This article was originally published by The European Union Institute for Security Studies (EUISS) on 4 May 2016.
As an international actor, the EU can expect to win enemies as well as admirers. Two recent terrorist attacks in close succession – the first targeting an EU military mission in Bamako, the second in the ‘EU quarter’ in Brussels – seemingly confirm this. They also lend weight to the argument that if member states want the EU to be a robust international actor, they must give it the counterterrorist powers to protect itself. But is the EU facing a classic terrorist logic of action-and-reprisal and, if not, what exactly is the EU’s risk profile?
A player and a pole
On 22 March, bombs were detonated in the public area of Brussels Zaventem airport, raising concerns about the vulnerability of Europe’s interconnected infrastructure networks – a particular preoccupation of the European Commission. Already last year, the Thalys train was the subject of two terror scares, showing that Islamists are ready to disrupt Europe’s transport systems. Now it has emerged that the perpetrators may have been eyeing harder infrastructure targets across Europe, including such critical infrastructure as nuclear power plants.
Another bombing occurred in Brussels that day, in a metro station serving the EU quarter. Although at least one of the attackers had been employed in an EU institution (as a cleaner) there is no evidence that the terrorists were directly targeting EU buildings or personnel. But, as Islamist media feeds now boast about having ‘attacked the heart of Europe’, the seed of an idea may well have been planted. Indeed, there are indications that the terrorists had been scoping the city’s diplomatic buildings (choosing the metro only because of the crowds and softness of the target).
An unconnected terrorist attack the night before was what really sharpened the EU’s threat perception: in Mali, gunmen fired on a hotel housing the EU’s military mission. This reinforced the impression that terrorists are starting to target the EU directly, ‘punishing’ staff in reprisal for the EU’s political actions and attempting to disrupt European public goods like free movement. This would be a response to the EU’s own nature as an international actor, being both a player (a classic unitary actor with common positions) and a pole (leveraging its model of cross-border cooperation).
The EU’s staff and buildings – in particular its diplomatic infrastructure overseas – are demonstrably at risk. In 2015, 99 of the EU’s 139 overseas delegations experienced security incidents – a steep year-on-year rise since 2012. Most of these were related to a general deterioration in security, such as that which forced the EU to move its delegation in Libya to Tunis or evacuate personnel from the Central African Republic. As the EU sets up a delegation in Somalia and begins re-engaging in Libya, its personnel and buildings will be even more exposed to risky environments.
They may also find themselves being picked out as targets directly. Already EU staff and buildings overseas are the focus of political demonstrations – a strong indicator of the EU’s growing profile as a player. True, EU delegations are not always the starting point for the protests, but anger often spills over from elsewhere to focus on EU buildings and vehicles, with demonstrations concentrated in those regions where the Union’s influence is felt most intensely – including in Eastern Europe and the Middle East.
It is harder to quantify the incidents experienced by Europe’s cross-border infrastructure systems. In 2006, governments began identifying infrastructures whose outage would have effects for more than one member state. But by 2012, they had designated only 14, and whole systems (airtraffic control, geospatial positioning) had slipped through the net. Operators are also notoriously reluctant to report attacks, only slowly giving information about suspected sabotage (such as on a nuclear plant in an EU border region in 2014).
The EU’s peculiar profile
This risk-profiling of the EU as ‘player’ and ‘pole’ relies on a straightforward logic of action-and-reaction (the EU takes international action x, terrorists respond with y). Yet EU officials caution against placing the Union, and its conception of itself, centre stage in this way – for two slightly different reasons. On the one hand, the EU’s international profile is often too low for it to be more than an incidental or generic target. On the other, when it does take high-profile action, the EU is not neatly categorised – it remains a complex bundle of players and political goods.
The Brussels attacks illustrate the first qualification. The terrorists were not interested in targeting EU buildings, let alone attempting direct reprisal for EU policies such as the bloc’s participation in the global coalition against the so-called Islamic State of Iraq and the Levant (ISIL). The EU buildings in Brussels were, in the eyes of the terrorists, just that – buildings. As such, they were measured against a simple tactical goal: ISIL has calculated that it can gain for itself a sheen of stateliness by engaging in gun battles with security forces. ‘Urban warfare’ is a means of achieving this.
EU buildings may admittedly be particularly attractive targets because they are bound to draw heavily-armed official protection. But, since they are protected by forces of the host state (whom the terrorists ultimately may wish to target), the buildings are probably more at risk because of their location in a particular member state than their symbolism as EU infrastructure. In short, if terrorists do pick out an EU building, then it will probably be from a range of other diplomatic buildings, some better guarded than others, and possibly feeling the heat from police and investigators.
Overseas, the threat to EU buildings is slightly different: the EU’s delegations and missions are more clearly associated with specific EU policies and actions, and the chances of reprisal are greater. But the causal logic leading to an attack may still be haphazard. When the EU squeezes ISIL’s funding streams in Iraq, for instance, the fallout for the Union’s overseas delegations and missions is diffuse: EU staff are placed at risk anywhere from Somalia (as ISIL spreads across Africa and new affiliates seek Western targets) to Kosovo (as poorlypaid foreign fighters slink home to Europe).
This highlights the second qualification: the EU is complex in its makeup and activities, and is not the straightforward ‘player’ or ‘pole’ it imagines. Even in the case of the Mali attacks, where the terrorists appear to have picked out the EU mission with care (there are far softer targets in Bamako) and to have acquainted themselves with the EU’s internal political workings (including speculation that the terrorists were specifically trying to sew tensions among the EU-28) questions remain about who exactly the attackers were addressing and what their precise message was.
This highlights the real link between the EU as an actor and its risk profile. The EU is a complicated, and sometimes confusing actor, and this increasingly exposes it to risk. Complexity can, of course, serve to shield an actor if malcontents are unable pin it down. But, as the EU today struggles to predict the exact threats it faces, its internal complexity may become a vulnerability: it could well permit terrorists to misrepresent European actions or even hamper its members’ capacity to act.
Coping with complexity
This in turn seems to bolster the argument in favour of creating a more centralised counter-terrorist hub at an EU level: if the Union cannot exercise coherent oversight of terrorist threats, its multiple moving parts will be left vulnerable. And yet, European officials are cautious about going down this path. If the EU is complex as an international actor, they say, it is because the world itself is complex. Certain vulnerabilities are inherent to the EU’s work in the world, and they require as a response basic political sense and laborious daily coordination just as much as a refocusing of powers.
Take the way the EU’s humanitarian activities inevitably elide with its civil-protection work. Humanitarian staff are able to work in some unstable parts of the world because insurgents recognise them as impartial. The same is not true of civil-protection assistance, which is performed by states at the behest of crisis-hit governments. It takes a certain level of political awareness to realise that, when crisis-stricken Islamabad calls on the EU for civil assistance, in nearby Afghanistan questions will be raised about whether the EU truly is a neutral humanitarian player.
The EU’s international work is also inextricably intertwined with the third countries themselves – indeed the EU has to rely on host states for the very protection of its personnel. This exposes it to threats in countries like Afghanistan, where it is engaged in security sector reform precisely because local authorities are weak or repressive. Again, it takes a certain degree of political nous on the part of the EU to ensure that its demands for its personnel to be protected by armed private guards does not give Kabul an excuse to slack off in its own work to prevent the spread of firearms.
On the face of it, of course, the way the Commission’s counter-terrorist powers are organised can seem a little illogical and unnecessarily fragmented – especially given the interlinked nature of Europe’s critical infrastructure. Yet, there is a good reason why the Commission competency for protecting infrastructures in the fields of communications, transport, health or finance is shared between different Directorate Generals and agencies: each player has its own, specific know-how and set of relations.
A centralisation of counter-terrorist powers will not per se make the EU more effective – and may well make it less creative. True, the Commission is often ‘flying blind’ when it comes to protecting Europe’s critical infrastructure – indeed, it is not even told which systems member states designate as ‘critical to Europe’, merely receiving a list of numbers in each category. Yet the Commission is learning to overcome such difficulties, initiating processes such as the twice-yearly meetings with national points of contact to discuss shared risks like drone overflights or cyber-attacks.
Indeed, the EU’s attempts to make its powers more coherent and concentrated have sometimes distracted it from more critical practical tasks. The Commission has spent years trying to learn from the US, Canadian and Australian national models of critical infrastructure protection. But, while this has certainly delivered useful lessons about internal coordination, it may also have obscured the more pressing international task – shoring up the EU’s infrastructure links to vulnerable neighbours such as major gasprovider Algeria.
‘To protect and to enable’
The EU is especially at risk from terrorism for a simple reason: the phenomenon requires highly costly preventive measures to protect staff, buildings and political goods, typically outstretching the direct cost of the attacks themselves. For an actor like the EU, with so many moving parts and interdependencies, these preventive measures could prove crippling. Already, the EU mission in Kabul spends 45% of its budget on security, and the EU’s dedication of just 10% of its overall spending on delegations to security may prove unsustainably low.
This challenge may explain why many of the units responsible for the security of EU staff and buildings are moving from risk avoidance to risk management: the mantra is to ‘protect and enable’ – a rather decentralised approach designed to give staff the skills to judge the risks facing them. Security units are investing heavily in training, underpinned by precise risk assessment to ascertain, say, that the priority in Kabul should be to help staff move around the city more freely, and not expend too many resources protecting them from indirect fire in the mission grounds.
This empowering approach to security can even be applied to intangible goods like free movement. The Commission is currently highlighting ‘insider threats’ – the risk of critical infrastructure being attacked by a rogue employee of the operator itself. The Commission wants EU governments to pass on vital background information to operators in other member states. The goal is not just to safeguard Europe’s physical networks. By improving vetting procedures, the EU hopes to ensure that operators continue to employ non-nationals, making the free movement of labour viable in this sector.
Naturally, this ‘protect and enable’ approach cannot fully resolve the trade-offs between functionality and security. This is clear as the EU establishes its delegation in conflict-prone Somalia. If the Union sends only ‘essential staff’ without their family members it may reduce diplomats’ contact to local society. If the EU relies on locally-engaged staff, it risks employing people whose loyalties are split. And if the EU gives local staff full access even to sensitive parts of the delegation, it may expose them to blackmail by terrorists who want information.
Nor does this approach always allow the EU to escape costly preventive security measures. In its humanitarian work, the EU partners with big organisations which actually pioneered the ‘protect and enable’ approach, and it sets great store by their ability to safeguard EU staff. But the risk is that it will end up partnering only large wellresourced players like the UN or the Red Cross, at the expense of smaller local organisations. To avoid this, the EU now finds itself underwriting the efforts of its small partners to ‘protect and enable’ their own workers.
Finally, the need to ‘protect and enable’ applies to personnel undertaking increasingly dangerous functions on the frontline. Officials working under Frontex, the EU border agency, have already been shot at by people-smugglers reclaiming their vessels, and the dangers will intensify if terrorist organisations move into the sector and nudge out risk-averse criminal groups. But these personnel simply must retain close contact to the migration flows: they are the ones who flag suspected criminals and terrorists, often in closed interviews designed to reveal migrants’ nationality.
Safeguarding EU citizens
The decentralised approach to security is clearly well-suited to a complex actor like the EU. But there is one group of people who will not readily accept its mantra of ‘risk management’ over ‘risk avoidance’: the EU’s own citizens. They expect for themselves an absolute standard of internal security, and are already concerned that the EU may be inadvertently exposing them to risk. There is no evidence that European citizens as such are being targeted by terrorists (just like there are no known specific threats against EU staff or buildings), but this could change.
Outside the EU, European citizens are at growing risk of kidnap because they hail from a bloc whose membership requires a degree of prosperity. Inside the EU, more worryingly, European citizens are at risk in their capacity as voters: terrorists have targeted citizens of Western democracies on the grounds that they can be held accountable for the actions of their governments. If terrorists were now to justify an attack on European citizens with this rationale, there would be major political fallout: not all European voters feel proper ownership of EU policy.
It might also spur the EU to take on greater counter-terrorism powers, in a bid to show that it can protect its citizens in the same way that states do. But officials again caution against this impulse, arguing that it would play into the terrorists’ true aim: the terrorists, rather than trying to punish the EU for its actions, would be probing at citizens’ deeper unease at life in a complex and interdependent world.
Roderick Parkes is a Senior Analyst at the EUISS.