As the member states rapidly progress in their own personal cyber arms race, the bloc’s institutions risk being left behind.

The European Commission was hacked back in November and it took until mid-January for the EU to announce that it wants to invest more in cyber defence.  The attack, carried out on 24 November, involved millions of requests being made to access the executive’s website, crippling its servers. It happened in the afternoon and meant many officials were unable to keep working.

But the bloc’s plans to counter hacking and government-launched hoaxes have already come in for criticism. German MEP Jan Phillip Abrecht (Greens/EFA) said that there are so far no tangible measures to protect critical infrastructure or to tackle Fake News. Much is still “under discussion”.

Things have moved on further in the member states though, where military and IT analysts have been working for years on how best to protect themselves from the growing threat of cyber-attacks. The stakes are also being raised. At least 15 EU members have incorporated a military element into their cyber strategies, although “few admit to having invested in cyber weapons”, according to a European Parliament working paper.

France is a leader in the European cyber arms race. In December, it launched its first cyber unit, which is designed specifically to counter attacks and which is expected to grow to employ 2,600 specialists.

French Defence Minister Jean-Yves Le Drian made a stark warning about a “new cyber battlefield”, which would mean “the whole art of war would have to be rethought”. The new team of hackers will be expected, according to Le Drian, to “break through the systems of our enemies” and “neutralise temporarily or permanently” their networks.

One month earlier the United Kingdom also revealed its new cyber plans. A total of €2.1 billion has been earmarked to bolster its web defence, as well as offence.

Germany is also keen not to miss out on the digital arms race bandwagon. The ministry of defence announced that it will this year set up its own cyber command centre. Existing capacity is set to be centralised under one umbrella, giving the so-called CIR a total manpower of some 14,000 individuals.  Official statements maintain that the mandate of this ‘cyber army’ is limited to fending off external attacks. The federal government insists that the mantra is very much one of defence.

A leaked paper from the defence ministry, later played down by Defence Minister Ursula von der Leyen, included a number of questions relating to the use of offensive cyber weapons.

Candid Wüest of IT security firm Symantec warned that the boundaries between defensive and offensive capabilities in this regard are often difficult to draw. “If I know how someone is attacking me, then this knowledge can be used to launch my own separate attack,” she explained.

This assessment is one that is shared by the German army, the Bundeswehr. The final report relating to the CIR said that “if someone has the capability to defend, then they can also launch a worldwide attack”. As a result, “the boundaries between war and peace become blurred”.

Germany launching its own cyber-attacks is a thought that is clearly conceivable to domestic security agency chief Hans-Georg Maaßen.  He recently even publicly called for Germany’s cyber troops to be deployed on an offensive basis, insisting that the Bundesrepublik must “be able to attack the enemy”.

Source: Cyber Security Intelligence