Cyber security is increasingly becoming a fundamental issue that requires urgent attention. Digital technologies, such as the Internet, play a key role in the European societal and economic landscape. Incidents within cyber space, whether intentional or accidental, are growing at an alarming rate and, more importantly, are likely to disrupt essential services, such as water distribution, electricity and health care. As Dutch power outage case of March 2015 demonstrates, we have become deeply dependent on critical infrastructures not only for our daily lives but also our survival. Since the cyber-attack against Estonia, in April 2007, paralysed most of the infrastructure of the country, cyber security has become the subject of closer attention for worldwide governments. Unsurprisingly, the former United States Deputy Secretary of Defence William J. Lynn has described cyber space as the ‘fifth domain of conflict’, and several States have started to develop cyber security strategies. The European Union (EU) is no exception to this general trend, having labelled cyber security one of the most prominent policy priorities within the European agenda. The presence of numerous institutions, as well as a variety of state and non-state actors has led to the creation of a dense matrix of initiatives under the common roof of a EU cyber security policy. The 2013 Cyber security Strategy also represents an important step for the EU in its effort to become a credible international security actor. In this context, it is important to ask what kind of cyber security actor the EU is attempting to become.
In April 2015, the Aston Centre for Europe organised an international workshop that proposed to explore the EU’s emerging cyber security actorness. Contributions stemming from International Relations, Public Policy, Law, and Philosophy provided thorough analyses of the EU’s security initiatives and approaches to cyber space. Above all, the workshop revealed a picture of the EU as an actor still attempting to find its footing in a ‘crowded policy implementation space’, and whose attempts at developing a coherent strategy have so far hit an intra-institutional cooperation brick wall. Within this broad picture, the workshop identified five relevant key topics: the role of the EU in Internet Governance; the governance of Critical Information Infrastructures; the EU agencies and institutions shaping policy development; the direction of cyber crime policies; and the place of privacy within cyber security.
Where Internet Governance is concerned, the United States and other western countries have for some time now been attempting to fragment the Internet, by imposing jurisdictional regulations. As a response, numerous Latin American and Asian countries started to build coalitions in order to balance the American control of the Internet. In this context, the workshop analysed different approaches used for Internet Governance: if, on the one hand, the American multistakeholder governance is no longer widely accepted, on the other hand, it is uncertain whether a multilateral approach could be a solution. A ‘coalition of the liberal’ between the US, the EU and other western democracies is seen as a credible solution, although one that is difficult to achieve.
Regarding the governance of Critical Information Infrastructures, the workshop underlined the importance of these structures for the good functioning of European societies, as well as their increased reliance on digital technologies and public-private partnerships (PPP). Such degree of dependency has led to serious concerns over the security of critical infrastructures. In particular, the issue of whether a public good such as security can, nevertheless, be handled as a private one, raised considerable doubts. For instance, there seems to be an evident contradiction, within market logic, in using network redundancy in order to achieve resilience of critical information infrastructures. Notably, duplication of information is clearly in contrast with the business rationale of efficiency. Looking at the banking sector practices, this statement can only be confirmed. It is nevertheless important to keep in mind that profits are directly linked to the proper functioning of critical information infrastructures and, therefore, to their safety as well. Bearing in mind the inherent contradictions between private and public actors’ priorities, new solutions must be devised in order to promptly address critical information infrastructures’ vulnerabilities. The European Commission should play a more prominent role, especially in terms of coordinating, as well as strengthening European cyber culture. Workshop participants, however, advised against the idea of ‘privatisation at all costs’.
In order to understand which actors are currently governing cyber space, the workshop also explored the role of European agencies, notably ENISA and EC3. This analysis provided a deeper insight into the European cyber security decision-making process, as discussions focused on these agencies’ regulatory and policy shaping potential in the area of cyber crime and cyber security. Looking at recent developments in the field of cyber space governance, it emerged from the workshop that the traditional Justice and Home Affairs model of cooperation agencies might be slowly in the process of being replaced by a regulatory policy shaping agencies’ model. In this context, the consequences that this shift may have on the European governance of cyber space were explored, in particular in terms of transparency and accountability.
Cyber crime was another key topic discussed in the context of the workshop. The reduction of cyber crime through the enhancement of operational capability represents one of the main priority objectives in the 2013 European Union’s Cyber Security Strategy (EUCSS). It is questionable, however, whether the EU has indeed effectively achieved a higher degree of security resilience in this area. As an example, the operational success of EC3 in enhancing the capabilities of member states is continually challenged by cultural, political, legal and economic issues. The differences between member states’ legal frameworks makes the real time sharing of intelligence, data and information even more challenging. Another example of the EU’s limited action regarding cyber crime is its role in addressing Internet radicalisation and in countering cyber recruitment for jihad.
The right to privacy in the context of cyber space was also an important focus of discussions. Given the multi-layered nature of cyber space, cyber security incidents have the potential to compromise both data and services. The balance between security and privacy, however, is complicated to achieve. The European legal framework regarding the protection of privacy and personal data has demonstrated that the EU has clear difficulties in conciliating fundamental rights with the growing need for security. Such difficulties are particularly noticeable on two different fronts: at the EU level, with differences arising between institutions, and at national level, with member states developing diverging stances. In this respect, the harmonisation of European national laws seems to remain one of the biggest challenges for ensuring the right to privacy.
As declared in the 2013 European Cyber Security Strategy, the EU is attempting to emerge as a new policy actor within the cyber dimension. Nevertheless, there are still numerous issues that must be faced. In particular, some member states still do not recognise cyber security as a key priority. As a result, harmonisation, coordination, and the efficient governance of the digital space have remained difficult to achieve.
 On the 27th of March 2015, large areas of The Netherlands were left without electricity for 10 straight hours, affecting telecommunications, transport and hospitals. For further information please see: http://rt.com/news/244537-power-outage-north-holland/ Last accessed on 5th May 2015.
 Lynn, W.J. III (2010). Defending a New Domain: The Pentagon’s Cyberstrategy, in Foreign Affairs, pp. 97–108.
 Renard, T (2014). The European Union: A new Security Actor? EUI Working Paper RSCAS 2014/45. Available at: http://www.egmontinstitute.be/wp-content/uploads/2014/05/140501-T.Renard-RSCAS-2014_45.pdf
 Majone, G (1989). Argument, Evidence and Persuasion in the Policy Process. Yale University Press: New Haven.