Since then, the criticality of cyber networks – and how much the modern world depends on their proper functioning – has been driven home to all, from the ordinary consumer to the highest-level policymaker. Whether civil or military in nature, cybersecurity today extends far beyond the backroom to encompass training at all organisational levels, focused exercises, research and development of advanced cybersecurity tools and processes, coordination with auxiliary stakeholders and, not least of all, creative approaches to deploying society’s limited resources against virtually unlimited cybersecurity threats and attempts at subterfuge.
In one way or another, EDA has been a player in all these areas, be it cyber training and exercises, research and development, optimising resources among its Member States or outreach to stakeholder groups. For example, the latter activity – outreach – has been a particularly important EDA activity to facilitate the exchange of technical information and lessons learnt among Europe’s front-line organisations involved in fighting or defending against cyber-attacks.
Multi-player cooperation
A good example of EDA’s outreach is its May 2018 Memorandum of Understanding (MoU) with three other EU organisations involved in cybersecurity: ENISA (cybersecurity), European Cyber Crime Center (EC3)/Europol (law enforcement cooperation) and CERT-EU, the Union’s computer emergency response team for EU institutions. The MoU’s purpose is to leverage civil and military synergies among the players to boost the safety and security of the cyberspaces in which they all operate.
At their most recent meeting in July 2019, the MoU partners reported significant progress in the exchange of views and knowledge regarding the policy, technical, and operational aspects to cybersecurity. Their shared ‘collaboration roadmap’ calls for closer cooperation on training and cyber exercises, capacity building, stronger information exchanges and, of course, ways to avoid duplication of effort. They will stage another major event in the second half of 2020, to carry forward these issues, along with a special focus on improved incident-response mechanisms.
Another example of EDA’s cooperative approach to cybersecurity is its participation in research and development. Aside from the R&D projects that it funds on its own or organises among its Member States (see box below on CySAP project), EDA is involved in several EU-funded cybersecurity research projects.
A trio of projects are cases in point. Each of the projects was launched in February 2019 as a pilot to test the viability of the EU’s forthcoming European Cybersecurity Competence Network. The network will facilitate the EU’s support and retention of the cybersecurity technological and industrial capacities needed to secure its digital single market. Though the legislation is still being drafted, the main goal is to create a cybersecurity competence centre by 2021 which will coordinate the EU’s funding for research, as distributed via the network to national entities.
The three research projects are CONCORDIA, ECHO, and CyberSec4Europe. Within each, EDA has a supporting role vis-à-vis their advisory board regarding the project’s dual-use or military cybersecurity potential. Given that a vast swathe of software and cybersecurity measures lend themselves to either civil and military application, it makes eminent sense to involve EDA in the network in observation/advisory mode to keep an eye on innovation that could benefit Europe’s militaries.
The reliance of Europe’s militaries on cutting-edge cyber technologies is so important that these have been incorporated into the recent work by the Agency and its Member States on capability development. Known as Strategic Context Cases (SCCs), these scenarios were approved in June 2019, and will transfer their releasable versions to industry in November.
One SCC is based on cyber and contains five modules: cooperation; education and training; research and technology; land, air, maritime and space operations; and finally, systems engineering for cyber operations. Regardless of its subject focus, however, each of the SCCs is designed to operationally frame the short-, medium- and long-term capabilities that Europe’s militaries need to consider, and how to develop them.