EDA STUDY IDENTIFIES COOPERATION PROSPECTS IN CYBER DEFENCE

24 May 13. The European Defence Agency (EDA) presented results of its stocktaking study of military cyber defence capabilities. Using an in
depth methodology, the study benchmarked the degree of “Cyber Defence
Readiness” of 20 participating Member States (pMS) and different EU level organisations. The landscaping exercise shows a mixed picture with respect to military cyber defence capabilities on national and European level. It recommends strengthening cooperation, exchange of information and proposes avenues for pragmatic Pooling & Sharing of some cyber defence capabilities. The study supports the relevance of the cyber defence activities launched by the EDA in the areas of cyber training ranges and deployable situational awareness kits for CSDP missions.

“Cyberspace can be described as the fifth dimension of warfare, equally critical to military operations as land, sea, air and space. Our study reveals important gaps in military cyber defence capabilities across the EU. The Agency is offering Member States a range of projects to cooperate in the area of cyber defence capabilities as well as in the research & technology domain”, says Peter Round, Capabilities Director of the European Defence Agency.

The one-year stocktaking study aimed to establish a high-level understanding of cyber defence capabilities across EDA pMS to support progress towards a more consistent level of cyber defence capability across the EU. 20 countries were included in the study.

Methodology

This stocktaking exercise included research into the different EU level
organisations involved in cyber defence activities in the context of CSDP missions as well as data collection on cyber defence capabilities in pMS. The research was carried out via document review, semi-structured interviews and a questionnaire.

Cyber defence information was analysed according to a commonly understood military framework of capability, known as Defence Lines of Development. These contributors are: Doctrine; Organisation; Training; Material; Leadership; Facilities and Interoperability (DOTMLPF-I). To measure and to a certain degree benchmark the degree of “Cyber Readiness” the study utilised a five step maturity model with 69 discrete and weighted indicators for maturity, broken down within the DOTMLPF-I structure to achieve the required granularity. Each country was qualitatively assessed for each contributor against this weighted maturity model.

Results

On the national level, the study revealed a mixed picture with respect to military cyber defence capability. Generally speaking, in pMS where key decision-makers are familiar with cyber-security, cyber defence capabilities are more advanced. The 20 pMS exhibit strengths in the three capability domains of Leadership, Personnel and Interoperability. In the areas of Doctrine, Organisation and Training, an early level of maturity was defined which might be linked to the fact that these three areas require more complex and longer-term efforts to establish organisational structures. Facilities is the capability domain which remains to date highly immature or non-existent. Individual country profiles are classified and cannot be made available.

As regards cyber defence among EU organisations, the study highlights the complex operational set-up between the different institutions involved (e.g. EDA, the Member States, European External Action Service, European Commission, General Secretariat of the EU Council and related EU agencies). While threat analysis and cyber-intelligence gathering capability appears to be emergent, incident response capabilities could be deepened. The study also reveals that the culture of cyber-security good practice needs to be nurtured and that the use of military specific standards and tools is still poorly understood.

Recommendations

Military cyber defence on the European level is at a relative early