This article was downloaded by: [University of St Andrews] On: 02 August 2013, At: 01:17 Publisher: Routledge Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK
Intelligence and National Security Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/fint20
The European Union Policies on the Protection of Infrastructure from Terrorist Attacks: A Critical Assessment Javier Argomaniz Published online: 01 Aug 2013.
To cite this article: Intelligence and National Security (2013): The European Union Policies on the Protection of Infrastructure from Terrorist Attacks: A Critical Assessment, Intelligence and National Security, DOI: 10.1080/02684527.2013.800333 To link to this article: http://dx.doi.org/10.1080/02684527.2013.800333
ARTICLE
The European Union Policies on the Protection of Infrastructure from Terrorist Attacks: A Critical Assessment JAVIER ARGOMANIZ*
ABSTRACT This article aims to provide an assessment of the evolution and contribution since 2001 of the European Union infrastructure and transport protection policies to the European fight against terrorism. Using the avowed goals of the Protect strand of the 2005 EU Counter-terrorism Strategy as a yardstick, the intention here is to evaluate the extent to which reality matches the aspirations present in the European political discourse and in particular the overall aim of ‘strengthen[ing] the defences of key targets, by reducing their vulnerability to attacks, and also by reducing the resulting impact of an attack’. In this way, special attention is paid to the outcomes from a number of initiatives in the field such as the European Programme for Critical Infrastructure Protection (EPCIP), the Critical Infrastructure Warning Information Network (CIWIN), the Action Plan for the Enhancement of the Security of Explosives, the directives and regulations on aviation and maritime security and others. Continuing the pattern set out by the other contributions in this issue, the objective is to assess the degree to which initiatives have led to practical results, the political and institutional factors that have facilitated the process of policy development and implementation, the obstacles that have stood in the way of the practical realization of the initial objectives and, finally, lessons learnt.
Introduction
The bombings in Madrid and London have been a wake-up call for European governments on the importance of protecting the critical systems that enable societies to function from their targeting by terrorist groups. The explosions in Madrid’s commuter trains in March 2004 and London’s underground and bus networks in July 2005 demonstrated that, by attacking these transport
and communication nodes, it was possible for terrorist networks to damage European cities’ means of mass transit and, in the process, ensure a terrible cost in human lives. The consequences were wide-ranging: usage of public transport in the aftermath of the attacks in Madrid and London seriously diminished and the economic costs were very significant, not least in areas such as tourism. Protecting a state’s infrastructures from external damage is not an easy task. Modern societies are sustained by tightly coupled and increasingly complex interdependent systems of infrastructures. This interconnectedness renders critical infrastructures (CIs) vulnerable because a contingency in one element of the wider system is increasingly likely to affect other parts, leading to potential rapid escalations from individual disruptions. Just the fear of an attack may dislocate the functioning of critical nodes like national airports, as has been demonstrated time and again by terror alarms since 9/11.1 Moreover, due to processes of liberalization, deregulation and privatization of European national economic markets, it is not always clear who the key operators are for particular infrastructures and fragmented and diffuse ownership means that holistic policies in this area require the involvement of a large number of public and private actors. The management of public assets is even more challenging in the context of the European common market. The density and transnational character of many European CIs plus the interdependency of border security, transport and other cross-border infrastructures have increased the opportunities for multifaceted crises. 
Deregulation in the energy and telecommunication industries has also contributed to a growing number of operators owning assets in more than one European country.2 Compounding this situation, increasing economic integration, freedom of movement and the geography of Europe3 are factors that would enhance the cross-border impact of large terrorist incidents, particularly if they involve CBRN materials. As critical systems become increasingly complex and integrated across geographic borders, a terrorist attack on a particular network could have a ‘cascade’ effect on the supply chain, multiplying the negative effects in the process (i.e. disruption of electric supply on air traffic control systems) and having significant cross-border effects in two or more countries (i.e. a chemical plant located near the border). As a case in point, a major terrorist attack in the port of Rotterdam could paralyze whole economic sectors in several European states, notably Germany. All of these factors have encouraged member states to better coordinate their efforts by inviting the European Union (EU) to become involved. In this respect, guarding CIs against breakdowns caused by terrorism is addressed by the 2005 EU Counter-terrorism Strategy under the Protect
1 Arjen Boin and Denis Smith, ‘Terrorism and Critical Infrastructures: Implications for Public–Private Crisis Management’, Public Money & Management November (2006) pp.295–304.
2 Alain Esterle, Hanno Rack and Burkard Schmitt, Information Security. A New Challenge for the EU, Chaillot Paper 76 (Paris: Institute for Security Studies 2005) p.54.
3 Mirjam Dittrich, Facing the Global Terrorist Threat: A European Response, Working Paper 14 (Brussels: EPC 2005) p.23.
pillar, one of the four strands of the EU response.4 The EU Counter-terrorism Strategy understood that the Protect dimension should be about ‘strengthening the defences of key targets, by reducing their vulnerability to attacks, and also by reducing the impact of an attack’.5 The document contends that the EU should provide a platform through which to share information about national responses, foster public-private actors’ networks and deliver good practices and innovations. Conceptually, the protection of infrastructures from terrorist attacks is just one aspect of this Protect pillar. Protect is also about border control, defined as the ‘protection of our external borders’, and the non-proliferation of chemical, biological, radiological and nuclear (CBRN) materials and small and light weapons. In fact, most serious developments in this pillar have been in border protection, a well-established sphere of EU action. Progress here has occurred both internally, through the inclusion of biometric data in passports, establishment of the Visa Information System and the second-generation Schengen Information System under development, and in the field of transatlantic cooperation with initiatives such as the Passenger Name Records Agreement or the Visa Waiver programme.6 These new technological tools are part of the development of the so-called ‘integrated border management system’. Likewise, the 2005 Strategy makes a clear conceptual distinction between infrastructure protection and consequence management, even if they are both linked in practice and often discussed together in academic literature. The former aims to make less amenable to external attacks potential targets that are fundamental for the day-to-day functioning of a society in sectors such as energy, transportation, communication technologies, industry and others. 
The latter relates to incident detection and disaster mitigation and recovery, and matters such as multinational joint exercises, contingency plans and alert systems. They are part of the Respond pillar and therefore outside the scope of this paper. Instead, the goal here is precisely to use the EU Counter-terrorism Strategy as a yardstick to assess the post-9/11 progress of EU policies on CI protection from man-made attacks. The argument that will be put forward is that the EU has become engaged in areas in which it had little involvement before the 9/11 attacks. The EU’s growing engagement is partially a result of the focusing effect brought about by the attacks in Madrid and London, which contributed to moving these subjects up in European governments’ political agendas. At the same time, developments on the ground have been generally rather humble, in a context where a few remarkable practical successes contrast with a morass of slow-moving policy programmes. Although there seems to be a general agreement amongst national governments that the EU has a role to play in this field, the absence of major progress can be attributed to European
4 The other three being Pursue, Prevent and Respond. See Council of the European Union (2005) ‘The European Union Counter-Terrorism Strategy’, 14469/4/05, 30 November 2005.
5 Ibid., p.8.
6 For a more in-depth examination of these border control policies, see Leonard, Monar and Kaunert and MacKenzie’s articles in this issue.
governments’ lack of political will for pooling efforts in aspects that are sensitive to national sovereignty. The EU has followed a sectorial approach in this field, with activity scattered across spheres of action governed by a variety of institutional actors. In principle, this allows for a tailored approach to different CI needs and varying legal competences across the policy spectrum,7 yet as will later be discussed, this also has important implications for a coherent and holistic European response. Although an external observer would expect to find most policy action to be concentrated within the critical infrastructure protection (CIP) sphere, in reality much practical work has come under the transport security policy space. In parallel, the protection of computer communication structures has been mainly discussed under the cyber-security policy sphere. These three are sectors with strong individual dynamics but also functional overlaps. Finally, some horizontal programmes such as the CBRN policy package, the security of explosives policies Action Plan and Security Research funding schemes possess some elements that are relevant to the hardening of critical assets from intentional damage. Thus, CIP, transport security, cyber-security and cross-sector programmes are, in that order, the main sections that this paper will cover before producing a general assessment at the end. 
Critical Infrastructure Protection
Broadly speaking, CIP is a recent area of EU interest, practically non-existent prior to the 9/11 attacks.8 Although the impact of natural disasters on infrastructures was informally discussed in the aftermath of the 2004 Indian Ocean tsunami,9 it was only after the Madrid attacks that the European Council decided to substantively act at the EU level on the protection of critical infrastructures.10 The Council agreed to invite the development of policies ‘to strengthen the protection of citizens, essential services (such as water supplies, energy and communications) and production systems (agrofood and process industries)’.11 The request was taken up by the seminal 2004 Commission Communication ‘Critical Infrastructure Protection in the Fight against Terrorism’, which has acted as the foundation for the EU efforts in this field.12 Although terrorism takes priority here as the source of disruption, EU CIP followed
7 Asa Fritzon, Kristin Ljungkvist, Arjen Boin and Mark Rhinard, ‘Protecting Europe’s Critical Infrastructures: Problems and Prospects’, Journal of Contingencies and Crisis Management 15/1 (2007) pp.30–41.
8 EU involvement was restricted to legislation and inspections in the radiation protection field in the framework of the EUROATOM Treaty.
9 Interview with Council Secretariat official, DG I Civil Protection Unit, January 2006.
10 New Defence Agenda, Strategic Priorities for Protecting Europe’s Infrastructure against Terrorism (Brussels: NDA 2005) p.6.
11 European Council (2004) ‘Declaration on Combating Terrorism’, 25 March 2004, p.11.
12 European Commission (2004) ‘Communication from the Commission to the Council and the European Parliament. Critical Infrastructure Protection in the Fight against Terrorism’, COM(2004)702 final, 20 October 2004.
from the start an all-hazards approach that accounted for other factors including natural disasters, negligence and criminal activity. Following the Communication, European ministers endorsed the idea of a more detailed program for CIP. The Commission responded in 2005 with a ‘Green Paper’ on a European Programme for Critical Infrastructure Protection (EPCIP), to gather feedback from relevant stakeholders such as CI operators, national authorities and private firms with a view to eventually formulating EPCIP. The Commission’s Green Paper had a mixed response from member states. Although there was a general agreement on the need for a European programme in this area, there were also significant differences of opinion13 on matters such as hazards to be covered, key principles, legal framework, definition of critical infrastructure, national overseeing bodies or responsibilities of the stakeholders. Nonetheless, results were eventually achieved with a 2006 Communication that outlined EPCIP’s main function as guaranteeing adequate levels of protective security on CI across the Union by ensuring that each member state is providing minimum levels of protection. This would be achieved with the identification of CIs, the analysis of vulnerabilities and the exchange of information on protection methods. The programme would involve a large number of stakeholders: public and private actors from national governments, regional authorities and owners and operators from the industry. The Commission would then work side by side with member states in agreeing to common principles, methodologies, list of CI sectors and standards of infrastructure protection. Effectively, EPCIP is constituted by three elements: a Council Directive, a financial programme14 and a Critical Infrastructure Warning Information Network (CIWIN). 
CIWIN’s objective is to create an epistemic community, a network of national specialists that would stimulate the exchange of expertise on shared threats, vulnerabilities and appropriate counter-measures. As a network made up by member states’ representatives, CIWIN is fully dependent on member-state authorities’ willingness to share knowledge and establish consultation. On the other hand, the 2008 Directive on the Identification and Designation of European Critical Infrastructures (ECIs) aimed to formulate a common procedure for designating CIs in Europe and a common approach
13 Interview with Commission official, DG JLS Infrastructure Protection Unit, March 2006.
14 The 2007 ‘Prevention, Preparedness and Consequence Management of Terrorism and other Security related Risks’ Programme to support Member States’ efforts to ‘prevent, prepare for, and to protect people and critical infrastructure against terrorist attacks and other security related incidents by providing funding for relevant CIP-measures’. See Madelene Lindström, ‘The European Programme for Critical Infrastructure Protection’ in Stefan Olsson (ed.) Crisis Management in the European Union. Cooperation in the Face of Emergencies (Heidelberg: Springer 2009) p.52.
to improve resilience.15 It requests member states to identify ECIs, starting from the energy and transport sectors, and offers non-binding guidelines for the listing process. Energy and transport networks were initially chosen based on the fact that they met closely the Commission’s vision of ECIs: they are clearly transnational and their targeting by terrorists would have serious cross-border effects (i.e. an attack on a nuclear energy plant). Although the Directive has been generally welcomed, some actors have criticized it for being counter-productive to the EU’s general efforts. A 2012 UK House of Lords report argued for instance that ‘the designation of many categories of sensitive infrastructure as ECI would, because of wide sharing of information this would entail, not so much protect the infrastructure as potentially put it at risk’.16 More generally, and due to the fact that some ECIs are defence-related, the EU’s work in this area will have to overcome member states’ reluctance to provide information on CIs, particularly if a first-mover dilemma emerges here with member states refraining from exchanging sensitive information because of doubts about others’ commitments.17 Lack of trust is an important notion here because the Directive gives much leeway to national governments to avoid their obligations by simply producing a minimal list of designated ECIs or failing to impose rules on private operators. Therefore, it should not come as a surprise that a key principle running through EU action in this field is that of subsidiarity. 
The Commission has accepted that CIP is first and foremost a national responsibility.18 At the same time, and due to the transnational interlinkages between European CIs, the Commission sees its role as that of a necessary interlocutor on the matter of cross-border CIs and a ‘strategic actor’ facilitating at the European level the work of national authorities.19 Within the Commission, work has been guided by DG Justice, Liberty and Security (JLS)/DG HOME20 and by DG Transport and Energy (TREN)/DG MOVE and DG ENER. They have been assisted in places by the Commission’s Joint Research Centre (JRC), while negotiations at the Council have been held in the Working Group for Civil Protection (ProCiv). In sum, progress in this sector has been slow and ‘halting at best’.21 The negotiation phase for the EPCIP was drawn-out and protracted and, despite the
15 Council of the European Union (2008) ‘Council Directive 2008/114/EC of 8 December 2008 on the Identification and Designation of European Critical Infrastructures and the Assessment of the Need to Improve their Protection’, Official Journal of the European Union, L 345, 23 December 2008.
16 UK House of Lords, Protecting Europe against Large-scale Cyber-attacks, HL Paper 68 (London: HMSO 2010), p.15.
17 Lindström, ‘The European Programme for Critical Infrastructure Protection’, p.58.
18 European Commission (2004) ‘Communication from the Commission to the Council and the European Parliament. Critical Infrastructure Protection in the Fight against Terrorism’.
19 Interview with Commission official, DG JLS Infrastructure Protection Unit, March 2006.
20 In February 2010 DG JLS was divided into DG HOME and DG Justice and DG TREN into DG MOVE and DG ENER.
21 Mark Rhinard and Arjen Boin, ‘European Homeland Security: Bureaucratic Politics and Policymaking in the EU’, Journal of Homeland Security and Emergency Management 6/1 (2009) p.5.
discussions starting as early as 2004, the European Parliament (EP)’s approval for the establishment of CIWIN was achieved only in 2009. As a result, at the time of writing, national authorities are still at the stage of designating ECIs and this only in two CI sectors: energy and transport. Disagreements between Commission Directorates-General (DGs) and poor coordination,22 the sensitivity of certain CIs, and member states’ very different legal traditions and CIP organizational systems23 explain the slow pace in getting action in this area off the ground.
Transport Security
EU action in transport security has as a goal to provide a baseline level of protection to European transport systems. As transport policies are placed under the first-pillar framework, transport security has been considered a Community competence. Due to the fact that an EU-level regime already existed in this area, the Commission has become the leading decision-maker. In fact, it is safe to say that this is the area in EU counter-terrorism where this institution has performed its most visible role.
Aviation Security
Airports and airplanes have been frequent objectives for terrorist organizations since the first wave of hijackings in the 1970s. International cooperation and the introduction of new security measures in airports eventually led to the decline in hijackings but civil aviation’s symbolic status and the opportunity they provide for inflicting massive casualties make them still very attractive targets for Al-Qaeda associated groups. Jihadist networks’ successful attacks – and also their thwarted plots – have been interpreted by the authorities as demonstrations of existing vulnerabilities in civil aviation security and EU measures have been often a direct attempt to close perceived security loopholes. This has led to an ad hoc and piecemeal policy response that has lacked an overall strategic purpose. In this regard, 9/11 has encouraged member states to convert air security from an aspect to be discussed in intergovernmental fora to a first-pillar matter in order to ensure greater standardization and stronger enforcement of rules. 
Although air security is a shared competence, this supranational institutional setting has allowed the Commission to harmonize transport security by initiating binding Community legislation.24 Thus, the 9/11 events led initially to the EU’s Common Regulation on Civil Aviation Security, which called in 2002 for member states to adopt national security and quality control plans and to guarantee that minimum common standards are applied by airport authorities and airlines. It also empowered
22 Ibid., p.11.
23 Lindström, ‘The European Programme for Critical Infrastructure Protection’, p.41.
24 Member states remain free to apply more stringent security measures provided that they are ‘relevant, objective, non-discriminatory and proportional to the risk that is being addressed’. See EurActiv, ‘Aviation Security’, 5 September 2008.
the European Commission to carry out inspections to ensure that Community rules are properly applied.25 This key 2002 regulation was amended in September 2005 when the Commission proposed strengthening the common air security rules. The move was based on the more than 40 inspections that it had conducted since 2004 of airports, operators and other entities applying aviation security standards. Findings led to changes in regulations regarding passenger and baggage screening, aircraft security checks and the recruitment and training of staff.26 In 200827 and 2010 the rules were extensively revised and updated to deal with matters such as access to cockpits, unruly passengers and ‘sky marshals’.28 Further changes came as a result of the August 2006 Heathrow plot to explode transatlantic carriers in mid-air by smuggling hydrogen peroxide-based liquid explosives disguised as soft-drink bottles. Following British pressure, EU countries agreed within a month to request the Commission to adopt an EU ban on liquids. The Commission agreed to the ban almost immediately and on 4 October an EU Regulation was adopted for that purpose, limiting the amounts of liquid that can be taken on flights departing from EU territories.29 From here, thanks to processes of imitation between states, collaboration between major players (i.e. UK and US) plus informal contacts amongst experts, the rules were diffused worldwide through International Civil Aviation Organization (ICAO) guidelines.30 This remains to this day the EU’s counter-terror measure that has impinged most visibly on European citizens’ day-to-day lives. More recently, in October 2010 printer cartridge packages containing explosives were shipped from Yemen on various cargo and passenger flights before being intercepted in the UK. 
The ‘printer cartridge plot’ highlighted the importance of air cargo for aviation security and led to the setting-up of a High Level Working Group31 and new legislation on enhanced screening for cargo originating from ‘high risk’ locations. Whether a location is ‘high risk’ or not is based on Intcen’s analyses and vulnerabilities identified by the industry.32
25 European Commission, ‘The European Commission Proposes Strengthening the Common Air Security Rules’, press release, 22 September 2005.
26 Ibid.
27 European Parliament and Council of the European Union (2008) ‘Regulation 300/2008 of 11 March 2008 on Common Rules in the Field of Civil Aviation Security and Repealing Regulation (EC) No 2320/2002’, Official Journal of the European Union, L 97, 9 April 2008.
28 EurActiv, ‘Parliament Approves Aviation Security Overhaul’, 12 March 2008.
29 Individuals are only allowed to bring on board up to 10 containers, of a maximum of 100 millilitres each. The containers must be held in a re-sealable plastic bag to be checked by airport security officials. A few exceptions apply, such as medicines or baby milk.
30 Xiana Barros, ‘EU Counter-terrorism and Aviation Security: Supranational Rules But Intergovernmental Politics?’, European Foreign Affairs Review 17 (2012) pp.53–70.
31 Council of the European Union (2011) ‘EU Action Plan on Combating Terrorism’, 15893/1/10, 17 January 2011.
32 Council of the European Union (2011) ‘EU Counter-Terrorism Strategy – Discussion Paper’, 10622/11, 27 May 2011, p.8.
Not surprisingly, considering that transatlantic flights have been specifically targeted, aviation security remains a central issue for EU–US cooperation. The matter of armed marshals on transatlantic flights has been a long-running issue of discussion33 and, following the printer cartridge plot, the EU has collaborated with the US in forging an ICAO declaration committing states to further work on enhancing air cargo and supply chain security. This ICAO cooperation was inspired by a January 2011 joint EU–US statement on the screening and identification of illicit materials and on-board flight protection.34 The meeting was organized as a reaction to the ‘Christmas bomber’ plot against a US aircraft in Detroit on 25 December 2009. Although the Commission has been a leading actor and even an authoritative legislator in this field through DG JLS (and then DG HOME) and DG MOVE, its policies under the Community pillar have been shaped by input from the national experts present in the Aviation Security Regulatory Committee (AVSEC). In addition, following the Lisbon Treaty reforms to the comitology procedure,35 the European Parliament through its Civil Liberties, Justice and Home Affairs (LIBE) Committee has emerged as a key institutional figure alongside the Commission and member states, since European legislation on airport security now requires its prior approval. Interestingly the EP has been very vocal in their opposition to some of the most stringent airport security measures imposed after 9/11 due to the inconvenience they cause to passengers and doubts regarding the proportionality and effectiveness of the rules.36 So the Parliament has quickly used this new prerogative to force the Commission and the Council into a compromise in 2010 on the liquids ban. As a result, the ban was agreed to be phased out in future on the understanding that it would be replaced by better scanner technology capable of distinguishing liquid explosives from harmless liquids. 
This is just one example of the EP’s questioning approach to the post-9/11 rush towards stronger aviation security rules. Another came in the aftermath of the 2009 Christmas bomber plot, when the EP had a high-profile clash with the Council by opposing a proposal by member states for the inclusion of Whole Body Image (WBI) scanners in the EU list of scanning methods, which would have forced every EU country to install body scanners in all of their airports. The EP has given voice to critics’ objections to the scanners, who had expressed doubts on their effectiveness in detecting certain types of explosive material and raised concerns about their effects on health and their intrusion on individuals’ privacy. So far with limited success, since the
33 Kristin Archick, US – EU Cooperation Against Terrorism (Washington: Library of Congress 2011) p.13.
34 Council of the European Union (2011) ‘EU Action Plan on Combating Terrorism’, 15893/1/10, 17 January 2011, p.12.
35 This is the system of committees of national representatives that allows member states further control and oversight of the European Commission’s work in some specific matters.
36 Barros, ‘EU Counter-terrorism and Aviation Security’.
Commission still adopted a November 2011 legislation allowing airports the voluntary deployment of scanners in security checkpoints.37 Critics further contend that post-9/11 security rules have been put in place in response to specific incidents without a previous assessment of their cost, effectiveness, impact on civil liberties or the net reduction of risks they generate.38 Furthermore, European airlines and airports have been very critical of the economic burden derived from the increasing number of security rules they have to comply with, to the extent that ‘for European airports, security alone now represents up to 35 per cent of their operating costs’.39
Maritime Security
Europe is still to witness a single significant terrorist attack against its maritime ports. Yet as illustrated by the 2000 Al Qaeda bombing of the USS Cole, where 17 US sailors and two terrorists were killed and another 39 sailors were injured, water-based environments offer significant opportunities for terrorists to inflict ‘mass coercive punishment on enemy audiences’.40 Terrorist attacks can potentially be a source of economic destabilization: disturbing the functioning of the cargo freight trading system could trigger a cascade of financial effects, especially if the operations of a major commercial port were curtailed. Furthermore, ports are focal points for both shipments of dangerous cargo and also major chemical and petrochemical production centres. As they are usually located near urban centres, a terrorist attack would trigger knock-on effects on both the surrounding industry and local populations.41 Since much of the maritime trading system is designed to be as accessible and flexible as possible by keeping costs low, there is no incentive by the private sector to enact a stringent security regime. The initiative must come from national and international public bodies. 
In this context, specific EU action in maritime security has been heavily influenced by the International Maritime Organisation (IMO). For instance, the 2003 Directive for Security at the Port/Ship interface derives from IMO 2002 standards. Alternatively, the IMO’s 2004 ‘International Ship and Port Facility Security Code’ (ISPS Code) was also adapted by the EU in July 2004 to introduce higher ship and port security levels. The goal of the ISPS Code is to provide a standardized, consistent framework for evaluating risk. It requires ports and vessels to install security systems and vessels alone to demonstrate that they have been calling only at certified ports.42

37 Council of the European Union (2011) ‘EU Action Plan on Combating Terrorism’, 17594/1/11, 9 December 2011.
38 K. Jack Riley, ‘Flight of Fancy? Air Passenger Security since 9/11’ in Brian M. Jenkins and John P. Godges (eds.) The Long Shadow of 9/11. America’s Response to Terrorism (Santa Monica: RAND 2011) p.159.
39 EurActiv, ‘Aviation Security’.
40 Peter Chalk, The Maritime Dimension of International Security Terrorism, Piracy, and Challenges for the United States (Santa Monica: RAND 2008) p.xiii.
41 EurActiv, ‘Transport Security’, 15 February 2007.
42 EurActiv, ‘Critical Infrastructure’, 13 December 2006.
Moreover, the 2005 Directive on Enhancing Port Security43 requested member states to draw up port security plans and to appoint a security officer in each major European port. The purpose was to improve security in those areas not covered by the 2004 Regulation on enhancing port and ship facility security.44 A 2006 security amendment to the European Customs Code introduced a system of electronic advance cargo information, an Authorised Economic Operator programme and more R&D funding for relevant technologies. The 2008 EU Modernised Customs Code builds on this with an IT-based risk management system to support custom inspections. According to the Commission, all of these rules make EU maritime security legislation ‘one of the strictest worldwide’.45 The EU has also adopted stricter cargo screening rules as a result of external pressure by the US. In 2004 the EU and the US signed a customs cooperation accord that has extended the US Container Security Initiative46 (CSI) programme to 10 EU member states’ ports. The programme stations US customs officers in foreign ports to help pre-screen US-bound maritime cargo and prevent the arrival of dangerous weapons or explosives to US shores.47 It is a reaction to the far from exhaustive screening of container shipments: in the neighbourhood of 2 per cent of all shipments worldwide previous to the introduction of the rule,48 a situation which creates a plethora of openings for illegal activity. Since a first-pillar European regime existed in this sector previous to 9/11, the Commission has been able to maintain a visible role. 
It has endowed itself with the powers of conducting inspections in order to identify weak points and monitor member states’ implementation of norms.49 With the goal of ensuring coherence in the implementation of maritime security measures throughout Europe, the Commission has conducted more than 400 inspections of ‘administrative authorities, maritime companies, recognized security organizations and ports and installations’.50 However, as in aviation

43 European Parliament and Council of the European Union (2005) ‘Directive 2005/65/EC of 26 October 2005 on Enhancing Port Security’, Official Journal of the European Union, L 310, 25 November 2005.
44 EurActiv, ‘Commission Adopts New Measures to Protect Ports from Terrorist Attacks’, 8 June 2007.
45 European Commission (2010) ‘Commission Staff Working Document. Secure Trade and 100% Scanning of Containers’, SEC(2010)131 final, 11 February 2010.
46 European Community and the USA (2004) ‘Agreement on Intensifying and Broadening the Agreement on Customs Cooperation and Mutual Assistance in Customs Matters to Include Cooperation on Container Security and Related Matters’, Official Journal of the European Union, L 304, 30 September 2004.
47 Archick, US-EU Cooperation Against Terrorism, p.13.
48 Roland Crelisten, Counterterrorism (Cambridge: Polity Press 2009) p.164.
49 European Commission (2008) ‘Regulation 324/2008 of 9 April 2008 Laying Down Revised Procedures for Conducting Commission Inspections in the Field of Maritime Security’, Official Journal of the European Union, L 98/5, 10 April 2008.
50 European Commission (2010) ‘Communication on the EU Counter-Terrorism Policy: Main Achievements and Future Challenges’, COM(2010)386 final, 20 July 2010.
transport security, the work of the Commission is not conducted in isolation but in close association with member state experts at the Maritime Security Regulatory committees (MARSEC).51

Land and Urban Transport Security
Some of the most devastating terrorist attacks in Europe in recent times have targeted land-based transport. As reported in a May 2010 EU Counter-Terror Coordinator (CTC) report: The Madrid train attacks on 11 March 2004 killed 191 people and wounded 1800. In London on July 2005: 52 people were killed and around 700 were injured. The attack on the Nevski express in Russia on 27 November 2009 killed 27 people and, in the Moscow Metro attack of 29 March 2010, 39 people were killed and 70 wounded.52 Despite all of this evidence, action in this area has been negligible, at least if compared to the aviation and maritime spheres: the EPCIP Green Paper did not include public transportation in the list of transport sectors and most of the Commission’s work in urban transport security is reduced to consultations with the public transport sector leading to few tangible results.53 This has moved the CTC to acknowledge that ‘more has to be done on the less protected area of land transport’.54 In reality, this is far from being a specific EU problem; aviation has also received remarkably more attention than rail transport at the domestic level55 due to well-known questions of cost, practicality and limited resources.56 Yet this trend has been compounded in EU decision-making by the lack of a standing committee on land transport security,57 the pre-eminence of the principle of subsidiarity and the absence of an international organization comparable to the ICAO or the IMO requiring a co-ordinated European approach. More recently, to remedy the EU’s limited involvement and lack of prioritization, the Stockholm Programme has called for greater attention to potential targets such as urban mass transit and high-speed rail networks. The

51 Council of the European Union (2011) ‘EU Action Plan on Combating Terrorism’, 15893/1/10, 17 January 2011, p.11.
52 Council of the European Union (2010) ‘EU Counter-Terrorism Strategy – Discussion Paper’, 9685/10, 10 May 2010.
53 EurActiv, ‘Transport Security’.
54 Council of the European Union (2010) ‘EU Counter-Terrorism Strategy – Discussion Paper’, 15894/1/10, 29 November 2010.
55 Exceptions are some special security measures already applied on certain high-speed connections, such as the Eurostar.
56 Jack Riley, Terrorism and Rail Security. Testimony Presented to the Senate Commerce, Science, and Transportation Committee on March 23, 2004 (Santa Monica: RAND 2004).
57 The only relevant existing institutional structure is an expert group on urban transport security. See Council of the European Union (2009) ‘Implementation of the Action Plan on Enhancing the Security of Explosives’, 11056/09, 18 June 2009.
matter has also been prioritized in the Commission’s Internal Security strategy and the CTC discussion papers. Hence, and as a tentative first step, the Commission Communication on the Internal Security Strategy has suggested setting up a Land Transport Security body to add to that of Aviation Security (AVSEC) and Maritime Security (MARSEC).
Critical Information Infrastructure Protection

It is widely recognized that the internet is an outstanding tool for terrorist groups: they can use it to plan operations, establish communications, incite to terrorism, train and recruit new members and raise funds.58 Yet despite being portrayed as a real and immediate threat in the media,59 there has not been so far a single recorded instance of cyber-terrorism,60 understood as an attack by terrorist networks against a critical information infrastructure (CII) that causes harm to persons or property and leads to death or injuries, as opposed to just the mere disruption of non-essential services.61 Although there have been in recent times high-profile cyber-attacks of political character, these are examples of cyber-activism (e.g. the 2007 Denial of Service attacks on Estonia) or cyber-warfare (e.g. the 2010 Stuxnet virus that sabotaged the Iranian uranium enrichment programme). The EU CTC himself has acknowledged that cyber-terrorism is not ‘the major hazard’ but ‘like in the field of the CBRN threat we have to start our preparation before terrorists acquire know-how or capacities to target our infrastructures’.62 Thus, the EU has recently launched some initiatives that concentrate on making CIIs more resilient to potential cyber-attacks by terrorist groups. Critical Information Infrastructure Protection (CIIP) is about the protection of systems such as the internet, mobile and fixed telecommunications, fibre optics, computer networks and satellites. These infrastructures are both essential for the functioning of most other CIs and also fundamental for

58 Raphael F. Perl, (OSCE), ‘Terrorist Use of the Internet: Threat, Issues, and Options for International Co-operation’, Second International Forum on Information Security, 7–10 April 2008.
59 Of course, this is certainly not the first example of the media sensationalizing threats – real or perceived – to information infrastructures. Many reports predicting a catastrophic impact of the Y2K bug were of course greatly exaggerated. For a critical view on popular media’s coverage of cyber-threats, see Maggie Wykes and Daniel Harcus, ‘Cyber-terror: Construction, Criminalisation and Control’, in Majid Yar and Yvonne Yewekes (eds.) The Handbook of Internet Crime (Cullompton: Willan Publishers 2010) pp.214–29.
60 Cyber-terrorism is defined by Pollitt as ‘premeditated, politically motivated attacks against information, computer systems, computer programs, and data, which result in violence against non-combatant targets by sub-national groups or clandestine agents’. See Mark M. Pollitt, ‘Cyberterrorism: Fact or Fancy?’, Computer Fraud and Security February (1998) pp.8–10.
61 Dorothy E. Denning, ‘Testimony before the Special Oversight Panel on Terrorism, Committee on Armed Services’, US House of Representatives, 23 May 2000.
62 Council of the European Union (2010) ‘EU Counter-Terrorism Strategy – Discussion Paper’, 15894/1/10, 29 November 2010, p.6.
managing breakdowns and bringing infrastructures back to work.63 In line with this, the EU’s flagship CIIP plan is built on five pillars: definitions of ECIIs, preparedness and prevention, detection and response, mitigation and recovery and nurturing of international cooperation. At the institutional level, the EU’s first notable response to cyber-crime was to encourage the establishment of national Computer Emergency Response Teams (CERTS) in Europe to provide advice, training and alerts on potential attacks.64 Following from this, a European Network and Information Security Agency (ENISA) was set up in March 2004 in order to act as a centre of expertise to assist the Commission, member states and private bodies in the analysis of current and emerging risks, sharing best practices and the development of standards. In 2010, ENISA coordinated the first pan-European cyber-security exercise (Cyber Europe 2010), while the Commission tabled proposals to strengthen and modernize the organization to improve the reaction to individual cyber-threats. Nevertheless, the Commission’s proposal will have no bearing on the fact that the organization is still hampered by its remote location in Crete and low staff numbers;65 moreover, ENISA’s mandate is restricted to first-pillar matters, which explains why Europol hosts the European Cybercrime Centre (EC3). Although Europol already had some limited cyber-crime capabilities, officials expect that the establishment of the EC3 will make Europol a major actor in this field.66 Although also mostly dealing with the problem of cyber-crime, a 2009 Commission Communication on Cyber-security illustrated the EU’s increased interest in improving the capability for tackling cyber-attacks from any source. The Communication has been criticized for not having a well-defined global dimension,67 which is ironic, since one of its main goals has been to constitute a starting point for the development of global standards.
This is a pressing problem: even if cyber-security is on the agendas of some 30 multilateral organizations, much of the work is fragmented and needs a clearer focus. Overall the document has been well received, even if its timetables for action have been disparaged for being rather unrealistic.68 Also in 2009, a European Public Private Partnership (EP3R) was launched as a Europe-wide governance framework for the resilience of ICT infrastructures. It aims to foster public-private partnerships on security and resilience objectives, baseline requirements and good practices and to encourage international cooperation in the global risk management of IT networks. In addition, the European Forum of Member States (EFMS)’s ambition is to be a platform for the exchange of best practices amongst national

63 Jan Metzger, ‘The Concept of Critical Infrastructure Protection’, in Alyson J.K. Bailes and Isabel Frommelt (eds.) Business and Security Public–Private Sector Relationships in a New Security Environment (New York: Oxford University Press 2004) pp.197–209.
64 EurActiv, ‘Cybersecurity: Protecting the Digital Economy’, 7 November 2011.
65 ENISA has about 65 staff members.
66 Interview with Europol officials, May 2012.
67 UK House of Lords, Protecting Europe against Large-scale Cyber-attacks.
68 Ibid.
authorities on the security and resilience of ICT infrastructures. According to the Commission, the EFMS has had a good start and is acknowledged by member states to be a helpful tool to support knowledge-sharing.69 On the legislative side, a 2010 Commission Directive repealed the 2005 Council Framework Decision on attacks against information systems. The objective of the legislation still is to approximate criminal law within the Union in the area of attacks against information systems and to ensure police and judicial cooperation regarding cyber-criminal offences. It has been updated to cover intentional hacking, distribution of viruses, denial of service attacks and website defacement. There are also examples here of transatlantic cooperation. A joint working group on cyber-security, established during an EU–US summit in November 2010, has been set up to work on cyber-incident management, public–private partnerships, awareness-raising and cyber-crime70 and has been already regarded as a ‘very high level and a very serious effort’.71 In sum, CIIP or, more broadly, cyber-security is a very recent field of EU interest. In spite of this, it has rapidly developed, to a substantial extent motivated by a series of high-profile events72 that have raised European concerns. Threat perceptions are not equally high amongst member states however: some governments are more aware of the threat of cyber-attacks on their critical infrastructure than others and are thus more interested in sharing information.73 In fact: ‘only 12 member states have organized exercises for large-scale network security incident response and disaster recovery, according to ENISA’.74 Broadly speaking, national governments are also in different stages of experience and understanding of cyber-related threats.
So in order to create a baseline level of security and bring member states with less developed systems closer to the level of the most advanced, the EU’s approach has gone along the path of listing common standards and best practices. Furthermore, penalties have been harmonized to prevent ‘venue-shopping’ by ill-intentioned Internet users, who would choose to act in those countries with the least restrictive jurisdictions. The idea is to avoid a disjointed response by member states ‘with different legal regimes, different offences and different prosecution systems’.75 This means that in practice EU

69 European Commission (2011) ‘Communication on Critical Information Infrastructure Protection. Achievements and Next Steps: Towards Global Cyber-security’, COM(2011)163 final, 31 March 2011.
70 EurActiv, ‘Cybersecurity: Protecting the Digital Economy’.
71 UK House of Lords, The EU Internal Security Strategy, HL Paper 149 (London: HSMO 2011) p.49.
72 The 2007 distributed denial of service (DDoS) attacks that shut down the systems of Estonia’s governmental sites and key private firms’ online services, the June 2010 appearance of computer virus Stuxnet, which disabled the centrifuges at an Iranian uranium enrichment plant, the March 2011 hacking of the European Emissions Trading Scheme and others.
73 EurActiv, ‘Critical Infrastructure’.
74 EurActiv, ‘Cybersecurity: Protecting the Digital Economy’.
75 UK House of Lords, The EU Internal Security Strategy, p.40.
activity in this field will have little effect on those countries with an already well-developed cyber-security sector, such as the UK or Germany.
Horizontal Programmes

Complementing the abovementioned efforts in the Protect strand, other horizontal programmes are relevant to the hardening of potential terrorist targets in Europe. These comprehensive plans of action are ‘horizontal’ insofar as they encompass a large number of initiatives across the four strands of the European Counter-terrorism Strategy and, as such, they hold some relevance for the Protect dimension. Firstly, in 2008 the EU released an extensive and ambitious Action Plan for the Enhancement of the Security of Explosives. The most relevant measures are the setting-up of a Network of European Explosive Ordnance Disposal (EOD) units, an Early Warning System (EWS) and a Europol-hosted database with data on incidents related to explosives (European Bomb Data System (EBDS)).76 These, and most of the other 40 measures that are embraced in the Plan, aim to mostly prevent the unauthorized access to explosive devices by terrorists but they do also attempt to encourage national actors to apply security enhancement solutions to vehicles carrying explosives. In a similar vein, a comprehensive (about 130 individual actions) 2009 EU CBRN Action Plan intends to prevent and limit the impact of CBRN attacks by restricting the access to these materials, improving their detection and enhancing the response to events involving CBRN substances.77 Relevance to the subject comes from the fact that two of the 26 specific goals of the plan are about increasing the security of high-risk CBRN materials and facilities and improving the security of transport. Regarding the former, the programme calls on member states to strengthen the relationship between site security managers and law enforcement authorities in areas like background checks and security vetting. It also aims to ensure that security plans and security management systems in high-risk CBRN facilities are in place.
In this context, the Commission would help by organizing workshops bringing together experts from the transport sector, security services, law enforcement and supervisory authorities. Finally, EU efforts in infrastructure protection have been underpinned by an exponential increase in funding for security research by the Commission. In practice, the development of the ESRP (European Security Research Programme) within the 7th Framework Programme of Community Research (2007–13) (FP7) has been supported with an allocation of €1.4 billion.78 Unlike other aspects of FP7, the ESRP is managed by the European

76 European Commission (2007) ‘Action Plan on Enhancing the Security of Explosives’, press release, 6 November 2007.
77 Council of the European Union (2009) ‘EU CBRN Action Plan’, 15505/1/09, 12 November 2009.
78 Council of the European Union (2011) ‘EU Action Plan on Combating Terrorism’, 15893/1/10, 17 January 2011, p.17.
Commission’s DG for Enterprise and Industry rather than DG Research. It involves more than 80 collaborative research projects on dual-use technology and 900 public and private organizations.79 This has led some to call it the start of a European ‘security-industry complex’80 ‘geared toward the public procurement of security technologies rather than objective research in the traditional sense’81 where ‘much of the thinking behind CIP techniques of the ESRP is derived from military technology and practice’.82 Clearly, security of infrastructures and utilities is an important part of this research effort: half of the workshops organized by the FP7 Security Research team to disseminate findings from projects have been in the areas of maritime border security and aviation security research. Complementing this allocation, an independent funding programme on ‘Prevention, Preparedness and Consequence Management of Terrorism and other Security Risks’ runs in parallel to the FP7. Furthermore, ESRIF, the European Security Research and Innovation Forum set up by the Commission to advise it on the priorities for future research, has one specific Working Party fully focused on security and critical infrastructures. Certainly, the search for technological solutions is a key aspect of the Commission’s approach to the protection of European CIs.

Summary of Progress

EU decision-makers believe that critical infrastructures are of major significance to European societies and that they must be protected against prolonged periods of breakdown. The attacks in Madrid and London and the alarms raised by other foiled plots have demonstrated that terrorism has the potential to cause major disruptions to the functioning of critical systems and test public trust in the authorities’ capacity to provide security. Yet the strengthening of these assets to better withstand external shocks is a challenging task that requires the involvement of both public and private actors.
This has raised important questions regarding ownership, absorption of costs and effective coordination and communication needs. The fact that a breakdown in some European CIs may have a severe impact in neighbouring countries has forced European governments to consider a pan-European approach to this matter. In the area of counter-terrorism, CIP is part of an action-reaction cycle where terrorist innovation and learning results in new methods to circumvent security measures, which eventually triggers a response from the state in the form of new mechanisms to fend off terrorist threats. Although terrorist attacks in Europe have challenged in the past the stability and viability under pressure of key

79 Council of the European Union (2009) ‘EU Counter-terrorism Strategy – Discussion Paper’, 9717/09, 14 May 2009.
80 Ben Hayes, Arming Big Brother. The EU’s Security Research Programme, TNI Briefing Series, 2006/1 (Amsterdam: Transnational Institute 2006).
81 Ben Hayes, NeoConOpticon. The EU Security-Industrial Complex (Amsterdam: Transnational Institute 2009) p.19.
82 Ibid., p.60.
components of a state’s critical infrastructure, none of these have ever affected more than one country simultaneously. Even then, pressure from the attacks has encouraged European leaders to act and to adopt a formal commitment to greater European cooperation. This paper argues however that EU action has not yet matched the ambitions portrayed in their programmes and declarations. On the one hand, the EU has become more actively engaged in strengthening European public and private facilities against security risks, an area member states had been traditionally reluctant to delegate to the EU before 2001. There is now a broad assumption, at least in EU rhetoric, that the need for an EU role in enhancing CIP capability is indisputable due to the potential transnational impact of some natural and man-made disasters. The EU’s efforts now ‘share a common focus on the protection of people, vital systems, and core societal values from dangerous threats’, so there has been a swift move from these matters being ‘virtually unnoticed at the supranational level’ to becoming a political priority.83 As a result, the EU has put forward a set of ambitious policy agendas in CIP, CIIP and other horizontal programmes. In these fields, the role of the EU has been mostly about stimulating, supporting and facilitating cooperation through the tools of policy frameworks and standard guidelines. EU action has pursued the development of common methodologies in the definition of what an ECI is, the improvement of coordination in the field, and the dissemination of best practices in order to enhance levels of protection. At the same time, only in the areas of transport and maritime security has there been a serious regulatory effort in the form of Community legislation and an operational role for the Union through individual inspections. Unlike much of EU counter-terrorism, the Commission has been the leading actor.
It has proactively adopted the role of strategist and coordinator and, more rarely, also that of regulator. The Commission has actively supported the exchange of information and knowledge and assisted with national decision-making. In an attempt to reinforce this position, it has aimed to co-opt industry and interest groups with proposals for public–private security dialogues or referrals to a ‘high societal demand’. As in other dossiers, it has tried to tap into the support and legitimacy that comes from the support of large lobby groups to its proposals.84 There is also a functional necessity: due to the private ownership of major elements of critical infrastructure any security and control measures will, almost by definition, require the involvement of both private and public interests. Yet in reality private actors have been reluctant partners, particularly in transport security. As shown in other areas such as terrorist financing,85 whereas public authorities speak of virtuous public–private partnerships, industry representatives have a more negative perception, often seeing this

83 Fritzon, Ljungkvist, Boin and Rhinard, ‘Protecting Europe’s Critical Infrastructures’, p.30.
84 Sonia Mazey and Jeremy John Richardson, ‘Institutionalizing Promiscuity: Commission-Interest Group Relations in the EU’ in Alec Stone Sweet, Wayne Sandholtz and Neil Fligstein (eds.) The Institutionalization of Europe (Oxford: Oxford University Press 2001).
85 See Bures in this issue.
relationship as one-sided. They often prefer to portray it instead as one side setting rules for the other to follow while the costs of what they see as a public duty are burdened on the private sector. In parallel, the role of the European Parliament has been keenly felt after Lisbon in the area of transport security, where the EP has brought to matters such as the liquid ban and airport scanners a much-needed reminder of the importance of privacy and passenger rights. This has led to some frontal clashes between MEPs on the one side and national governments’ interests on the other. Having noted this, and despite the broad agreement on a European approach to these matters, there is a long-running tension in this field between the notion of national sovereignty versus the transborder character of ECIs. National governments are aware of the necessity of enhancing cross-border cooperation on CIP but remain reluctant about delegating powers to the EU. Member states have reminded the Commission at every step of the discussions about EPCIP of the importance of the principle of subsidiarity and, even in the most communitarized policy spaces such as transport protection, supranational drive has been constrained and directed by Committees of national representatives. So the operational organization and on-the-ground delivery remains very much a national responsibility. In addition, an institutional analysis of the transport security and CIIP spaces cannot be complete without a reference to the role of external actors such as international organizations and the US. EU interaction with international organizations such as the IMO and the ICAO has worked both ways: the EU has worked hard in some cases, often together with the US, to upload Europe-wide regulations to the international arena whereas in other cases it has adopted and translated international rules to European legislation. 
Alternatively, no other international actor has influenced EU security policies more comprehensively than the US – leading in some instances to an asymmetric process of internalization of US security norms86 – and in this respect the transatlantic relationship in transport security has certainly been substantial. It has also resulted in some serious disagreements: as a case in point, US legislation mandating 100 per cent screening of cargo on flights and ships bound to the US has been rather controversial. Interestingly, these demands have pitted some US Members of Congress and European politicians calling for full screening of cargo on one side, and most EU officials and US Department of Homeland Security officers on the other. The latter claim that 100 per cent screening would be ‘impractical, pose significant technical hurdles, and impose heavy financial burdens on the air cargo industry’, suggesting instead a risk-based system to identify those shipments that require greater scrutiny and physical screening.87 This ‘politically

86 Javier Argomaniz, ‘When the EU is the “Norm-taker”: The Passenger Name Records Agreement and the EU’s Internalisation of US Border Security Norms’, Journal of European Integration 31/1 (2009) pp.119–36.
87 Archick, US–EU Cooperation against Terrorism, p.12.
complex’88 issue is part of a broader debate about how far security measures can go before becoming intrusive and over-expensive, a discussion where industry associations have lobbied EU institutions hard for the recognition of the high direct and indirect costs that additional layers of security represent for private operators.
Conclusions

When we cut through these matters to consider the implications of the EU’s CIP response on the ground for European anti-terrorism, one cannot but highlight the fact that results have been clearly lopsided: a few remarkable instances of swift and firm EU action in a sea of barely visible practical advances in most policy spheres. Clearly, there have been widely differing degrees of intensity of action across sectors and dramatic disparities regarding the extent to which the EU adds value across the policy spectrum. At the moment of writing, European work is still ongoing on the identification of national CIs that have a cross-border impact. Attention is focused still on only two out of the 11 sectors that the Commission had originally identified to be covered by EPCIP.89 Defining which infrastructures are critical and under which particular set of circumstances is a challenging step since no absolute definition exists – only varying degrees of criticality – and this criticality can change due to new technological developments resulting in new CIs constantly emerging. Yet the reality is that the EU has still not moved far from the discussion stage and, funding of CIP research aside, there have been no measures focused on actually strengthening those infrastructures in practice. Even these initial preparatory moves have faced scepticism from both private companies and national governments and doubts on whether resources devoted to ECI protection would grow in the absence of transnational crises.90 CIIP is similarly at an embryonic stage. Only very recently has the EU tried to better grasp the complexities associated with the protection of computer networks.
Most of the work has focused on moving towards a better understanding of the problem, yet the CTC himself has criticized the fact that there is still a need for a better integrated approach to avoid the current overlap that exists with the advanced work that NATO already does on cyber-security.91 Understandably, whereas the problem of cyber-crime has attracted most of the attention, the potential threat of cyber-terrorism has been far more neglected.

88 Council of the European Union (2011) ‘EU Action Plan on Combating Terrorism’, 15893/1/10, 17 January 2011, p.12.
89 These were: energy, nuclear industry, information and communication technologies, water, food, health, financial, transport, chemical industry, space and research facilities.
90 Fritzon, Ljungkvist, Boin and Rhinard, ‘Protecting Europe’s Critical Infrastructures’.
91 Council of the European Union (2010) ‘EU Counter-terrorism Strategy – Discussion Paper’, 15894/1/10, 29 November 2010, p.7.
This takes us to aviation security, the closest thing to an EU ‘success story’. The Regulation restricting liquids on-board is perhaps one of the very few occasions where an EU anti-terrorist legislative act has had a rapid and direct effect in shaping the security environment and the continuing discussion on the introduction of scanners, although slow and protracted, is at least embracing fundamental notions such as civil liberties and cost-effectiveness, thanks in no small measure to the EP’s intervention. Even so, there has been certain adhockery and an absence of a holistic meditated response in both the aviation and maritime security spheres. More worryingly, progress on land and urban transport security has been almost non-existent despite the fact that these transit systems have been hit in the past by terrorist groups in Europe. Importantly, these significant disparities with regard to EU involvement within and across sectors are problematic for policy coherence and encourage the displacement of malicious activity by allowing the persistence of vulnerabilities. As aviation becomes increasingly more secure, it is logical to expect that terrorist groups would switch to softer targets such as rail networks or multi-modal hubs. Moreover, since different means of transport are increasingly integrated, this creates interrelated liabilities. As an illustration, problems with an aircraft could lead to a suspect package being redirected by rail freight.92 Admittedly, horizontal consistency is a persistent problem in EU counterterrorism and this is again mirrored at a reduced scale here.93 A horizontally consistent policy response would ensure that its different components follow joint goals specified in common programmatic documents and concerted efforts are delivered across the board.
Yet the EU’s policy on the protection of CIs from terrorist attacks is far from this end state, fragmented as it is into different sectors with their own parallel individual dynamics, policy framework documents and constellations of actors. As these policy sectors continue to expand with highly technical programmes involving specialists with limited knowledge of other areas, the current trend is towards growing sectorialization and policies that evolve in isolation from each other while failing to exploit synergies. Therefore, since the national governments’ resistance to moving quickly in some areas is unlikely to soften anytime soon, a potential avenue for EU institutions to enhance their contribution could be to work towards better coordination of institutional actors in the CIP, transport, CIIP and security research fields. An encompassing overall strategy document should subsume and tie these sectors together at a conceptual level and ensure that efforts within sectors are moving in the same direction. In addition to receiving particular attention from the CTC, the setting-up of an inter-service group presided over by the DG HOME director could also help to bring together all the DGs in the Commission with relevant responsibilities in the field of

92 Ibid., p.2.
93 Javier Argomaniz, The EU and Counter-Terrorism. Politics, Polity and Policies after 9/11 (Abingdon: Routledge 2011).
guarding infrastructures from man-made attacks (DG MOVE, DG ENER, DG JUST and others). At this level long-term planning could be developed, specific initiatives prioritized and perspectives reconciled to move towards an EU approach that is both more balanced and comprehensive. In sum, a critical assessment of the value of the EU in guarding ECIs from terrorism is highly dependent on the assessment criteria. As already mentioned, the Counter-terrorism Strategy aimed to strengthen the defences of CIs, by reducing their vulnerability and ameliorating the effects of a physical or electronic attack. To do so, there was a need to ‘establish a Programme of work aimed at improving the protection of critical infrastructure across Europe ( . . . ) developing an all hazard approach which recognizes the threat from terrorism as a priority’ and ensuring that EU research efforts ‘contribute to developing methodologies for protecting crowded places and other soft targets from attacks’.94 If we use these statements as benchmarks for success, it is possible to argue that the EU has met its 2005 goals: an EPCIP programme has been agreed on, EU action plans on cyber-security, CBRN and explosives have been released, and principles of action and future work plans are in place. If, on the other hand, we consider that ‘success’ should be measured in terms of the capacity of EU policies to change the security context on the ground, then one would need to conclude that, although slowly moving forward, the EU has not yet travelled far enough from the starting line.

Notes on Contributor

Javier Argomaniz joined the St Andrews Centre for the Study of Terrorism and Political Violence (CSTPV) in 2009. He has developed his academic career in Spain (Universidad del Pais Vasco), Ireland (Trinity College Dublin) and the UK (Universities of Leicester, Nottingham and St Andrews).
Dr Argomaniz has undertaken research at a variety of national and international projects in the areas of European Studies, Criminology and Political Violence. He has recently published a monograph for Routledge on the European Union counter-terror policies. Currently he co-directs an international and multidisciplinary study on terrorism victims. The project is funded by the European Union.
94 Council of the European Union (2005) ‘The European Union Counter-Terrorism Strategy’, p.9.