The European Defence Agency (EDA) presented on 24 May 2013 results of its stocktaking study of military cyber defence capabilities. Using an in depth methodology, the study benchmarked the degree of “Cyber Defence Readiness” of 20 participating Member States (pMS) and different EU level organisations. The landscaping exercise shows a mixed picture with respect to military cyber defence capabilities on national and European level. It recommends strengthening cooperation, exchange of information and proposes avenues for pragmatic Pooling & Sharing of some cyber defence capabilities. The study supports the relevance of the cyber defence activities launched by the EDA in the areas of cyber training ranges and deployable situational awareness kits for CSDP missions.
“Cyberspace can be described as the fifth dimension of warfare, equally critical to military operations as land, sea, air and space. Our study reveals important gaps in military cyber defence capabilities across the EU. The Agency is offering Member States a range of projects to cooperate in the area of cyber defence capabilities as well as in the research & technology domain”, says Peter Round, Capabilities Director of the European Defence Agency.
The one-year stocktaking study aimed to establish a high-level understanding of cyber defence capabilities across EDA pMS to support progress towards a more consistent level of cyber defence capability across the EU. 20 countries were included in the study.
This stocktaking exercise included research into the different EU level organisations involved in cyber defence activities in the context of CSDP missions as well as data collection on cyber defence capabilities in pMS. The research was carried out via document review, semi-structured interviews and a questionnaire.
Cyber defence information was analysed according to a commonly understood military framework of capability, known as Defence Lines of Development. These contributors are: Doctrine; Organisation; Training; Material; Leadership; Facilities and Interoperability (DOTMLPF-I). To measure and to a certain degree benchmark the degree of “Cyber Readiness” the study utilised a five step maturity model with 69 discrete and weighted indicators for maturity, broken down within the DOTMLPF-I structure to achieve the required granularity. Each country was qualitatively assessed for each contributor against this weighted maturity model.
On the national level, the study revealed a mixed picture with respect to military cyber defence capability. Generally speaking, in pMS where key decision-makers are familiar with cyber-security, cyber defence capabilities are more advanced. The 20 pMS exhibit strengths in the three capability domains of Leadership, Personnel and Interoperability. In the areas of Doctrine, Organisation and Training, an early level of maturity was defined which might be linked to the fact that these three areas require more complex and longer-term efforts to establish organisational structures. Facilities is the capability domain which remains to date highly immature or non-existent. Individual country profiles are classified and cannot be made available.
As regards cyber defence among EU organisations, the study highlights the complex operational set-up between the different institutions involved (e.g. EDA, the Member States, European External Action Service, European Commission, General Secretariat of the EU Council and related EU agencies). While threat analysis and cyber-intelligence gathering capability appears to be emergent, incident response capabilities could be deepened. The study also reveals that the culture of cyber-security good practice needs to be nurtured and that the use of military specific standards and tools is still poorly understood.
Military cyber defence on the European level is at a relative early stage of maturity. The study therefore makes high-level recommendations such as enhancing EU network protection, strengthening intelligence capability, deepening incident response capabilities, creating a culture of cyber-security, promulgating security standards and tools, and reinforcing links between NATO and the EU for cyber defence issues.
On the national level, greater attention should be given to the development of cyber defence training and education initiatives. pMS are encouraged to consider exchanging information on equipment solutions and Pooling & Sharing for cyber defence capabilities, and on processes and shared escalation procedures, especially in EU-led missions. Finally, the study suggests pMS consider sharing – to a certain extent – facilities and to take into account interoperability aspects of cyber defence.
Cyber defence is one of the Agency’s top capability priorities. Complementary to activities derived from the EDA Capability Development Plan (CDP), such as research on human factors in cyber defence, the establishment of a cyber defence research agenda and a common cyber defence training curriculum, there is a focus on the most pressing gaps identified in the landscaping study like training and education, or cyber defence situational awareness in CSDP operations. Consequently EDA is initiating three ad hoc projects with Member States:
(1) The Cyber Ranges project aims at Pooling & Sharing of current and future resources for Cyber Defence Training, exercise & testing in order to increase availability and efficiency of existing assets, and to mainstream and improve cyber defence training, exercises & testing at European level.
(2) The deployable cyber situational awareness kit initiative aims at providing, Pooling & Sharing a common and standardised cyber defence planning and management platform. It shall allow Commanders and their staff in EU-led operations to fulfil their cyber defence related tasks throughout all phases of an EU-led operation.
(3) The “Advanced Persistent Threats Detection (APT-D)” project initiative is focusing on improved capabilities in early detection and smart mitigation of APT.
Together with the Irish Presidency of the European Union and the Estonian Ministry of Defence, the EDA will also co-host a high level conference on Cyber Security Cooperation in the European Union on 20 June 2013.