The European Union’s “fragmented” approach to cybersecurity means Ireland remains one of its weakest states least capable of tackling threats, according to an international expert.
Ciaran Martin, former chief of the UK’s National Cyber Security Centre, warned the “patchy” capabilities of member states are creating issues with responding to cyber threats in the bloc.
At present, “responding to cyber threats within the European Union is a mostly unplanned mix of rules, procedures and capabilities divided between member states and the EU,” he wrote in a paper published by the Institute of International and European Affairs (IIEA) think-tank.
Of the many member states who “fall short” when it comes to cybersecurity capabilities, Mr Martin highlighted Ireland as one of the weakest and a “north-west outlier” among the generally more capable states located nearby.
Ireland was one of six EU states ranked outside the top 50 in the UN’s International Telecommunications Union’s latest Global Cybersecurity Index from 2020, coming in 54th place.
Meanwhile three EU countries made the top 10 (Estonia, Spain and Lithuania) and a further four (France, Luxembourg, Germany and Portugal) the top 20.
"No European country can, in practice, be strategically autonomous alone in #cybersecurity"
New IIEA publication out today! @ciaranmartinoxf looks at European #strategicautonomy and cyber security obstacles facing the #EU
— IIEA (@iiea) May 12, 2022
Mr Martin noted that many EU states view cybersecurity as the responsibility of the state attacked rather than an EU matter, but said that threats faced by the bloc and its member states “straddle” both national security and common areas of European economic regulation.
Transnational cyber criminals threaten economic and social disruption on a daily basis, he said, and tackling this “is primarily about economic policy, business and trade regulation” to be determined “to no small degree at EU level, particularly in single market regulations as well as EU wide cyber strategies.”
However, Mr Martin said “the ever-present threat of espionage against the elected legislatures or diplomatic missions of European countries from the likes of Russia, Iran and China is something that few if any member states will see as something requiring a common approach at an EU wide level, imposed by the EU’s institutions.”
“Even when criminal activity spills over into national level harm – such as the ransomware attack on Ireland’s healthcare system in 2021 – the response is one for the national government,” he said.
Mr Martin said this “division of responsibilities between member states and the EU’s institutions makes a coherent strategy on strategic autonomy very difficult to conceive, and nearly impossible to deliver.”
“This is augmented by a third problem, which is a lack of capability within the EU itself… ENISA – the EU’s cybersecurity agency – is significantly smaller than many national authorities for cybersecurity and it is based in Greece, far from the normal centres of EU power,” he added.
It comes after the Government previously announced a significant expansion in both funding and staffing for Ireland’s National Cyber Security Centre, with legislation due to be published this year also granting it greater powers.