Lessons from EU's Cyber Policy StanceDr. Wegener of WFS Geneva, on Europe's Approach to CyberSec Legislation
As North American and other developed geographies for security have struggled with cyber challenges in the past year, the European Union has enjoyed relative success when it comes to developing uniform action and effective legislation to address cyber challenges.
What is Europe doing right that can be replicated in India and other Asian nations?
"What gives the European Union a distinct advantage is that it confronts the cyber age and its unique challenges in a unified manner better than others who act individually," says Dr. Henning Wegener, the Chairman of the Permanent Monitoring Panel on Information Security at World Federation of Scientists, Geneva. "When the European organs [commission, parliament, council of ministers], in concurrence, adopt a regulation, it immediately becomes law in all 28 countries and does not need to go through a lengthy, painful and difficult ratification process." (Also See: EU Agrees on Data Protection Rule Reboot)
An erstwhile diplomat in the foreign service of the federal republic of Germany, and a former German ambassador to Spain, Dr. Wegener feels that moreover, owing to the interconnected nature of European economics, even non-member European nations usually follow this lead, so that cybersecurity policy is largely being addressed and efforts implemented uniformly across the region. (Also read: EU Hammers Out Cybersecurity Rules)
In this conversation with ISMG on a recent visit to India, Wegener shares some recommendations from EU's experiences in dealing with challenges in the cyber domain, and formulating of policy and legislation. He speaks about:
- Why European cyber initiatives and policies are effectively implemented;
- Recommendations from these policy efforts;
- How India/Asia can emulate Europe's approach.
Wegener has been the Chairman, Permanent Monitoring Panel on Information Security, World Federation of Scientists, Geneva since its inception in 2001. He is a former Ambassador of Germany. He served as Ambassador for Global Disarmament in Geneva (1981-1986), Assistant Secretary-General for Political Affairs at NATO (1986-1991), Director General at the German Federal Chancery (1991-1994) and thereafter as Ambassador to Spain (1995-1999).
Edited excerpts from the interaction follow:
European Policy Trends
VARUN HARAN: When it comes to dealing with cybersecurity and privacy challenges, Europe has been forging ahead in charting initiatives and effective mechanisms. You are from Germany. How do you see things happening in Europe - at least in Western Europe and the more developed nations there?
Dr. HENNING WEGENER: In cybersecurity, the agency, apart from national efforts, that calls the shots is the European Commission. And the European community has the unique quality that has never happened in history, that it combines 28 independent nations - in this case, highly industrialized nations - but with a joint normative faculty. The European Commission, with the approval of the European parliament and council of ministers, can legislate - which it does in the case of cybersecurity. And when the European organs adopt a regulation - the commission, the parliament, and the council of ministers, in concurrence - then it becomes law immediately in all 28 countries. It does not need to go through a lengthy, painful and difficult ratification process.
This gives the European Union a distinct advantage that it confronts the cyber age and its unique challenges in a unified manner, better than others, who act individually.
But beyond that, the EU - even though it only has about 500 million inhabitants - is industrially speaking and in terms of cyber potential, a huge bloc. This also has an exemplary function towards other neighboring countries. Practically all European countries who do not belong to the EU also follow our path - they cannot do otherwise, because it is an interconnected economic system. The unique structure of the EU has meant its response to cybersecurity has been more effective than individual efforts.
HARAN: What are some of the things in terms of cybersecurity policy creation the EU has done that others can take a leaf from?
WEGENER: There are several. The EU has a Europe-wide CERT agency, which is supplemented by fully functional national CERTS - which the European CERT coordinates. The EU also has regulations - immediately effective directives, which are guidelines, to be implemented nationally, on most of the issues of cybersecurity. For instance, critical infrastructure protection, or the protection of personal data, for which a new directive is in the offing. So we do this in common, and this gives us a lot of uniformity in the market and guides industry and law enforcement well.
All members of the EU are also all members of the Budapest convention on cybercrime, which is a huge step towards the harmonization of penal legislation on cyber matters, and the common law enforcement, and government cooperation that comes with it. These are areas, I feel, where India should not go it alone, and should work in the larger, trans-national context.
Advice for India, Asia
HARAN: Which is my next question. What are some recommendations for India to replicate what is happening in the EU, which can enable it to lead by example in the Asian context?
WEGENER: In the first place, the Indian legislation in cyber areas is good, I feel. The National Cyber Security Policy document that India has is a good document. There are about 37 countries - and separately the EU - that have adopted similar strategies with a guiding document. The IT Act is also a good effort, although it needs revision now, because it is in parts outdated. (Also See: Why India's Cyberlaw Must Rapidly Evolve)
With India playing an extraordinary role in the cyber economy, legislation needs to correspond to this. What I find lacking is more international involvement - in the United Nations, in the Asia context, and ratifying, for instance, the convention on cybercrime, and taking initiatives internationally. India is called upon to do more in these areas because of its already great importance in this sphere, which will become even more so in the future.
Lesson from EU Experience
HARAN: What is a message for nations worldwide that you can share from the European experience?
WEGENER: The most important message is the dimension of the threat today, because the threat has been growing so exponentially and in so many ways that we have not fully fathomed. We need to give cybersecurity and the functioning of a responsibly managed information society a much higher position in our national value scales and operations.