A large contingent of four commissioners appeared in the press room of the Berlaymont building on Thursday to address the security of the European Union at a time of the Ukraine war. It was about defending against cyber attacks and moving troops more quickly within the EU. Such an increase in personnel is often a good means of covering up one’s own powerlessness or inactivity. In fact, the EU has little say on these issues – they fall within the competence of the Member States. Nor did it inspire confidence when Margarete Vestager, Vice-President of the Commission, said that Vladimir Putin’s war of aggression was a “wake-up call” for the EU. Was the EU really asleep until February 24, 2022?
Vestager later found it necessary to put her comment into perspective: it is about doing even more than before, above all: doing it together. The Commission can only draw up action plans and make recommendations and then has to hope that the 27 Member States will really go along with it. With this in mind, Vestager, together with Foreign Affairs Representative Josep Borrell, Internal Market Commissioner Thierry Breton and Transport Commissioner Adina Vălean, presented two projects that are intended to draw lessons from the Ukraine war in cooperation with NATO.
Firstly, the EU wants to examine how soldiers, including their weapons and other equipment, can get to their place of deployment in Europe more quickly and safely. “Above all, of course, from west to east,” Borrell indicated the direction. Roads, tunnels and tracks are to be expanded, and gaps in air and sea transport are to be closed. The secure supply of fuel is also a major issue.
Due to an attack, communication with German wind turbines failed
And secondly, the EU should develop joint strategies for defending against cyber attacks. Josep Borrell reminded that Russia’s attack on Ukraine was launched with a cyber attack on a satellite network operated by the US company Viacom. As a result of the attack, the Ukrainian military and police were paralyzed in their communication because they no longer had internet – as did several thousand German wind turbines. This blurs the lines between attacks on military and civilian infrastructure.
“Cyber warfare has become part of modern warfare,” Borrell said, adding that Europe must adapt. In order to bundle military and civilian competence, there will soon be a European coordination center for cyber defense. Personnel are to be trained specifically for cyber warfare – the commissioners gave different nuances about what this personnel must be able to do. Europe must be able to prevent, detect and ward off attacks (“prevent, detect, deter”), said Josep Borrell. Commissioner Breton, on the other hand, said that Europe must have the ability to attack on its part. From a German point of view, this is a very delicate point.
The EU Action Plan states that European states should have the full range of cyber defense capabilities in place, including “active defense capability”. It sounds as if the EU also advocates so-called “hackbacks”. The traffic light alliance in Berlin rejected this in the coalition agreement “as a means of cyber defence”.
Nothing has changed in the basic attitude when it means, for example, counterattacks on an attacker’s IT infrastructure. However, it is said in government circles in Berlin that interventions in foreign networks are not excluded within the framework of international law within narrow limits, for example to avert an imminent attack. In principle, according to the prevailing opinion of international law experts, cyber attacks can reach the threshold of an armed attack that entitles states to self-defense.
Baerbock complains about a confusion of competences in averting danger
In Germany, the federal government is also working on elements to strengthen cyber defense as part of the preparation of the national security strategy; As laid down in the coalition agreement, the Federal Foreign Office is in charge. Federal Foreign Minister Annalena Baerbock (Greens) wants the federal government to have responsibility and competence for civil security, which is currently the responsibility of the federal states. If necessary, the Basic Law would have to be changed for this, she said in a keynote speech at the end of September at the Hasso Plattner Institute in Potsdam.
There are “too many different procedures and institutions in our different federal states and cities”. That has to change. “If we want to act more effectively, we must clearly assign responsibilities for cyber defense, even below the threshold of military attacks,” she demanded. In order to avert cyber attacks at an early stage, Germany needs a strong national cyber defense center.
Responsibilities are currently fragmented, which is also indicated by the strict separation between the military, intelligence services, police authorities and other civilian government institutions, such as the Federal Office for Information Security (BSI), which is required by constitutional law in Germany. In addition, in the private sector, unless critical infrastructures are affected, the respective companies are responsible for securing their networks. It must therefore become clear in the coming weeks which of the EU recommendations the federal government intends to implement.