How coherent is EU cybersecurity policy?

Recent security breaches at major companies and cyber-attacks such as the WannaCry ransomware attack have put cybersecurity firmly on the EU's political agenda. But how coherent an actor is the EU in the field of cybersecurity? Drawing on a recent study, Andre Barrinha and Helena Farrand-Carrapico write that there remains a lack of cohesion in EU cybersecurity policy, with the main responsibilities in cybersecurity governance remaining with the member states. It remains to be seen whether recent events will encourage EU states to cooperate more closely on the issue or whether stronger responses will be pursued by individual states at the national level

When trust fades, Facebook is no longer a friend: shifting privatisation dynamics in the context of cybersecurity as a result of disinformation, populism and political uncertainty

This article discusses how populism and political uncertainty are impacting on one of the main current trends in the Area of Freedom, Security and Justice, namely the privatisation of JHA. Through an exploration of a cybersecurity policy case study, the article proposes to understand how the privatisation of internal security, which has resulted in private actors shaping JHA policies and regulation, is currently being disrupted. Through the use of the theoretical lenses of Regulatory Capitalism, the article argues that this change is directly related to a reduction in trust relations between the State and certain private sector actors, which occurs when priorities in addressing populism and political uncertainty are perceived to diverge

Discursive continuity and change in the time of COVID-19: The case of EU Cybersecurity Policy

This article explores the extent to which Covid-19 has impacted the trajectory of EU Cybersecurity Policy. The Covid-19 crisis has led to an unprecedent reliance on digital solutions, ranging from teleworking to virus-tracking systems, resulting in the proliferation of Covid-19 related cybercrime, critical information infrastructure attacks and dissemination of pandemic disinformation. Although the virus has been repeatedly portrayed as life altering and as having considerably increased the cybersecurity risks faced by States, businesses and citizens, the proposed solutions, however, have accelerated existing trends in the field rather than resulting in significant institutional change. In particular, there has been a reinforcement of the role as a coordinating actor, of the introduction of further coherence between sub-areas and instruments, and of the positioning of public-private partnerships at the heart of the policy. However, where the role of social media platforms in facilitating the spread of disinformation is concerned, a changing trust relationship has resulted in a discursive shift in which these platforms require greater oversight, a belief reinforced by the spread of Covid-19 disinformation. The article proposes, through the lenses of historical and discursive institutionalism, that the EU’s response to Covid-19 in the field of cybersecurity can only be understood in light of these pre-existing trends, which are the result of an economic and security path dependence that emerged in the 1980s

‘People like that cannot be trusted’: populist and technocratic political styles, legitimacy, and distrust in the context of Brexit negotiations

Debates in and over the European Union (EU) are increasingly characterised as being based in arguments that are either ‘populist’ or ‘technocratic’. As systems of communication, this article argues, populism and technocracy possess dramatically different logics of argumentation, modes of communication and meaning-making, distinct narratives, with appeals to distinct sources of legitimacy. As such, actors adopting either political style construct their identity in a way that seeks to legitimise its own political action, while in turn delegitimising that of its opponents. This results in an atmosphere of distrust between actors using these different communication styles, making any form of negotiation or cooperation between them exceedingly difficult. In the context of the Brexit negotiations, which this article uses as a case study, the UK Government has adopted a populist style characterised by narratives of taking back control, legitimised by the will of the people, communicating often in a ‘low’ political style and using a narrative of crisis and threat. In comparison, the EU has adopted a technocratic style characterised by narratives of technical policy making and the need for rationality, legitimised through the laws, rules and processes by which it is governed, communicating in a ‘high’ political style while using a narrative of stability and continuity. These radically different views of the world have resulted in an increasing of tensions and distrust by the parties to Brexit negotiations that were already heightened by a sense of ‘betrayal’ over Brexit

Digital/sovereignty and European security integration: an introduction

The notion of digital sovereignty, also often referred to as technological sovereignty, has been gaining momentum in the European Union’s (EU) political and policy discourses over recent years. Digital sovereignty has come to supplement an already substantial engagement of the EU with the digital across various security policy domains. The goal of this article and of the overall Special Issue is to explore how the discourse and practices of digital sovereignty redefine European security integration. Our core argument is that digital sovereignty has both direct and indirect implications for European security as the EU attempts to develop and control digital infrastructures (sovereignty over the digital), as well as the use of digital tools for European security governance (sovereignty through the digital). It is thus essential to further explore digital sovereignty both in terms of European policies and of a re-articulation of sovereign power and digital technologies – what we suggest calling digital/sovereignty

Push and back: The ripple effect of EU border externalisation from Croatia to Iran

Pushbacks have become a key feature of EU migration controls since 2015. As this article argues, practices of pushbacks stretch from EU spaces, such as Croatia, to its external borders and neighbouring countries, reaching as far as Iran. Although pushback tactics and their consequences are widely discussed in public, activist, policy debates, and by refugees themselves; academic literature has a limited engagement with pushbacks and their effects. To address this gap, we set up the concepts of “push” and “back” to question the ripple effect of informal and violent border controls that occurs transversely in multiple geopolitical contexts and timelines of migratory journeys. The article draws on ethnographic fieldwork in two border locations: the Croatian border with Bosnia-Herzegovina and the Turkey-Iran border. We argue that the EU’s governance of its external border encourages identical practices of “push” to different locations. We show that “pushes” generate multi-layered violence enmeshed in the local security (and at times militarized) contexts when people are “back”; or forcibly returned to their starting locations. The analysis of “push” and “back” contributes to the literature on the EU externalisation of migration governance and border violence, which we examine through informal and violent border practices inside and outside of the EU

Disputing security and risk: The convoluted politics of uncertainty

This chapter explores some of the dilemmas that arise in using uncertainty as a lens to interpret societal problems and issues. Using several cases to open up discussion we argue that it is vitally important to understand the historical, political and cultural context in which debates about risk, uncertainty and (in)security materialise. Arguing for a re-specified, context-specific account, we seek to unravel dominant understandings of uncertainty in three domains: cyber security, counter-radicalisation strategy and mechanisms for coping in the aftermath of structural violence. While acknowledging the value of uncertainty as an heuristic device, we argue that established units of sociological analysis – such as power and ideology – remain important explanatory concepts in understanding institutional actions and policy drivers

Study on the Evaluation of the European Union Agency for Network and Information Security

The European Union Agency for Network and Information Security (ENISA) was established in 2004. The Agency provides advice and recommendations, data analysis, and supports awareness raising and cooperation by the EU bodies and Member States in the field of cybersecurity. ENISA uses its expertise to improve cooperation between Member States, and between actors from the public and private sectors, as well as to support capacity building. The present study involves the evaluation of ENISA over the 2013-2016 period, assessing the Agency’s performance, governance and organisational structure, and positioning with respect to other EU and national bodies. It assesses ENISA’s strengths, weaknesses, opportunities and threats (SWOTs) with regard to the new cybersecurity and digital privacy landscape. It also provides options to modify the mandate of the Agency to better respond to new, emerging needs and assesses their financial implications. The findings of the evaluation study show that ENISA has made some important achievements towards increasing NIS in the EU. However, a fragmented approach to cybersecurity across the EU and issues internal to the Agency, including limited financial resources, hinder ENISA’s ability to respond to the ever growing needs of stakeholders in a context of technological developments and evolving cybersecurity threats