From European Defence Agency: The European Defence Agency (EDA) presented on 24 May 2013 results of its stocktaking study of military cyber defence capabilities. Using an in-depth methodology, the study benchmarked the degree of “Cyber Defence Readiness” of 20 participating Member States (pMS) and different EU level organisations. The landscaping exercise shows a mixed picture with respect to military cyber defence capabilities on national and European level. It recommends strengthening cooperation, exchange of information and proposes avenues for pragmatic Pooling & Sharing of some cyber defence capabilities. The study supports the relevance of the cyber defence activities launched by the EDA in the areas of cyber training ranges and deployable situational awareness kits for CSDP missions.

“Cyberspace can be described as the fifth dimension of warfare, equally critical to military operations as land, sea, air and space. Our study reveals important gaps in military cyber defence capabilities across the EU. The Agency is offering Member States a range of projects to cooperate in the area of cyber defence capabilities as well as in the research & technology domain”, says Peter Round, Capabilities Director of the European Defence Agency. . . . 

Methodology

This stocktaking exercise included research into the different EU level organisations involved in cyber defence activities in the context of CSDP missions as well as data collection on cyber defence capabilities in pMS. The research was carried out via document review, semi-structured interviews and a questionnaire.

Cyber defence information was analysed according to a commonly understood military framework of capability, known as Defence Lines of Development. These contributors are: Doctrine; Organisation; Training; Material; Leadership; Facilities and Interoperability (DOTMLPF-I). To measure and to a certain degree benchmark the degree of “Cyber Readiness” the study utilised a five-step maturity model with 69 discrete and weighted indicators for maturity, broken down within the DOTMLPF-I structure to achieve the required granularity. Each country was qualitatively assessed for each contributor against this weighted maturity model.

Results

On the national level, the study revealed a mixed picture with respect to military cyber defence capability. Generally speaking, in pMS where key decision-makers are familiar with cyber-security, cyber defence capabilities are more advanced. The 20 pMS exhibit strengths in the three capability domains of Leadership, Personnel and Interoperability. In the areas of Doctrine, Organisation and Training, an early level of maturity was defined which might be linked to the fact that these three areas require more complex and longer-term efforts to establish organisational structures. Facilities is the capability domain which remains to date highly immature or non-existent. Individual country profiles are classified and cannot be made available.

As regards cyber defence among EU organisations, the study highlights the complex operational set-up between the different institutions involved (e.g. EDA, the Member States, European External Action Service, European Commission, General Secretariat of the EU Council and related EU agencies). While threat analysis and cyber-intelligence gathering capability appears to be emergent, incident response capabilities could be deepened. The study also reveals that the culture of cyber-security good practice needs to be nurtured and that the use of military specific standards and tools is still poorly understood.

Recommendations

Military cyber defence on the European level is at a relatively early stage of maturity. The study therefore makes high-level recommendations such as enhancing EU network protection, strengthening intelligence capability, deepening incident response capabilities, creating a culture of cyber-security, promulgating security standards and tools, and reinforcing links between NATO and the EU for cyber defence issues.

On the national level, greater attention should be given to the development of cyber defence training and education initiatives. pMS are encouraged to consider exchanging information on equipment solutions and Pooling & Sharing for cyber defence capabilities, and on processes and shared escalation procedures, especially in EU-led missions. Finally, the study suggests pMS consider sharing – to a certain extent – facilities and to take into account interoperability aspects of cyber defence.

Together with the Irish Presidency of the European Union and the Estonian Ministry of Defence, the EDA will also co-host a high level conference on Cyber Security Cooperation in the European Union on 20 June 2013.

From RAND Europe:  Many countries have set up organisations specifically to deal with cyber defence: 19 out of 20 had some kind of unit dedicated to cyber defence missions in their ministries of defence, and this was linked to the national Computer Emergency Response Team (CERT); in 18 out of 20 countries this was linked to other incident response capability (other types of CERT).

But doctrine is lagging behind (only 6 out of 20 states had a specific cyber defence strategy and 5 out of 20 had a cyber defence doctrine).

Training and learning also need to be strengthened (9 out of 20 states had cybersecurity as a specific technical career path), as does interoperability (only 5 out of 20 participated in EU-wide exercises).