The Bangemann Report was one of the most important documents in the foundation and development of EU cyber security policy. The reason for this is that the origins of all the core elements in that policy discourse can be traced back to this document. While the initiation of interest in ICT can be found in the White Paper establishing the Internal Market in 1985 (European Commission, 1985), it was in the Bangemann Report that this interest began to coalesce into a more recognisable “cyber” policy.
The Bangemann Report was specifically requested by the European Council in a meeting in Brussels in 1993 (European Council, 1993b, p. 11). The Commission was tasked with sponsoring and co-ordinating a committee of experts who would examine the fundamental social and economic changes brought about by emergent ICT. At the time it was recognised that Europe as a whole had to adapt to these new technologies as “those economies which are the first to complete this transformation [to ICT] will have a significant competitive edge” (European Council, 1993b, p. 11). Once again economic factors were the primary driving force for this measure. To ensure this economic competitive advantage, the European Council therefore requested:
that a report be prepared for its next meeting by a group of prominent persons fully representative of all relevant industries in the Union and of users and consumers, designated by the Council and the Commission, on the specific measures to be taken into consideration by the Community and the Member States in this sphere (European Council, 1993b, p. 12).
The report was to cover the development and interoperability of infrastructure networks “for facilitating the dissemination of information” as well as basic trans-European services such as databases and email (European Council, 1993b, p. 12).
The purpose of the Bangemann Report was to examine the economic and social implications and potential of digital infrastructures and new media. However, it inadvertently established certain policy choices which became standard goals and aims for all cyber policies produced since. This included those documents dealing with security and safety issues. In effect, the Report created crucial path dependencies in this particular field (Fligstein and Mara-Drita, 1996, p. 5). This linear connection between the Bangemann Report and the EUCSS can be demonstrated with a tabular comparison of key elements of both documents.
Table 6-1: Comparison of the Bangemann Report and the EUCSS [32]

| Bangemann Report 1994 (Bangemann, 1994) | European Cyber Security Strategy 2013 (European Commission, 2013a) |
| --- | --- |
| Economic factors including market forces | Information and communications technology has become the backbone of our economic growth and is a critical resource which all economic sectors rely on. |
| Data protection and online privacy must be enshrined rights | Protecting fundamental rights, freedom of expression, personal data and privacy. Cybersecurity can only be sound and effective if it is based on fundamental rights and freedoms as enshrined in the Charter of Fundamental Rights of the European Union and EU core values. Reciprocally, individuals' rights cannot be secured without safe networks and systems. Any information sharing for the purposes of cyber security, when personal data is at stake, should be compliant with EU data protection law and take full account of the individuals' rights in this field. |
| Creation of Jobs | The EU should make the best of the Horizon 2020 Framework Programme for Research and Innovation, to be launched in 2014. (Horizon 2020 is the financial instrument implementing the Innovation Union, a Europe 2020 flagship initiative aimed at securing Europe's global competitiveness. Running from 2014 to 2020, the EU’s new Framework Programme for research and innovation will be part of the drive to create new growth and jobs in Europe). |
| Intellectual property and online piracy must be combatted | Across the EU, more than one in ten Internet users has already become victim of online fraud. |
| EU (particularly Commission) must promote actor co-operation | The Commission and High Representative will increase policy co-ordination and information sharing through the international Critical Information Infrastructure Protection networks such as the Meridian network, co-operation among NIS competent authorities and others. |
| Private sector involvement crucial | Our freedom and prosperity increasingly depend on a robust and innovative Internet, which will continue to flourish if private sector innovation and civil society drive its growth. |

[32] In this table, general references to the document source have been placed in the column heading, rather than for each individual point. This was done for ease of reading.
As shown in Table 7 above, the Bangemann Report and the EUCSS share certain vital components, indicating a direct connection between the concepts initiated in 1994 and those published in the EUCSS of 2013. The Bangemann Report makes clear that economic factors such as market forces (Bangemann, 1994, p. 16) and the creation of jobs (Bangemann, 1994, p. 10) underpin the Union’s interest and strategic outlook in ICT. This position is a cornerstone of the EUCSS as it is acknowledged that cyberspace “has become the backbone of our economic growth and is a critical resource which all economic sectors rely on” (European Commission, 2013a, p. 2; Interview, Smith and Jones, eu-LISA, 2014). In 1994, data protection and online privacy were fundamental rights to be enshrined both in the information society and in future policy (European Commission, 1996c, p. 12). These are to be ensured via technical and regulatory measures (Bangemann, 1994, p. 22,131).
The protection of fundamental rights such as privacy and safety, online or offline, is a core tenet of the EUCSS (European Commission, 2013a, p. 4). Dr Udo Helmbrecht, the Executive Director of ENISA, stated that basic civil rights cannot be ensured without data protection (Interview, Helmbrecht, ENISA, 2014). This view is echoed by officials from eu-LISA (Interview, Smith and Jones, eu-LISA, 2014). The precursors to the regulatory framework for intellectual property rights and combatting online piracy were also established in 1994 (Bangemann, 1994, p. 21). This would form a core element of tackling cyber-crime by 2013 (European Commission, 2013a, p. 9) including the establishment of the European Cyber Crime Centre at Europol (Europol, 2013a).
The linear connection is not restricted simply to policy aims or strategic goals, however. The Bangemann Report also states that the way these goals would be achieved was for the EU, in particular the Commission, to facilitate actor co-operation, particularly the pooling of resources (Bangemann, 1994, p. 12). This view is echoed by the Commission facilitating the sharing of information and best practice amongst core interested parties under the terms of the EUCSS (European Commission, 2013a, p. 16). There was also in 1994 a growing recognition of the importance of the private sector in this regard (European Council, 1994a). An entire chapter of the Bangemann Report is devoted to securing private finance and ensuring that the private sector accept responsibility and take a lead role in the development of future initiatives (Bangemann, 1994, p. 34). The role of the private sector in EU cyber policy does not diminish over the next 28 years. In 1996 the private sector was seen as crucial for developing Internet and multimedia use in education (European Commission, 1996d, p. 16), and by 2013 it was a lynchpin in securing the EU’s digital space (European Commission, 2013a, p. 2,5).
Core path dependencies in cyber security policy were established when the Bangemann Report was endorsed by the European Council (European Council, 1994b, pp. 7–8). A strong economic focus was instituted, centring on employment and economic growth. As established in Chapter 5 of this thesis on the EU’s discourse, Union cyber security policy acknowledges that ICT infrastructures form the backbone of economic and social life. The choices made in the Bangemann Report focussed policy attention on socio-economic factors such as wealth creation and employment. This in turn would lead to the adoption of a more socio-economic approach to the manner in which the EU would seek to secure its digital space. The aim was for the EU to become a digital domain in which to do business with confidence, in safety and with access to numerous new commercial opportunities.
In 1994 these policy choices sought to maximise the potential for new technologies and ICT to contribute to the economic and social development of the EU (European Council, 1994b, p. 8). This policy was part of the wider international movement towards digital and online media in that it set in train a crucial policy choice – a path dependence – which ultimately would differentiate it from other cyber security strategies of the 2010s. As examined in Chapter 1, the EU takes a very different approach to cyber security to most other actors. A number of key cyber security actors take a more active position against external intrusions (Dewar, 2014, p. 14) or “attacks” under the laws of armed conflict (Dinstein, 2012, p. 264). Although a legitimate policy choice, it is one predicated upon a pessimistic view of cyberspace as a domain replete with myriad threats, threat agents and potential disasters which may occur leading to concentrations on worst-case scenarios (Dunn Cavelty, 2012a, p. 22).
The EU in 2013 takes a more optimistic view. It seeks to establish a digital space where people can live, interact, communicate and do business safely and securely, confident in the knowledge that their data is safe and the infrastructures they are using are resilient (European Commission, 2013a, p. 2, 1994, p. 5). This positive position was established in the Bangemann Report and persisted for the next two decades. The developing digital space, what would eventually be labelled as “cyberspace”, was seen not as a realm of danger, but as one of great commercial opportunity for European society to enjoy and exploit (European Commission, 1996b, p. 2, 1994, p. 3). Exploited opportunities needed to be safe and secure, but this did not detract from the EU’s positive attitude to cyberspace and digital media, an attitude which persists in the EUCSS with its description of “an open and free cyberspace” (European Commission, 2013a, p. 2). According to officials at eu-LISA, the fundamental purpose of the EU’s involvement as a body in digital and online technology is to promote a free, open and secure internet (Interview, Smith and Jones, eu-LISA, 2014).
The initiation of the Single Market and the publication of the Bangemann Report established a number of vital path dependencies for EU cyber security policy which would both affect and effect policy choices in later decades. A focus on maximising growth and employment cemented the economic prioritisation of EU policy as regards cyberspace as a whole. A consequence of this was that the EU considered cyberspace as a domain filled with opportunities, rather than threats, a view which was perpetuated throughout the timescape of cyber security policy development.
However, at the same time as socio-economic paths were being laid down, a clarification of the EU’s capacity to act in core policy sectors was also occurring. Against the backdrop of the establishment of the Single Market, the EU’s competences were being codified, in particular those relating to security and external policy. While the Single Market and the Bangemann Report would create strong path dependencies in cyber security policy with respect to its economic foci, highly specified competence in security matters would have an equally important influence on the ability of the EU to respond to the security issues that arose along with the increased social and commercial use of ICT and the internet.