This blog is hosted on Ideas on Europe


Harmful Cyber Operations in the EU: Implementing the NIS Directive into the UK Legal System

Publication resulting from the UACES 2017 PhD and ECR Conference

The prevalence of cybersecurity threats against state infrastructure demonstrates the need for an effective European and national response, writes Eva Saeva. Focusing on the UK, she argues that, while legal measures are important, the fast-changing nature of the situation means that other avenues, such as public-private cooperation, are also essential.

The first major cyberattack on a nation state occurred ten years ago, in Estonia in 2007. The attack uncovered a grey area in the field of international law, and policy-makers and security experts were caught off guard.

In the years that followed, malicious activity exploiting the virtual space’s endless possibilities and vulnerabilities rapidly evolved and attacks on critical infrastructure increased significantly (e.g. in Georgia in 2008, the Stuxnet worm in Iran in 2010), creating a whole new domain of war – the online borderless world of cyberspace. International law followed suit: scholars, decision-makers and even the UN agreed that existing international law applies to cyberspace, and any comparison with the ‘Wild West’ was deemed groundless.

Regardless, many questions remained unanswered. For instance, what actually constitutes a harmful cyber operation and who can perform such a powerful attack? The term ‘harmful cyber operation’ means any malicious activity that targets critical infrastructure sectors (e.g. electric grids, nuclear power plants, air traffic control, hospitals, etc.) of another state that can cause major damage, death or destruction in the physical world.

Such an operation can be conducted by a group sponsored by a state, or by a non-state actor acting independently. While these attacks might not always cross the threshold of use of force (prohibited by Article 2(4) of the UN Charter), they can still cause major consequences for the victim state and violate its sovereignty or the principle of non-intervention.

The European Union has not been immune from these developments. In the EU, cyberattacks (both harmful and non-harmful) against government institutions and critical infrastructure have significantly increased in recent years (e.g. in Italy in 2014, in Germany in 2016, and most recently, in a number of EU countries with the WannaCry ransomware).

Legislation on the malicious use of the virtual space at national level differs across Member States. However, because information and network systems are interconnected, an attack against one Member State will likely have a spill-over effect that could lead to breaching the security of the whole EU. Therefore, the need for supranational legislation on cyberspace is clear.

As a result, after years of negotiations on promoting closer cooperation on issues such as data protection laws and the internal security of the Union, the Network and Information Security (NIS) Directive, the first comprehensive EU cybersecurity legislative instrument, entered into force in August 2016. It aims at harmonising and stabilising the level of cybersecurity across the Union through public-private cooperation.

The urgent need for such cooperation reflects the awareness that critical infrastructure sectors are mainly managed by private businesses (or ‘operators of essential services’, as per the NIS Directive) with their own rules and regulations. If states want to achieve a certain level of cybersecurity, public and private actors need to start cooperating more.

Case study: The UK

The UK represents an interesting case for analysis, mainly because of its approach to cyber issues: cyber has been considered a Tier One threat to national security since 2010. In light of Brexit, many will wonder whether or not the implementation of the NIS Directive into national law will happen. The answer is yes. The transposition has to be completed by May 2018, which means that the UK will have to do it regardless of Brexit.

Whether a new law will be introduced or present legislation will be adapted is still unclear. And while in many states the NIS Directive will fill in a void, this is not entirely the case with the UK. Although there is currently no Cybersecurity Act, the UK is one of the states with some cyber-related legislation regulating the security and intelligence agencies’ work, specifically the Government Communications Headquarters (GCHQ), which deals with cyber issues.

The law currently in force is the Investigatory Powers Act (IPA) 2016, which legalised bulk equipment interference powers, previously known as computer network exploitation and today known as hacking. In other words, the IPA legalised what has already been stated in the National Cyber Security Strategy 2016 – that the UK is developing offensive cyber capabilities.

The recent WannaCry global ransomware attack and its impact on the UK’s National Health Service (NHS) provides a clear rationale for the timely adoption of the NIS Directive. The issue with hacking medical records is far from new. It was already the subject of discussion in the UK back in 1991 when the ‘unpleasant aspects of these new systems of technology’ were acknowledged in relation to hacking into hospital computers.

Yet 26 years later, the WannaCry attack caused major disturbances and a halt to the work of the NHS. The virus hit devices using Windows XP – an outdated and unsupported version of Microsoft software, highly vulnerable to attacks, a fact the NHS was aware of. However, even though the NHS is a critical infrastructure sector, there is currently no law in the UK that enforces security measures for network and information systems, which, if present, would have technically prevented the attack.

This gap was also acknowledged in written evidence provided by Google, Yahoo, Microsoft, Apple, Twitter and Facebook on the Investigatory Powers Bill, which argued that the draft bill failed to provide statutory provisions on ‘the importance of network integrity and cyber security’. In cases like this, the great importance of the NIS Directive becomes obvious.

Even though the NIS Directive is an excellent initial step towards better coordination and safer cyberspace across the Union, it will be years before its effectiveness can be demonstrated. The problem is that the process of adopting law is time-consuming and cannot keep pace with technology. Laws cannot be amended immediately after a new network, device or software update has occurred. There are always going to be zero-day vulnerabilities to be exploited by security agencies and/or criminals. What the NIS Directive can do, however, is minimise the risk of further WannaCry incidents.

Please note that this article represents the views of the author(s) and not those of the UACES Student Forum or UACES.

Eva Saeva
Newcastle University

Eva Saeva is a PhD Candidate in Law at Newcastle University. Her research concentrates on the EU’s legal approach to cybersecurity.



UACES and Ideas on Europe do not take responsibility for opinions expressed in articles on blogs hosted on Ideas on Europe. All opinions are those of the contributing authors.