1.
INTRODUCTION
Cybersecurity is critical to both our prosperity and our security. As our daily lives and
economies become increasingly dependent on digital technologies, we become more and
more exposed. Cybersecurity incidents are diversifying both in terms of who is responsible
and what they seek to achieve. Malicious cyber activities not only threaten our economies and
the drive to the Digital Single Market, but also the very functioning of our democracies, our
freedoms and our values. Our future security depends on transforming our ability to protect
the EU against cyber threats: both civilian infrastructure and military capacity rely on secure
digital systems. This has been recognised by the June 2017 European Council1, as well as in
the Global Strategy on Foreign and Security Policy for the European Union.2
The risks are increasing exponentially. Studies suggest that the economic impact of
cybercrime rose fivefold from 2013 to 2017, and could further quadruple by 2019.3
Ransomware4 has seen a particular increase, with the recent attacks5 reflecting a dramatic rise
in cyber-criminal activity. However, ransomware is far from the only threat.
Cyber threats come from both non-state and state actors: they are often criminal, motivated by
profit, but they can also be political and strategic. The criminal threat is intensified by the
blurring of the border between cybercrime and “traditional” crime, as criminals use the
internet both as a way to scale up their activities, and also as a source to find new methods
and tools to commit crime.6 Yet in the vast majority of cases, the chances of tracing the
criminal are minimal, and the chances of prosecution smaller still.
At the same time, state actors are increasingly meeting their geopolitical goals not only
through traditional tools like military force, but also through more discreet cyber tools,
including interfering in internal democratic processes. The use of cyberspace as a domain of
warfare, either solely or as part of a hybrid approach, is now widely acknowledged.
Disinformation campaigns, fake news and cyber operations targeted at critical infrastructure
are increasingly common and demand a response. For this reason, in its Reflection Paper on
the Future of European Defence7 the Commission stressed the importance of cyber defence
cooperation.
Unless we substantially improve our cybersecurity, the risk will increase in line with digital
transformation. Tens of billions of "Internet of Things" devices are expected to be connected
to the internet by 2020, but cybersecurity is not yet prioritised in their design.8 A failure to
protect the devices which will control our power grids, cars and transport networks, factories,
finances, hospitals and homes could have devastating consequences and cause huge damage
to consumer trust in emerging technologies. The risk of politically-motivated attacks on
civilian targets, and of shortcomings in military cyber defence, deepens the risk still further.
The approach set out in this Joint Communication will make the EU better placed to face
these threats. It would build greater resilience and strategic autonomy, boosting capabilities in
1
2
3
4
5
6
7
8
http://www.consilium.europa.eu/en/press/press-releases/2017/06/23-euco-conclusions/.
http://europa.eu/globalstrategy/.
See for example McAfee & Centre for Strategic and International Studies "Net losses: Estimating the Global
Cost of Cybercrime" 2014.
Ransomware is a type of malware that prevents or limits users accessing their system, either by locking the
system's screen or by locking the users' files unless a ransom is paid.
In May 2017 the WannaCry ransomware attack affected more than 400,000 computers in over 150 countries.
A month later, the "Petya" ransomware attack hit Ukraine and several companies worldwide.
EUROPOL's Serious and Organised Crime Threat Assessment 2017.
https://ec.europa.eu/commission/sites/beta-political/files/reflection-paper-defence_en.pdf.
IDC and TXT Solutions (2014), SMART 2013/0037 Cloud and IoT combination, study for the Commission.
2