Only ten member states in Europe – among them France, the United Kingdom, the Netherlands, Germany and the Czech Republic – have recently developed national cyber defence strategies, based on an interministerial approach involving both civilian and military components.

In the EU institutions in Brussels, coordination is in full swing. The European Commission has set up rapid reaction teams and proposed the creation of a cyber crime centre by 2013.

The European External Action Service (EAS) is working closely with the Directorates-General for Home Affairs and Information Technology, while the European Defence Agency (EDA) serves as an interface for European initiatives with applications on military and defence networks.

“This is only a start, but we are not lagging behind. Canada is launching invitations to tender in this area and the United States and Australia have just published their strategies. Korea is also working on cyber defence. Things are getting organised across the planet because the players have become aware of all the different dimensions. This is not just a technical matter; it is also legal and political,” an EU expert told Europolitics.

The states are organising their activities in different ways. France set up, in 2009, the national Network and Information Security Agency (ANSSI) and published, in February, its national strategy for defence and security of information systems. One of its four objectives is to guarantee the country’s freedom of decision by protecting sovereignty over its information. The United Kingdom released £650 million last year to protect government information networks. Poland has just amended its legislation to be able to declare a state of war or emergency in case of a cyber threat. Estonia has a cyber defence centre and created a national Cyber Defence League. Its Defence Minister, Mart Laar, called for common European standards for the protection of the entire internet, in June in Brussels.

“NATO concentrates only on military aspects, yet 85% of internet infrastructure is in the hands of the private sector and 80% of attacks have been directed against the private sector,” he explained at a seminar organised by the European Security Round Table.

According to the EDA, the first level of protection consists in eliminating openings due to negligence (through rules of good conduct, such as scanning of USB keys or locking of screens), after which the focus should be on residual threats like acts of terrorism or espionage.

“Organisations and states must raise their level of protection to cover 98% of threats and have dedicated teams, information technology ‘fire brigades’ to solve the remaining 2%, which can be targeted attacks,” said an expert. NATO is said to be the target of some 100 attacks per day, while the Commission estimates losses by European companies due to cyber attacks at around €750 billion a year.