Policy Department C: Citizens' Rights and Constitutional Affairs
on technological threat tools, the study also described malware and its variants. Five
types of threat were identified: unauthorised access, disclosure, modification of
information, destruction and denial of service.
Bearing in mind the limitations of threat assessments, the study identified the main
threats as states and profit-driven criminals. These two categories require different
responses since different cybersecurity capabilities are legally and operationally equipped
to respond to them. From a capabilities perspective, this is a crucial observation.
Cybercriminals mainly fall within the remit of law enforcement, whereas actions taken by
states become an issue of national security. This relates to the discussion about how
cybersecurity is defined and what implications this has on policy ownership.
7.3 Cybersecurity capabilities in the EU
The EU Cyber Security Strategy published in 2013, along with the proposal for a Network
and Information Security (NIS) Directive, set the stage for an overarching approach to
cybersecurity in the EU. The Strategy sets out five objectives and in this study the team
focused on the first three in order to describe cybercapabilities: cybercrime,
cyberresilience and cyberdefence.
This study provided an overview of the institutional structures in place in the EU and
described the role the different entities currently play according to their mandates.
Overall, there are three main institutional players: the European Network and
Information Security Agency (ENISA); the European Cyber Crime Centre (EC3); and the
European Defence Agency (EDA). These have individual mandates for different aspects
of the cybercapability in the EU. They are supported by a number of additional players,
including Computer Emergency Response Teams (CERTs).
ENISA plays a leading role in the area of cyberresilience. According to its mandate,
ENISA has the authority to force Member States to take necessary actions, as its advice
forms the core of the Commission’s harmonisation strategy.
In the area of cybercrime, EC3 along with Eurojust plays a pivotal role in facilitating and
coordinating the fight against cybercrime. Through strategic analysis, EC3 offers
comprehensive advice on emerging trends and methods of criminal activity to
policymakers. Where identified threats are of high order and magnitude, the Joint
Cybercrime Action Taskforce (J-CAT) brings in the expertise of various liaising authorities
beyond the EU to coordinate an international response.
In the area of cyberdefence, where the role of the EU is least pronounced, the EDA leads
capability development.
7.4 Cybersecurity capabilities in the US
The landscape in the US is more diverse and arguably more complex to map than that
of the EU. The US has a lengthy history of cybersecurity policy, dating back to 1998,
when the US government began its efforts to address cyberspace-related risks. In the
years since, the question of effectiveness has been a
focal point of discussion. Within each of the three objectives used to categorise
capabilities (cybercrime, cyberresilience and cyberdefence), various players have a role
to play and often have to engage in the challenging exercise of determining who has to
do what, when and how.
In the area of cyberresilience, the US Department of Homeland Security (DHS) has a
formal leadership role and maintains various responsibilities, including securing Federal
Civilian Government Networks, protecting critical infrastructure and responding to