EU–ROK cooperation on cyber-security and data protection
George Christou and Ji Soo Lee
Introduction
The increased everyday use of the Internet and associated information and communication technologies (ICTs) has created new opportunities for consumers, business, and government, but also new risks and threats in the form of cyber-crime, cyber-espionage, and cyber-warfare. The global, borderless nature of cyber-space means that no one person, state, or organization is immune to such threats, and, equally, that any solutions addressing such threats must be coordinated at an international level. Thus the issue of securing cyber-space and creating a trustworthy digital environment has risen up the political agenda and become a priority issue and a pressing challenge in the twenty-first century. Indeed, both the EU and ROK realize the necessity of international cooperation in order to ensure that the digital challenges and threats can be addressed through both a common global vision for the Internet and norms for cyber-space that will enable safe, secure, and sustainable digital growth.
To this end, the EU and ROK established a bilateral cyber-dialogue in 2013 and are like-minded normatively and in their agreement on the applicability of international law to cyber-space; they also play a key role in relevant regional and multilateral settings, promoting confidence-building measures and laws and norms for state behavior in cyber-space. Thus, the EU and ROK provide mutual reinforcement in critical regional and multilateral settings, although it can be argued that more could be done at a practical and substantive level of cooperation on cyber-security issues. In relation to data protection, a central issue in recent years has been that of the compatibility of the ROK data protection laws with those of the GDPR. This said, substantive efforts have been made to resolve this issue through reforming the ROK data protection laws and intensive consultation and cooperation between the ROK and the EU. Indeed, considerable progress had been made at the time of writing this chapter on advancing the adequacy process in the ROK, indicating a high level of cooperation and convergence between the EU and ROK on data protection issues.
In order to provide a more comprehensive understanding of the EU and ROK approaches to cyber-security and data protection and, importantly, issues related to cooperation in these areas, this chapter is structured as follows. Sections I and II will outline the respective approaches of the EU and ROK. Section III will discuss issues in relation to international activity and cooperation, and the final section will then outline the main implications in relation to future cooperation on cyber-security and data protection between the EU and ROK.
The EU’s approach to cyber-security and data protection
Cyber-security
The EU’s approach to cyber-security has evolved over time in an ad hoc manner. It has incorporated and reflected the institutional logics of the EU actors that have been responsible for constructing the varied strands of cyber-security policy. These strands include, broadly: cyber-crime and cyber-attacks, dealt with in the main by Directorate Generals Justice and Home; Network and Information Security (NIS), which encompasses Critical Infrastructure Protection (CIP) and Critical Information Infrastructure Protection (CIIP), dealt with predominantly by Directorate General Connect; and finally, a cyber-defense element that falls under the CSDP mandate. The EU Cybersecurity Strategy (European Commission and High Representative 2013) delineates the above strands as strategic priorities, and adds two further dimensions: (1) developing the industrial and technological resources for cyber-security; (2) establishing a coherent international cyber-space policy for the EU in order to promote core EU values; with increased efforts on cyber-diplomacy being added after 2015.
The EU’s efforts in cyber-security have not only been triggered by singular defining events but also by evolving trends. Within cyber-security and cyber-crime, persistent everyday cyber-breaches and major attacks, such as that on the power grid in Ukraine in 2015, Russia’s attempts to influence democratic processes and elections in the US and Europe, and attacks against EU institutions, have increased threat perceptions and incentivized the EU to enhance significantly its ability to deal with cyber-attacks (ENISA Threat Landscape Report 2017; IOCTA 2018). Moreover, there is a general consensus that the Russian-sourced distributed denial of service (DDoS) attacks on Estonian public and private institutions and infrastructure in 2007 were critical moments in which the EU and NATO were forced to radically rethink their common approach to network protection and information security. Since then, the EU’s policy across its different cyber-security mandates has evolved incrementally.
Its approach was consolidated in the first Cybersecurity Strategy of the EU (European Commission and High Representative 2013). At the core of the Strategy is the Network and Information Systems (NIS) Directive, which was implemented by EU Member States in May 2018. The aim of the Directive is to advance institutional preparedness among the Member States for cyber-events by developing a functioning national/governmental Computer Emergency Response Team (CERT); establishing prevention, detection, mitigation, and response mechanisms for information sharing and mutual assistance amongst national NIS competent authorities; promoting cross-border EU-wide cooperation through an EU NIS Action Plan; and improving the engagement and preparedness of the private sector through the reporting of major NIS incidents to national NIS-competent authorities.
Other initiatives, such as the contractual Public Private Partnership (cPPP) (European Commission 2016a), have aimed to stimulate the innovation and competitiveness of Europe’s cyber-security industry, whilst the proposed Cybersecurity Act (Council of the European Union 2018) - part of the broader Cybersecurity Package introduced in 2017 - seeks to strengthen the EU’s cyber-resilience, deterrence, and defense through a variety of initiatives (European Commission 2017b). Beyond this, and highlighting the increasing significance of cyber-security at EU level, the European Agenda on Security (European Commission 2015b) and the Joint Framework on Countering Hybrid Threats (European Commission and European External Action Service 2016) provide strategic guidance on cyber-security and cyber-crime. Cyber is also recognized as a priority area in the EU’s Communication Launching the European Defence Fund (European Commission 2017c: 3), and is included in the European Commission Communication on achieving an effective and genuine Security Union (European Commission 2016b). Importantly, the EU Global Strategy (Council of the European Union 2016, p. 22) points to the importance of fostering a “common cyber security culture” in order to raise preparedness for cyber disruptions and attacks.
The EU’s approach to cyber-security is normatively underpinned by broader principles and guidelines that have been defined for Internet governance, stability, and resilience (European Commission 2011; European Commission and High Representative 2013; European Commission 2009, 2014). The EU approaches the global Internet as a public or collective good that should be available to and accessible by all. There is a normative view that use of the Internet should not be restricted or limited for any citizen, the exception being measures and instruments that are used in order to prevent harm to others. Furthermore, for the EU it is clear that “Cybersecurity can only be sound and effective if it is based on fundamental rights and freedoms as enshrined in the Charter of Fundamental Rights of the European Union” (European Commission and High Representative 2013, p. 4).
There is also a very clear EU idea on the governance model of choice for the Internet and cyber-security policy more specifically, that of multi-stakeholderism (see European Commission 2009; and European Commission and High Representative 2013). Whilst the multi-stakeholder vision is born from the very complexity of the Internet, and is shared by many states (e.g., the US, Japan, ROK, Canada, and Australia), it is highly contested by those states (e.g., Iran, Russia, China, India) that consider (1) the US to hold too much power over the management of the Internet; and (2) themselves to be under-represented in the existing global Internet governance institutions, and that wish to see much more governmental involvement in cyber-space through the International Telecommunication Union (ITU) - that is, a traditional intergovernmental rather than a multi-stakeholder approach.
The EU also places great importance on the global context and international cooperation for ensuring security in cyber-space. The EU is clear in its position that without cooperation and collaboration with international partners (public and private) to create global principles compatible with EU values, the EU’s attempts to construct its own resilient cyber-security policy will be fundamentally weakened, as will the stability and interoperability of the Internet. Global disagreement and contestation, for example, on the role of technical standards, data protection, and privacy, who should control and regulate the Internet, norms of behavior, and the appropriate legal conventions for fighting cyber-crime (e.g., the Council of Europe's Convention on Cybercrime 2001) can undermine any attempt to create a secure cyber-space for all.
The EU’s normative approach bodes well for positive cooperation with the Republic of Korea (ROK) in cyber-security on several fronts. First, both the EU and ROK are like-minded on the question of the application of international law to cyber-space; this, in contrast to states such as North Korea and China that are perceived to regularly contravene the laws. Indeed, the former is suspected to have orchestrated several cyber-attacks on ROK computer systems, including attacks on television stations and banks (March 2013) and Korea Hydro and Nuclear Power (Dec 2014). Second, the EU and ROK are normatively aligned on the international vision for the governance of the Internet - in terms of both defending and sustaining a safe, open, and stable Internet, but also as an enabler for sustainable development. That is, the Internet as an additional tool for integrating developing countries into the global economy (European Parliament 2015, p. 9). The decision to launch the EU-ROK cyber-dialogue, taken in November 2013, aimed at strengthening bilateral and regional collaboration and cooperation on global cyber-issues - with the 4th Meeting in January 2018 focusing on confidence-building measures, the applicability of international law, and norms of responsible state behavior in cyber-space (EEAS 2018a).
The EU, then, has an evolving framework of initiatives and clear normative principles within which to create a “reliable, safe and open cyber ecosystem” (European Commission and High Representative 2013). The EU also has numerous instruments, institutions, and agencies (e.g., ENISA, EC3, EDA) at its disposal with regard to pursuing its Cybersecurity Strategy. These range from voluntary arrangements (to ratify the Budapest Convention), incentives, dialogues, and platforms for cooperation and coordination (e.g., the cPPP), to more formal, mandatory requirements, such as the NIS Directive and the GDPR which, respectively, compel the relevant stakeholders to report cyber-incidents, and ensure the privacy and protection of the data of EU citizens in Europe and beyond. There has been some progress on achieving certain aspects of the Cybersecurity Strategy. For example, the NIS Directive is being implemented, and the European Cybercrime Centre (EC3) has been able to support EU law enforcement authorities to prevent and investigate cross-border cyber-crime (EC3 Report 2017). Here, novel operational governance mechanisms such as the Joint Cybercrime Task Force (J-CAT) have evolved to combat the threat of transnational cyber-crime (Christou 2018). ENISA has also provided essential support to Member States in providing guidance on EU NIS legislation (e.g., on reporting incidents), and, among other things, in alerting and preparing Member States through cyber-exercises for the minimum national requirements and capabilities needed to respond to any cyber-attack.
Whilst cyber-defense is the least mature of the EU's strands, Member States did agree on the EU Concept for Cyber Defence in EU-led operations in 2012, allowing operational commanders to create and maintain situational cyber-awareness. In the same year, EU Defence Ministers also agreed to put cyber-defense on the Pooling and Sharing agenda to facilitate joint working on training and education. The European Defence Agency (EDA), as the lead agency in this field, has also made some progress in realizing the five key areas agreed in the European Council Conclusions in December 2013 (European Council Conclusions 2013), in particular in relation to cyber-training, education, and exercise opportunities for Member States. In 2017, major attacks such as WannaCry and NotPetya, which caused disruption not just in Europe but globally, catalyzed a revision of the EU’s Cybersecurity Strategy (European Commission 2017d) and, specifically, the EU Cyber Diplomacy Toolbox (Council of the EU 2017) and the Blueprint for Coordinated response to large-scale cross-border cyber-security incidents and crises (European Commission 2017a). Indeed, in June 2017, the EU adopted a framework for a joint EU diplomatic response to malicious cyber-activities; and this was followed up in May 2019 with an EU general framework for its sanctions regime. In addition, an initiative in late 2017 for the development of an EU Cyber Rapid Response Force was agreed by a number of EU Member States (initially six to nine at the time of writing) under Permanent Structured Cooperation (PESCO) (EEAS 2018b).
Given the constant evolution of cyber-threats and their complexity, the revised cyber-security strategy (2017) builds on the above core strands and instruments to focus on further enhancing resilience, effective cyber-deterrence, and stronger cyber-defense through a variety of new proposals, including most significantly:
- Strengthening the European Union Agency for Network and Information Security (ENISA) (creating a European Union Cybersecurity Agency that would build on ENISA’s work);
- Creating an EU-wide cyber-security certification framework;
- Creating a European Cybersecurity Research and Competence Centre;
- A new Directive on the combatting of fraud and counterfeiting of non-cash means of payment to provide for a more efficient criminal law response to cyber-attacks;
- Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities and measures to strengthen international cooperation on cyber-security;
- Blueprint for Coordinated response to large-scale cross-border cyber-security incidents and crises.
Whilst in theory such proposals should enhance the governance of EU cyber-security, they also pose certain questions and challenges in relation to the EU’s ability to deliver on its objectives. Some have argued, for instance, that “the EU has neither properly defined resilience or deterrence nor made sufficiently clear how it intends to overcome institutional fragmentation and lack of legal authority in cybersecurity issues”, going on to point out that controversial issues such as encryption and the harmonization of criminal law are omitted from its revised strategy (Bendiek et al. 2017). Others point to the need for further measures to “increase awareness,” and to develop smarter policy and effective governance, in particular in relation to cyber-hygiene and pan-European collaboration and cooperation (Pupillo 2018). What is clear is that the revised EU cyber-security strategy signals intent and ambition and provides a platform for the improvement of the way in which the EU does cyber-security. Also clear, however, is that for such intent and ambition to be realized, further reflection is required on the critical concepts on which such cyber-security policy is based, and on how the EU will coordinate, operationalize, and implement its most significant initiatives.