The sabotage of the Nord Stream pipelines in the Baltic Sea last month is now taken as the first major attack on European maritime infrastructure (Photo: Danish Defence)
The sabotage of the Nord Stream pipelines in the Baltic Sea is now taken as the first major attack on European maritime infrastructure.
In consequence, critical infrastructure protection has gained much attention — including by the European Commission and the European Parliament.
-
The majority of subsea cable connections of the EU run through the UK (Photo: Bob Mical)
In a debate on the war in Ukraine in the parliament last week, EU Commission president Ursula von der Leyen laid out a five-point action plan. Does this plan suffice?
Her first point concerned preparedness and getting the Critical Infrastructure Directive, which provides new legislation, approved by parliament.
Known as NIS2 the directive encourages member states to identify their critical infrastructures and to ensure reporting of incidents.
While von der Leyen is certainly right that the NIS “will strengthen the resilience of critical EU entities”, NIS2 was largely written with cyber security concerns in mind, rather than physical attacks.
Moreover, it does not reflect the specifics of under water infrastructures, that after all connect countries, and are often outside of the jurisdiction of an EU member state.
The second point of the plan is to conduct a “stress test”.
This has the goal “to identify whether we have weak points and where these weak points are. And of course, we have to prepare our reaction to sudden disruption.”
These tests are supposed to be done by the member states with assistance by the commission and should focus first on “the energy sector”, “followed by other high-risk sectors, such as the offshore digital and the electricity infrastructure.”
Desktop exercises vs real-world scenarios
Unfortunately, the commission has not provided further details of how such tests could look like. It is likely that they will take the format of table top exercises and scenario workshops. This is in many ways a productive step, as such exercises are valuable in identifying structural weaknesses and gaps in communication. They are also useful to enhance trust and confidence among the state agencies and the private sector involved.
Improving capacities to “support member states in addressing the disruption of critical infrastructure, for example, with fuel, with generators, with necessary shelter capacity” is the third item in the plan.
This is part of ongoing work on the EU civil protection mechanism. While useful to prepare for catastrophic events more general, it is unclear how this component can actually increase resilience and prevent or at least deter future attacks.
Prevention is addressed in van der Leyen’s fourth point.
She argues to “make best use of our satellite surveillance capacity. We have these satellites in place. We have the capacity to do the surveillance to detect potential threats.” Van der Leyen here refers to the satellite imageries provided by the European Space Agency.
For the maritime domain, these satellite images are commissioned and distributed by the European Maritime Safety Agency.
Satellite surveillance only part of solution
It is hard to see how occasional satellite pictures can contribute to deterrence. Who will analyse the images, how will the conclusions from such analyses be shared, and what action will follow? So far none of the EU agencies has a mandate in this regard.
Satellites are a useful part of the surveillance picture, but they are only effective if they are complemented with other tools, such as the surveillance of marine traffic, of fisheries and cross border movements by ships and aircrafts.
This kind of work is coordinated by the European Maritime Safety Agency (EMSA), the European Fishery Control Agency (EFCA) and the European Coastguard and Border Agency (Frontex).
None of them has a mandate, or resources, to conduct the monitoring and surveillance of critical infrastructures.
The EU has ambitious plans for maritime inter-agency information sharing in what is called the Common Information Sharing Environment (CISE).
CISE is led by EMSA and supposed to be operational next year. It has the potential to provide a major tool for European coast guards and other maritime security forces, and also has military component, managed by the European Defence Agency. To improve surveillance, critical infrastructure protection must become a key dimension in CISE and its military component.
Von der Leyen’s final point is little more than a general security policy mantra, namely to “strengthen our cooperation with Nato and with key partners like the United States on this critical issue.”
This not only brings one back to the endless conundrum of the EU’s security and defence policy, that is, how to organise the separation of labour with Nato while avoiding duplication and maintaining an independent posture.
It is also noteworthy that the most important partner for European critical maritime infrastructure protection is not even mentioned. The majority of subsea cable connections of the EU run through the UK.
In our report to the European Parliament discussed in the debate on 5 October, we have outlined a series of other steps that the commission could take to improve resilience.
While our report focused on subsea data cables, these recommendations are more widely applicable to under water infrastructure.
These include to strengthen the collaboration with industry, to enhance repair capacities, to mainstream infrastructure protection in education and training, to ensure that it is an issue on the diplomatic agenda, and to use the revision of the mandate of EMSA and the drafting of the new European Union Maritime Security strategy as initial policy vehicles.
These steps should form part of the plan.
Source: euobserver.com