Last month, the European Union renewed the mandate of the European Network and Information Security Agency, its principal cybersecurity agency, giving it expanded responsibilities. In an email interview, Alexander Klimburg, a fellow at the Austrian Institute for International Affairs specializing in cybersecurity as well as EU foreign and security policy, explained the state of EU cyberdefense and its role in EU-U.S. relations.
WPR: How is responsibility for cybersecurity divided among EU member states and the institutions of the EU?
Alexander Klimburg: In the EU Cyber Security Strategy, published earlier this year, the EU committed itself to all five of the mandates of international cybersecurity: military cyber, intelligence and counterintelligence, counter-cybercrime, critical infrastructure protection and crisis management, and Internet governance and cyberdiplomacy. In practice the EU has clear preferences, however. It is fairly “strong” on counter-cybercrime and critical infrastructure and crisis management, and it is steadily improving its ability to engage in the international cybersecurity diplomatic discourse. The EU is very weak on military cyber and intelligence, largely for no other reason than that the EU is primarily a civilian and not a military or even security union.