By Jean-Baptiste Houdart. Originally published on 2013/02/14

On January 11, 2013, the European Union (EU) established the European Cybercrime Centre as part of the Europol offices[1]. This important event raises the question of which instruments the EU has established to address cyber security issues. This article argues that the mode of governance the EU has developed to address cyber security is coherent and covers all aspects of the field. It notes, however, that this mode of governance still lacks a crucial link: an international endorsement of the European vision.

In order to map the governance of the EU in the field of cyber security, one must first understand the nature and scope of the field analysed. The Internet as we know it appeared in 1983, when the Transmission Control Protocol/Internet Protocol (TCP/IP) was initiated, bridging Autonomous Systems (i.e. individual networks) around the globe by providing them with a common language and IP addresses to communicate. In other words, the Internet is a series of town squares interconnected by digital bridges where billions of devices communicate (almost) freely with each other. Since then, the Internet has attracted ever more users. In June 2012, the surge in new users led to the launch of IP version 6 (IPv6), which expands the limit to 2^128 addresses (more than 340 trillion, trillion, trillion), because the stock of addresses available under IPv4 was exhausted in February 2012[2]. Statistics show that since 2000 the number of users has increased by 566.4%, and today amounts to around one third of the world’s population[3]. This tremendous increase in users makes the Internet the new playground for many companies wishing to reach a broader audience, and thus creates new social and economic opportunities.

However, this impressive increase in users has been accompanied by growing cyber threats and crimes. Those threats can be divided into two categories: crimes, and attacks on critical infrastructures. The first category represents criminal behaviour that affects individuals or private companies, and encompasses child pornography on the Internet, online bank robbery, and ID or information theft. The recent controversies over the activities of the group WikiLeaks[4], as well as the claim that the “most closely guarded secrets” of the U.S. have already been stolen[5], underscore the issue at stake. The second category covers attacks that can damage or destroy critical infrastructures, which could lead to network paralysis or even the loss of information. The development of cyber viruses like Flame and Stuxnet and their use to break down Iranian nuclear facilities[6], together with the online disruption of six banks in the U.S. since September 2012[7], speak for themselves. Government officials and experts warn that, if these threats are not taken seriously, the increase in attacks on critical infrastructures may lead to a “cyber Pearl-Harbour”[8], so they focus their efforts on preventive actions.

To sum up, the digital environment might have great potential for “exploration”, but threats are lurking around the corner. Nevertheless, governments judged that the benefits of the new technologies far outweighed their threats and drawbacks, although it was only in the late nineties that they started developing cyber security systems to prevent as many cyber incidents as possible.

Although the international community is divided in this regard, cyber security can be defined as “the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets”[9]. It entails the prevention of both cyberwarfare, considered a state-sponsored cyber offensive directed towards another state, its infrastructures or its population, and cybercrime, understood as a non-state-sponsored cyber offensive directed towards another individual or company[10]. In other words, the aim of cyber security is to provide protection against unauthorized access to, and manipulation and destruction of, critical resources, as well as against criminal behaviour which threatens individuals.

[1] C. Malmström, January 11, 2013, “EC, a European response to cybercrime”, EU Press Release

[2] V. Cert, June 6, 2012, “World IPv6 Launch: Keeping the Internet growing”, Google Blog

[3] Internet World Statistics

[4] J. Tate & E. Nakashima, January 9, 2013, “Judge refuses to dismiss charge against WikiLeaks suspect Bradley Manning”, The Washington Post

[5] J. Benitez & J. Healey, July, 2012, “Cyber Offenses is King”, Atlantic Council

[6] P. Foster, June, 2012, “Scale of cyber-attacks on Iran further unveiled with Flame Stuxnet link”, The Telegraph

[7] N. Perlroth, September, 2012, “Attacks on 6 Banks Frustrate Customers”, NYT

[8] E. Bumiller & T. Shanker, October 11, 2012, “Panetta Warns of Dire Threat of Cyberattacks on U.S.”, NYT

[9] ITU-T Study Group 17, April, 2008, “Overview of Cybersecurity”, ITU

[10] B. Baseley-Walker, 2011, “Transparency and Confidence-building measures in cyberspace: towards norms of behaviour”, Confronting cyberconflict, UNIDIR

About the author:

Jean-Baptiste Houdart obtained a Master's in European Studies from KU Leuven, Belgium, in 2012. He is currently interning in the disarmament sector of the Permanent Delegation of the European Union to the United Nations in Geneva.