The institutionalization of cybersecurity management at the EU-Level : 2013-2016

Backman, Sarah

January 2016

International cybersecurity is arguably one of the most serious, complex and recent security-issues of our time. The connectivity between EU member states regarding cybersecurity due to the borderless nature of cyber, together with increasing threat-levels, has made the need for a common response widely acknowledged in the EU for several years. Even so, a common EU cybersecurity response involves problems such as reluctance of member states to share information, that cybersecurity management is linked to national security and therefore touches upon sovereignty, and different levels of cybersecurity development between member states. Despite this, the Network and Information Security Directive was adopted by the European Council in May 2016, involving EU-wide binding rules on cybersecurity. This thesis examines and explains, through a neo-functionalistic approach, how and why this development towards supranational management of cybersecurity in the EU has happened. The author finds that cybersecurity management seems to have institutionalized from a nascent phase during 2013, moving towards an ascendant phase during the end of 2013 and 2014, to end up between an ascendant and a mature phase during 2015 and 2016 – which makes the adoption of the NIS-directive logical. The neo-functionalistic explanation to the development of supranational cybersecurity management in the EU highlights the role of the Commission as a ‘policy entrepreneur’ and the publication of the EU cybersecurity strategy, accompanied by the proposal for the NISdirective in 2013. These regulatory outputs sparked further institutionalization by providing many opportunities and venues for member states to interact and build networks on cybersecurity issues, by initiatives with normative impact to foster an EU ‘cybersecurity community’, by the continuous strengthening of supranational cybersecurity actors such as ENISA, and by supranational cybersecurity cooperation platforms, such as the NIS-platform and the European Private Public Partnership on cybersecurity. Between 2013 and 2016, 21 EU Member States published national cybersecurity strategies, almost all referring clearly to their commitment to EU cybersecurity initiatives. This provides an indicator of a high level of legitimacy of supranational cybersecurity management. However, the thesis also finds that the strongest supporters of EU cybersecurity management are not the most powerful member states but rather the smaller ones. While not expressing a strong commitment to EU initiatives in cyber policy documents, the most powerful member states still agreed to the NIS-directive. This supports the neo-functionalist notion about the “stickiness” of an institutionalization-process, and the possibility that powerful states might have double paths, committing to EU regulation and institutionalization while still continuing their own way.

EU cybersecurity management

EU

cybersecurity

institutionalization

neofunctionalism

the NIS-Directive

Kybernetická bezpečnost ve vesmírném prostoru: Rámec zvládání rizik spojených s kybernetickými útoky a model vylepšení evropských politik / Cybersecurity for Outer Space - A Transatlantic Study

Perrichon, Lisa

January 2018

Cyber attacks can target any nodes of the space infrastructure, and while these attacks are called non-violent, there is a credible capability to use cyber attacks to cause direct or indirect physical damage, injury or death. However, the vulnerability of satellites and other space assets to cyber attack is often overlooked, which is a significant failing given society's substantial and ever increasing reliance on satellite technologies. Through a policy analysis, this dissertation assess the set of political provisions provided by the European Union to address the cyber security issue of the space infrastructure. Such study aims at exploring the geopolitical consequences linked to space cyber security risks, and at assessing the political preparedness of the European Union to address these challenges. The perspective of transatlantic cooperation to further support both American and European effort to tackle this security risk is also addressed. The overarching value of the study is to contribute to future European cyber security for space and transatlantic debates by providing useful perspectives and key takeaways on these two domains. Ultimately, he existing set of policies are not sufficient to address the cyber security issue in Outer Space, a unified approach by the European Union and the United...

Case study: testing Wahlgren’s escalation maturity model within public sector organisations in Sweden : Studying model support for operators of essential services in meeting NIS directive requirements for incident escalation

Ferguson, Isaac Yaw

January 2021

Critical infrastructures are vital services, and attacks on such systems affect people's social and economic well-being. Therefore, operators of such services must have appropriate measures in place to handle IT-related incidents. However, reports show that organisations classified as Operators of Essential Services (OES) do not have appropriate measures to handle IT-related incidents. A case study approach is used in this study to test the usability and the applicability of Wahlgren's Escalation Maturity Model level within various public sector organisations in Sweden regarding their escalation and communication of IT-related incidents. A follow-up semi-structured interview is also conducted with employees at the technical level to determine if the current organisation's maturity level shortcomings are known across different organisational levels. The tool's maturity level scaling attributes are difficult to understand because all organisations in this study achieve the same level of maturity, even though there is a wide range of performance regarding the number of questions answered in the affirmative. The data output generated from the testing of the model can assist organisations in improving their incident escalation activities. However, the lack of precision of the model makes it challenging to apply in the public sector. The results reveal that all the five organisations obtained an escalation maturity level of zero (0), non-existent, regarding escalation of IT-related incidents. As a result, with the current model, the participating organisations will have a difficult task complying with the NIS Directive's security and notification requirements.

IT security

maturity model

IT-related incidents

NIS directive

operation of essential services

escalation maturity

Information Systems, Social aspects