Cyber policy and resilience of the European Union : can cyber defence without supranational authority be effective?


Academic year: 2021



Cyber Policy and Resilience of the European Union:

Can Cyber Defence without Supranational Authority be Effective?

Kaja Karlson (11378751)
Professor Jonathan Zeitlin (supervisor)
Professor Marieke de Goede (second reader)
Master thesis Political Science, European Politics and External Relations
kaja.karlson@student.uva.nl
June 2017


Table of Contents

Introduction ... 3
Chapter 1 – State of the field ... 6
1.a. From cyber security to cyber resilience ... 6
1.b. Cyber resilience in governance-theoretic terms ... 10
1.c. Assessing the effectiveness of cyber resilience ... 13
1.d. Public sources ... 15
Chapter 2 – Theoretical framework ... 17
2.a. Previous theoretical approaches in explaining cyber security ... 17
2.b. New forms of governance ... 18
2.c. Experimentalist governance model ... 20
2.d. Experimentalism in EU security studies ... 23
2.e. Effectiveness of experimentalist governance in crisis situations ... 24
Chapter 3 – Experimentalism in EU cyber policy ... 28
3.a. Legal framework for the incident reporting system ... 28
3.a.i. 2013 Cyber Security Strategy of the European Union ... 28
3.a.ii. EU cyber policy Directives ... 32
3.b. EU institutional framework for incident reporting ... 35
3.b.i. The goals of ENISA ... 38
3.b.ii. The measures to pursue the goals of ENISA ... 39
3.b.iii. Reporting on incidents and feedback from the local actors ... 40
3.b.iv. Impact of feedback in further policy-making ... 40
Chapter 4 – Experimentalism in practice – information sharing as a two-way street ... 42
4.a. Case selection ... 42
4.a.i. Case study 1: CERT.be and large organisations ... 43
4.a.ii. Case study 2: CERT.be and small and medium size organisations ... 44
4.b. Increasing the business community’s response capabilities ... 45
Chapter 5 – Cyber resilience of the private companies ... 50
5.a. How effective? ... 50
5.b. How experimentalist? ... 53
5.c. How harmonised? ... 54
Conclusion ... 57
Bibliography ... 60


Introduction

The development of network and information technologies has added a new dimension to information security. Finance, health, energy and transport are only some of the fields that have become increasingly reliant on information and communications technology (European Commission JOIN(2013): 2). However, problems arise when this technology is connected to a vast computer network and becomes accessible to malicious third parties. One such example occurred in 2016 when around 40,000 Tesco Bank account owners became victims of one of the largest cyber crimes in Europe, which illegally removed money from around 20,000 accounts (Network Security 2016: 3). Private companies, including banks and critical infrastructure providers, have become the subjects most often targeted by cyber criminals (Locke 2017: 8), indicating a clear threat to the EU’s market interests and citizens’ privacy. In more extreme cases, cyber attacks may even constitute a threat to a state’s sovereignty, as happened in 2007 in Estonia when the country came under a 22-day-long distributed denial of service (DDoS) attack – an attack that takes a server or information system out of order (Appendix 2). During the attack, the services offered by the country’s two largest banks, phone operators, newspapers, and government websites were compromised or shut down (Joubert 2012: 1). With growing market integration, incidents like these have generated a Union-wide need for more harmonised cyber resilience – the ability to prepare for, respond to and recover from cyber attacks (Walkate 2014: 415).

As the EU moves towards a single market, its cyber policy requires harmonisation to ensure an equal level of resilience in all of its Member States. The European Union public documents server, EUR-Lex, has gathered 1,727 Decisions, Directives, and Regulations concerned with network and information security since 1987. However, the first comprehensive document outlining the common interests of the Member States was only produced in 2013 by the European Commission, in the form of the Cyber Security Strategy of the European Union (European Commission JOIN(2013)). According to the Strategy, the aim of the Union is to harmonise the level of cyber security and ensure safe access to and use of the Internet across the Union (Ibid.: 2). By emphasising cooperation between private actors and the harmonisation of cyber security regulation across the EU (Ibid.: 8), cyber security moves beyond the conventional intergovernmental domain that is still often present in security studies (Bickerton et al 2015), opening new windows for redefining the EU’s position in the common security of its Member States.

This thesis analyses the role of EU institutions in the cyber resilience of EU businesses and assesses the effectiveness of the Union’s cyber security regulation. The central institutional body in this thesis is the European Network and Information Security Agency (ENISA), which has 152 Computer Emergency Response Teams (CERTs) as its members (ENISA 2017a). The aim of the CERTs is to assist private companies should they become victims of cyber attacks (Appendix 2). The ways in which the Agency contributes to capacity building are elaborated in the third chapter and illustrated with more practical examples in the fourth, which together compose the core analysis of this thesis. The thesis examines the rapidly developing cyber policy for the EU’s private sector, taking off from the emerging literature on security partnerships, where “the defining question of international security policy […] is not whether to cooperate, but how to do so” (Nance & Cottrell 2014: 301). In order to define the EU’s position in cyber security and assess the effectiveness of the relevant regulation, the thesis focuses on the following three sub-questions:

1. Which regulatory features make cyber resilience effective and what is the role of EU’s supranational institutions? (Elaborated in the first chapter.)

2. Which theory best explains EU cyber resilience? (Elaborated in the second chapter.)

3. How is the EU increasing its level of cyber resilience? (Elaborated in the third and illustrated by case studies in the fourth chapter.)

Insofar as the EU’s approach in promoting cyber resilience may be found to be non-hierarchical, these three inquiries lead to the following central question of the thesis:

- How effective are the EU’s common cyber resilience measures without supranational governance? (Analysed in the fifth chapter.)

The thesis is divided into five main parts. Firstly, the cyber security terms are explained in the form of a literature review. The importance of this section lies in explaining how different cyber security fields require distinctive theoretical approaches. The section concludes with a scholarly assessment of the measures that contribute to the effectiveness of cyber resilience. Secondly, the thesis explains recent EU policy


polyarchy, making experimentalist governance one of the possible approaches among new governance theories to analyse cyber resilience. This chapter ends by outlining features that make experimentalist governance effective in crisis situations. In the following chapter, the first part of the main analysis of the thesis is conducted, focusing on EU legislation and institution building. By using two case studies and examples on how ENISA contributes to cyber awareness, the fourth section illustrates the EU’s involvement in cyber resilience. The final chapter concludes the main analysis by critically assessing the effectiveness of the EU’s cyber security Directives and the Union agencies’ work with the national CERTs.


Chapter 1 – State of the field

1.a. From cyber security to cyber resilience

Cyber security literature has developed rapidly over the last two decades. Whereas the first cyber policy studies emerged from conventional political science approaches (Eriksson & Giacomello 2006), more recent academic work often leaves out the link between cyber resilience and political theories, focussing instead on the effectiveness of cyber policies (Klimburg & Zylberberg 2015; Björck et al 2015; Christou 2016). The following sub-sections (1.a – 2.a) provide an overview of previous work on cyber resilience while explaining the relevant terminology, ways to measure effectiveness, and theoretical shortcomings, in order to clarify some of the basic concepts of this thesis and generate a list of indicators that are later used in assessing the effectiveness of EU cyber policy.

Cyber security extends beyond the conventional understanding of the intergovernmental security literature. This is mainly because cyber attacks easily cross borders, meaning that solving them requires international cooperation, and target both state and non-state actors, calling for incident response not only from the state but also from the targeted private actors. Due to the nature of cyber attacks, the first responder to an incident is always the targeted actor (CCD CoE interview 2017). Therefore, although security privatisation is visible in the private ownership of the antivirus companies, security scholars merged the independent cyber security area with the widening security concept in the 1990s, when critical infrastructures were first considered part of the security narrative (Dunn Cavelty 2014: 18). Hence, the cyber security of private actors has always been the area where the lines between conventional governance and non-hierarchical governance meet (Ibid.). In its most developed form, the relationship between private companies and states has taken the form of public-private partnerships (PPPs), which are supposed to facilitate and protect the services (such as telecommunication and banking) that are vital for the state’s functioning (Ortiz 2013). In cyber security, these partnerships are managed through the EU’s network of newly emerged institutions (elaborated in Chapter 3.b).

Cyber security management in the EU raises the question of what the roles of the political actors in EU governance are. Scholars and professionals in the field widely believe that the central role in the cyber attack response mechanism is taken by the private organisations and affected individuals (Björck et al 2015: 313; Conklin & Shoemaker 2017; CCD CoE interview 2017). Therefore, people are identified as the most serious vulnerability (Klimburg 2015: 22; Conklin & Shoemaker 2017: 20), but also as the most important decision-makers. Since cyber attacks affect nearly everyone, increasing the capacities of private organisations has been identified as the primary measure against cyber threats (De Crespigny 2012: 7). The EU is interested in cyber resilience because cyber incidents have a remarkable impact on the economic wellbeing of the single market. The 2016 ENISA report on the cost of incidents affecting critical information infrastructures concluded that some EU Member States witnessed a loss of 1.6% of their GDP due to cyber attacks in 2015 (ENISA 2016f: 25). Although the report emphasises several shortcomings in the consistency of information gathering (Ibid.), the EU takes seriously the fact that cyber attacks are halting the work of services. Economic integration is moving the EU towards a co-dependent and interrelated system where the wellbeing of each actor is determined by the wellbeing of others (Dunn Cavelty et al 2015: 5). Hence, private actors across the Union have to face these problems from an equally high level of preparedness.

Due to the polyarchic nature of cyber resilience, the role of the EU in this field cannot be described purely in supranational or intergovernmental terms. Although the Treaty of Lisbon emphasises that “national security remains the sole responsibility of each Member State” (Treaty of Lisbon, Article 3a), the EU has created multiple agencies (e.g. the European Union Agency for Network and Information Security or ENISA in 2004, the European Cybercrime Centre or EC3 in 2013, and the Joint Cybercrime Action Taskforce or J-CAT in 2014) whose purpose is to facilitate cooperation between different actors across the Union. One of the measures against cyber attacks is simply creating a more knowledgeable society, since the actors in this system are the first responders to cyber attacks. Such co-dependence is the first incentive for cooperation and information sharing between private and state actors, constructing a system of trust-based governance.

Due to the involvement of private companies, cyber policy has to include an extensive number of actors. Setting up regulatory mechanisms for network and information systems can, therefore, be analysed as securitisation of the private sector, which has taken place in a different manner from the securitisation of other fields, where the state constitutes the primary authority. In EU cyber security, private businesses are pressured to take some of the responsibility for protecting their own systems (Deibert 2006: 24), whereas the centralised bodies under the states’ domain only assist the private actors. Therefore, cyber defence in the private domain (Table 1) could be understood as cyber resilience, not security applied by intergovernmental actors. Hence, the term “cyber resilience” in this thesis is used to describe the cyber defence of the private sector.

Several definitions of cyber resilience emerged in the early 2010s (Dunn Cavelty et al 2015: 6; Björck et al 2015). One of the definitions is provided by Fredrik Björck et al, who claim that cyber resilience is “the ability to continuously deliver the intended outcome despite adverse cyber events” (Björck et al 2015: 311). In other words, the goal of the subjects under attack is to overcome the incident and limit the damage caused by the malicious activity as much as possible. This definition overlaps with the inclusive explanation provided by Sandra Walkate, Ross McGarry and Gabe Mythen (Walkate et al 2014), who agree that resilience means “the ability to bounce back, to absorb shock, […] to retain functionality over time”, with the connotation of moving towards a better future (Ibid.: 411-412).

Similar definitions are found in EU legislation and communications. The 2013 Cyber Security Strategy, adopted by the European Commission and the High Representative of the European Union for Foreign Affairs and Security Policy, construes cyber security as “the safeguards and actions that can be used to protect the cyber domain, both in the civilian and military fields, from those threats that are associated with or that may harm its interdependent networks and information infrastructures. Cyber security strives to preserve the availability and integrity of the networks and infrastructure and the confidentiality of the information contained therein” (European Commission JOIN(2013): 3 footnotes), whereas cyber resilience marks the ability of the actor to continue its work despite being under attack (Björck 2015: 311). Therefore, the core difference between cyber security and cyber resilience is that the former is applied by the state and the latter grows out of the preparedness and knowledge of the private sector.

Cyber resilience has to cope with a wide array of on-line activities, including financial crime, cyber war, cyber terrorism, and cyber espionage (Fahey 2014: 47). The European Commission gives a broad definition of cybercrime, which is referred to as “a broad range of different criminal activities where computers and


Cybercrime is comprised of traditional offences (e.g. fraud, forgery, and identity theft), content-related offences (e.g. on-line distribution of child pornography or incitement to racial hatred) and offences unique to computers and information systems, such as attacks against information systems, denial of service and malware” (European Commission JOIN(2013): 3 footnotes). Considering that cyber resilience focuses on the effective continuation of business functioning even under attack, this thesis excludes the EU measures to capture cyber criminals, which remain a matter for the police forces in the attacker’s country of origin.

The polyarchic nature of cyber resilience also raises the question of which governance theory can best explain cyber resilience. Just as cyber resilience abandons the state-centric approach, security scholars have recognised similar tendencies in other security sectors. In 2012, Jolyon Howorth conceptualised EU security integration as supranational intergovernmentalism (Howorth 2012: 449). Relying heavily on the work of Mai’a Davis Cross (Davis Cross 2010; 2011), he claimed that the European Defence Agency (EDA) facilitates military decision-making between Member States that already share similar foreign policy and security interests (Howorth 2012: 438). Emphasising the widespread consensus seeking between local actors, he also stated that the EU Member States often agree with regulation that is modified and harmonised by the supranational body after it has consulted local actors (Ibid.: 449). The second chapter (2.d) will return to this thought by analysing similar tendencies in EU security governance through an experimentalist lens.

The following sub-chapter (1.b) claims that by moving away from classical governance and international relations theories (supranationalism and intergovernmentalism) and focussing on new governance theories, it is possible to present a more accurate analysis of cyber security in the EU private sector. Many scholars have noted the shortcomings of conventional security governance approaches, claiming that these theories provide no explanation for multi-level policy fields such as cyber security (Christou 2016: 29-30; Shore et al 2011: 8), as the classical concepts of security are built around state sovereignty and national security. However, many cyber security areas go beyond this classical state-centred concept (Ilves 2016: 15:00-16:00 min. of speech). The following sub-section elaborates this issue further by stating that the relevant governance theory needs to emerge from a precise definition of cyber defence and its different fields. The underlying claim of the next sub-section is that each individual cyber defence domain may require a different theoretical approach, as the actors in each field have a diverse set of tasks.

1.b. Cyber resilience in governance-theoretic terms

Cyber defence can be divided into several fields, each of which has its own actors, as there is no single governance body or institution that is able to cover all the aspects of cyber defence (Deibert 2011: 26). Although mostly focussed on Swiss national cyber security (Dunn Cavelty 2014), Myriam Dunn Cavelty has also contributed to the EU cyber resilience literature. Additionally, much of her work later became the basis for the writings of several other EU cyber security scholars (Christou 2016; Sliwinski 2016; Betz & Stevens 2011; Shore et al 2011), which is why some of her statements are used as the foundation for the following typology. She has concluded that the cyber security literature, as well as the cyber security field in general, can be divided into four large categories: 1. technical, 2. crime-espionage, 3. civil defence, and 4. military (Dunn Cavelty 2014: 12-22). From a governance point of view, all cyber attacks are technical, which is why it can be said that the second, third and fourth sectors are part of the technical discourse. Furthermore, the remaining three categories can be divided between two domains: the private and the state domain.

Dunn Cavelty’s typology is similar to the three pillars of EU cyber policy, which were emphasised in the 2013 Cyber Security Strategy (European Commission JOIN(2013)) and have become the basis for another contributor to this thesis, George Christou (Christou 2016). The three pillars are the network and information security, law enforcement, and defence domains (European Commission JOIN(2013): 17). Table 1 extends these typologies by indicating relevant response measures from the European Union Cyber Security Strategy and a suitable class or school of theoretical approaches for each of these sectors. As the cyber security areas entail different actors and response measures, they cannot always share the same theoretical approach.

Table 1. Cyber security policy fields, based on Myriam Dunn Cavelty’s typology of cyber security fields and the European Union Cyber Security Strategy (Dunn Cavelty 2014: 12; European Commission JOIN(2013): 17).

| Crime against whom? | 1. Private domain, including cybercrime against the business sector (1.1) | 1. Private domain, including cybercrime against the business sector (1.2) | 2. State domain, including cybercrime directly against governmental and military forces (2.1) |
|---|---|---|---|
| Objectives of the attack | 1.1 Crime-espionage (e.g. sensitive business or political information) | 1.2 Civilian assets (e.g. sensitive personal and fiscal information; shutting down services) | 2.1 Government and military assets (e.g. sensitive political and military information; shutting down services) |
| Sector: networks sensitive to aggression | Private and public: business networks and government networks | Private and public: infrastructures and networks related to the society’s functioning | Nation/state level: government and military networks |
| Actors (from first to second responders) | From business actors (private companies) and the antivirus industry to law enforcement and the intelligence community | From civil defence/homeland security to optional national security experts | Military and national security experts |
| Type of response | Non-hierarchical (with the voluntary request for state or EU institutions’ involvement) | Non-hierarchical (with the voluntary request for state or EU institutions’ involvement) | State-centred |
| Applicable theoretical approach | New governance theories | New governance theories | Classical theories (intergovernmental branch) and to some extent new governance theories: new intergovernmentalism, which merges new governance and intergovernmentalism (Bickerton 2015), or experimentalism (Monar 2015) in the emerging cooperation in cyber security from the cooperation platform created by EDA in CSDP matters (European Parliament 2017) |

This thesis focuses on the private domain, which is shown in section 1.2 of Table 1. This is the sector where the private actors are involved in assuring their own cyber resilience, making it one of the most complicated areas to regulate. One of the most important standpoints of this thesis is that, although conventional governance-theoretic approaches see governance as a hierarchical structure where the states are designated to govern the private sphere, in cyber resilience the two coexist on the same level with the goal of solving commonly acknowledged problems. In other words, state-owned information platforms are attributed the same level of importance as privately owned systems. In practice, this means that, for example, a Distributed Denial of Service (DDoS) attack against a private bank may paralyse the everyday functioning of the state as much as shutting down a government information system. The level at which private companies are regulated varies greatly among the EU Member States, leading to more diverse cyber resilience capabilities across the Union. The following chapters explain the role of the EU in harmonising the level of cyber resilience.

Before moving forward to the effectiveness analysis of cyber resilience, the definition of cyber incidents in the context of resilience must be clarified. Although the definitions of incidents affecting cyber resilience vary across the EU, and often even within states and cyber defence institutions (Ilves 2010), these differences usually do not affect cooperation between the relevant response institutions (CCD CoE interview 2017). Hill includes in the definition of cyber attacks all types of denial of service attacks, as well as eavesdropping to collect and read data without authorisation (Hill 2015: 120). He also explains that cyber attacks can be conducted by anyone: countries, organised groups, and individuals (Ibid.: 127), making it difficult to identify the attacker, as state actors may hide behind private groups or individuals. The objectives of cyber attacks against EU cyber resilience are mainly twofold – aggressions with a political incentive or attacks with an economic motive. Cyber attacks generally have an impulsive character, even if organised by one state against another for political reasons (Goodman 2010). Attacks against the private sector have increasingly involved ransomware since 2015, posing a direct threat to the EU economies (ENISA 2016e). In this environment, the efforts of the EU become extremely valuable in providing better preparation for private companies. The following sub-section observes the ways that make the EU’s regulation more


1.c. Assessing the effectiveness of cyber resilience

Many recent cyber security scholars have focussed on measures that increase the effectiveness of cyber resilience regulation (Björck et al 2015; Christou 2016; Conklin & Shoemaker 2017). In fact, the analysis of the effectiveness of cyber resilience has received great attention in articles and books published since 2015. Before outlining the similarities in the work of previous cyber resilience scholars in order to work out concrete measures for assessing effectiveness, the goal of cyber resilience must be delineated. According to Björck et al, the importance in cyber resilience lies not so much in capturing the attacker as in stopping the attack before it halts the work of private industry (Björck et al 2015: 311). Therefore, the goal of cyber resilience measures is the continuation of the work of businesses and the services they offer. Stability and security are closely intertwined in the context of cyber resilience (Kaljurand 2017). Hence, effective cyber resilience regulation should provide a flexible and efficient background framework to prepare companies against potential cyber attacks and to increase the possibilities of maintaining stability.

Currently, the EU does not have a single standardised metric that could be implemented in measuring cyber resilience. However, there are several types of standards that could be applied in different cyber resilience areas. Steve Purser has mentioned four primary areas – technical standards, business continuity metrics, definitions, and organisational aspects – that are in use across the EU (Purser 2014: 100). In the context of this thesis, the business continuity metrics would be the most relevant. These measures involve calculating the loss in monetary values after attacks have occurred. However, in this case, the impact of the EU regulation is difficult to measure in numbers, as its goal is only to provide assistance and relevant information. What makes the EU’s effectiveness assessment even vaguer is that the information the EU shares between private actors may have a long-lasting influence on the behaviour of the companies, and also that not all private companies turn to the national CERTs, which are the EU-regulated points of contact expected to assist private firms in case an attack has taken place. This means that important information may not reach everyone at the right time. Therefore, this thesis analyses the values and benefits of EU cyber policy in a non-numeric way.


The question in cyber resilience is how to measure the impact of knowledge, because everything in solving cyber attacks revolves around the speed of distributing relevant data. Different scholars have emphasised different cyber resilience aspects that make the policing of this field more flexible, as cyber resilience needs to be able to adapt to a changing environment. One of the most fundamental aspects of cyber resilience, and what distinguishes it from cyber security, is cooperation between states, EU agencies and non-state actors. Considering that the resilience of private companies often grows out from within the organisation, allowing the continuation of the organisation’s practical tasks during the attack (Conklin & Shoemaker 2017: 20), the EU emphasises cooperation between law enforcement institutions and the private actors. Therefore, EU cyber policy in resilience requires a comprehensive approach that includes all governance levels, from local to supranational, and specific industry sectors (Björck et al 2015: 312; Christou 2016: 29). This includes common goal setting between the European Union supranational institutions, national and regional governments, organisations and individuals (Björck et al 2015: 312).

As mentioned before, the role of the EU can be to increase the resilience of the Member States’ networks. Hereby, the task of the state institutions becomes to supervise and facilitate the work of private organisations to minimise the damage caused by unexpected incidents. Therefore, policy-making in EU cyber resilience cannot be hierarchical, as it only assigns supervisory roles to the EU institutions and allows the private companies to stand up for their interests.

A resilient cyber network is able to continue its work throughout the period of being under attack. To achieve that, governance needs to have certain features that allow greater involvement of the private actors. Scholars have outlined several features that make cyber resilience more effective. Many of the aspects they distinguish greatly overlap with the aforementioned argumentation. The following list comprehensively lays out the five main features that influence the effectiveness of cyber resilience:

1. building new institutions and trust between actors in order to create an information sharing system and enhance cooperation;

2. shared understanding among stakeholders that cyber security in the private sphere means cyber resilience;

4. ability to be flexible towards new basic operating assumptions and institutional structures;

5. harmonisation of legal and policy practices and increasing awareness of cyber threats among all stakeholders to avoid single points of failure (Björck 2015: 311; Klimburg & Zylberberg 2015: 21; Christou 2016: 173).

These five points are achievable with the right measures of institutional capacity building. Policy-making that enables the abovementioned features to appear is visible in experimentalist governance; how these five features coincide with experimentalist governance is elaborated in sub-section 2.e. By emphasising diverse and flexible governance logics, effective cyber policy excludes the practical role of supranational institutions: cyber resilience is too broad and complex for simple top-down or bottom-up policy-making. Therefore, as the first sub-question of the thesis asked which regulatory aspects make cyber resilience effective and what the role of the supranational institutions is, it can be concluded that these five aspects are the points on which cyber resilience effectiveness depends, and that the supranational institutions only have a supervisory and harmonising role in EU cyber policy.

The thesis will come back to these five points in the final chapter to assess how the EU regulation and practice are in line with these features. The third and fourth chapters analyse how the features are in accordance with the new governance theories and how they are reflected in the cyber resilience regulation across the EU.

1.d. Public sources

The thesis is conducted using qualitative research methods. In addition to a literature review, the methods used involved analysis of documents, reports from public sources, and interviews with researchers and advisors from Computer Emergency Response Teams and other cyber security institutions operating in the EU – the NATO Cooperative Cyber Defence Centre of Excellence (CCD CoE) and national cyber security agencies, such as the Information System Authority in Estonia. The interviews allowed in-depth insights into the subject and explained the sensitivity of the issues by drawing clear boundaries between public and confidential information. The added value of the interviews is the first-hand evaluation of the findings of the thesis, as well as of statements previously published by cyber security scholars and relevant professionals in the field. Since the interviewees were not able to discuss information that has not already been shared publicly, the interviews evolved around the findings from public sources. Additionally, an interview with a cyber policy officer at ENISA was conducted, but the interviewee asked not to be referred to in detail in the thesis.

I will assess the effectiveness of EU cyber resilience by analysing the EU documents: more specifically, the 2013 Communication on the Cyber Security Strategy and the 2013 and 2016 Directives concerning measures for a high common level of security of network and information systems across the Union. Since the cyber security rules are written in the form of directives (Directive 2013/40/EU; Directive (EU) 2016/1148), which by nature make it possible for the Member States to apply different measures in reaching the outlined goals, taking into account local preferences – which would be less likely if the legislation were in the form of Regulations – it may be possible to apply new forms of governance theories to cyber resilience. Additionally, some of the most relevant written sources were the ENISA reports, the Agency’s minutes of meetings that provide insights into the events it has organised for the CERT community, and feedback reviews. These documents allow for an in-depth study of the work of the Agency and its attitude towards local actors, which became vital in determining the relevant governance-theoretic terms in the context of this thesis.

The influence of the EU is illustrated with relevant case studies in the fourth chapter. Considering that the EU institutional network for cyber resilience benefits different types of companies and organisations differently, the thesis elaborates on the effectiveness of the EU in two separate case studies. The first reflects the EU’s positive influence on large corporations that have strong means and developed internal systems to tackle the cyber threats by themselves. The second indicates the effects that the cyber resilience regulation has over small and medium size organisations.


Chapter 2 – Theoretical framework

2.a. Previous theoretical approaches in explaining cyber security

In political science, cyber security literature became more popular in the mid-2000s (Eriksson & Giacomello 2006: 221), when cyber attacks were first recognised as a political tool. Although cyber incidents have taken place already in the 1980s mainly in the form of simple password hacking (NATO 2016; Appendix 1), the first coordinated cyber attacks did not take place until 2007 (Joubert 2012: 1), confirming that the area of network and information systems is vulnerable and can pose a real threat to the wellbeing of the citizens and sovereignty of nation states. However, scholars of that period stumbled upon a problem – conventional international relations theories were not able to explain a field where private organisations take the centre stage in protecting themselves. As a result, more recent literature has refrained from implementing grand theories (Klimburg & Zylberberg 2015; Christou 2016) and focussed on more pragmatic concepts, such as attack response (Compert & Libicki 2015) and effectiveness analysis (Christou 2016; Conklin & Shoemaker 2017), dedicating little room for the political theories.

Many authors have explained how the political science and classical international relations (IR) theories are not applicable to the fast-changing field of cyber security (Ruohonen et al 2016; Eriksson & Giacomello 2006). One of the primary arguments by these scholars is that whereas cyber security is an issue for all governance levels – private, state, and supranational – realism, liberalism and constructivism consider the states as the central actors (Ruohonen et al 2016: 746). Although liberalism is able to explain the involvement of non-state actors, it still emphasises the strong presence of hierarchy (Eriksson & Giacomello 2006: 230). Therefore, although the three classical IR theories all provide partial explanations of the field, none of them have a large explanatory power in the polyarchic policy-making in cyber security (Ibid.: 236).

Similar theoretical issues also appear in the different forms of intergovernmentalism, which position the state at the centre of political decision-making. Liberal intergovernmentalism, stating that European integration occurs “as a series of rational choices made by national leaders” (Moravcsik 1998: 18), includes private actors only in the first level (national preference formation) of the state-centric three-level approach. From the more contemporary side, new intergovernmentalism recognises that since Maastricht, EU policy-making has been determined by policy cooperation at all levels “from heads of state or government in the European Council down to national experts in comitology committees“ (Bickerton et al 2015: 704). This is a step closer to the pragmatism needed in explaining cyber resilience, which pressurises the private actors to provide their own security, but it still represents a version of hierarchical governance (Ibid.: 704). Due to its hierarchical and state-centred nature, new intergovernmentalism cannot be used in cyber resilience, where states and supranational governance only have a supervisory and assisting role.

To bridge the gap between theory and practice in cyber security, previous scholars have advised the use of more pragmatic approaches (Eriksson & Giacomello 2006: 221). Pragmatism in this context means that a suitable theory is able to explain polyarchic governance in a more nuanced manner, covering the emerging institutional networks and regulatory developments over time. A suitable theoretical framework also needs to include local actors. Since an effective cyber resilience policy is flexible (Christou 2016: 12), a relevant theoretical approach needs to be able to describe the rapidly changing environment of the EU legal system as well as its institutional network. Pragmatism is one of the primary reasons why this thesis turns towards new forms of pluralist governance to explain the practical aspects of cyber resilience. These new governance theories are expected to explain the institutional development over time, involvement of the local actors in attack response and policy-making, which makes them useful in crisis situations.

2.b. New forms of governance

The 1990s marked the emergence of a great number of new governance theories. Over time, cooperation between international institutions has increased, leading to new concepts in polyarchic governance. Several new approaches – multi-level governance, regulatory state, network governance and experimentalist governance – started to take shape (Kohler-Koch & Rittberger 2006: 33; Cohen & Sabel 1997). Anne-Marie Slaughter named the form of new network governance a “new world order” (Slaughter 2004: 15) after it became visible that emerging networks of different institutions can shape the decision-making process, greatly reducing the use of the previous hierarchical governance structure. She renamed features of this development in Europe the “regulation by networks” (Slaughter 2004: 16), which functions similarly to the combination of the International Monetary Fund and the World Bank. Network governance and experimentalism have several overlapping features. Both include a wide variety of decision-makers and recognise the involvement of local and private actors (Kohler-Koch & Rittberger 2006: 34; Cohen & Sabel 1997: 314). Both approaches also shift the role of the states from being the governing body to being the supervisor of the private actors that are now the primary problem solvers, emphasising the role of actors from multiple governance levels (Kohler-Koch & Rittberger 2006: 34-35; Cohen & Sabel 1997: 316). Therefore, it may be asked which theoretical approach is more suitable for analysing cyber policy and resilience. Although experimentalism also emphasises the role of different institutions, it focuses more on the increasing institutionalisation of practices and improvement through open participation and feedback (De Búrca et al 2013: 723), which is where the primary difference between network governance and experimentalism appears. Whereas network governance relies on trust-based relationships between actors (Kohler-Koch & Rittberger 2006: 34), experimentalist governance allows revision of the governance systems through dialogue between actors from different governance levels (Cohen & Sabel 2017). The latter is visible in EU cyber policy regulation (3.a). Therefore, this thesis uses experimentalism to better explain EU cyber policy, its development and implementation.

One important aspect of cyber resilience is that all states in the EU have noted the importance of protecting their private companies, whereas the Member States are still willing to maintain their sovereignty. Magnus Ekengren has emphasised that “nearly all EU policy sectors” (from food safety to military peacekeeping) have started to prepare for transboundary breakdowns (Ekengren 2015: 267-268) where problem solving becomes the issue of actors from multiple Member States. In these situations, hierarchical rule enforcement is not an appropriate approach, as there are extensive differences between the Member States (Ibid.: 270). One possible solution to this problem is to use broadly defined goals, which are then adapted for each particular case. Experimentalist governance is able to offer exactly that. Several experimentalist governance authors – Gráinne de Búrca, Robert O. Keohane, Charles Sabel and Jörg Monar – have emphasised its capability to support cooperation in achieving common goals without compromising national interests (De Búrca et al 2013; Monar 2015: 258). They claim that experimentalist governance emerges in situations where all actors agree on the common goals, but do not know in advance how best to achieve them (De Búrca et al 2013: 723). Due to national interests, cyber resilience constitutes one such case, which is the fundamental reason why cyber security of the private sphere could be analysed through an experimentalist lens.

In practice, experimentalist governance is one of the more pragmatic theoretical approaches that has the potential to explain several aspects of EU cyber policy and resilience. The following sub-section analyses the experimentalist governance model, outlining its features for further analysis on its effectiveness in EU cyber security regulation.

2.c. Experimentalist governance model

The developments in the EU networks have shifted the Union towards directly deliberative polyarchy – in other words, experimentalist governance. Experimentalist governance as a theoretical framework emerged in European Union politics in the mid-1990s when Joshua Cohen and Charles Sabel called it directly deliberative polyarchy or DDP (Cohen & Sabel 1997). The two terms – directly deliberative polyarchy and experimentalist governance – may be interpreted as identical (Sabel & Zeitlin 2008: 276-277). In a 1997 article by Joshua Cohen and Charles Sabel, DDP was defined as participatory democracy where individuals who are influenced by governance decisions participate in the decision-making (Cohen & Sabel 1997: 313-314). This governance model grew out of the unsatisfactory problem-solving capacity of previous EU modes of governance and out of the democratic character that public participation gives it (Ibid.: 314-315). More recent definitions are able to offer a more detailed explanation of experimentalism. Gráinne de Búrca et al delineate experimentalism as a pluralist mode of governance that “describes a set of practices involving open participation by a variety of entities (public or private), lack of formal hierarchy within governance arrangements, and extensive deliberation throughout the process of decision-making and implementation” (De Búrca et al 2013: 738).

Experimentalist governance embodies all three keywords of the term “directly deliberative polyarchy”. It is direct because decisions are made and revised after receiving feedback from local actors, indicating an extensive involvement of the non-state actors. The feedback, often in the form of systematic reports, forms a dialogue between the centre and the local actors, directly shaping the future regulation (Sabel & Zeitlin 2008: 272). It is deliberative because, through the dialogue, the local actors are able to instruct the central bodies that give out rules and regulations (Ibid.: 272). In this case, the decisions reflect agreed solutions to common problems (De Búrca et al 2013: 738). Finally, by emphasising the social nature of European policy-making (Sabel & Zeitlin 2008: 272), local actors often take over the regulation through mutual learning, disciplining and bench-marking (Ibid.: 276), creating a polyarchic and in many cases a self-regulating system.

Although the concept of experimentalism is relatively broad, four primary stages of the policy-making stand out and include various smaller features. These four steps create the structure of the analysis presented in the third chapter, which focuses on the EU cyber policy. The third chapter observes the ways these four steps are represented in EU cyber policy-making by using relevant EU documents (Cyber Security Strategy, the 2013 and 2016 Directives on Network and Information Systems), and in the Union’s institutional network. In the presence of all four elements, the system is altered into a flexible and revisable policy-making where new regulation emerges in order to advance the existing problem-solving capacity. In this case, the regulatory system can be considered as an effective solution in strategic uncertainty. Since experimentalist governance often appears to be the solution in crisis situations (De Búrca et al 2013: 726), it becomes relevant for the field of cyber resilience, which is constantly facing emerging problem areas that can be solved by effective cooperation and information sharing.

The first of these four steps is the broad framework goals, meaning that common objectives are agreed upon in a dialogue between the central and the local stakeholders (Sabel & Zeitlin 2012: 169) and that the end goals are defined in an open-ended way (De Búrca et al 2013: 739). To meet these goals, the Member States are expected to set specific metrics to assure that the development is taking place in the commonly agreed direction. What makes this point useful in cyber resilience is that it helps to set common goals even if Member States experience different threat levels. An example from the EU cyber landscape can clarify this. The interviews conducted for this thesis and public information about the Member States’ cyber resilience indicate that countries have different threat perceptions when it comes to cyber resilience – some countries that have experienced extensive cyber attacks, such as Estonia in 2007 (Joubert 2012), had already set up reporting systems for financial organisations before the 2016 Directive extends the reporting obligation to all essential financial services providers across the EU by mid-2018. Nevertheless, despite the different threat perceptions across the EU, the Union is still able to agree on common goals.

The second stage is where the local actors receive broad discretion to pursue these goals in ways suited to their own circumstances (Sabel & Zeitlin 2012: 170). The importance of this trait is that the level of preparedness and the capacities of the local actors vary across the EU. By letting the local actors modify the regulation according to their specific needs, a higher level of effectiveness is expected to be achieved (De Búrca et al 2013: 739). Additionally, duplication of regulatory mechanisms is avoided by allowing the Member States to decide whether they should create new rules and institutions or only modify the already existing ones. In cyber resilience, this point is one of the core aspects that make experimentalism an effective political approach because it allows the involvement of local actors who are pressurised to defend their individual interests. That way, the EU decreases the possibility of single points of failure.

The third step involves reporting and feedback from local levels (Sabel & Zeitlin 2012: 170). The lower-level actors are constantly asked to provide reports on their performance and to participate in peer review, which helps to distinguish specific weaknesses in the activities of the local actors (Ibid.). This regularly shared data is expected to help to revise the regulation (De Búrca et al 2013: 739), leading the experimentalist policy-making to the fourth experimentalist step, which involves revising the regulation (Sabel & Zeitlin 2012: 170). In this stage, the feedback provided by the local actors takes the central stage when modifying the regulation. Such recursive revision means that the experimentalist policy-making is constantly evolving and flexible, being able to meet the changing needs of the developing policy areas. This is relevant in cyber resilience, as the cyber attacks are changing rapidly (Appendix 1).

There are several aspects that make experimentalism an effective policy mode in cyber resilience – regular information sharing between peers, revision of regulation, and mobilisation of local actors to decrease single points of failures. However, some scholars have expressed concerns about the effectiveness of the experimentalist


more effective results (Börzel 2012: 381). In cyber resilience, several features argue against this claim. Firstly, a more centralised approach is too narrow to be able to cover all vulnerabilities of the extensive online protection of the private companies. Secondly, cyber resilience is evolving in time as the cyber attacks become more sophisticated (Appendix 1). Therefore, the aim of the centralisation can only be to assure that all the actors meet the minimum requirements of cyber resilience preparedness. The problem-solving capacity of experimentalist policy-making in cyber resilience is the subject of the third and fourth chapters of this thesis, which will clarify the presence and tasks of centralised actors.

2.d. Experimentalism in EU security studies

Before the experimentalist model can be analysed in practice, it should be noted that experimentalist features have previously also been identified in other security spheres. Explaining EU security through experimentalist governance literature appeared in the first half of the 2010s despite the fact that experimentalist features in security policy had already emerged by the end of the Cold War (Monar 2015: 264). Relying on Marina Caparini’s work, Mark T. Nance and Patrick Cottrell see the pluralisation of security as the reason for the shift from state-centred security to the involvement of the private actors (Nance & Cottrell 2014: 283). This shift can be observed as the result of privatisation. Caparini stressed that pluralisation of security involves multiple types of authorisers and providers of security, which include public authorities and institutions, private actors and their hybrids (Caparini 2006: 264). The role of the centralised government in this case is to serve as the overseeing actor supporting the private and hybrid participants (Ibid.: 266). Similarly, experimentalist governance distinguishes the role of institutions as problem identifiers and problem-solvers (Cohen & Sabel 1997: 327). On the EU level, central institutions carry the responsibility of creating the framework objectives and inspecting how these goals are met (Sabel & Zeitlin 2008: 275), playing a supervisory, not a directly governing role.

Experimentalism in EU security is notably intertwined with the creation of new institutions that focus on emerging problems in specific policy areas. Magnus Ekengren explains that in order to increase the EU crisis management capabilities, the Union needs relevant institutional frameworks (Ekengren 2015: 268). This points to a major shift in the EU’s role as a policy organiser, as the Union was originally not created for crisis management purposes. Currently, extended security fields, such as immigration and criminal matters, are managed through cooperation, which is organised through centralised coordination where the lower-level authorities and private actors are guided by the European Commission decisions. The institutional network can become the basis for the information sharing function, which creates the possibility for mutual learning processes to occur. Through information sharing and mutual learning, the new institutional network is able to harmonise crisis management capacity across the EU (Ibid.: 270). How this institutional network has been created in cyber resilience is observed in the third chapter (3.b) of this thesis.

Since experimentalism accepts national diversity, it allows cooperation between different actors. Jörg Monar illustrates this by using the example of the Area of Freedom, Security and Justice (Monar 2015). Although he focuses more on relations with third countries, similarities can be seen in how experimentalist governance creates ways for cooperation between actors with the same goals but a strong tendency to remain sovereign (Ibid.: 254-257). Monar explains that capacity building between the EU and the ENP countries requires broad framework goals and mechanisms to overcome the differences in legal and political contexts. Similar differences are also visible in EU cyber policy within the Union itself, as the Member States are interested in cooperation to solve common problems, without giving out too much sensitive information about their own country. The ability to allow cooperation in sensitive areas is one of the main reasons why experimentalist governance proves to be effective in crisis situations. Moreover, the benefit for the EU Member States is that, as a result of being part of the Union, they are in a position where mutual learning takes place (Ekengren 2015: 292).

2.e. Effectiveness of experimentalist governance in crisis situations

Experimentalist governance often emerges in crisis situations to increase the EU’s effectiveness in solving complicated and unexpected problems. The four steps of experimentalist governance make this type of policy-making flexible and fast to adapt to changing circumstances. Flexibility becomes vital in emerging crisis situations where the problems cannot always be foreseen at the time of writing the EU directives and regulations. As indicated by several recent cases, such as the Eurozone crisis (Zeitlin 2016: 4-11), as well as incidents with offshore oil and gas platforms (Sabel et al 2017), the key in solving such issues is usually provisional, particularly when international cooperation is required. In Sabel et al’s words, “under uncertainty, […] neither the regulator nor the regulated firms knows what needs to be done” (Ibid.: 3). Therefore, it can be said that crisis situations create the basis for experimentalist problem-solving. Cyber resilience is a field where uncertainty is inevitable, as malicious third actors can always compromise the system by making use of emerging technology and new ideas on how to use the developments to their advantage (Conklin & Shoemaker 2017: 17). Therefore, experimentalist structures may prove to be effective in increasing the EU’s cyber resilience.

Experimentalist policy-making has several characteristics that could speed up the incident recovery process. One of the contributors to this is a system of incident reporting. Sabel et al have stressed the importance of incident response systems as effective measures in overcoming a crisis (Sabel et al 2017: 9). The two primary components of the response systems are cooperation and information sharing, which spread knowledge of potential incidents and their causes, as well as prepare others to tackle similar incidents faster (Ibid.: 1). The institutional network in cyber security, involving local Computer Emergency Response Teams, is managed by the European Network and Information Systems Agency (ENISA). The latter also functions as a contact point and information facilitator between the local teams and the European Commission. A more detailed overview of the institutional network in cyber resilience is provided in the third chapter (3.b).

To trigger an effective and timely response to an attack, the reporting system needs to be functioning before a major incident takes place, as uncertainty increases the incentives for firms to cooperate more frequently with other cyber resilience actors (Sabel et al 2017: 7). Sabel et al call the reporting system experimentalist because it works as a measure to constantly revise the regulatory mechanism according to new circumstances (Ibid.: 4). The reporting system has two primary aims, of which the revision is part of the second goal. Firstly, the system intends to supervise the private companies and non-state organisations in identifying vulnerabilities (Ibid.: 3). Secondly, the reporting system aims at improving the reporting standards and frequency (Ibid.: 4).

Additionally, experimentalism allows local actors to implement the EU guidelines while also taking the local knowledge and circumstances into account. Although not all EU directives indicate that their implementation and development is part of new forms of governance, the experimentalist governance regulation is usually in the form of Directives, making it possible for the Member States to modify their content (Zeitlin 2016: 2). The feedback from these local actors primarily carries two purposes. Firstly, the Commission will later use it in revising the Directives and strategies. Secondly, ENISA is able to give out more precise and effective guidelines for the national CERTs. Both reasons are particularly important in the rapidly developing cyber security and resilience.

The EU has taken several strategic steps in its pursuit of increasing the Union’s cyber resilience. Two of the most visible actions have been the harmonisation of the legal system (3.a) and the institutional framework that functions as an extensive incident response system (3.b). These steps greatly overlap with the experimentalist measures that are used to increase the EU’s problem-solving capacity. Therefore, the answer to the second sub-question that asked which theory best explains EU cyber resilience can be found in the new governance theories and, more particularly, in experimentalist governance. Moreover, several aspects of the experimentalist governance overlap with the five effectiveness assessment points that are mentioned in the first chapter (1.c). More precisely, Magnus Ekengren has outlined three features of the experimentalist governance that make it an efficient and effective policy-making approach (Ekengren 2015: 270). There are some similarities and overlapping aspects between the outlined five cyber security effectiveness aspects and the three effectiveness features proposed by Ekengren. The following repeats the three aspects of experimentalism mentioned by Magnus Ekengren and points out which of the five cyber resilience aspects illustrate these experimentalist features.

1. The EU creates tools for shared threat outlook (Ibid.) – this aspect accommodates the first, second and third points from the list of cyber resilience effectiveness measures (1.c), which state that in order to achieve effective cyber resilience, actors are required to develop common understandings of cyber resilience and cooperate in achieving their collective goals.

2. The EU includes local and private actors in policy-making (Ibid.) – this aspect coincides with the fourth point of the cyber resilience effectiveness measures, which deals with the flexibility of EU policy and assures the inclusion of all actors.


3. The EU pressurises the Member States to bring their systems to an equal level and implement common decisions (Ibid.: 270-271) – this point overlaps with the fifth feature in the cyber resilience effectiveness assessment list, which states that harmonisation of legal and policy practices and increasing general awareness of cyber threats make cyber policy more effective by decreasing the possibility of having single points of failure in the cyber landscape.

These three points confirm the suitability of the theory to the practical side of EU cyber policy. By creating a harmonised incident response system, the aim of the EU in harmonising its cyber resilience policy is to increase the common level of network and information security in all Member States (Fahey 2014: 50). At the same time, the EU is not imposing a one-rule-fits-all approach across the Union. For example, the EU requests that incidents be reported, but asks the Member States to determine which companies have to do it (ENISA 2017c: 29). Thereby, the EU only sets the critical thresholds in incident reporting by dividing the attacks into three categories – red, orange, yellow – and demanding incident reporting from the level “yellow” upwards (Ibid.: 29-31). Every incident that passes the threshold needs to be reported by the companies that each Member State has enlisted as essential services providers (Directive (EU) 2016/1148: 4). The harmonised incident reporting system coincides with experimentalist governance, allowing the rules to be adapted to the local context (Zeitlin 2016: 9). Similarly to the aims of other EU supervisory bodies (Ibid.: 5-11), the purpose of the EU in cyber policy has become to ensure consistency among the Member States when it comes to cyber resilience capacity building.

The following chapter examines the EU’s experimentalist efforts in law enforcement and institution building in achieving greater cyber resilience across the Union. In cyber defence of the private companies, EU integration is most visible in the relevant directives (Directive 2013/40/EU; Directive (EU) 2016/1148), regulating the EU policies and visions, and in the development of relevant institutions, such as ENISA, which manages the Member States’ capacity through the national CERTs. The following chapter uses the four steps of experimentalist governance to explain how the EU develops its cyber legislation and how it implements it through its institutional networks.


Chapter 3 – Experimentalism in EU cyber policy

3.a. Legal framework for the incident reporting system

The European cyber security regulation has been developing fast over the last two decades. Different areas of cyber security have formed a framework of directives issued by the European Commission and the Council, as well as information reports and guides published and shared with the Member States by ENISA. With multiple directives, the EU has created a safer and more open reporting system for cyber incidents. The process tracing of the EU legislative documents in this chapter will elaborate how the EU has moved from simple exchange of information about cyber threats to developing a more secure incident reporting system. To analyse the development of the European Union Directives on Network and Information Systems, this sub-section (3.a) applies process tracing to observe how the EU has revised its legal acquis.

Before diving into the process tracing of the directives, the following sub-section describes how the four steps of experimentalist governance are present in the larger vision of EU cyber policy. To do that, the 2013 Cyber Security Strategy of the European Union is analysed. The sub-section follows the structure of the four steps of experimentalist governance, which are (1) setting the broad framework goals, (2) providing broad discretion to pursue these goals, (3) providing incident reports and feedback to the central institutions, and (4) revising the regulation. After that, the chapter turns to the Directives on Network and Information Security to clarify how the Union has carried out these strategies.

3.a.i. 2013 Cyber Security Strategy of the European Union

The European Commission published the Cyber Security Strategy of the European Union: An Open, Safe and Secure Cyberspace in 2013 (European Commission JOIN(2013)). Although the Strategy emphasises the state's importance in securing cyberspace, the leading role is still assigned to the private sector, as the business sector "owns and operates significant parts of cyberspace" (Ibid.: 2). Since private companies are always the first responders to cyber attacks against their own systems (CCD CoE interview 2017), the EU's role primarily entails supervisory tasks: issuing guidelines and creating a safe information-sharing environment. These tasks also appear in the Cyber Security Strategy. When analysing the Strategy in the context of experimentalism, it should be noted that, because the purpose of any strategy is to describe the overall direction of the policies, its (1) broad goals are visible simply because of the document type. Nevertheless, they provide insight into the Union's experimentalist aims.

The Strategy outlines the need to standardise the legal frameworks and to achieve openness and safe use of the Internet across the Union (European Commission JOIN(2013): 2). More specifically, the Cyber Security Strategy drafts five primary goals towards which the European Union intends to move. These five primary objectives can be observed as the (1) broad framework goals. Although classical experimentalist policy-making includes specific metrics for reaching the goals, the cyber policy field is shaped by cyber attacks and their evolution, which is why the Cybersecurity Strategy is unable to define any goal more specific than "achieving cyber resilience" (Ibid.: 4). The closest that EU regulation comes to setting a system of metrics in cyber resilience can be observed in the work of ENISA, which constantly monitors trends in the threat landscape and requires the Member States to take intensified action in areas that have recently experienced an increase in incident frequency (ENISA 2016e). The following list introduces the five broad goals outlined in the Strategy and elaborates on the way the Union is pursuing them, emphasising (2) the broad discretion given to lower-level actors, such as the Member States, private businesses and civil society.

1. The EU intends to achieve cyber resilience. The Strategy explains how to achieve this by increasing national capacities and raising awareness among private actors (European Commission JOIN(2013): 5-9). One of the most important aspects, to which the thesis will return several times in the following chapters, is the establishment of minimum requirements. To this end, the Member States are expected to create competent authorities for network and information security and to establish a Computer Emergency Response Team (Ibid.: 5). Often Member States already had such CERTs in place before 2013, allowing them to designate those Teams to work with the EU. Additionally, the Strategy encourages the Member States to create national cyber security strategies and cooperation plans (Ibid.: 5). Under the section that describes how to achieve cyber resilience, the Strategy also emphasises the creation of
