Search for a report, a publication, an expert...
Institut Montaigne features a platform of Expressions dedicated to debate and current affairs. The platform provides a space for decryption and dialogue to encourage discussion and the emergence of new voices.

Why the Time is Ripe for an EU Joint Cyber Unit

Interview with Patrick Calvar

Why the Time is Ripe for an EU Joint Cyber Unit
 Patrick Calvar
Senior Fellow - Security

A spate of cyberattacks have wreaked havoc in the world over the last few years. From the SolarWind attack in the US in 2020 that endangered hundreds of companies, the ransomware attack against JBS - the world’s largest meat supplier - that paralyzed several of its systems in multiple countries, to the numerous attacks against hospitals in France since the start of the Covid-19 pandemic, effective defense policies against cyber threats are needed more than ever. This is why in January 2021, the European Union created a Joint Cyber Unit, to help European member states fight against these increasingly sophisticated and brash cyberattacks. Its objective is to "ensure an EU coordinated response, create more situational awareness and guarantee the preparedness to large-scale cybersecurity crises". Yet the EU, unlike the US, has no centralized federal forces to take unilateral actions on behalf of the whole "country". This means that cyberattacks targeting several States would still be treated as national security emergencies. Can this Joint Cyber Unit be an effective tool of coordination between the EU Member States against future cyberattacks? Patrick Calvar, Head of C. Conseil and Special Advisor on Security at Institut Montaigne, sheds light on this new initiative. 

European Union (EU) countries have been reluctant to hand over national security authority to the EU. However, recent cyberattacks in many European countries during the Covid-19 crisis have highlighted the need for a joint and coordinated response at the European level. Can the Joint Cyber Unit react quickly enough in the face of attacks against member state organizations?

The digital revolution still presents major challenges, the consequences of which are difficult to assess, especially in light of the technological progress being made on a daily basis. These consequences affect both our citizens and our governments. Our individual liberties are being tested, as well as the power and sovereignty of our countries. Simply put, these are very powerful new tools, useful to state intelligence services, but also to criminals and terrorists. Several recent events have exposed the weaknesses of our defenses against cyber attacks. Some have reached such a level of sophistication that they are difficult to detect and trace, not to mention the damage they cause, which is often difficult to estimate. The massive cyber attack on SolarWinds, an American company, is a case in point. 

Several recent events have exposed the weaknesses of our defenses against cyber attacks. 

Some specialists believe that we will never know precisely the extent of the damage inflicted by the hack (i.e. we won’t be able to identify every target and all the information stolen). It therefore becomes clear that we are now escalating from simple assaults on individual citizens, to transnational ones affecting our research, diplomacy, economies, industries, military capabilities and ultimately, our place in this unstable and competitive world.

European treaties provide that intelligence remains the exclusive purview of the Member States and, in my opinion, this must remain the case until a federal state is established, because our interests and priorities may differ.

Nevertheless, in the face of cyber attacks, we all talk about defending ourselves and we are all dealing with the same threats within the Union, and even more generally with our allies. Moreover, cybersecurity requires substantial financial and human resources, a smooth flow of information and coordinated action. For these reasons, the creation of the Joint Cyber Unit is fully warranted and ought to be supported by all.

In the past, we have already created similar structures at the European level, to fight against terrorism for example, or to control our shared borders (the Schengen Area). There is therefore nothing new as far as the aspect of a joint initiative goes and it does not in any way call into question our independence in terms of intelligence, which once again, I believe to be absolutely necessary in the absence of a political project of integration within the Union.

The creation of the Joint Cyber Unit is fully warranted and ought to be supported by all.

In conclusion, this system gives us the means to better prepare for and respond to any present and future attacks. Of course, our success will necessarily be greater as a group. To that end, let's not forget that we must also join forces with our main non-European allies.

Where should member states draw the line between sovereignty and cooperation within the EU and NATO?

I’ll say it again: given the scale of the threats, it is essential that we coordinate with our European partners and allies. But in the particularly sensitive areas of sovereignty and power, and therefore independence, absolute trust is paramount. So where do we draw the line? We must act pragmatically. However, we must not forget that our partnership with NATO has a long and proven history. Within the European Union, the integrating process is continually growing - the health crisis is only the latest example - because the problems are so universal and complex, and require such huge investments that no single State could provide them alone. In the cyber domain, this is all the more necessary because the risk is very high and will only increase in the years to come. But again, in the absence of European political integration - dare I say, a form of federalism - each country must be able to, and indeed has a duty to, retain its own capacity for action.

Receive Institut Montaigne’s monthly newsletter in English