Russia’s cyberattacks on Ukraine in the lead-up to its invasion should be a wake-up call for Europe. The EU must quickly adopt the revised Network and Information Security (NIS2) Directive and improve its operational readiness.
Ukraine has been at war for a month. But the conflict is not only being fought on the ground but also partly via its computer networks and information systems. In the days before the Russian invasion, a wave of cyberattacks – “the largest in the history of Ukraine” – impeded access to government websites, including those of the military and banks. In parallel, Russia activated the computer virus “HermeticWipe” to delete the data of the infected terminals and delay the recovery of normal activity. Traces of this malware also appeared in EU countries like Lithuania.
On 24 February, as Russian troops entered Ukraine, a cyberattack disrupted communication networks in Donbas. These attacks affected not only physical but especially space infrastructure. Cyberactivity knocked out communication satellites from Viasat, an American firm providing space-based broadband services across Europe. Consequently, the attacks affected Ukraine and other European customers that rely on the firm’s services.
These cyberattacks demonstrate that network interconnectedness is a critical element of cyberspace and our physical world. This reminder comes at a time when the EU is reviewing its Network and Information Security (NIS) Directive 2016/1148 – the basic cybersecurity framework for EU companies and institutions – and working on a proposal for a European Cyber Resilience Act. The recently adopted Strategic Compass also proposes creating a common EU cyber defence policy framework.
What are three important lessons for developing EU cyber policy further in these troublesome times?
Lesson 1: Protect our space assets
Space infrastructure is increasingly important for the European economy, as both an emerging industry and support for critical ground-based infrastructure (e.g. power grids, essential communication). Currently, financial transactions, military operations, communications, border controls and natural disaster forecasting – to name but a few – rely on space infrastructure. Space assets also ensure internet access in remote areas without (easy) access to fibre.
Cyberattacks on space systems, therefore, represent a significant risk for Europe’s economy and security. And yet the space sector is still not sufficiently recognised as an important sector for the EU economy. Companies managing space assets have fewer cybersecurity obligations than, for example, those managing energy systems.
Today, as per the NIS Directive, EU member states designate the operators providing essential services – but space systems rarely make the cut. The review of the directive (NIS2) would finally establish the space industry as an essential sector for the EU economy. Consequently, the operators of space systems would have to increase cybersecurity and monitor and communicate cyber incidents.
Lesson 2: Ensure operational readiness
Despite said attacks, Ukraine’s networks remain functional. This is partly thanks to the readiness of the Ukrainian cyber command – especially after the 2015 power grid hack attributed to Russia – and other countries and organisations (including hacktivist groups) helping Ukraine better defend, mitigate and recover from such cyberattacks.
Days before Russia’s invasion, the Lithuanian defence ministry announced the deployment of an EU Cyber Rapid Response Team (CRRT); a project borne from EU military cooperation. The 8 to 12 cybersecurity experts from EU countries like Estonia, Poland and Romania assist Ukraine’s cyber defence in defending its networks.
The Ukrainian war is the first case where a CRRT has been deployed. It proves EU countries’ ability to work collaboratively in response to cyber threats in a real-life crisis. It also opens the door for stronger collaboration among member states and with partner actors in the future.
More generally, the Ukrainian crisis demonstrates that the EU’s collaboration with partners is as important as having a suitable framework to pool resources – information, knowledge, tools, expertise – to respond to a cyber crisis. The CRRT is one such framework, as is the Joint Cyber Unit (JCU), one of the initiatives proposed under the 2020 EU Cybersecurity Strategy. The EU should speed up the creation of the JCU and ensure that its functions do not overlap those of CRRTs. In addition, it should establish a mechanism that allows both units to collaborate in the military and civil fields.
Lesson 3: Strengthen cyber deterrence
The Ukrainian war reinforces the notion that in a world of growing geopolitical competition and instability, achieving a high degree of cyber resilience is crucial to guard the European economy and security against cyberattacks. But beyond resilience – which refers to the ability to detect, protect, respond and recover from cyberattacks –, a step forward is to adopt an active cyber defence posture that supports deterrence.
A European active cyber defence posture is controversial because it often involves invasive methods. This is why critics argue that the limits of what constitutes a defensive action are vague. Since some active defence measures, such as “hack-backs”, require real intrusion into the attacker’s networks, misinterpretation of the defender’s objectives can lead to escalation. This is a real risk that is influencing the conversation about whether active cyber defence should be part of the final text of the NIS2 Directive.
But on the other hand, the EU could benefit from enhanced rapidness when responding to malicious cyber activities, thereby improving its capacity to mitigate threats. If data is stolen, an active cyber defence could help limit its circulation. An active cyber defence would also help retrieve information about the attacker and the tools used. Lastly, attackers would feel the cost of retaliation, thus improving the EU’s capacity of cyber deterrence.
With new resources and a revised legal framework in place, the EU would see an improved cyber resilience, which is much needed for its physical and economic security. The Union should take a bold step forward and adopt a credible active defence posture; one that is tempered, leveraged and built with a framework providing legal and operational certainty to all its actors.
Andrea Garcia Rodriguez is Lead Digital Policy Analyst in the Europe’s Political Economy programme at the European Policy Centre.
This article was originally published on 28 March 2022 by the European Policy Centre here. It has not been changed by us and we re-publish it with the author’s consent for which we are grateful.