European Union and NATO Global Cybersecurity Challenges: A Way Forward

Over the past two decades, European countries have had to meet the same cybersecurity challenges that the United States has faced. However, while the U.S. has benefitted from its sovereign authority (a single foreign policy, a centralized military, and the legal and budgetary power of the federal government), European governments have had to take steps to develop cybersecurity policies at the national level while simultaneously pooling their sovereignty through the North Atlantic Treaty Organization (NATO) and the European Union (EU) to bolster their defenses.This article describes the approaches that NATO and the EU currently use to defend their members' interests against such threats. In the last decade, both organizations have recognized that cybersecurity is a key challenge to their core objectives, and they have adopted increasingly ambitious strategies, established new organizations, and (in the EU's case) promulgated legislation to address these threats. Specifically, NATO and the EU have begun to come to terms with the fact that all major security conflicts going forward will have both a cyber and a kinetic component. Cybersecurity failures will increasingly be equivalent to or indicative of broader national security failures. These failures will also lead to the degradation of economic and privacy interests within the member states of NATO and the EU. This reality is forcing all international diplomatic and security-focused organizations, alliances, and associations to retool existing structures or to create new ones through which they can achieve cyber defense and cybersecurity goals.Three of the most prominent examples of cyber aggression between nation-states are those on Estonia (2007), Georgia (2008), and Ukraine (2014, 2015) by Russia and its proxies. In 2007, Russian nationals launched sustained Distributed Denial of Service (DDoS) attacks against Estonia that disrupted the Web services of the Estonian government and private sector for weeks.1 The following year, three weeks prior to kinetic hostilities, Russia's conflict with Georgia over South Ossetia began in cyberspace with DDoS attacks and Website defacements that later blended into Russia's overall warfighting strategy.2 Finally, in 2014 Russia and Ukraine were engaged in cyber attacks, integrated alongside physical conflict that targeted government and media infrastructure, contributing to the fog of war surrounding Russia's annexation of Crimea.3 Russia squared off against its neighbor again in December 2015 when it attacked Ukraine's electric grid and subsequently launched DDoS attacks, which left 230,000 residents without power for up to 6 hours.4 These examples demonstrate not only a growing threat to European security from an increasingly aggressive Russia, but also the trend toward a single concept of conflict that makes cyber and kinetic aggression inseparable. It is important to note that China, Iran, and North Korea, to varying extents, also have the capability and intent to threaten the security of NATO and EU member states through cyber means.5Developments in the cybersecurity operations of both NATO and the EU have paralleled the growth of cybersecurity as a major policy concern to the United States and other national governments. The digital revolution has also changed the basic environment in which governments operate, necessitating increasing levels of cross-border interdependence and connectivity. European countries have responded to the need to increase coordination and cooperation through new initiatives at the national level and under the auspices of NATO and the EU. Nevertheless, the relationship between national capabilities and sovereignty, and the authority of these two international organizations, remains unsettled. The efforts of NATO and the EU to mainstream cybersecurity into existing activities have thus far proven insufficient to fully address the growing cyber threat landscape.NATO's Development of Cross-border Cyber Defense Policy and CoordinationNATO forecasted today's cyber threat environment in 2010: "Cyber attacks are becoming more frequent, more organized and more costly [. …