10 March 2021

Revisiting the EU Cybersecurity Strategy: A Call for EU Cyber Diplomacy


In December 2020, the European Union (EU) presented its new strategy on cybersecurity with the aim of strengthening Europe’s technological and digital sovereignty. The document lists reform projects that will link cybersecurity more closely with the EU’s new rules on data, algorithms, markets, and Internet services. However, it clearly falls short of the development of a European cyber diplomacy that is committed to both “strategic openness” and the protection of the digital single market. In order to achieve this, EU cyber diplomacy should be made more coherent in its supranational, demo­cratic, and economic/technological dimensions. Germany can make an important con­tribution to that by providing the necessary legal, technical, and financial resources for the European External Action Service (EEAS).

In 2019, the EU registered around 450 attacks on critical infrastructures in the energy and water supply sectors as well as information and communication technologies in the health, transport, and finance sectors. The vulnerabilities of technologically inter­depend­ent societies became particularly evident during the Covid-19 pandemic. In December, cybercriminals targeted the Euro­pean Medicines Agency. In order to preserve its socio-political model, the EU must assert itself in a security environment that is characterized by mutual threat per­ceptions and an increasingly dynamic tech­nological arms race. The director of the Technology and National Security Program at the Center for a New American Security, Paul Scharre, pointed out some time ago that the technology race is repeating the security dilemma of the nuclear age (Foreign Affairs, May/June 2019). How is the EU re­sponding strategically to the changed global political environment? What role can the EU play in preventing cyberattacks, for exam­ple on power plants, in advance? Are there crises management structures in place at the European level to ensure immediate and comprehensive action if necessary?

EU Cybersecurity Strategy

Since 2015, the EU has been working on its response options to attacks from – and con­flicts in – the cyber and information space (CIS). Some foreign and security policy initiatives have been launched in the last few years (see SWP Comment 19/2018). Worth mentioning here are, among others, the Diplomatic Response Framework (Cyber Diplomacy Toolbox) and the Cyber Defence Policy Framework (both 2018); the EU Cyber­security Act and the EU toolbox for 5G security (both 2019); as well as the EU Security Union Strategy and the Screening of (Digital) Investment (2020). Since 2020, the EU has focused its activities – together with the member states – on building operational capacity to prevent, deter, and respond to serious cyber incidents in Europe. The current framework is set by the new EU Cybersecurity Strategy for the Digital Decade, presented in December 2020 by the European Commission and the High Repre­sentative for Foreign Affairs and Security Policy, Josep Borrell. It is closely linked to other Union initiatives, such as the Digital Single Market Strategy, the Commission’s Economic Recovery Plan, and the Security Union Strategy 2020–2025.

The new cybersecurity strategy includes the establishment of a “Joint Cyber Unit” that will be tasked with strengthening the IT capabilities of defense communities in the field of cybersecurity and law enforcement agencies in cooperation with civilian and diplomatic communities. According to the strategy, the EU will also draw on the work of the European Defence Agency and promote cooperation in the military domain of operation, drawing on the newly created European Defence Fund. Further­more, the EU will be given a “cybersecurity shield” to identify threats early and take countermeasures before damage is done. The Commission wants to establish an EU-wide “network of Security Operations Centres across the EU.” It is to serve as a cooperation platform for the civilian and military authorities of the Union and mem­ber states that are responsible for cyber­security and to improve coordination in the event of major attacks. To protect critical infrastructures, existing EU law and the 2016 EU Network and Information Security Directive (NIS Directive) are to be revised, and greater use will be made of artificial intelligence to identify cyberattacks against hospitals, utilities, and transport networks.

Since 2018, the EU has had the Cyber Diplomacy Toolbox at its disposal to coun­t­er serious cyberattacks (see SWP Comment 19/2018). It has thus designed its own sanc­tions regime against IT attacks that was deployed in July 2020 in the course of the technical and legal handling of the 2015 hacker attacks on the German parliament. To implement the cybersecurity strategy, proposals will be made under the Common Foreign and Security Policy (CFSP) to expand the EU Cyber Diplomacy Toolbox to effec­tively counter attacks on critical infrastructure, supply chains, and democratic institu­tions and processes.

Although the cybersecurity strategy refers to EU initiatives such as those to com­bat hybrid threats, the European Democracy Action Plan, as well as EU emergency and crisis management, the deepening of con­fidence- and security-building measures of EU cyber diplomacy toward third countries remains largely underexplored. The need for such actions has been noted, but no concrete examples or institutional venues to implement them have been provided. The cybersecurity strategy thus expresses a one-sided understanding of security policy that shows little awareness of the fact that technical and technocratic actions must be accompanied by diplomacy.

Desideratum Cyber Diplomacy

The one-sidedness of the EU cybersecurity strategy is a problem because international norm-building is a key element for trust and security in the cyber and information space. The EEAS needs to be empowered for this very task of cyber diplomacy by align­ing its mandate accordingly. The current strategy neglects the important lesson of the nuclear age, namely that disarmament and trust-building actions lead to generally enhanced security. Political scientist Joseph S. Nye, for example, argues that, contrary to popular belief, deterrence in cyberspace can work. He is convinced that the development of international norms, which has so far been very limited, can have a positive effect on security in the CIS. For this, he said, it is essential not to limit the principle of deter­rence to classic territorial defense and imme­diate retaliation. Rather, cost-benefit analyses of unintended consequential costs would deter potential intruders from launching attacks.

The fact that a “cyberwar” has not yet taken place could be indicative of the effec­tiveness of this strategy. International norm processes can also dissuade state actors from attacking critical infrastructure. The norms for responsible state behavior in cyber­space, developed by the United Nations (UN) Group of Governmental Ex­perts, prohibit attacks against critical infrastructure. The UN General Assembly negotiations demonstrate that, despite political differences, work is underway on common norms for lawful state behavior and due diligence in cyberspace. Under the Cyber Diplomacy Toolbox, the Horizontal Working Party on Cyber Issues is tasked with these matters; however, so far it has only had a coordinating and not a shaping role in EU cyber diplomacy due to lacking EU supranational competence.

Furthermore, there is still little consen­sus on standards for responding to cyber actions below the thresholds relevant under international law (retorsion); for the ap­prov­­al of hardware and software; for deal­ing with supply chain dependencies; and for vul­ner­ability management. The Novem­ber 19, 2020 “non-paper” by Germany and five other EU member states also remains un­clear with regard to concrete actions. The dangers posed by proxies, i.e., non-state actors acting on behalf of the state, reduce the effectiveness of trust- and security-build­ing actions. The Council of Europe’s Buda­pest Convention is to be revised ac­cord­ingly in order to take more effective action against non-state cybercrime with a second sup­ple­mentary protocol. Another source of danger that should not be under­estimated is the high number of low-thresh­old attacks, for example against small and medium-sized enterprises. It still needs to be clarified what counts as a critical IT secu­rity incident that must be reported, includ­ing to partner states outside Europe: Is it when the attackers penetrate the network and disrupt it, or already when they scan the infrastructure of a potential critical infrastructure facility and try to find weak points?

The cybersecurity strategy also mentions jointly coordinated NATO-EU situational aware­ness in the CIS, but it remains un­specific about its implementation. The potential of the Helsinki-based European Centre of Excellence for Countering Hybrid Threats to build “legal resilience” in rela­tion to state interference is equally under­utilized in EU-NATO cooperation. Some governments advocate active countermeasures, along the lines of the United States demonstrating its supremacy in cyberspace. Others, however, argue for the development of a consensual frame of reference that assigns accountability to states according to their resilience measures to prevent conflict escalation in the CIS. The EU strategy seeks to integrate both approaches more effec­tively than in the past. In order to realize this ambition, the EEAS must be given a stronger mandate in the future in terms of personnel, funding, and legal competence.

Digital sovereignty and resilience can only be achieved as a pan-European and pan-societal task that includes close co­ordi­nation at the EU level as well as with demo­cratic partners; moreover, economic policy and technological expertise must be explic­it­ly included. This means that EU cyber diplomacy must set the framework for this, as the CIS is not bound by the competencies or borders of individual countries. Public institutions, business, the scientific com­munity, and civil society must work hand in hand much more intensively at the Euro­pean level than they have to date. The estab­lishment of a European Cybersecurity Industrial, Technology and Research Com­petence Centre and a network of national coordination centres are a first good step. Cyber diplomacy can create the supra­national, democratic, economic, and tech­nological conditions, both internally and externally, to provide the necessary infra­structure, know-how, and cutting-edge tech­nology.

The Supranational Dimension

Sectorally conceived policy silos – in which the digital dimensions of foreign, defense, and domestic policy are developed in parallel – are notoriously ill-suited to cybersecurity. On the other hand, it makes sense for the EU Commission to support the interlocking of internal market regulations, the fight against cybercrime, the CFSP, and the Common Security and Defence Policy, as well as initiatives of the Permanent Struc­tured Cooperation. An annual imple­mentation report, modeled after the pro­gress reports on the implementation of the Security Union Strategy, would be bene­ficial and should give more attention to aspects that have been neglected so far, such as technical intelligence and infor­mation exchange.

In particular, it should systematically cover: the preparation and use of cyber­attacks; the manipulation and sabotage of business, financial, and industrial markets; the increasing vulnerability of critical infra­structure; and the growing threat to the reliability of traditional defense systems from military hackers. Although the new Strategic Compass is intended to facilitate common EU situational awareness, this will require that internal and external cyber­security agencies prepare to pool their intel­ligence in the EEAS when needed. Situational awareness should be underpinned by a “horizon scanning” facility, at least as a first step. Artificial intelligence should help establish early crisis detection.

This should be followed up by the devel­opment of an attribution procedure in the CFSP decision-making process. To date, there are no common standards for clearly identifying the perpetrator of a cyberattack. The Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities in­dicates that member states may use differ­ent methods and procedures for attributing malicious cyber activities, as well as employ “different methods and procedures to estab­lish a degree of certainty on attributing a malicious cyber activity.” However, the methods, procedures, definitions, and cri­teria of the member states are not to be harmonized, as attribution is to remain a sovereign act. The EEAS, with its Intelli­gence and Analysis Centre, would have to be provided new personnel and technical competencies if it is to (be able to) publicly state who is responsible for cyber incidents; this would be of particular importance for countering hybrid threats, which also in­clude disinformation. Measures under the Cyber Diplomacy Toolbox do not require legally secured attribution in every case. Rather, they aim to defend against cyber inci­dents using political-communicative and technical means. It should be possible to tailor the use of resources, depending on the conflict situation.

In addition, it should be considered how the actions envisaged in the toolbox can be deployed in the event of a failure of key infra­structures in such a way that the ability to command, act, and function is main­tained. Horizontal and vertical cyber­security cooperation between the EEAS and the Commission on the one hand, and be­tween the EU and the member states on the other, is key for the resilience of the ICT structures. This crisis management exists only as a blueprint and must be under­pinned by the member states in terms of per­sonnel, funding, and competencies.

The EU member states should recognize that digitalization challenges classic diplo­macy at the national level, to the extent that the foreign policy role of the EU Com­mission changes in the course of implement­ing the European Digital Strategy: Its role is gaining more weight in cyber diplo­macy. It is the Commission that urges mem­ber states to be vigilant about attempts to divide them, both externally and internally. This call for vigilance with regard to foreign direct investments or the acquisition of stra­tegic assets, especially in the digital econo­my, by third countries could take even greater account of the risks posed by the volatility or undervaluation of European stock mar­kets.

The Democratic Dimension

Digital foreign policy and cyber diplomacy must place more attention than traditional foreign and security policies to involving non-governmental interest groups and in­dependent scientists in the policy process and to ensuring that the multistakeholder approach is applied as broadly as possible. To be sure, the practice of multistakeholder governance to date has been criticized for being misused by large digital corporations as an instrument for globalizing their own business interests and technical standards. However, the decisive integration of all societal stakeholders has ultimately proven to be a factor that safeguards fundamental rights. In particular, a reform of the global Internet governance infrastructure is as necessary as it is important, whereby the “democratic” dimension must be strength­ened, for example by expanding the role of the Internet Governance Forum (IGF) as a global stakeholder meeting, consistently involving parliamentary representatives in IGF meetings, and including local and regio­nal initiatives. Within this framework, the EU’s external cyber foreign policy, man­dated by the member states, will be able to continue to work toward ensuring that cen­tral institutions such as the Internet Corpo­ration for Assigned Names and Numbers (ICANN) and the Internet Engineering Task Force (IETF) are geared toward inclusivity and participation of all social groups and not just toward the interests of business (see SWP Research Paper 14/2019). Parlia­mentary expertise is particularly in demand here, as it has been increasingly used in recent IGFs.

The technology-induced uncertainty in global politics is clearly reflected at all levels in a fundamentally changed per­cep­tion of the opportunities and dangers of connectivity and interdependence. US politi­cal scientists Henry Farrell and Abra­ham L. Newman point out that interdependence is not only a promise but also a danger (International Security, July 2019). Global networks and supply chains in the financial and trading systems, in the management of the Internet, and in the global communications infrastructure, they argue, are highly asymmetric and can be used by powerful states as weapons against political opponents. The Corona pandemic and the assertive posturing of US and Chi­nese technology companies have given this impression more weight. On many issues – from access to the global financial and mone­tary system and innovative techno­logy to needed medicines, digital communications, and network infrastructure – forums, podiums, and supply chains con­trolled by private actors constitute a source of power. States currently find themselves overwhelmed when their presidents can be stripped of their virtual megaphones by digital CEOs.

Against this backdrop, the revitalization of bilateral cyber diplomacy in the form of a trade and technology council between the EU and the United States has gained special attention for transatlantic cooperation since Joe Biden’s election as US president. From the US perspective, any reconfiguration of a European cyber foreign and security policy should be based on an alliance of democratic multilateralists that must include the United States. Europe will only be strong enough to defend the functioning of the digital in­ternal market based on European treaties against China and other authoritarian states if it cooperates with democracies such as Canada, Australia, Japan, the United States, and others, even if they only co­operate in the short term (ad hoc coali­tions).

The literature already contains concrete proposals in this regard, some with far-reaching consequences. In October 2019, Richard A. Clarke and Rob Knake advocated the establishment of a US-led “Internet Free­dom League” that would encompass all states committed to a free, open, and demo­cratic Internet. It should form a digital block analogous to the European Schengen Area, within which data, services, and prod­ucts could move freely, whereas all those states that do not respect freedom of ex­pression and the protection of privacy and allow cyber­crime would be excluded: “The goal should be a digital version of the Schen­gen Agreement.” In this cyber and information space, which according to the US view has yet to be developed, vulnerable online sys­tems would be identified, their operators informed, and their resilience jointly work­ed on; malware and botnets would be elimi­nated at an early stage; and cyberattacks among the members would be prohibited – similar to the coordination of global health policy by the World Health Organization. Certainly, these goals are broadly consistent with, but go beyond, UN standards for re­sponsible state behavior. Such a tech diplo­macy alliance should integrate the EU’s various cybersecurity programs in the West­ern Balkans and the six Eastern Partnership countries in the EU’s immediate neighborhood, as well as in other countries world­wide.

The Economic-technological Dimension

In his influential study on the danger of fragmentation of the global Internet, politi­cal scientist Milton L. Mueller describes forcefully that all hopes for a global Inter­net depended directly on non-state and private actors continuing to play an essen­tial role in its governance. There is no guarantee that individual European mem­ber states will not mimic the Internet censorship measures being pursued by Russia and China using deep packet in­spection tools and banning VPNs unless they are countered by a strong social and legal corrective. This corrective can have both a cognitive and a power-political effect. In the European Commission, out­standing expertise has been built up in preparation of relevant legal acts on digital markets, services, algorithms, and data – in contrast to American, Chinese, and Rus­sian standardization. This knowledge of regulations, standards, and norms is in high demand by various international play­ers such as the African Union, the ASEAN states, Brazil, Australia, and South Korea.

Europe’s role as an exporter of standards in data protection and data security, en­cryp­tion, and cybersecurity also has eco­nomic consequences for players on the inter­national market who want to continue to operate in the digital single market – despite the high requirements, for example, for compliance with standard contractual clauses for data transfers, which were made even more stringent by the restrictive case law of the European Court of Justice in July 2020. The EU’s cyber diplomacy must nego­tiate the future global standard contractual clauses on data transfer as well as a new trans­atlantic Privacy Shield with the United States in the Transatlantic Council on Trade and Technology.

EU approaches to the management of critical Internet resources also imposed by the Digital Services Act and Digital Markets Act will in the future envisage even stricter targets than before: Dependencies on indi­vidual suppliers are to be diversified. Audit­ing by means of an EU-wide IT security label is to link market access for all market participants to minimum standards and certifications. Encryption technologies are to ensure high European security standards in the future in order to guarantee the in­teg­­rity and security of data. However, civil society and the business community are criti­cal of mandatory decryption or master keys for law enforcement agencies, as de­manded by individual governments.

An important initiative for securing Euro­pean digital sovereignty is the strengthen­ing of the European cloud and data infra­structure project GAIA-X. In order to assert themselves against non-European market power, leading member states and the Euro­pean Commission are attempting to bundle European companies and leverage their own values based on the EU treaties as a com­petitive advantage against third parties. Data protection and data security should no longer be seen as a hindrance to technologi­cal development, but as a driver of inno­vation – especially in light of the fact that quantum computing can already circum­vent common methods of cryptography.

EU digital sovereignty is complex, but that does not mean that everything should now be done autonomously via the EU Com­mission, but rather that a technically sophisticated strategic choice should be made to control those truly critical com­ponents. Cyber diplomacy of the EEAS, in close consultation with the European Com­mission, requires an intensive co­operation between public and private partnerships if it is to be technically competitive. Therefore, it should strive to promote the devel­op­ment of trusted IT through these part­ner­ships. Artificial intelligence can be used associatively for the early detection of attacks on automated systems. Finally, in­formation about Indicators of Compromise, i.e., characteristics and data that indicate a system or network is compromised, must be made available to all stakeholders so that everyone can participate in the solu­tions offered.

The cyber diplomacy conducted by EEAS, in cooperation with the Commission or the Cyber Security Agency, should be enabled to raise these technological requirements to the level of European infrastructures so that industry and the owner of the critical infra­structures can benefit from the results. Last but not least, the Commission intends to broaden the scope of what critical infra­struc­ture should include. In addition to traditional sectors such as energy, institutions of national and strategic interest will also be targeted. In the future, the Commission will have an even greater role in ensur­ing the availability, integrity, and confidentiality of European data through a single market external policy.

Update of Cyber Diplomacy Needed

A world that is growing together needs common rules and a binding legal frame­work so that common markets can develop and the security dilemma can be resolved. If EU member states turn to a truly EU cyber diplomacy that is guided by the maxim of “strategic openness” in its insti­tutional, democratic, and economic dimen­sions, they can ensure that the post-war era will only not become the digital pre-war era. Strategic openness is central to maintaining the internal market in order to effectively counter the siren songs of mercantilist iso­la­tionism and territorial sovereignty think­ing, even in the digital age. The EU’s digital self-assertiveness manifests in reducing dependencies, promoting the empowerment of civil rights, holding platforms account­able, and increasing the competitive­ness of the European economy.

With this aspiration in mind, EU cyber diplomacy should, first, help citizens retain informational self-determination over their personal data. Second, cyber diplomacy, in the service of the EU’s digital sovereignty, is linked to the strategic capacity to act and presupposes that the Union can also assert its ideas on data protection and security inter­nationally. Third, a European “resovereignization” in cyber diplomacy in the digi­tal age means realizing that a minimum de­gree of dominance or control by the EU over the necessary technological resources – from Internet nodes to cloud infrastructure to international standard-setting – is what makes digital sovereignty possible in the first place. Fourth, this includes ensuring that European laws are applied to cyberspace and are enforced by European courts. China and the United States, for example, essentially limit themselves to domestic providers for critical infrastructure (hard­ware and software) for cybersecurity reasons. Fifth, in the spirit of reciprocity and com­petitiveness, harmonization of IT security legislation and procurement and licensing rules at the EU level would be logical. Co­operation between the EU and democracies such as the United States, Canada, Singapore, South Korea, and Taiwan could pro­mote this.

These goals are served by the EU’s new and planned legal acts and strategies on data, markets, services, and algorithms in Europe and, most recently, on cybersecurity. As the Union moves forward in this way, member states should also be prepared to update Europe’s narrative as a force for peace in the digital age through more robust and coordinated foreign, security, and defense policies and by honoring their strategic orientation and institutional anchoring in EU cyber diplomacy. This would at least be the logical consequence. Qualified majority decisions are certainly needed to be able to respond with restric­tive measures in the event of serious cyber­attacks.

But harmonization is not always the path to optimization. A pan-European and pan-societal approach to cybersecurity means formalizing the exchange of knowl­edge between institutions, security author­ities, academia, and industry. Defense and diplomacy in the cyber and information space remain sovereign tasks. At least since the ruling of the Federal Constitutional Court (BVerfG) on the Federal Intelligence Service of May 19, 2020, and the BVerfG’s non-acceptance decision of December 16, 2020, it has become clear that the obligations of all German authorities under the rule of law do not end at the state’s external borders, and that the state is fundamentally liable for violations of fundamental rights abroad – this also applies in the CIS. This means that close cooperation is required in this complex cybersecurity architecture. At the same time, it places new demands on constitutional principles in Germany, such as the separation between defense and police powers and the limits to the deploy­ment of the military within German bor­ders. Effective and accountable cybersecurity policy at the national level creates conditions that enable administrative assistance at the EU level and in cooperation with al­liance partners in a legally secure manner – with EU cyber diplomacy as the centerpiece.

Dr. Annegret Bendiek is Deputy Head of the EU / Europe Research Division at SWP.
PD Dr. Matthias C. Kettemann, LL.M. (Harvard), is Research Programme Head at the Leibniz Institute for Media Research / Hans-Bredow-Institut and Research Group Leader at the Humboldt Institute for Internet and Society and at the Sustainable Computing Lab at the Vienna University of Economics and Business.

No comments: