MEMO ONTHE EUROZONE CRISISThe State
- Page 19 and 20: attitude toward moral hazard. Withw
- Page 21 and 22: Greece: 2010 Bailout BreakdownGreec
- Page 23 and 24: the deficit from 4.5 percent to thr
- Page 27 and 28: NATO thus faces an uncertain future
- Page 29 and 30: 1. Consider NATO’s defensespendin
- Page 31 and 32: of-area operations and worldwidepar
- Page 33 and 34: concurrent terrorist attack in Beng
- Page 35: 2. Strengthen regionalpartnerships
- Page 38 and 39: MEMO ONCOUNTERTERRORISM ANDHOMELAND
- Page 40 and 41: home affairs (JHA), particularly in
- Page 43: Status of EU Countries in the US Vi
- Page 47 and 48: socialized, i.e. there is a tacit e
- Page 49 and 50: such technology, such as deep packe
- Page 51 and 52: MEMO ONENERGY & CLIMATE CHANGEThe S
- Page 54 and 55: identifying the agents most qualifi
- Page 56 and 57: MEMO ONTURKEYThe State of PlayTurke
- Page 58 and 59: as a rising regional and internatio
- Page 60 and 61: CASE STUDY: TURKEY’S ENERGY ROLE:
- Page 62 and 63: 22%12%Turkey’s Main Trading Partn
- Page 64 and 65: MEMO ONRUSSIAThe State of PlayIn Pr
- Page 66 and 67: EU-Russia security apparatus. Themo
- Page 68 and 69: greater market access for US busine
- Page 70 and 71: MEMO ONCHINAThe State of PlayIn 201
- Page 72 and 73: But China’s competitive meridian
- Page 74 and 75: in millions of USDUS-China Bilatera
- Page 76 and 77: 7 6Acknowledgements
- Page 78 and 79: CITATIONSINTRODUCTION1See “Confid
- Page 80 and 81: 20Castle, S. (17 September, 2011).
- Page 82 and 83: ARAB UPRISING1Koch, C. (summer 2011
- Page 84 and 85: COUNTERTERRORISM & HOMELAND SECURIT
- Page 86 and 87: 21Healey, J. (January 2012). Beyond
- Page 88 and 89: 20Berlemont, I. (25 July, 2012). Fr
- Page 90 and 91: 24Putin, V. (6 September, 2012). An
- Page 92: Bertelsmann Foundation1101 New York