Russia’s Cyber War: What’s Next and What the European Union Should Do.

What Should the European Union Do in the Immediate Term?
The EU has adopted new frameworks, including its much-vaunted Strategic Compass, which, in the long term, will improve cybersecurity in the bloc and potentially reduce the risk of catastrophic Russian cyberattacks. However, the EU needs to take more steps in the short term to shore up cyber defenses and mitigate the threat of Russian cyber operations.

First, the EU should get its own house in order. The revised Network and Information Security (NIS) Directive, better known in Brussels circles as NIS 2, should be finalized in the coming months and will aim to further strengthen the security of supply chains, streamline incident reporting obligations, and introduce more stringent supervisory measures for a large number of operators of essential services and enterprises across the EU. While NIS 2 represents a step in the right direction, the EU still has some way to go in implementing harmonized cybersecurity rules across the bloc’s own institutions.

Second, the EU and its Member States have a role to play in discouraging and deterring cyberattacks by demonstrating a willingness to act and impose costs on perpetrators. The first-ever operational deployment of the EU’s Cyber Rapid Response Team to Ukraine, alongside similar teams from the United States, was a welcome signal in this respect. One way to impose further costs would be by pushing for coordinated attribution of cyberattacks at the EU-level. On the offensive and deterrent side, the EU should adopt a pooling of capabilities on a voluntary basis. Similar programs already exist among other groups, such as NATO’s Sovereign Cyber Effects Provided Voluntarily by Allies (SCEPVA) program, which the EU could use as a model for its own programs. 

Third, the EU should ensure it is better prepared by leveraging the tools it already has at its disposal. Intelligence sharing and situational awareness have proven vital before and during the war in Ukraine, but the future effectiveness of these strategies in deterring and mitigating cyberattacks will depend on Member States’ willingness to contribute timely and actionable intelligence. In the short term, the Cyber Crisis Liaison Organisation Network (CyCLONe), a recently created group bringing together the executives of the EU’s twenty-seven national cybersecurity authorities, should be used to its full capability and integrated with the rest of the EU cyber ecosystem. CyCLONe, with its wealth of operational-level expertise, should be able to brief political decision-makers in the Council more frequently. On the military side, the EU still lacks a fully fleshed-out cooperation mechanism for military cybersecurity alerts, despite this being an objective since the 2014 EU Cyber Defence Policy Framework. Ensuring cooperation among both civilian and military groups is vital given the specter of Russian cyberattacks.

Supporting Ukraine is every democracy’s duty. Russia will attempt to undermine this support through cyberattacks and other means. The EU needs to shore up its cyber defenses at home to ensure all Members can continue to aid Ukraine in the future. 

Arthur de Liedekerke is a Project Manager at political advisory Rasmussen Global and a non-resident fellow at the Institute for Security Policy at Kiel University (ISPK), Germany. Arthur Laudrain is a DPhil candidate in Cybersecurity at the University of Oxford (Wolfson College), Rotary Scholar for Global Peace, and Fellow at the European Cyber Conflict Research Initiative. This article is published courtesy of the Council on Foreign Relations (CFR).