Towards a ‘Europeanised’ approach to critical information infrastructure protection : the role of ENISA

Academic year: 2021


MSc Political Science: European Union in a Global Order 2013/2014

Author: Katerina Kokesova (10601376)

Towards a ‘Europeanised’ approach to critical information infrastructure protection: the role of ENISA

Research project: European Security Politics

Supervisor: Stephanie Simon

Date of submission: 27.06.2014

I have read and understood the School’s rules on plagiarism and assessment offences, and the work herein is my own, apart from properly referenced quotations.


Table of Contents

1. INTRODUCTION

2. WHAT IS CRITICAL?

2.1. CRITICAL INFRASTRUCTURE

2.2. CRITICAL INFRASTRUCTURE IN CYBER AGE

2.3. EUROPEAN APPROACH TO CIIP

3. EUROPEANISATION AND SECURITY GOVERNANCE

3.1. PERSPECTIVES ON THE PROCESS OF EUROPEANISATION

3.2. EUROPEAN SECURITY GOVERNANCE

3.3. GOVERNANCE IN CYBERSPACE

3.4. METHODOLOGY

4. ENISA

4.1. THE UNINTENDED SIDE-EFFECT OF SUCCESSFUL NETWORK SOCIETY

4.2. SENSE-MAKING OF THE CYBER THREAT

4.2.1. DEFINING EMERGING RISKS AND COMMON ENEMIES

4.2.2. PREPARING FOR A CATASTROPHE

4.2.3. BUILDING A CYBER RESILIENT EUROPE

4.3. DEVELOPING A CULTURE OF EUROPEAN SECURITY

4.4. MISSING: A GREATER INVOLVEMENT OF THE PRIVATE SECTOR

5. CONCLUSION


1. Introduction

In April-May 2007, Estonia, a country with the highest broadband connectivity in Europe, experienced a series of Distributed Denial of Service (DDoS) attacks. The attacks began to target the country’s government and private sector websites, which consequently became unavailable, and financial operations were severely compromised. The attacks have gone down in history as one of the largest coordinated cyber assaults involving thousands of machines, with ‘dramatic’ consequences (Greenemeier, 2007). In the words of the former White House cybersecurity advisor and former chief security officer at eBay and Microsoft Howard Schmidt, ‘Estonia has built its future on having a high-tech government and economy, and these have been brought to their knees’ as a consequence of over a hundred separate DDoS strikes against the country’s cyber infrastructure (cited in Greenemeier, 2007). Moreover, step-by-step instructions published online allowed any Internet user to get involved and experiment with launching individual attacks. These attacks drew attention to the existing vulnerability of European member states, whose societies depend on the uninterrupted functioning of the Internet and services reliant on information communications technologies (ICT), to disruption or penetration of these very systems. Additionally, they highlighted the lack of cooperative arrangements at the European level that would have helped the affected country when facing a large-scale cyber attack.

Estonia’s experience subsequently provides an exemplary illustration of what Ulrich Beck (1992) has termed ‘reflexive modernisation’. In an age of reflexive modernity, society confronts itself as opposed to confronting an external adversary. In this sense, it is defending itself against the by-products of its own progress, epitomised in our case by the growth of the network and information society. The process of modernisation leads to unforeseen and unintended consequences – ‘manufactured risks’ – which we have little or no prior experience of tackling (Giddens, 1999). As a result, our age comes to be defined by what one may call ‘consequence management’. The risks emanating from cyberspace are an ultimate example of what Beck calls the ‘de-bounding of uncontrollable risks’, which takes place within three dimensions – spatial, temporal and social (Beck, 2002: 41).


Cyber risks are de-bounded spatially as they disregard all existing boundaries – they are truly global. Moreover, they are de-bounded temporally given their latent character – they may be incubating within our systems without us being aware of their existence. And lastly, concerning their social dimension, it is difficult to discern who is responsible for them. In an environment characterised by uncontrollable risks, nation-states face new security challenges, which are beyond their ability to confront on their own.

Consequently, Beck’s theory of risk society and reflexive modernisation does not merely offer an innovative outlook on the emerging security environment. Even more importantly, it provides a useful tool for analysing the emergence of new supranational institutions (Beck and Grande, 2007) and nation-states’ increasing willingness to coordinate their security policies on a supranational level. Traditionally, security policy has been the bastion of member states’ national politics. In the current environment, however, nation-states find themselves no longer capable of ensuring the security of their citizens through their own means, which forces them towards seeking cooperative arrangements on the interstate level. As such, the current trend offers fruitful ground for academic inquiry into the process of Europeanisation of nation-states’ security practices.

This statement particularly applies to the study of critical infrastructure protection (CIP) from cyber attacks. Critical infrastructures form the backbone of states’ societal and economic development and as such they have come to appear at the top of national security agendas. There is a growing perception among states that their societies are exposed to an ever-increasing number of potentially catastrophic vulnerabilities associated with CIP as well as to a growing willingness of dangerous actors to exploit them (Dunn Cavelty and Kristensen, 2008: 1). This perception does not apply to individual states alone, but also to the EU as a whole. Yet, despite the integrated nature of European economies, whose functioning relies on the availability and integrity of critical infrastructure and critical information infrastructure, member states’ CI(I)P policies remain fragmented and uncoordinated (Hammerli, 2010: 13). Such lack of harmonisation, however, may in the future prove problematic. Although the initial responsibility for CIP lies at the national level, given the interconnected nature of CII the level of granted protection (or the lack thereof) entails repercussions beyond the borders of individual member states. Consequently, it is appropriate to state that ‘the Union is only as secure as its weakest link’ (Robinson et al., 2013b: 4).

The starting point of this thesis is thus an apparent dilemma facing the Union: on the one hand, member states will seek to maintain the policy area of CIIP within their remit; on the other hand, this may lead to insufficient security measures being adopted by some members of the Union, thus putting in peril the EU as a whole. The key question for the Union therefore is how to achieve a standardised level of security and ensure an effective level of preparedness and willingness to cooperate among the member states. In particular, there are two dimensions the EU needs to focus on. Firstly, and as already mentioned, critical infrastructure is viewed as a national security issue, which in turn leads to a tension between national and European security. Secondly, in the majority of cases critical infrastructure ownership lies in the hands of the private sector and as such is beyond the control of national governments. Consequently, at the heart of this thesis lies the question of how the EU intends to create a ‘Europeanised’ CIIP so that member states would afford more space to ‘Europe’ in their formulation of CIIP policies; what are the tools and techniques through which the development of ‘European’ preferences with regard to CIIP is sought? A special focus will be given to the European Union Agency for Network and Information Security (ENISA), its knowledge production and subsequently its prominent role in the ‘Europeanisation project’1. As such, the thesis seeks to enrich the academic debate on the subject of the processes of Europeanisation as well as the topic of the European approach to cybersecurity. While the scholarly debate on Europeanisation is extensive, the same cannot be said about the literature on European cybersecurity strategy and even less so on the role of independent agencies, such as ENISA, in the process.

1 Due to space constraints, this thesis will focus purely on ENISA’s activities as drivers of the ‘Europeanisation project’. The developments of individual member states’ CIIP policies, their similarities and differences, will not be discussed.


In this regard, February 2013 marked a turning point in the European Union’s (EU) approach to cyber security. Having published its own Cybersecurity Strategy, entitled ‘An Open, Safe and Secure Cyberspace’, together with a proposal for a Directive on Network and Information Security (NIS), the EU has reaffirmed its commitment to taking the challenges arising from cyberspace as a security issue in its own right and at the same time proposed ways for dealing with key problems of cyber security governance (Dunn Cavelty, 2013a: 4). The EU’s approach to cyber security can be divided into two key policy areas. The first, which does not form a part of this thesis, focuses on addressing cybercrime and cyber terrorism through the means of law enforcement (Bakowski, 2013: 4). The second area, on the other hand, focuses on enhancing critical information infrastructure protection (CIIP) and network resilience to potential attacks as well as ensuring effective incident response capacities. According to the Strategy, ICT is a ‘critical resource which all economic sectors rely on; it underpins the complex systems which keep our economies running in key sectors such as finance, health, energy and transport, while many business models are built on the uninterrupted availability of the Internet and the smooth functioning of information systems’ (Commission, 2013a: 2). In particular, the Strategy points to the existing capability gap across the EU: first of all, in managing cyber crises; secondly, in coordination when it comes to cross-border incidents; and lastly, in terms of private sector involvement and preparedness (Ibid.: 5).

In an effort to close these gaps, the Commission has proposed the NIS Directive, which seeks to ‘enhance public and private capacities, resources and processes to prevent, detect and handle cyber security incidents’ (Ibid.). The key institution involved in the implementation of the Directive is the European Agency for Network and Information Security (ENISA). Believing, however, that ENISA plays merely a supervisory role would be erroneous. Despite its limited human and financial resources – the Agency is only sixty people strong – ENISA has adopted a proactive approach towards achieving greater interstate coordination of security policies and cooperation in avoiding, identifying and mitigating the consequences of a cyber assault. ENISA’s role in the development of European policies regarding CIIP is particularly worthy of academic discussion. Although the Agency does not benefit from the high-profile status enjoyed by other European institutions and although it does not have legislative or regulatory powers, its impact on member states’ approaches to cybersecurity cannot be disregarded. ENISA’s authority stems from its designation as ‘a centre of expertise’ providing reliable information to European bodies and member states. ENISA’s staff, composed of apolitical security experts, thus produces and disseminates specific, technical knowledge aimed at raising member states’ awareness about what it is that needs to be protected, against what type of dangers, by whom and by which means. Knowledge, however, should not be seen in simplistic and static terms, as the understanding of a subject through experience and education. Instead, knowledge is constitutive of power since power is constituted through accepted forms of knowledge, presented and acknowledged as the ‘truth’ (Foucault). Consequently, ENISA can be seen as an epistemic community, defined as ‘a dominant way of looking at social reality’, whose status as a centre of expertise enables it to act as a policy innovator, framing the issues to be addressed as well as the context in which new data is to be interpreted. As such, it presents an interesting case for analysing what role it has to play in the process of harmonising member states’ CIIP policies and whether it is employing the power of its knowledge to its full potential.

In the ensuing pages, I will outline the importance of critical infrastructures and especially their growing ‘criticality’ in the information age. I will subsequently present the theories of Europeanisation and European security governance, which will set the scene for the analysis of ENISA’s role in establishing a ‘Europeanised’ approach towards CIIP and in governing the European cyber landscape. Critical infrastructure and especially its protection from cyber attacks is an ideal lens through which to analyse broader changes in society in general and security thinking in particular (Waever in Dunn Cavelty and Kristensen, 2008: x). By and large, societies characterise themselves through the delineation of crucial objects to be defended, and as such looking at the EU’s approach to cyber security with regard to critical infrastructure will provide us with an insight into what type of Europe is in creation, and how Europe’s role as a security actor is evolving.


2. What is critical?

2.1. Critical infrastructure

In itself, the English use of the term ‘infrastructure’ has a very recent origin, dating back to the year 1927, when it was defined as ‘the underlying foundation or basic framework of a system or organisation’ (Merriam-Webster online). The term ‘critical infrastructure’ alters the meaning to designate those infrastructures whose significant damage or complete destruction would have a destabilising impact on the society that depends on them. Labelling infrastructure as ‘critical’ therefore underscores its importance for the society and places it above ordinary subjects. Critical infrastructure thus becomes problematised as being in need of protection, which allows for political interventions in this domain (Aradau, 2010: 501).

While in the United States national security after the break-up of the Soviet Union and the disappearance of the Soviet threat came to be identified in terms of the security of vital systems (Collier and Lakoff, 2008: 30), the EU began to struggle with the challenge of defining the criticality of critical infrastructure, understanding what threatens it and formulating approaches to protect it only after the attacks of 9/11 and especially after 2004, when several critical events (terrorist attacks in Madrid and the following year in London, internal infrastructure disruptions, the rise of hacktivism etc.) shifted attention to the vulnerabilities facing critical infrastructures (Hogselius et al., 2013: 3; Burgess, 2007: 475). Nevertheless, how are we to identify what is valuable enough to be in need of protection; what is indispensable for our society?

Burgess (2007: 480) distinguishes between two conceptions of value – economic and cultural. For the former, all objects have an intrinsic value, which can be transformed or added, while for the latter, value lies in the quality of an object, which makes it valuable. Burgess himself privileges the social / cultural approach, arguing that ‘it is not the materiality of infrastructure that determines its value to society; it is rather the social, culturally determined ideas of value, historically, geographically, environmentally and also economically determined standards and measures’ (Ibid., emphasis original).


Consequently, contrary to those authors for whom given the materialistic nature of our society, objects in themselves and for their material connectivities ‘have become instrumental in understanding what it means to secure societies’ against emerging risks and hazards (Aradau, 2010: 491), critical infrastructures are not and should not be seen as critical merely for their material aspects. When it comes to critical infrastructures’ breakdowns, it is not only the infrastructure itself that we are concerned about, but rather the consequences its disruption would have on our lives.

Subsequently, the European Commission defines CI as ‘an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens’2. This definition emphasises the network aspect of critical infrastructures, highlighting that the criticality lies not in the value of a single component but rather in its systemic relevance (Angelini et al., 2013: 2). The services CIs provide have become so indispensable to the functioning of modern societies that our existence without them seems unimaginable. Consequently, the criticality of critical infrastructure lies in the cultural and political significance it has acquired (Burgess, 2007: 479). As a result, the threat represented by attacks on CI, whatever form they take, constitutes not solely an assault on their economic value, but more importantly on the culture and values they represent. In this sense, CIs that cross borders within Europe have the quality of linking Europe as an economic entity as well as a political and a cultural ensemble, thus making it an attractive target to potential adversaries.

2.2. Critical infrastructure in cyber age

While in the past society’s dependence on CI stemmed primarily from geographical and physical connections, today, society’s infrastructures are increasingly dependent on information and communications systems that criss-cross national boundaries and span the globe (Tabansky, 2011: 62). According to a recent Chatham House report on ‘Cyber Security and Global Interdependence’ (Clemente, 2013), cyber-enabled critical infrastructure dependencies are redefining what constitutes critical infrastructure. At the height of the Information age, ‘electronic communications infrastructure and services have in themselves become ubiquitous utilities in the same way as electricity or water supplies, and at the same time constitute vital factors in the delivery of electricity, water and other critical services’ (Regulation No 526/2013). Consequently, although cyberspace is often categorised as a domain of its own, it is entrenched so profoundly within other sectors as to make this distinction meaningless. The cyber dimension serves as a ‘nervous system’ running through all other critical information sectors, enabling them to function and interconnect. The critical infrastructure of each country is increasingly electronically managed. The gradual introduction of network, monitoring and control systems, as well as the growing level of interdependence, have on the one hand improved the effectiveness of critical infrastructures but at the same time made them more vulnerable to cyber attacks and the risk of a domino effect.

2

Critical information infrastructure has thus become an important CI in itself, which at the same time supports several elements of other CI. The growth of the cyber dimension into each and every aspect of our lives means that ‘critical infrastructure today necessarily refers to an information infrastructure’ (Tabansky, 2011: 62). According to some, such expansion of the term ‘infrastructure’ leads to an ambiguity in defining and delineating critical infrastructure and their associated dependencies, arguing that when ‘everything’ is deemed critical ‘nothing is’ (Clemente, 2013: 3-5). In one sense, this ambiguity is desirable as it makes it more difficult to ascertain who is responsible for taking effective security measures. Nevertheless, when an incident occurs, citizens hold their national governments accountable and as such it is in the governments’ interest to be able to delineate, prioritise and effectively protect systems vital to the functioning of their society – and the society itself.

The governments’ task of securing their societies, however, is becoming increasingly difficult since with the unprecedented level of interdependence come new sources of vulnerabilities. Cyberspace embodies a unique domain for interaction where ‘the technical meets the social’. The human becomes inseparable from the technological, forming together a complex ecosystem where ‘technology becomes constitutive of novel forms of complex subjectivity, characterised by an inseparable ensemble of material and human elements’ (Dunn Cavelty, 2013b: 5). The proximate connection between and the mutual constitution of technological and human factors gives rise to a society which finds itself dependent on the critical infrastructures that support its existence and, at the same time, a society which in the process has become a critical infrastructure in itself. This thought leads us back to Burgess’ (2007: 479) belief that there is more to CI than its materiality, embodied in the ‘networks of socially and culturally determined values, which precede, presuppose, surround and help to operate the physical installations’. Nevertheless, once society itself is perceived as a CI, the apparent threat landscape changes in turn and the necessity to engage in critical infrastructure protection increases. As a result, the present concern with CIP is tied firstly to the widespread perception that modern societies are exposed to an ever-increasing number of potentially catastrophic vulnerabilities and secondly to the belief in the growing willingness of malicious actors to exploit these newly emerged vulnerabilities (Dunn Cavelty and Kristensen, 2008: 2).

Seeking to protect CII against cyber attacks consequently reflects the arguments put forward by risk scholars, who point to the reflexive nature of modernity. While on the one hand modernity presents infinite opportunities for society’s development, it is itself problematic as it conceals behind its progressive facade a multiplicity of unforeseen and unintended consequences (Beck, 1992). As such, the present modern age is reflexive, as it confronts itself in the form of risks produced via its own successes in terms of the scale of production, innovation and the compression of time and space (O’Malley, 2004: 2). Critical infrastructure protection is therefore representative of two important features of contemporary political life – the fear of the future (Bigo, 2006) and the presence of risk. Yet, risk is not only that which ‘induces irreversible harm, generally remains invisible and is based on causal interpretations’ (Beck, 1999: 23). According to Rose, risk represents an assemblage of ways of thinking and acting, which involves predicting probable futures in the present followed by interventions into the present for the purpose of controlling that potential future (in Aradau, Lobo-Guerrero and van Munster, 2008: 149). The primary characteristic of the risk society is therefore the presence of the future – ‘the ontological and epistemological status of what has not and may never happen’ (Anderson, 2010: 778) – and equally the continuous debate on the society’s ability to control the future. The practice of controlling the future is primarily based on the concept of anticipation – the identification of threats and risks in advance in order to allow for the adoption of preventive measures. At the same time, the majority of political debates and reports present attacks on CII as impossible to predict and exhibit a sense of powerlessness vis-à-vis the complex and interdependent nature of modern technology, which seems to be unmanageable, beyond control. I will return to these ideas in particular when discussing ENISA’s attempts to control / manage the member states’ responses in the future, which can be neither predicted nor controlled and yet must be prepared for.

2.3. European approach to CIIP

In an age of Information, critical information infrastructure (CII) has become the cornerstone of Europe’s society and economy. This has been reflected in the growing number of communications and directives addressing the challenges facing network and information security (NIS) and designing ways of protecting against them. The first such Communication on Critical Information Infrastructure Protection was adopted by the Commission in 2009 and seeks to protect the EU from cyber disruptions by increasing the security and resilience of CII. The result of the Communication was an Action Plan, which is carried out within and in parallel with the European Programme for Critical Infrastructure Protection (EPCIP). The Plan is based on five pillars: preparedness and prevention, detection and response, mitigation and recovery, international cooperation and criteria for the identification of European CI. In 2011, the Commission followed up on the Plan, publishing a Communication on ‘Achievements and next steps: towards global cyber-security’, which analysed achieved results and concluded that national approaches to tackling security and resilience challenges alone are not sufficient. Instead, it argued for a coherent and cooperative approach to be developed and adopted throughout the Union.

The latest additions to the EU’s policy on CIIP are the Cyber Security Strategy of the European Union and the proposed Directive on Network and Information Security, both adopted in February 2013. The EU’s Cyber Security Strategy, however, has so far failed to compel the member states to introduce harmonised policies, and instead focused on establishing general principles on access, responsibility, fundamental rights in cyber space and its democratic governance. By contrast, the proposed NIS Directive establishes specific requirements for member states and covered entities (public administrations and market operators from the energy, finance, healthcare, transport and internet sector). The central aim of the Directive is to improve member states’ preparedness and increase inter-state cooperation in the area of critical infrastructure protection.

The collaboration framework consists of sharing early warnings on risk and incidents as well as the establishment of common minimum requirements for network and information security at national level. One of the key elements of the Directive is the required establishment of competent national authorities, which would take the responsibility for developing policy on cyber security (Art. 6). The pan-European aspect of the Directive is visible in Art. 8, which states that competent authorities are to be connected through a protected network so that they will be able to circulate early warnings on risks and incidents; ensure a coordinated response; exchange information and best practices at member state level and with the Commission to help build capacity; organise peer reviews on capability and preparedness; organise NIS exercises at Union level and participate in international exercises. In addition, the Directive makes it compulsory for states to establish Computer Emergency Response Teams (CERTs) responsible for handling incidents and risks. These CERTs will, in addition to monitoring incidents at national level, provide early warnings and disseminate information to relevant stakeholders about risks and incidents; respond to incidents; provide risk management and situational awareness as well as build broad public awareness of the risks linked to online activities. The covered entities are under the obligation to notify member state competent authorities of NIS incidents that have ‘a significant impact upon the security of the core services they provide’ (Art. 14(2)). All in all, regular notifications are intended to provide for better understanding and a complete analysis of evolving trends.

A regulatory framework for achieving a Europeanised approach to CIIP is consequently on the rise, with ENISA playing a central role in ensuring its successful, coordinated and timely implementation. Nevertheless, ENISA’s main role is not regulatory. Instead, it is intended to construct common ideas and perceptions, around which member states’ interests would converge. This is a key technique in the Agency’s Europeanisation project.

3. Europeanisation and security governance

3.1. Perspectives on the process of Europeanisation

Although an agreed upon definition of ‘Europeanisation’ is absent in scholarly literature, in the widest sense, Europeanisation stands for a process of ‘structural change, variously affecting actors and institutions, ideas and interests’ (Featherstone, 2003: 3). Above all, its impact is usually cumulative, asymmetrical and irregular over time and space – national and subnational.

Three relevant uses of the term are discernible in academic discussions. Firstly, Europeanisation is used to describe the impact of EU institutions and decision-making processes on national policies (‘downloading’). In the earlier writings on Europeanisation, the phenomenon was defined as an ‘incremental process reorienting the direction and shape of politics to the degree that EC political and economic dynamics become part of the organisational logic of national politics and policy-making’ (Ladrech, 1994: 69). Here, Europeanisation is argued to come about either via a direct adjustment pressure from the EU or to be driven by member states themselves (Sedelmeier, 2012). In the former case, domestic change occurs only as a result of mediating factors, which interact with the pressure to adjust. For rational institutionalism, governments’ choice of complying with EU rules and policies is decided upon through cost-benefit calculations. For constructivist institutionalism, on the other hand, domestic adjustment is a consequence of social learning. The constructivist emphasis on social learning, consensual political culture and norm entrepreneurs has gained a vast number of followers and its influence is evident in the most widely used definition of Europeanisation, put forward by Bulmer and Radaelli. In their definition:

‘Europeanisation consists of processes of a) construction, b) diffusion and c) institutionalisation of formal and informal rules, procedures, policy paradigms, styles, ‘ways of doing things’ and shared beliefs and norms which are first defined and consolidated in the EU policy process and then incorporated in the logic of domestic (national and subnational) discourse, political structure and public policies.’ (Bulmer and Radaelli, 2004: 4)

This definition will also serve as a guide in assessing the process of Europeanisation of CIIP policies across member states while specific emphasis will be given to ‘learning’ as a mechanism of Europeanisation. Especially in the issue under discussion, learning, defined as ‘change of beliefs or the development of new beliefs, skills and procedures as a result of the observations and interpretations of experience’ (Alecu de Flers and Muller, 2012: 28), is a key factor driving domestic change and harmonisation of member states’ attitudes and policies. In the case of recipient-driven Europeanisation, European rules are complied with due to lesson drawing and emulation, triggered by domestic policy failures or delegitimisation of domestic policies (Ibid.: 6).

Secondly, the term refers to the engagement of individual member states with European institutions in order to better fulfil their national preferences and policy objectives as well as to ‘use the Union as a shield’ (see Tonra, 2013: 5 or Pirro and Zeff, 2005: 215) against globalisation or other destabilising external factors (‘uploading’). Lastly, scholars have pointed to a third dimension of ‘cross-loading’ whereby a change occurs ‘within Europe’ as states learn horizontally from one another and transfer their ideas and norms to the point of developing shared interests and preferences (Tonra, 2013: 6). Consequently, it becomes apparent that Europeanisation is not merely a one-way process as was initially understood. Instead, the process involves multiple channels of cause and effect and importantly a reciprocal relationship between national and EU level policy making (Ibid.: 4).

In addition, Europeanisation can also be analysed from the theoretical perspective of reflexive modernisation. Through the means of this theory, Ulrich Beck and Edgar Grande (2007) develop four hypotheses about the construction of Europe and its consequences for the nation state. Firstly, Europeanisation is to be examined as a component of a comprehensive process of reflexive social modernisation – the structural break theorem – according to which political, economic and scientific institutions of the first modernity are being supplemented and substituted by new institutional arrangements of transnational governance (Beck and Grande, 2007: 30). Consequently, the process of EU’s reflexive modernisation ‘gives rise to the structures of a new, transnationally interconnected society that breaks out of the container of the nation-state and simultaneously transforms its own basic institutions’ (Ibid.: 31). Secondly, the evolution of the second modernity has not completely negated the first one. Instead, it presumes the realisation of the first modernity and as such, it presupposes the continuing existence of the nation state as well as the evolving expansion of Europe. Thirdly, since the transition occurs as a result of internal dynamics, it must be conceptualised as ‘meta-change’ – meaning, change within the parameters of change. Lastly, and with a special relevance from the point of view of this thesis, the transition from first to second modernity does not take place through revolutions but ‘as the unintended reverse side of the successes of primary modernisation’ (Ibid.). This, however, does not mean that political leaders have no say over the process of Europeanisation. While, as Beck and Grande (2007: 36) argue, Europe grows ‘behind the backs of actors through the power of side effects’, it has at the same time always been the product of political decisions. 
Nevertheless, in its finality it develops into a product, which none of its creators has intended nor authorised. Consequently, Europeanisation ‘takes place and operates in the specific mode of institutionalised improvisation’ (Ibid.: 37).

An important question for the unfolding discussion is: how do side-effect politics come about and who is at their origin? For Beck and Grande (Ibid.), the politics of side effects is both hidden and anonymous, which enables the process of Europeanisation to advance without any prior political or societal legitimation. Certainly, the process itself does not happen by chance. In order for Europeanisation to take place, political opportunities must exist for it to be realised. The ‘constructive potential’ of these opportunities must, in addition, be seized by ‘cosmopolitan entrepreneurs’ and implemented (Ibid.: 36). The following section will shed more light on the role of such ‘entrepreneurs’, which in this thesis are epitomised as epistemic communities. These communities, through their knowledge production and institutionalisation of common definitions and practices, contribute to the Europeanisation project.

3.2. European security governance

In order to understand how the Europeanisation project in the field of security politics unfolds, this thesis will use the concepts of governmentality and governance.3 Although the two concepts originate in distinct intellectual and disciplinary traditions, they do come together in their effort to tackle the issue of regulating, governing or conducting individuals, organisations, systems, the state and the society in modernity (Amos: 1).

Firstly, Foucault’s concept of governmentality illustrates that power techniques and forms of knowledge are mutually constitutive (Lemke: 1). According to Foucault, the coin of governmentality has two sides. The first is to define specific forms of representation. Government delineates a discursive field, in which it rationalises the exercise of power. In his critical scrutiny of power and governing, Foucault brings our attention to the development and institutionalisation of political practices. Rather than taking them at face value, Foucault points to the fact that ‘practices’ do not exist without a certain regime of rationality and at the same time, political rationality should not be considered as ‘pure, neutral knowledge which simply represents the governed reality’ (Lemke, 2000: 8). Instead, political rationality itself constitutes the intellectual processing of reality, which political technologies consequently deal with. This includes agencies, procedures, institutions, and legal forms, which are meant to enable the governing of the objects and subjects of political rationality. By providing definitions of concepts, specifying objects and borders, providing arguments and justifications, government makes it possible for a problem to be addressed and offers certain strategies for addressing it. As a result, it provides a structure for specific types of interventions (Lemke: 1-2).

With regards to the concept of governance within the EU, Webber et al. (2004: 4) focused specifically on the concept of European ‘security governance’, seeking to locate some distinctive ways in which European security has been coordinated, managed and regulated. In their definition, the concept of ‘security governance’ involves ‘the coordinated management and regulation of issues by multiple and separate authorities, the interventions of public and private actors, formal and informal arrangements, structured by discourse and norms and purposefully directed toward particular policy outcomes’. ‘Governance’ corresponds to the way in which individuals and institutions from both public and private realms manage their common affairs. Even in the field of security politics, epitomised as the harbinger of state sovereignty, the state’s oversight has been in dissolution as the role of non-state actors in implementing and monitoring security policies grows in importance. According to James Rosenau, ‘governance is a system of rule that is as dependent on inter-subjective meanings as on formally sanctioned constitutions’ (cited in Webber et al., 2004: 7). Often, inter-subjective meanings are more decisive for facilitating and driving inter-state cooperation than formal rules and procedures. In fact, ‘soft governance’ – agreed upon norms and values, which determine actions – is considered to form the backbone of cooperation among states. The instruments of soft governance are increasingly present within the EU and demonstrate themselves in the form of regulatory and advisory agencies, voluntary agreements, harmonised technical standards or codes of conduct. As opposed to ‘hard governance’ – formal procedures – these instruments are to a large extent voluntary, they enjoy a higher degree of administrative decentralisation and are articulated around self-organising dynamics of partly autonomous organisations (Borras: 1). The success of informal arrangements supports the conclusion that ideas and norms matter for inter-state cooperation. Nevertheless, as Webber et al. (2004: 7) point out, ideas, norms and values do not necessarily have a life of their own – ‘they are embedded in material structures and thus reflect and reproduce relationships of power’. Consequently, the ideas on which European security governance is currently being constructed emerge from a struggle between various actors with varying interests, seeking to realise specific purposes in the security sphere.

While power is constitutive of knowledge, the opposite is also true. Knowledge can be seen as ‘the key to power’ (Faleg, 2011) or even become ‘power’ in its own right. Knowledge, defined as ideas, information, expertise and understanding about an issue, is necessary for taking decisions. National and transnational networks of experts foster institutional and policy learning by promoting new principled and causal beliefs, leading to new values and strategic prescriptions. The acquisition of new knowledge originating from these networks may thus lead to the development of new policies and institutional change. Especially in complex, issue-specific fields such as cyber security, where the technical nature of threats demands a significant involvement of experts in the decision-making process and where individual leaders responsible for negotiating issues related to cyber space in the majority of cases possess little understanding about the field, expert knowledge increases in importance and impact (Singer and Friedman, 2014: 37). As such, communities of experts play a vital role in the transfer and diffusion of knowledge by promoting policy innovation, policy diffusion, policy selection and policy evolution as learning (Adler and Haas P. in Faleg, 2011: 5).

In his When Knowledge is Power, Ernst Haas attributes institutional change to the way ‘knowledge about nature and society is married to political interests and objectives’ (Haas, 1990: 11). Political action can then be explained as an ‘exercise of defining and realising interests informed by changing scientific knowledge about man and nature’ (Ibid.). The power of knowledge thus lies in its ability to inform and shape state interests. The available knowledge about a problem at stake influences the way decision-makers define their interests and craft solutions to the issue (Ibid.:). Expert knowledge of epistemic communities (defined as ‘a dominant way of looking at social reality, a set of shared symbols and references, mutual expectations and a mutual predictability of intention’) therefore enables them to act as policy innovators, delineating the nature and scope of an issue-area and framing the context in which new data and ideas are interpreted. In this environment, where experts guide policy makers in their choice of the appropriate tools and institutions within which to manage given problems, state interests become determined as a result of how issues are framed by experts (Faleg, 2011: 7). Consequently, the role of ideas and discourse of epistemic communities in surmounting national policy legacies has been and will remain essential (Webber et al., 2004: 17).

Epistemic communities thus play a key role in the process of ‘institutional learning’. According to Haas, an institution has learned, when groups of bureaucratic units within governments and organisations have agreed on a new way of conceptualising a problem (Haas, 1990:). Learning, defined as a change of beliefs or the development of new beliefs, skills, procedures and structures as a result of the observations and interpretation of experienced events (Levy, 1994: 283) may also be conceived as a mechanism of Europeanisation. Through the means of information sharing, learning from collective experiences and the evolution of common knowledge, member states may alter the ways in which they perceive given problems and re-evaluate their initial preferences. This process is evident within the EU, which has been considered a fertile arena for cross-border policy exchange, where member states may share among themselves impressions about their practices, policies and methods (Alecu de Flers and Muller, 2012: 29).

While being aware of the constitutive power of knowledge, norms and ideas enriches our understanding of the process of governance within the EU, it remains important to inquire into the ways in which particular forms of knowledge and ideas are selected while others are disregarded, which leads us back to Ulrich Beck. Beck (1992) characterises modern risk society as a ‘catastrophic society’ where ‘the state of emergency’ threatens to ‘become the normal state’. Within such a society, the role of security experts has become crucial. According to Beck, risks are also market opportunities, leading to a growing antagonism between those affected by risk and those who profit from their dissemination (1992: 46). In the age of risk, society relies on the knowledge of security experts, who define and calculate the risks we face in order to prepare for them and pre-empt them. The more we know, however, the more at risk we feel; yet the more we want to know. As such, the role and importance of security experts has grown exponentially, especially after the events of 9/11. Although logic dictates that the proliferation of expert knowledge and recommendations should enhance the perceived and actual sense of security, such a conclusion is premature. Instead, it has been argued that security experts construct problems in order to perpetuate the use of their traditional tools, thereby manufacturing an unsettled environment to legitimise their activities (Bigo, 2002: 121). Security experts thus have the power to unite detached issues and to form ‘a web of meaning of securitarian resonance’, which authorises the use of exceptional practices as a solution to identified problems (Ibid.: 142). Once expertise ceases to be questioned, the security industry and private authorities gain the authority to design and build security architecture based on requirements of efficiency rather than political imperatives. The role of security experts and engineers is ever so important when we talk about a field as complex as cybersecurity.

3.3. Governance in cyberspace

The politics of cyber security is also amenable to being studied via the lens of governance. Using Michael Dean’s analytics of government, whereby governmentalities are constructed via discourses centred on particular problem constructions and a set of politically privileged responses to these problems, David Barnard-Wills and Debi Ashenden (2012) analyse the ways in which cyberspace is constructed as well as the ways in which governments seek to govern this emergent space. Their analysis is especially valuable for realising the constructed nature of the virtual realm, which is on the one hand non-physical and yet its nature is real with genuine physical, societal and political consequences. Despite our inability to fully comprehend the scope of cyberspace, this should not divert us from seeing it as a construction – both physical, one produced with networking information technology, and social, one formed according to how institutions understand, interpret and talk about the space in public (Ibid.: 111).

Within political and technical discourse, cyberspace has been primarily presented as an ungovernable, unknowable common inhabited by hostile actors and therefore inevitably threatening and making us vulnerable (Ibid.: 116). Cyberspace is primarily a man-made domain, which continuously changes based on the inventiveness and participation of the end users. Additionally, cyberspace is subsequently constructed as amenable to frequent technological change since the end-to-end principle allows for generative technologies to be introduced into cyberspace by end users, which leads to great variation and innovation but also to unforeseen security risks and problems of regulation. This means that cyberspace is defined as much by the cognitive realm as it is by the physical or digital one (Singer and Friedman, 2013: 15). As such, our perceptions of cyberspace matter since they inform its internal structure.

Many features of cyberspace challenge the traditional understanding of politics and security governance. First of all, cyberspace replaces traditional temporality with instantaneity – the time lapse between a cyber attack and its effects, both technical and physical, is minimal if not nonexistent. Secondly, cyberspace transcends constraints of geography and physical location, penetrating boundaries and in consequence national jurisdictions. As General Michael V. Hayden, USAF, retired, former director of the National Security Agency, has observed, ‘man can change [cyber] geography and anything that happens there actually creates a change in someone’s physical space’ (cited in Hurley, 2012: 16). Cyberspace eradicates distance, brings public and criminal activity into close proximity and erodes the distinction between internal and external threats. The open and easily accessible nature of cyberspace, moreover, reduces barriers to activists, criminals or terrorists to engage in their activities, while at the same time concealing their identities. Cyberspace is infamous for its lack of visibility and inspectability, as a result of which the attribution of activities realised via the Internet is extremely difficult, if not impossible. Subsequently, the ability to hold the perpetrators accountable for their actions is similarly rendered unfeasible. Consequently, cyberspace is presented as a realm, which either merely privileges the powerful actors with harmful intentions or, in a worse case, actively encourages criminal behaviour. It brings along new types of asymmetries, which alter established power relations and provide possibilities for weaker actors to threaten their stronger counterparts.

Moreover, framing the nature of cyberspace as inherently ‘unknown’ and ‘unknowable’, the threat of cyber attacks is conceptualised as ‘unpredictable’, yet inevitable and imminent with potential catastrophic consequences. The emphasis on the possible catastrophic impacts of an attack committed through cyberspace is exemplary of the tendency (especially from the part of military and security organisations) to exaggerate the risk of cyberwar and cyber terrorism at the expense of overshadowing the more mundane but persistent damage caused by cybercrime (Schneier, 2013). Such thinking unavoidably leads to an increased feeling of urgency for political action (De Goede, 2012: 194). To think of a catastrophic event, however, ‘is to think an open future that cannot be secured’ (Anderson, 2010: 228). According to Aradau and van Munster (2011) catastrophe challenges the limits of possibility. It is a temporal concept that points towards an unexpected future, which departs from the way modern society has come to understand future as predictable and linear – an ‘extended present’ as well as the past.

The emergence of threats from cyberspace, however, should not be misunderstood as radically new and different from what we have experienced before. It should rather be viewed through the lens of continuity and discontinuity. Traditional threats have not been simply substituted by ‘cyber threats’; instead they have been complemented, broadened and reformed. One way in which the presence of cyber threats represents continuity is the continuing security debate on whether a state, or in this case the EU, should concentrate on the external dimension of security - focusing outwards on stopping threats at the source (international security strategy) - or rather expend its efforts on reducing internal vulnerabilities (internal security strategy). According to a report by the Brookings Institution, ‘being secure is not just about keeping the bad guys on the outside; it’s about making the systems inside less vulnerable’ (cited in O’Connell, 2012: 208). Within the EU, this has become one of the principal tasks of ENISA.

As a response to the growing uncertainty and complexity surrounding the ‘cyber threat’, European security policy began to shift towards administrative actors. While the European Parliament is being marginalised from these specific issues, other European institutions are being displaced by administrative organisations such as ENISA, Europol, EDA, CEPOL and MESA. By virtue of their informal and non-hierarchical nature, these organisations provide an arena for an exchange of ideas and experiences, which in turn facilitates coordination and harmonisation of practices. The focus of this thesis will be on ENISA - the European Network and Information Security Agency. It will be argued that ENISA is not merely an arena where member states exchange their ideas and experiences. Its unique position as a hub of expertise with regards to network and information security bestows upon the Agency a considerable amount of authority and power in defining what it is that needs to be secured, from which threats and by what means. Through the production of this type of knowledge, the Agency has the power to influence the process of Europeanisation in this particular field. Yet, so far it has not been able to leverage its distinctive position in order to forge a harmonised approach towards cyber crisis management across the Union. Before we start unpacking the individual parts of the argument, however, let us first consider the methodological approach adopted in this study and reflect on the data used for the argumentation, which I have just outlined.

3.4. Methodology

According to Jacques Rancière, method should be perceived as a path that is created by the researcher rather than a pre-given path that one follows (in Aradau, 2013). The chosen method for this project was consequently developed in close relation to the selected theoretical approaches, in order to answer the empirical questions raised. This section will firstly outline why I have decided to concentrate in my analysis on the European Agency for Network and Information Security. Secondly, I will explain what data I used as well as how I collected and analysed them.

Within the EU cyber security is increasingly growing in importance as a distinctive policy area. This development is reflected by the proliferation of new agencies tasked with cyber security as well as by the widening scope of security issues in the portfolios of already established institutions in the Union. Consequently, the objectives of the European Cyber Security Strategy touch upon the work of both the Directorate General for Home Affairs as well as the European External Action Service. It can be argued, however, that the international aspect of the Strategy remains at an immature stage and is subsequently difficult to analyse given the limited amount of information available. By way of an example, the European Cyber Defence Policy Framework is only to be presented over the course of this year; and the information on the EU’s acquirement of cyber offensive capabilities is of highly secretive nature.

As a result, it is more fruitful to consider the internal aspects of the Cyber Security Strategy, where especially two agencies have gained a key role with regards to addressing cyber security challenges – the European Cybercrime Centre (EC3) and ENISA. Established in 2013 within Europol following a feasibility study conducted by RAND Corporation Europe, the EC3 has become EU’s central agency for fighting cybercrime. ENISA, on the other hand, is a more deep-seated agency, being set up in 2004. Its remit, moreover, is directly related to the central topic of this thesis – critical information infrastructure protection. Since the European Cyber Security Strategy encompasses two albeit overlapping strands – fighting cybercrime through law enforcement and ensuring protection of critical infrastructure – and since the focus of this thesis is on the latter, it becomes logical that the agency to be studied is ENISA.

Moreover, despite its relatively long existence4 and gradually expanding responsibilities, ENISA has attracted little academic attention. In general, the available literature on cyber security primarily concentrates on the United States and its approach. It is only now after the publication of the European Cyber Security Strategy that the European approach towards cyber issues has appeared in scholarly literature. Consequently, this thesis seeks to add to the emerging literature on EU’s approach towards cybersecurity by looking at a particular agency, its knowledge creation, formulation of best practices and subsequently the effects this has on the EU’s security role.

4 Although ten years for a European agency can be considered as a short existence, when considering the relatively recent political and academic fascination with cyber related issues, then ten years for an agency focusing on cyber security is a considerable period.

In order to make this project realisable, I accordingly collected information by analysing documents and reports published by ENISA, which are available on its website. My key interest was to examine activities through which the agency seeks to aid member states in preparing for, detecting, mitigating and responding to cyber attacks. Subsequently, I have focused on ENISA’s annual Threat Landscape reports; its Emerging and Future Risks Framework; reports on its Cyber Europe exercises, International Conferences on Cyber Exercises as well as the individual presentations given at the occasion of the Conferences by ENISA staff, academics, EU officials, and representatives of national cyber security communities5. In addition, I have examined Commission’s regulations establishing the Agency as well as those that expanded its mandate, and I analysed the way in which the Agency’s role is portrayed in EU documents related to CIIP and cybersecurity. For the purpose of broadening the amount of information for my analysis, I also used interviews with ENISA staff conducted by third parties and published online, either on the agency’s website or in technological online magazines.

The analysis of the material was done based on content analysis – the ‘careful, detailed, systematic examination and interpretation of a particular body of material in an effort to identify patterns, themes, biases and meanings’ (Berg, 2006: 303-304). It is ‘any technique for making inferences by systematically and objectively identifying special characteristics of messages’ (Holsti in Berg, 2006: 306, emphasis original). Content analysis, contrary to its original understanding, ought not to be merely reductionist and positivist in its approach. In fact, it is the belief of this writer that an objective positivist study, especially within the realm of International Relations or European studies, is unfeasible. Contrary to the positivist logic, it is not possible to make a distinction between the observer and the object observed. Moreover, facts are not easily separable from value. Consequently, the facts we choose to select depend both on our subjective evaluation and perception of the world. As E. H. Carr (1987: 23) wittily declared, facts are like fish swimming around in a dark, murky ocean and the type of fish we catch depends on the net we use to catch them – our philosophical and normative presuppositions and assumptions.

5 These sources may be found in the bibliography either with the author mentioned as ‘ENISA’, or for those

Subsequently, rather than seeking a positivist, quantitative understanding of the collected data, my approach is closer to what Bogdan and Bilken call ‘data interpretations’ (in Berg, 2006: 307-308), which entails developing ideas about collected information and interpreting the meanings that appear to be expressed. This type of analysis then has enabled me to scrutinise the way in which the authors of the examined material perceive their surroundings, what are the intentions conveyed behind their messages and in what ways they seek to realise them. The content analysis used in this project is latent rather than manifest, since no coding methods were employed. As such, the way I analysed the data was in a form of interpretive reading, whereby the symbolism underlying the physical data was observed and clarified in order to uncover the deeper structural meaning expressed within the textual material (Ibid.).

4. ENISA

4.1. The unintended side-effect of successful network society

Established in 2004 to carry out specific technical and scientific tasks in the field of Network and Information Security, the agency’s mission is to spread awareness, assess risk and push the topic of network information security to the top of the political agenda. ENISA directly contributes to the work of the European Commission, by ensuring that its legislation and policy proposals reflect operational experience (Purser interviewed by Field, 2013). Subsequently, the reasons for the creation of the Agency lay in the exigency of having ‘a centre of expertise at European level providing guidance, advice and assistance’ on issues related to network and information security, ‘which may be relied upon by the European Parliament, the Commission or competent bodies appointed by the Member States’ (Regulation No 460/2004: (10)). Cyberspace security may often bear resemblance to the analogy of the blind men and the elephant (Caton, 2012: 1), meaning that the scope of activity reflects only the part of cyberspace encountered. Nevertheless, since cyberspace is constantly changing, a gulf emerges between the cyberspace as we perceive it and its actual shape and constitution. In consequence, it is the task of ENISA to aim at closing this gap at the Union level by providing information to EU member states and continuously monitoring the cyber landscape.

Over its ten years of existence, ENISA’s mandate was already renewed three times – first in 2008 until March 2012 and subsequently only for one year until September 2013. The latest extension of seven years was agreed upon by Regulation No 526/2013 of the European Parliament and of the Council, which came into force in June 2013. This regulation not only prolonged the agency’s existence; more importantly, it provided it with new roles and tasks. According to Steve Purser, ENISA’s head of operations (in an interview with Field, 2013), the new mandate ‘gives ENISA a lot more scope for increasing its impact, more adaptability and capability to focus’. The most implicit difference between ENISA’s old and new mandate is the wording of the new document, which is now more precise and explicit about the new roles attributed to the agency. The new mandate openly mentions ENISA’s involvement in member states’ capability building as well as in the organisation and planning of pan-European cyber exercises (Ibid.). Consequently, ENISA has now acquired a more proactive role. Whereas in the past the agency merely tracked the development of standards in NIS, now it is actively engaged in facilitating the establishment of these standards (Helmbrecht et al., 2013: 9). As a result of the new mandate, ENISA has become ‘a part of the motor’ driving the progress of NIS, rather than being a passive observer as it was at the start.

While the European Cyber Security Strategy outlined five strategic priorities – achieving cyber resilience, developing industrial and technical resources, reducing cybercrime, developing cyber defence policies and capabilities, and establishing a coherent international cyberspace agenda for the EU – ENISA has a direct role within the first two and an indirect role in fighting cybercrime and establishing a European international agenda (Purser in Field, 2013). Given its new mandate, the Agency is now tasked with supporting the creation of a European culture of cyber security, including the establishment of good practices, training and awareness raising (Robinson et al., 2013a). Currently, the Agency works on three interlinked levels – supporting policy and governance, facilitating cross-border collaboration and contributing to preparedness and knowledge (ENISA, October 2013: iv). In published interviews as well as in writing, ENISA’s staff stresses the fact that their agency does not possess any operational or response capability - its tasks lie solely in the area of preparation (Purser in an interview with Field, 2013). Nevertheless, others have argued that despite member states’ official unwillingness to grant the Agency such powers, the Agency has effectively acquired them anyway (Robinson et al., 2013a). Consequently, it is reasonable to ask how we can explain that member states are willing to increase the powers of an independent agency within a policy domain over which they claim their sovereignty.

Official statements and documents provide a straightforward answer to this question – ‘it’s (for) the economy, stupid’. As a result of the proliferation of information systems into every aspect of our lives, ‘electronic communications, infrastructure and services are essential factors in economic and societal development’ (Regulation No 526/2013: (1)). Their disruption ‘has the potential to cause considerable economic damage, underlining the importance of measures to increase protection and resilience’ of CII (Ibid.). Accordingly, ‘our growth, our welfare, everything is at stake’ if we do not take cybersecurity seriously (Oerting interviewed by SDA, 2011). Consequently, ‘given the increasing significance of electronic networks and communications, which now constitute the backbone of the European economy, and the actual size of the digital economy, the financial and human resources allocated to the Agency should be increased to reflect its enhanced role and tasks, and its critical position in defending the European digital ecosystem’ (Regulation No 526/2013: (17)). Similarly, ENISA’s director has highlighted the need to ‘invest more in cyber security prevention and preparedness and to equip EU bodies (most likely referring to his own Agency) with the right resources, if we are to protect the economy and modern society of Europe’ (ENISA, April 28, 2014). According to the Directive on attacks against information systems (2013/40/EU: (3)), these attacks and particularly ‘attacks linked to organised crime are a growing menace in the Union and globally’ and ‘there is an increasing concern about the potential for terrorist or politically motivated attacks against information systems, which form part of the critical infrastructure of member states and of the Union’. Since these are considered as threatening to ‘the achievement of a safer information society and of an area of freedom, security and justice’, they require ‘a response at Union level and improved cooperation and coordination at international level’ (Ibid.). In addition, the focus on the potential economic and financial loss is particularly visible in the speeches of representatives from the private sector. According to Paul MacGregor, director of the Italian Finmeccanica Cyber Solutions, ‘the economic prosperity of the entire EU and of individual countries is at stake. We need to invest sufficiently and measure that investment against the value of the assets that we have in cyberspace rather than in the value of the technology in cyberspace’ (SDA, 2011).

Taking into account these statements, security, one could argue, is not seen as a value in itself but rather as a means towards higher objectives. In particular, cybersecurity, when considered from the point of view of the above-mentioned assertions, has the purpose of driving the information society forward. In the Information Age, ‘connectivity is valued over and beyond security’ (Clemente, 2013: vi). Following Beck’s argumentation outlined in the previous chapter, the expansion of ENISA’s powers could thus be interpreted as a side effect of the successes of the network and information society. The proliferation of information and communication technologies (ICTs) has enabled greater economic advancement but at the same time led to the emergence of new threats that could ‘negate the promise that ICT holds in terms of economic and societal development’ (Helmbrecht et al., 2013: 1). For this reason, ENISA makes a case for the realisation of a coherent and consistent approach to securing ICT systems across EU member states (Ibid.: 2). With this aim in mind, ENISA seeks to achieve the convergence of member states’ policies in the realm of CIIP (Ibid.). The following sections of this chapter will analyse the means through which ENISA aims to reach its stated objective and assess whether its intentions are being realised in practice.
