The COVID-19 crisis and subsequent lockdown rules have left their mark on every aspect of our lives. The cross-border nature of capacity building work meant that lockdown also presented challenges to the continued implementation of EU-funded cyber capacity building projects. On the other hand, we are witnessing a significant increase in the use of digital tools to continue operations and deliver. However, the crisis and intensified online work were accompanied by an increase in cyber incidents, as highlighted by ENISA and EUROPOL EC3 in their public communication.
The EU CyberNet, in cooperation with experts from DG DEVCO and the EEAS, conducted an informal survey among the EU-funded cyber projects to gain a better understanding of the general impact of the pandemic on our usual operations and capabilities, map the different strategies the projects have adopted to overcome the challenges and find best practices.
The survey audience included 13 projects and representatives of institutions that contributed to the EU CyberNet’s workshop “Enhancing a Coordinated Implementation of EU’s Capacity Building Actions in the Cyber Domain” on 10-11 March 2020 in Brussels. 10 out of 13 involved projects (77%) provided their responses. These responses reflect the assessment of the situation as of the end of May 2020 based on the information known at the time and without prejudice to the further development of the crisis.
Executive summary
- The EU-funded cyber capacity building projects managed well in adjusting their work to the new circumstances by introducing teleworking, organising events online and focussing on tasks that could be done remotely. At present, the short-term impact of the pandemic on projects’ implementation was mostly assessed as moderate and the long-term impact on the overall projects’ objectives was assessed as low to moderate, assuming the crisis would not deepen or continue for a longer period of time.
- Although most of the projects did not have business continuity plans, they were able to adjust fast. No legal or budgetary problems were identified. However, for the future it was suggested to include mitigating measures in relevant project documentation in the design and planning phase and to develop business continuity plans (adjusting objectives, activities, clarifying how much of the objectives could be delivered through alternative means) as appropriate. This becomes vital in case the interruption to in-person meetings and travel to or from partner countries should last longer and online activities are not possible due to limited accessibility of the Internet.
- The increased amount of capacity building activities delivered through online means requires special attention. Therefore, in order to develop an effective teleworking culture, it would be useful to draw up guidance for organising online events. In addition, a high level of security must be ensured in online working. Establishment of the EU cybersecurity certification of ICT services and products would provide the necessary assurances in selecting effective and secure digital tools. Until the certification scheme is implemented in practice, the projects could benefit from cybersecurity guidelines or principles and recommendations on the most effective and secure tools by competent bodies.
- It is important to continue monitoring developments of the crisis and periodically gather feedback from the projects in order to respond rapidly, provide the best possible support and ensure implementation of the projects’ objectives.
Impact of the crisis
The first part of the survey concerned the pandemic’s impact on the projects’ 1) short-term activities, 2) general and specific objectives (end results), 3) different sectors inside the projects, 4) relations with partners and stakeholders, and 5) possible changes in the operating environment (including by other donors).
- Overall, the impact of the COVID-19 crisis on the delivery of the projects’ planned activities was assessed as moderate to significant (80% and 20%, respectively). This means that 80% of the projects managed to adjust to and deliver in the new situation. Some of the activities were cancelled or postponed, while some of the planned activities were delivered on time using alternative channels. 20% of the respondents assessed the impact on overall activities as significant; everything was postponed as it became impossible to deliver on any planned activities under the circumstances.
- In comparison to the short-term plans, in the mid-term perspective the project implementers assessed, at present (May 2020), the pandemic’s impact on the overall delivery of projects’ general and specific objectives to be low to moderate. Main aspects to highlight are:
– While the crisis has caused serious challenges, most projects have a lifespan long enough (or it can be extended) so that they are able to adjust and the time left for the implementation is sufficient to achieve the projects’ general or specific objectives. However, the situation can change for the worse and travel restrictions can continue to last.
– A recurring concern broadly shared by respondents was the travel restrictions, which have made in-person meetings or participation at events impossible, affect planned missions and can lead to the need to extend the implementation period.
– While revising work plans and introducing fully online activities can help achieve the same results, it is not always an option due to technical limitations; for example, internet access may not be universal in partner countries or for other particular counterparts.
– In one case, it was emphasised that as cybercriminals used the confusion created by the pandemic in their own interest, it also put cybersecurity high on the agenda and generated more attention to cybersecurity, which will be beneficial for raising awareness in the mid-term perspective.
– Several projects pointed out that instead of events or trainings that have been postponed or cancelled, they have used the opportunity to focus on other tasks critical to the overall project that can be implemented under restrictions (see also p 9).
- Looking into their own project implementation, it was not surprising that the biggest impact has been observed on the planned activities (90% of the respondents). Half of the respondents emphasised difficulties with logistics and 30% also reported challenges to advancing their planning and concept development. To a lesser extent, issues concerning staffing and experts, security and communication (outreach and visibility) were also raised. Capacity building projects do not operate in isolation and partners’ capacity to adapt to the situation is an important factor. It was highlighted that counterparts in the law enforcement community had had their priorities changed to fighting the COVID-19 pandemic and, at least in the short term, that is the focus of their attention. On the positive side, nobody reported financial or legal issues to have become problems.
- Similarly to the overall impact, the projects assessed the pandemic’s impact on their previously established working relationships and channels of communication with their partners mostly as moderate (70%): there were occasional difficulties with communicating with partners, but established channels and arrangements worked. 20% assessed the impact as limited (required readjustment) and 10% as significant (many problems were encountered). Essentially, the assessment depended on the nature of the project, the target countries and counterparts. While some highlighted that their national counterparts were surprisingly adaptive and willing to experiment with different formats, it was also mentioned that teleworking from home posed difficulties in countries with limited internet access. Based on the responses, one can assume the projects have established good networks and presence that allowed them to continue working in a changed environment.
- Finally, with regard to impact, we asked the respondents whether they observed any changes in the way other international donors (e.g. China, the United States, international organisations, etc.) approached their capacity building projects as a result of the pandemic. The majority of the respondents have not observed any additional, ad hoc and solely crisis-driven support, but on two occasions the respondents noted additional support (or at least discussions about it), in particular in the Latin American region.
Measures to cope with the crisis and best practices
The second part of the survey concerned the measures the projects undertook to cope with the new situation and the best practices they identified as a result.
- One issue of interest and relevance for the EU at large in ensuring business continuity of its projects worldwide is having business continuity plans (or relevant guidance) in place. It appeared from the survey that 60% of the projects did not have a project-based business continuity plan prior to the crisis. However, on the positive side, this did not prevent projects from reorganising their work and adjusting to the circumstances. In 40% of the responses, a business continuity plan was part of an initial risk assessment, developed as part of the Annual Action Plan or established by the organisation implementing the project. The projects are encouraged to analyse risks arising from a possible long-term crisis and travel restrictions and to develop business contingency plans allowing the projects to continue delivering the pre-set objectives and/or include new relevant ones. However, it has to be recognised that designing a plan could be challenging for smaller teams without prior experience or knowhow.
- In responding to the crisis the project implementers mostly did not have to implement any unplanned and resource-demanding crisis response measures (70%). Projects were able to re-prioritise, use innovative solutions, and move to online channels as much as possible (e.g. trainings, seminars). Increased malicious online behaviour that accompanied the crisis also provided the projects with opportunities to develop new activities supporting partner countries in countering the threats or attacks.
- None of the projects identified contractual terms or conditions that had limited their ability to deliver in the crisis situation. The respective communication and guidance on flexibility by DG DEVCO had served its purpose well. For the future (and for planning hypothetical similar situations) it was suggested to include mitigation strategies or principles in the relevant project documents in the design and planning phase, which would allow some flexibility on the delivery of activities in terms of deadlines, specific goals and/or budgetary issues. It was also mentioned that regardless of the mission of a given project, it could be approached with requests for other kinds of support by the local authorities.
- With regard to best practices, the projects came up with a variety of solutions. The projects adjusted fast to their revised working modalities, sustained momentum and engaged with stakeholders in order to find alternative ways to deliver without altering overall objectives. In a word cloud view the most prominent word to emerge was “online”, while some of the detailed proposals were the following:
- Swiftly develop a contingency plan in case there was no prior plan; disseminate it to the counterparts and the Delegations of the EU.
- Create specific channels and specific activities to support the countries against the pandemic, thus making it also a priority of the programme.
- Constant dialogue with local counterparts, Delegations of the EU and the EU institutions.
- Agree on the shared technological mobile and online collaboration platforms to allow for seamless communication inside the team across borders.
- Reprioritise tasks and implement tasks not dependent on location (administration, procurements, etc.). When other activities are postponed, adapt work plan and conduct online trainings, needs assessment, prioritise desk research, assessment of legislation and analytical work.
- Maintain weekly work routines (regular meetings and discussions, continue to implement scheduled work plans, etc.)
- Maintain direct contact with national teams in the partner countries to assess the impact of the global crisis, discuss countermeasures taken and agree on priorities that could be addressed by the project in the short/medium term.
- Organising global topical webinars also allows related policy messages to be conveyed to a larger audience.
10. Looking forward and assuming that the share of capacity building activities delivered online might grow, the respondents also made a number of both generic and detailed suggestions to cope with this trend. Three recurring lines of thought that have become crucial are highlighted below, especially in case the crisis deepens and lasts longer:
- Develop an effective remote working culture and maintain direct contacts with the personnel in partner countries. Proper programming is required based on the needs of the partner countries and combining online events with other relevant activities (not ad hoc events only). It is important to maintain the local ownership and involvement, emphasising the relevance of the activities, even if delivered online. It was also suggested to develop guidance on conducting online courses. For a successful outcome, clear and comprehensive materials are required that support online activities and take into account the complexity and the impact on individuals attending online events lasting longer than a few hours (especially if active participation is not always possible).
- Cyber hygiene and security – in addition to the recommendation to promote the EU data protection standards, it is vital to train the participants in basic cyber hygiene, ensure the security of the information exchange, invest in secure connections and use the platforms recommended by cybersecurity experts. While technical tools and easy access are important, it is also a matter of work culture.
- Develop common tools and platforms between the EU and other regions, take time to experiment and test various situations and conditions (e.g. with 500+ participants with interpretation, create simulation environments, active participation etc.). The currently available online conference solutions may be sufficient in the short term, but in the long run, customised or even in-house online training/conferencing solutions could be worthwhile.
11. In their assessment of the efficiency of the technical tools available to them, 50% of the projects found the efficiency good, 30% found it to be average and 20% found it poor. In one case, a problem was raised about a limited licence restricting the number of participants at online meetings and also a problem with interpretation. The most widely mentioned online tools were Zoom and Microsoft Teams and, to a lesser extent, Google Meet, Skype, Bluejeans, FaceTime, Signal and Webex. It could be concluded that the EU should invest in secure and functional online platforms for effective communication between the EU, its projects and beneficiary countries. The EU cybersecurity certification scheme developed by the Commission and ENISA could be a useful tool in this regard. Until the certification scheme is functional, the projects could benefit from the recommendations by the cybersecurity experts for secure online tools.