Europe is at a far worse state when it comes to cyber defense than are the United States, Australia, and Japan. The reason is very simple: The way the European Union is set up is totally contra-productive to how public leadership should be able to address a rapid and cascading set of nation-state cyberattacks.
Pre-Internet institutional arrangements may cripple the future ability to utilize cyber as a national security instrument. The European Union, which is a separate entity with some overlap to the North Atlantic Treaty Organization, would naturally be a potential cyber powerhouse. A confederation of 28 countries—with ambitions to grow to more than 30—it represents a sizeable economy, over 300 million people, and a well advanced information technology establishment.
There is no supreme commander in the European Union. Each country has the right to design its own defense posture. Seen from a cyber-perspective the question is how to be able to react to rapid interchanges and attacks, which are escalating to a conflict, if there has to be a joint decision by 28 supreme commanders? Technically that can be solved by preauthorizing and dedicating specific agencies, but that would work only as long as the interchanges are limited and are not seen as a national security threat. Cyber has short decision time frames. Institutional arrangements such as the European Union´s defense are unfit for dealing with digital national security. The networked society forces nation states to reevaluate pre-Internet institutional arrangements, as these can undermine the cyber effort.
Returning to the question about the European cyberdefense, how will Europe create a uniform, cohesive approach to address cyberattacks and cyberaggression by foreign states? Especially, if that requires redefining what the European Union is by integrating its defenses into one body. Europe can be defended by NATO because the vast majority of the European Union countries are NATO members, but then it is not the European Union that defends itself. Those EU countries that are not also in NATO are then assumed to arrange their own cyber-defense.(Page 2 of 2)
It would be each US state figuring out its own cyber strategy, implementation, research, and knowledge dissemination with no leadership or guidance.
The European information security agency, ENISA, is not an actively participating operative agency like the U.S. National Security Agency, but a body set up to be subject matter experts on information security and support the European Union efforts. The epicenter for European Union political and bureaucratic power is in Brussels, Belgium, where both the EU and NATO headquarters are located. The combined EU and NATO headquarters are European power.
Where is ENISA located? The primary agency for European information security is located in Heraklion, Greece. Where is that? On some island in the Mediterranean. From an American perspective it is similar to placing a central agency for federal cyber defense in Fairbanks, Alaska, or perhaps on the upper peninsula of Michigan. I use the ENISA location as an example how dysfunctional European cyber defenses are and how other non-relevant interests, such as Greece also wants an agency of significance that can be place at a remote spot to promote the rural economy, prevails. Europe is far behind to withstand a national cyber crisis.