Even if it’s not conducted with “hot” weapons, Information Warfare is not the Cold War because the world is not bipolar anymore. We live in a multipolar world, and the war for information and knowledge spreads to the rest of the West and to ongoing conflicts. Information manipulation exists and is used by everyone: from those who want to support a protest to those who wish to support a government instead, from private non-State actors to international alliances.
The multipolar scenario is particularly critical for the European Union. That’s never been a geopolitical and military superpower but, due to its location, can’t avoid its role and responsibilities.
European Union is a complex security actor, covering an increasing number of areas and policies and coping with integrating the systems of 27 different countries. A characteristic trait of this complexification has been the EU’s emphasis on merging internal and external security and developing policies, actors, and instruments that are coherent within this security context.
This is particularly relevant when considering cybersecurity. With the General Data Protection Regulation (GDPR), issued by the European Union in 2016, IT has become the backbone of European societies. The EU has made cybersecurity one of its main security priorities. Such prioritization has been reflected at the level of new initiatives being proposed and the idea that for the EU to be an effective cybersecurity actor, it needs to be fully coherent. Cybersecurity as a unified domain is still a recent field of action for the EU because the EU’s first strategy in this area only dates to 2013, but things are evolving.
The publication of the 2013 EU Cyber Security Strategy – An Open, Safe and Secure Cyberspace (EU-CSS) is particularly representative of the push towards a more coherent approach. It resulted from a combined effort between then Home Commissioner, the High-Representative and DG Connect Commissioner. The EU-CSS rests on three main action pillars: critical information infrastructure protection, cybercrime, and cyber defense. The strategy aimed to improve the coordination between these three dimensions, which gradually came to be included in the area of cybersecurity but were still regarded as fairly separate. In particular, the concept of cyber defense, which aims to safeguard the communication and information systems based on national defense mechanisms, was put in place for the first time.
Then, on 13 September 2017, the Commission adopted a new cybersecurity package. The Cybersecurity Act, entered into force on June 27, 2019, is probably the most relevant element. The changes this new EU regulation brings about mainly a comprehensive reform of ENISA (European Union Agency for Network and Information Security) and creating a certification framework.
The Cybersecurity Act bestows a permanent mandate upon ENISA, together with more significant financial and human resources, to provide support to the Member States, EU institutions and businesses in key areas, including the implementation of the Directive on security of network and information systems (NIS), that provides legal measures to boost the overall level of cybersecurity in the EU. The refactored agency also has the mandate to help step up operational cooperation and crisis management across the EU.
The Commission’s blueprint for rapid emergency response provides a plan for a large scale cross-border cyber incident or crisis. It sets out the objectives and modes of cooperation between the Member States and EU Institutions in responding to such incidents and situations and explains how existing Crisis Management mechanisms can make full use of existing cybersecurity entities at the EU level.
Then, in September 2018, the European Commission issued a package of measures to support free and fair European elections, including a recommendation “on election cooperation networks, online transparency, protection against cybersecurity incidents and fighting disinformation campaigns in the context of elections to the European Parliament”, experimented in the last elections in May 2019, when all the institutional bodies of EU have been renewed.
The new European Commission faces unique challenges in the information warfare domain. While single countries still have the first say on national security, the EU is increasingly leading a coordinated fight against four specific phenomena: Russian disinformation campaigns, Chinese state-backed hacking, cybercrime, and surveillance threats. Likely, a plan to revise the EU’s legal framework on critical infrastructure will be discussed in the next five years, moving along with the declared intention to set the global standard on the security of the cloud, 5G, and more. In this phase, a handful of EU countries lead attempts at the United Nations to stop cyber warfare proliferation.