EU Announces New Joint Cyber Unit to Protect Against Critical Attacks
Joint Cyber Unit will create more situational awareness and guarantee preparedness to large-scale cybersecurity crises
The cyber threat to critical infrastructure has grown dramatically over the last few years – to such an extent that western governments are finally accepting that they need to get more involved. In the EU, this has taken the form of a new Joint Cyber Unit (JCU), situated next to ENISA’s offices in Brussels.
ENISA is the EU Agency for Cybersecurity (formerly known as the European Network and Information Security Agency). The new unit will be implemented over the next two years, with the final process of involving private sector partners scheduled to be ‘by June 2023’; and ENISA will play a major part in its evolution.
The unit is officially described as solely for the purposes of defense: ‘response’ means local response against the attack itself, not a remote active response directed against the perpetrators. ENISA described the primary purpose in a statement to SecurityWeek:
“The tasks of the Joint Cyber Unit will be to ensure EU coordinated response, create more situational awareness and guarantee the preparedness to large-scale cybersecurity crises. The Unit’s support is to identify where the operational capabilities lie and to mobilize the EU cybersecurity rapid reaction teams. The capabilities would still be on the national level. However, the Unit would put the tools and processes in place to be able to react in an agile manner when a cyber crisis would occur.”
This immediately highlights the difficulties and complexities that lie ahead in the evolution of the Joint Cyber Unit. Compare the EU and the U.S. The EU has no centralized federal forces able to take unilateral action on behalf of the entire ‘country’. Major cyber incidents would be defined as national security events; and each EU member state still has responsibility and authority over its own national security.
In the U.S., this would be like a dark blue state adjacent to a dark red state, both suffering from the same cyberattack. Each state would be free to respond as it wishes. One might choose to launch a retaliatory strike, while the other might prefer a diplomatic solution – and both might happen simultaneously. Communication between the blue state and the red state might also not be perfect.
For such reasons, the purpose of the JCU is limited to cyber defense. The ecosystem is defined as ‘resilience’, ‘law enforcement’, ‘cyber defense’ and… ‘cyber diplomacy’. In reality, any active retribution would be difficult without the UK’s involvement – absent since Brexit and officially not a part of the JCU.
The UK is probably Europe’s strongest cyber nation, and has access via GCHQ to the worldwide 5-Eyes intelligence group (which includes the NSA). It is not known whether the JCU will have contact with GCHQ.
When asked, GCHQ referred SecurityWeek to the NCSC, which referred SecurityWeek to the relevant government department. This is a well-proven roundabout method of saying nothing without admitting that it will say nothing. However, ENISA told SecurityWeek, “The EU-UK Trade and Cooperation Agreement includes cooperation on specific cybersecurity activities. However, it does not include operational cooperation during cybersecurity incidents or crises.”
The implication is that JCU may well have access to some 5-Eyes intelligence via the UK, but any unilateral retributive action (which the UK has already said it feels free to take) will be down to the UK and have nothing to do with JCU.
“Based on what is out in the public domain,” Jens Monrad, EMEA director of Mandiant Threat Intelligence told SecurityWeek, “there are no current plans for a collective European offensive action. For the EU to collectively reach an agreement to respond using offensive capabilities towards an attributed ‘enemy’ will require a lot more groundwork to be covered on how to assess cyber as a domain. Additionally, I believe that it would change how the EU is addressing attacks or threats today.”
None of this helps with the JCU’s primary problem of getting individual member states to cooperate in areas they may feel are primarily their own concern. “The political attention cyberattacks are getting today is most welcomed,” comments Jens Monrad, EMEA director of Mandiant Threat Intelligence. “However, it remains to be seen how effective it will be when it comes to a joint task force deploying response teams across the EU. Today, many EU countries still control their national security, and even within agreed EU treaties, there are exempts on law enforcement collaboration.”
Peter Starr, global director of sales engineering at Cyren, expands on this concept. “From experience,” he says, “EU member states treat cyber threats very differently. So, it’s going to be difficult for them to agree on effective rules of engagement. What happens if a breach becomes classified information in one of the member states? This can be seen in other multi-national coordination efforts the EU takes part in. For example, intelligence sharing in NATO is fraught with pitfalls and delays as decisions must be made as to what is shared, and most importantly, when it is shared.”
Not everyone is a doubter. Raghu Nandakumara, Field CTO at Illumio, believes the JCU is a positive step. “It’s a logical progression from the 2016 NIS Directive which required individual member states to be appropriately equipped, facilitated strategic cooperation and information exchange, and imbibed a culture of security in sectors critical to the economy and security,” he said.
Nominet, which is the official registry for UK domain names and has a cyber security branch that operates the NCSC Protective DNS program, is unsurprisingly supportive. “There is a middle ground… where countries can benefit from centralized intelligence, overarching strategies and broad reaching tactics,” says Steve Forbes, a government cyber security expert at Nominet. “With similar threats faced across the European Union – particularly against critical infrastructure – often with the same adversaries, pulling together will allow the bloc to make step changes in its cyber defense. The new cyber unit will set a powerful precedent for international collaboration as central to our future global cyber defense.”
But his phrase ‘international collaboration’ raises another concern. The global nature of cybercrime can hardly be deterred by a limited amount of international cooperation. Ilia Kolochenko, CEO and chief architect at ImmuniWeb, expanded on this to SecurityWeek. “International collaboration is indispensable to curb surging cybercrime,” he said. “Thus, the EU initiative is a very promising project. We should, however, bear in mind that coordinated defense, response and eventual prosecution of cybercrime is virtually impossible without cohesive global cooperation.
“The EU countries may face the well-known challenges of foreign jurisdictions that continually refuse to extradite their citizens charged with cybercrime. Moreover, modern nation-state hacking groups increasingly ‘frame up’ some of their rivals (such as neighboring countries) by hacking their infrastructure and then proxying their attacks through the breached systems.
“Eventually, even the best forensic investigation will be misled and likely misattribute the attack. This uncertainty undermines cyber self-defense, as you risk blaming an innocent party, provoking further escalation, and violating international law.”
There is one further common concern about the JCU evolution plan – the introduction of the private sector at the end rather than the beginning of the process. “What is also not clear,” comments Cyren’s Starr, “is how the Joint Cyber Unit is going to work with private industry. More often than not, it is private sector specialists who identify breaches as they have the cutting-edge skill sets to do so.”
The general feeling is that the EU’s JCU is a good idea, but that it does not, and possibly cannot, go far enough. It has some difficult mountains to scale before it can be effective. In the meantime, the Biden approach may be more productive. This can be paraphrased as, “I don’t trust (the other side), but I do expect them to do what we agree… or else…”