This session covered three distinct but relevant topics for the Cyber 9/12 Challenge: a primer on the European Union’s structure and cybersecurity approach, an overview of industrial espionage in the modern era, and foundational principles for effective public speaking.

EU Primer (Frank Schimmelfennig)

This presentation provided a foundational understanding of the European Union, its political system, decision-making processes, and specific relevance to cybersecurity.

What is the EU? (EU vs. IO vs. State)

The European Union presents a complex structure, often described as unique. Compared to traditional states, it possesses relatively weak coercive, administrative, and fiscal capacity. It lacks its own police or army, maintains a small bureaucracy relying on member states for implementation, and does not levy taxes directly, with its budget funded by state allocations. It’s often characterized as a Regulatory State (Majone), focusing on codification, monitoring, and sanctioning rather than direct administration.

However, unlike typical International Organizations (IOs), the EU serves a general purpose across many policy areas. It operates under a hard legal order with supremacy over national law in designated fields, frequently utilizes majority decision-making rather than requiring unanimity, and features a clear separation of powers among its institutions.

Political System of the EU

The EU employs an intricate system of checks and balances with numerous potential veto points, blending intergovernmental and supranational elements.

Key Institutions

  • European Council: Heads of state or government; sets overall political direction.
  • European Commission: Executive arm, guardian of the Treaties, holds the primary right of legislative initiative.
  • Council of the EU (Council of Ministers): Composed of national ministers; represents member state governments in legislative and policy decisions.
  • European Parliament (EP): Directly elected body representing EU citizens; co-legislator with the Council.
  • European Court of Justice (ECJ): Ensures uniform interpretation and application of EU law.
  • European Central Bank (ECB): Manages the Euro and monetary policy for the Eurozone.
  • European Court of Auditors: Audits EU finances.

Power Sharing

Power within the EU is shared both horizontally and vertically. Horizontally, powers are dispersed across multiple EU institutions (e.g., executive functions involve the Commission, Council, and European Council; legislative functions involve the Commission, Council, and EP; judicial functions involve the Commission and ECJ). Vertically, power is shared between the EU level and member states, with national administrations implementing EU rules, national parliaments scrutinizing governments and EU legislation, and national courts applying EU law, often via preliminary rulings from the ECJ.

Consensus-Based Decision-Making

Despite mechanisms for majority voting, the EU political culture strongly emphasizes consensus. (Double) Supermajorities are often required, and the system lacks the traditional government/opposition dynamics found in national parliaments. A strong consensus culture prevails, particularly within the Council. To overcome institutional blockages and reach agreement, informal consultation and trilogues are frequently employed.

Policy-Making and Legislation

EU law operates on different levels. Primary Law consists of the EU Treaties, amended via a complex process involving the European Council, Intergovernmental Conferences (IGC), detailed elaboration by the Council, EP consent, and national ratification. Secondary Law refers to EU legislation passed by the institutions, taking several forms:

  • Regulation: General application, binding in its entirety, directly applicable in all member states.
  • Directive: Binding as to the result to be achieved, but leaves choice of form and methods to national authorities (requires national transposition); general application, indirect effect.
  • Decision: Binding in its entirety upon those to whom it is addressed; specific application, direct effect.

Tertiary Law includes delegated acts, implementation acts (often handled by the Commission), and ECJ case law.

Ordinary Legislative Procedure (OLP)

The most common legislative procedure (approx. 90% of legislation) is the OLP. The Commission holds the exclusive right of proposal. Legislation requires consent from both the Council of the EU and the European Parliament (co-decision). While it can involve up to three readings, informal trilogue negotiations frequently lead to adoption in the first reading, making formal conciliation rare.

EU Implementation and Enforcement

Member states are obligated to implement directives in a timely and effective manner. Failure to do so can trigger the following:

Commission Infringement Procedure

  1. Informal consultation with the member state.
  2. Letter of formal notice.
  3. Reasoned opinion.

If the issue persists, the Commission can refer the case to the European Court of Justice (ECJ). The ECJ may first issue a judgment ruling that the state must comply, and if non-compliance continues, issue a second judgment imposing lump sum or periodic penalty payments.

Assessment

Formal implementation rates are generally high (under 2% deficit). Around 90% of infringement cases are settled before reaching the ECJ, and the Commission wins approximately 90% of the cases that do proceed to court, indicating the effectiveness of the enforcement mechanism.

EU Cybersecurity Regulations & ENISA

Several key regulations form the backbone of EU cybersecurity policy, including the original regulations establishing ENISA (460/2004, 526/2013). The Regulation (EU) 2019/881 (Cybersecurity Act) significantly strengthened and permanently established the renamed European Union Agency for Cybersecurity (ENISA). It also created a framework for voluntary European cybersecurity certification schemes for ICT products, services, and processes, aiming for high cybersecurity, resilience, and trust across the EU. More recently, Commission Implementing Regulation (EU) 2024/482 laid down rules for adopting the European Common Criteria-based cybersecurity certification scheme (EUCC).

EU Agencies

General Characteristics

The EU has around 35 specialized agencies located across 23 member states (e.g., ENISA in Greece), mostly established between 2000 and 2010. These agencies possess their own legal personality, are established via secondary law, and are distinct from core EU institutions. Governed jointly by the Commission and member states, they hold varying regulatory or operational competences. Their creation often stems from crises or from member states’ reluctance to delegate further powers directly to the Commission. As of 2018, agency staff constituted roughly 13.4% of all EU personnel.

ENISA Mandate & Tasks (under Cybersecurity Act)

ENISA’s core mandate is to achieve a high common level of cybersecurity across the EU. Its tasks include supporting national authorities and EU institutions, serving as a centre of technical expertise, developing resources, aiding policy implementation, promoting capacity building (like CSIRT development and exercises), fostering operational cooperation, supporting the cybersecurity certification framework, collecting and analyzing threat information, providing advice, raising awareness, and advising on research priorities.

ENISA Management Structure

  • Management Board: Representatives from each Member State + Commission; sets general direction.
  • Executive Board: 5 members; prepares decisions for the Management Board.
  • Executive Director: Manages the agency; accountable to the Management Board, EP, and Council.
  • ENISA Advisory Group: Experts from relevant stakeholders.
  • National Liaison Officers Network: Facilitates information exchange between ENISA and Member States.

Industrial Espionage in the Digital Age (Dr. Axel Sitt)

This presentation explored the concept of industrial espionage, its evolution, and its relevance in the contemporary digital landscape.

Definition and Context

Industrial Espionage is defined as espionage conducted for commercial purposes, distinguishing it from political espionage focused on national security. While political espionage is typically governmental and international, industrial espionage often occurs nationally between competing companies or corporations. Though the methods and technology evolve, the practice itself is long-standing, with historical examples ranging from ancient military strategy to modern corporate conflicts.

Key Aspects of Industrial Espionage

Understanding espionage operations requires considering several factors:

  • Technology: Tools have shifted from physical intrusion to predominantly cyber methods.
  • Human Aspects: Exploiting human factors (vulnerabilities, corruption, deception, coercion) remains central.
  • Timing: Operations often target critical phases like product development or launch.
  • Purpose: The goal is typically to acquire valuable assets like money, know-how, skills, or capacity, though ideological motives can also play a role.
  • Legal Aspects: Operates in legally grey or illicit areas, sometimes involving bypassing regulations or sanctions (e.g., circumventing export controls). Relevant laws (like RICO, FCPA, EEA in the US) attempt to address these activities.

Beyond Espionage: Competitive Intelligence & Reconnaissance

Industrial espionage exists on a spectrum of information gathering. This also includes Competitive Intelligence, which focuses on gathering information legally and ethically (e.g., analyzing patents, public reports), and Reconnaissance, the preliminary information gathering that often precedes more targeted actions, whether legal or illicit. These activities vary in professionalism, quality, and proximity to the target (external vs. internal sources).

Shifts in the Digital Age

Digital transformation has fundamentally altered the landscape:

  1. Object of Protection: Security focus shifted from the physical “castle” to protecting “data anywhere,” massively expanding the attack surface.
  2. Knowledge Level: Required technical expertise for attackers has often decreased due to readily available tools.
  3. OT Security: Focus in Operational Technology evolved from purely safety (“no one gets hurt”) to encompass security (“no one gets inside”).
  4. Aggressor Universe: Expanded beyond direct competitors to include diverse actors like State-Sponsored groups, Criminal organizations, and Hacktivists.
  5. Speed: The pace of operations and attacks has dramatically increased.

Aspects That Have Changed the Game

Several factors have reshaped modern industrial espionage: a diverse Attacker Universe with varied motivations; extremely low Barriers to Entry for certain attacks; Technology & AI acting as powerful accelerators; the high potential for Collateral Damage; evolved Extortion Methods (like “quadruple extortion”); increasing Compliance pressures on organizations; and frameworks like the Cyber Kill Chain providing models for understanding attack stages.

Common Ransomware Types

Ransomware is a frequent tool in modern cybercrime, often linked to espionage through data theft:

  • Crypto: Encrypts files/data.
  • Lockers: Blocks access to the system.
  • RaaS (Ransomware-as-a-Service): Platform model for deployment.
  • Extortion: Encrypts and exfiltrates data, threatening leaks.
  • Wiper: Destroys data, sometimes disguised as ransomware.
  • Scareware: Fakes infections to trick users into paying.

What Can/Should Be Done?

Verification

Start by understanding your specific situation: What is your risk? Who might attack you and why? What assets have been targeted, how, and for what purpose? Based on this, determine what constitutes a meaningful defense.

Human Aspects

Recognize that humans often remain the weakest link. Be aware of psychological manipulation tactics attackers use, such as appealing to Commitment/Consistency, Social Proof, Liking/Similarity/Deception, Authority, or simply using Distraction.

Smartphone Awareness

The convenience of smartphones introduces risks. Be mindful of geo-location tracking, using unsecured Wi-Fi/VPNs, voice recognition features, the information revealed in photos and social media posts, the dangers of uploading sensitive data, and the importance of strong screen locks. Remember the adage: “You pay with your data!”

Data as Value

Treat data as “the new Gold.” Understand its value (to you and potential attackers), its potential uses (including dual-use implications), the risks associated with third-party access, and how data flow might relate to bypassing embargoes or sanctions.

The Key

Ultimately, effective defense hinges on proactive Risk Management and a clear understanding of the Drivers motivating potential threats.


Speak Well about Weird Stuff (Rhetoric Preparation)

This workshop prepared participants for the public speaking demands of the 9/12 Challenge, emphasizing practice and foundational rhetorical principles.

Why Practice Public Speaking?

Public speaking is not only a necessity for effective participation in the 9/12 challenge but also a highly transferable skill with significant benefits in professional and personal life.

Goals for the Workshop

The workshop aimed to motivate participants to Practice, encourage speaking with Conviction, prompt consideration of personal Style, and foster mindful Teamwork during presentations.

Practice!

Consistent practice is crucial and the primary antidote to stage fright. Practice whenever reasonably possible, designating specific time or building it into conversations. Actively seek feedback from others and engage in critical self-evaluation.

The Basics of Rhetoric

Elements of a Speech

  • Content: What you say.
  • Style: How you say it.
  • Structure: The organization of your speech.

Modes of Persuasion (Aristotle)

  • Ethos: Appeal to the speaker’s credibility, character, and trustworthiness.
  • Logos: Appeal to logic, reason, evidence, and structure.
  • Pathos: Appeal to the audience’s emotions.

Speak from the Heart

Authenticity and conviction are vital for effective communication. Ensure you truly Understand the material you are presenting. Believe in the message or proposal you are advocating (“selling”). Focus on conveying ONE main, clear idea you want the audience to remember.

Consider Your Own Style

Develop a speaking style that is authentic to you while remaining effective. Start by mastering the Foundation – good structure and clear delivery. Observe speakers you admire (politicians, actors, writers, comedians, etc.) and identify specific elements of their style that resonate. Then, Adapt those techniques and approaches that work well for you, rather than simply imitating.

Mindful Teamwork

Effective team presentations require close coordination. Prepare the content and delivery together. Be aware of each other during the presentation, coordinating transitions and roles at all times. Use a pre-arranged clock/timer and signals for effective Time Management.

Further Practice & Frameworks

Exercises

  • Give impromptu speeches about everyday topics (like your day).
  • Select specific stylistic devices (metaphors, rhetorical questions) and practice using them deliberately.
  • Imitate speakers you admire to understand their techniques.
  • Read and analyze great speeches: Examine their structure, word choices, and implied shifts in tone, volume, or tempo.

Other Frameworks Mentioned

  • A Japanese “Warai” (Comedy) structure diagram highlighting elements like Power, Tempo, Drama, etc.
  • Branches of Rhetoric:
    • Judicial: (Concerns past actions, justice/injustice)
    • Epideictic: (Concerns present praise/blame)
    • Deliberative: (Concerns future action, expediency/inexpediency) – most relevant for policy proposals.
