EU Cyber Crisis Management 2.0: The New Blueprint Has Arrived!

By CERT-EU, on

On June 6, the Council of the European Union adopted the Recommendation on an EU Blueprint for cyber crisis management. As the name ‘Blueprint’ suggests, it sets out guidance for Union-level cyber crisis management coordination between relevant actors and mechanisms.

The previous Blueprint had run its course

The previous Blueprint had been in place since 2017. In the cyber domain, that is pretty old. Since then, a number of new legislative initiatives have been introduced and some older ones got properly tested on the ground: to name but a few, the NIS2 Directive, the Cyber Resilience Act, the Cybersecurity Act, the Cyber Solidarity Act, the Cybersecurity Regulation for Union institutions, bodies, offices and agencies (Union entities), and the EU Critical Infrastructure Blueprint. On top of that, the hands-on experience from handling incidents and crises during that period created a new viewpoint on cyber crisis management. Therefore, the Blueprint was in need of some proper maintenance.

So, what changed?

The updated Blueprint maintains the three-level approach (technical, operational and political). It integrates recent regulatory and operational developments in the EU’s evolving cybersecurity ecosystem as well as lessons learnt from Union-level cyber exercises. It also takes into account new actors and their role in the ecosystem, notably the Cyber Crisis Liaison Organisation Network (EU-CyCLONe) and Cyber Hubs but also the Interinstitutional Cybersecurity Board (IICB), our governing board.

The new Blueprint essentially maps the mechanisms, networks and actors involved in crisis management and identifies when they come into play. The EU cyber crisis ecosystem, though, is fairly complicated and possibly overwhelming to the uninitiated. So, let’s untangle the technical, operational and political levels a bit and see who is there for what.

The three levels of the cyber ecosystem

Technical teams, represented by national CSIRTs, remain on the front lines of incident response. For Union-level coordination at the technical level, the CSIRTs Network is where information sharing and coordination happen. This level is arguably the busiest one in terms of response efforts, since it deals with all incidents, small or big. If things seem to go big, the CSIRTs Network should advise EU-CyCLONe on whether an observed cybersecurity incident may be deemed a potential or ongoing large-scale cybersecurity incident.

The EU-CyCLONe is entrusted with operational-level preparedness and response actions. It assesses the consequences and impact of relevant large-scale incidents and cyber crises and proposes possible mitigation measures. It works as an intermediary between the technical and political levels.

The political level is represented by the Council of the EU, bringing together the Member States and overseeing the activation of the Integrated Political Crisis Response (IPCR) mechanism. The Council of the EU is supported by the European Commission and the European External Action Service to ensure the strategic response and coordinate with other horizontal and sectoral crisis management mechanisms. Throughout the crisis, the technical and operational levels systematically feed into the common situational awareness created at the political level.

Wider collaborations and information sharing

Additionally, the Blueprint acknowledges the reality that it is often beneficial to work with trusted private sector organisations. The Blueprint also suggests bringing civilian and military cyber actors closer together, including through joint exercises. Finally, good cooperation between the cybersecurity and law enforcement communities remains a vital part of preparedness and response efforts.

More than an operational response

Depending on the nature of the threat and adversaries, some incidents necessitate a diplomatic response under the EU Cyber Diplomacy Toolbox, including targeted sanctions against the individual perpetrators directly responsible for malicious activities against the EU and its Member States.

Moreover, the Blueprint elevates the importance of secure communication tools and channels that should be used in times of crisis and urges coordination in public communications.

How do CERT-EU and Union entities fit into it?

We still remain the same CERT-EU as you know it. However, the new Blueprint is also aligned with our current situation as it acknowledges our regulatory mandate laid down in the Cybersecurity Regulation and our role in the EU cyber crisis mechanisms. It is no news that we are a member of the CSIRTs Network and that we act as the cybersecurity information exchange and incident response coordination hub for Union entities. But it is well noted in the revised Blueprint that we also officially have the role of the coordinator of the management of major incidents affecting Union entities. Having this role, we are well positioned to take an active part in the wider Union-level crisis management efforts, notably by engaging with our peers in the CSIRTs Network.

On the one hand, CERT-EU can relay the picture of the Union entities to the rest of the cyber ecosystem, feeding into the common situational awareness and operational response. On the other hand, our wider visibility to the EU actors and mechanisms can help us align and adjust our support to Union entities, being able to see the bigger picture of a crisis and how that may affect our constituents. If necessary, CERT-EU can make use of the EU Cybersecurity Reserve on behalf of the Union entities.

Finally, the IICB is newly introduced into the Blueprint because the IICB’s PoC to the EU-CyCLONe should share information on major incidents in Union entities with the EU-CyCLONe. It is also invited to compare notes with the EU-CyCLONe on crisis management plans for dealing with major and large-scale incidents.

The scene is set

The new Blueprint is a scene-setter. It maps all relevant actors and networks involved in EU cyber crisis management as well as the main lines of effort. Furthermore, the Blueprint foresees additional guidance to follow, with more details on how things should be done. That should hopefully bring some more value from the operational perspective. With the additional clarity, now comes the time to operationalise what is on paper, exercise, learn and further improve.
