Europe is at a far worse state when it comes to cyber defense than are the United States, Australia, and Japan. The reason is very simple: The way the European Union is set up is totally contra-productive to how public leadership should be able to address a rapid and cascading set of nation-state cyberattacks.
Pre-Internet institutional arrangements may cripple the future ability to utilize cyber as a national security instrument. The European Union, which is a separate entity with some overlap to the North Atlantic Treaty Organization, would naturally be a potential cyber powerhouse. A confederation of 28 countries—with ambitions to grow to more than 30—it represents a sizeable economy, over 300 million people, and a well advanced information technology establishment.
There is no supreme commander in the European Union. Each country has the right to design its own defense posture. Seen from a cyber-perspective the question is how to be able to react to rapid interchanges and attacks, which are escalating to a conflict, if there has to be a joint decision by 28 supreme commanders? Technically that can be solved by preauthorizing and dedicating specific agencies, but that would work only as long as the interchanges are limited and are not seen as a national security threat. Cyber has short decision time frames. Institutional arrangements such as the European Union´s defense are unfit for dealing with digital national security. The networked society forces nation states to reevaluate pre-Internet institutional arrangements, as these can undermine the cyber effort.
Returning to the question about the European cyberdefense, how will Europe create a uniform, cohesive approach to address cyberattacks and cyberaggression by foreign states? Especially, if that requires redefining what the European Union is by integrating its defenses into one body. Europe can be defended by NATO because the vast majority of the European Union countries are NATO members, but then it is not the European Union that defends itself. Those EU countries that are not also in NATO are then assumed to arrange their own cyber-defense.
(Page 2 of 2)
It would be each US state figuring out its own cyber strategy, implementation, research, and knowledge dissemination with no leadership or guidance.
The European information security agency, ENISA, is not an actively participating operative agency like the U.S. National Security Agency, but a body set up to be subject matter experts on information security and support the European Union efforts. The epicenter for European Union political and bureaucratic power is in Brussels, Belgium, where both the EU and NATO headquarters are located. The combined EU and NATO headquarters are European power.
Where is ENISA located? The primary agency for European information security is located in Heraklion, Greece. Where is that? On some island in the Mediterranean. From an American perspective it is similar to placing a central agency for federal cyber defense in Fairbanks, Alaska, or perhaps on the upper peninsula of Michigan. I use the ENISA location as an example how dysfunctional European cyber defenses are and how other non-relevant interests, such as Greece also wants an agency of significance that can be place at a remote spot to promote the rural economy, prevails. Europe is far behind to withstand a national cyber crisis.
The epicenter of cyber is Washington, D.C., and the discourse radiates from the national capital outward. The question is how far from the Beltway it reaches. Does the rest of this nation care about the national security threat that is embedded in future adversarial cyber operations?
One of my major cyber concerns for the next 10 years is how to disseminate the cyber knowledge into small-town America. The vast majority of the utilities, plants and local government facilities are located in small towns and communities. The United States has 3,500 counties, 18,000 state and local police departments, and 50,000 water utilities of various sizes — just to give you an idea of the scale of local government. This disconnect between the federal level and the local communities is nothing unique for cyber. Implementation is a challenge for every public program just because the sheer size of the volume of information and guidance that have to be communicated, disseminated and checked.
Cyber is unique because it allows states to engage in a conflict within another country and engage the target with limited ability for the targeted nation to identify, intercept and prevent the attack. This increases the number of potential targets astronomically and it also affects the society at all levels and locales when every part of our society can be cyber attacked.
I live in a small town with two Waffle Houses, one IHOP and one post office where you are greeted as family, but it also has three major food-processing plants, a rubber factory, a larger energy utility and a sizeable sawmill. Cyber security is naturally a part of the operating procedures for the major corporations, but is not really on most people’s mind. Here lies the challenge: How can we change the mindset so cyber is seen as a local problem and not an issue to be handed off to the federal government?
The critical infrastructure and the manufacturing base of America are located in thousands of these small towns. If the drive for increased cyber security and ability to reach national cyber resilience do not reach these communities, these incentives are pointless exercises.