The Cold War seems to be going on and not just as a part of history, when looking at the current situation of international cyber politics. While the EU’s diplomat-in-chief Josep Borrel Fontelles finds multilateralism to be the solution, the concept amounts to nothing if the main actors in cyberspace have no common ground. The dialogue continues but is heavily influenced by the great powers contestation. We are running out of time to address this. When technology advances in leaps and bounds, politics cannot lag behind. If the EU is truly committed to advancing international security and stability, it is high time to act accordingly.
Does the EU have what it takes to lead?
Interviewing Josep Borrel has led Patryk Pawlak to ask whether the EU has what it takes to lead? Can it lead if it is not already the leader in development of these technologies it now tries to supress? The answer is yes. As Mr. Borrell has indicated, it is certainly worth recognizing the EU’s potential, and as things stand not only the EU can, but it must take the lead in advancing solutions to cyber issues. Ever deteriorating relations between great powers, leave only the EU capable of this. While the west and the east are taking their own routes, our European way has unique pull for both sides. A powerful actor who, despite our western connection, bows to neither direction yet able to sustain communications both ways. A setting perfect for progressive dialogue and action.
The question then, is how do we take the lead? It would be disastrous to lose relations to either or any direction. However, we have some leverage of our own. The EU is a formidable diplomatic and economic power of its own right. The diplomat-in-chief accordingly emphasized the need to speak the “language of power”. The ability to make autonomous decisions is the EU’s greatest tool in making change. In this light, the EU could play the role of a facilitator without marking any new boundaries. In addition, with the recent change of power in the US we might go a long way without problematic issues. Regrettably, Mr. Borrell does not endorse using this capacity in more aggressive manner.
On the other hand, China is investing in Europe in such manner that we are within reason to expect cooperation, that is trade, commerce, and diplomatic dialogue to continue. Their need to stay a part of the western market zone is great. If the US does not open its doors, it could prove a beneficial tool for the EU during negotiations.
The most challenging view arises from Russia. As Mr. Borrell stated, Russia is the least likely to cooperate. In other words, they want to play by their own rules, often leading in disturbance among other states. If we were able to turn actors like the private sector, the US and/or China to our side though, Russian interest for true cooperation would increase. Intellectual property within a unified cyberspace, even if it consists of just us, the EU and one of the actors above is far greater than any of the great powers alone. This at least, is fortunate for us since their unilateral view protects us from facing dangerous cooperation between powerful states, aimed against our call for regulation.
As Borrell and Pawlak discussed, all cooperation is based on goals that align. So, the best way for us to utilize this is by making sure our actions enable economic growth and ensure human rights. It is very hard to attack the EU if we are able to promote these concepts. For example, European Council sanctions from last June against actors involved in cyberattacks were definitely a step towards the right direction.
The growing responsibility of EU
International politics is in a stalemate with the cyber world. One of the main building blocks: the UN’s structure is being twisted in a battle of the great powers contestation. In addition to the failing of creating binding norms cyber wise, silence has become another great issue. States refuse to start or participate in an open and problem-solving dialogue as that would mean to admit to the problems. If they think they have an advantage, they see no reason to act. Thus, the notations of non-binding and voluntary are frequently expressed. Notwithstanding, they hold close to no value in solving our problems. For crisis situations, this lack of clarity tends to only further complicate matters.
This is alarming, but there is hope. Aude Géryn and François Delerue consider a possible beacon of light, in regard to the UN, in their article: A New UN Path to Cyber Stability. The advocates of cybersecurity and stability have put together an idea about a new Programme of Action: For advancing responsible state behaviour in cyberspace (PoA). The potential here lies in levelling the playing field. Old unions such as the Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG) have not yielded results, despite demanding commitment and draining resources. The polarity is too great for the major powers and their respective camps to work together. As an alternative, if we had their approvals for the new PoA initiative, much of the drawn-out tension would ease. Dialogue on the matter would not be as much dictated by existing issues between great powers.
From the EU’s perspective, the PoA would provide valuable information about the states ongoing positions regarding the topics of the program. For example, if we were to regulate in a similar manner following the implementation of the GGE-borne voluntary norm of: “States should not knowingly allow their territory to be used for internationally wrongful acts using cyber domain”, to the more politically binding framework the new PoA aspires to build, our move has already been approved, to some degree, by those who did so for the PoA. Value is added through those who did not approve the original initiative as well, since refusal calls for explanation, leading in much needed attention on the actual conflicts. The issue here, lies in timing. If it is taken seriously, the PoA is likely to be discussed at the next UN General Assembly and that does not bode well for its future. As long as member-states are not willing to lose their “edge”, the UN is not capable to take on these matters. Regrettably, this is the current state of affairs.
It is good to take note that none of the major powers sponsors the idea yet. Gery believes that this is a threat as well as it’s an opportunity. For the program to have a positive impact, it truly needs to find common ground. For example, if China got a hold of the reigns, it could twist the program to serve its own agenda, while driving the west out of the deal. For this and every other program, depicting why they would work nonaligned is critical. All in all, for the UN to reach any concrete decisions takes too long. Fortunately, the EU has much more agency in these matters. Within, despite our slow start, the EU is waking to the growing threats from cyberspace. A Germany led joint non-paper focusing on protecting and reinforcing Europe’s digital sovereignty, is one such act. Still, while many of its points are appropriate, it lacks initiative. The next steps cannot be reviewing the non-paper, it needs to be implemented according to its message.
Actions to take for EU
At this point we have touched the subject of responsibility that falls on the EU, the reasons behind it, guiding frameworks and some key points to consider when taking action. These in mind, we can focus on something concrete for the area of interest, that the EU would be correct to start working on immediately.
First our take on the US Clean network program. Intrinsically valuable for the EU, should we endorse it from a neutral standpoint. Network traffic from untrusted sources cannot pass through either side. While the EU takes this stance, China needs some reassurance that we are not working towards cutting it off the western grid. On the other hand, the US requires a validation that the world needs more cooperation. Removing sources of potentially harmful data from the grid before they become threats is pivotal, but for the EU, taking sides due to prejudice adopted from our companions undermines our diplomatic efforts. Here as well, balance can be achieved.
Robert Knake’s article, What’s Wrong With The Clean Network Initiative? presents some interesting pointers regarding the movement, such as a digital trade zone instead of the mass censure of China. The trade zone or the like, we would be correct to show interest in, could opt for credibility rather than “clean”, valuing the freedom of internet, shared privacy protections and strengthened mechanisms for cross-border cybercrime. In other words, require member states to meet these commitments. Over time the digital trade zone could prove to be too large of a market for the Chinese government or other individual states to ignore, Knake argues. This way, economic methods can be used to put significant pressure on states to change their ways.
The current version of the clean network program called for a response from China and this was the Global initiative on data security. A very general initiative calling states to work together, while aiming to counter the censure presented by the clean network. The issue here lies in the concept of multilateralism turning into what it has become in the setting of the UN. It is an idea dominated by great powers, where small actors are left by the wayside. With threats to its sovereignty, the EU needs to stay cautious of this movement.
A second area to work on is cooperation in countering and identifying cyber crime. By opening borders with trusted partners to gain access and resources to act against unlawful actors the EU could develop its capabilities as well as enforce trust in cyberspace. Certainly, many actors are afraid of revealing their cyber capabilities, but in time, supporting see through tactics in sectors where everyone can agree would prove beneficial. One very present theme where cooperation is needed, would be the handling of data. The non-paper led by Germany had an insightful take on this. “Regarding access to digital evidence, the EU and its Member states recognize the importance of encryption to protect important data. Now what is needed, is a lawful way to access digital evidence concerning malicious cyber activities.” Not an easy task to take on. The key here could be our perception of the digital information. Data is something to be viewed by who owns it, not by its location. Therefore, instead of risking too strict regulation, it would be possible to bring in a third party organisation to act as a middle-man for all parties, being the individuals, the private-, and the public sectors. This way of organizing should focus on gathering trusted and skilled individuals from different countries, which would enable smooth cooperation between participating states. The exchange of data would be secured by heavy resources, but not controlled by governments. Instead of the current trend of having all the information shared, only the parts that matter would be passed on as products. Rest would optimally be secured by law and remain out of governmental control. This paradigm is built on the three main pillars: law, politics, and technical understanding.
The third area of improvement is the EU’s view on international law. In February 2015, the Council of the EU strongly encouraged all members to support the western view of the applicability of international law in cyberspace. Troubling since current laws, especially in peace time, are not precise/unambiguous enough for agreement on how they can be applied to cover issues in cyber context. Furthermore, we are limited by a lack of precedent regarding this matter. This is because when the law leaves too much room for states to operate, it can be manipulated. States such as the US, Russia and China are fully capable of utilizing the unclarity of law in situations which would logically require considerably more strict consequences. For example, mass surveillance or the increasing use of APT groups as means for hybrid warfare. Following the damage and potential harm caused, the focus here as well, should be placed on data. The law condemns attacks on civilian objects, but can data be considered under this umbrella term? It has no physical structure, yet the influence is far greater than that of many physical objects. As prime target for unethical operations, more needs to be done to protect it.
Conversation around this issue is restricted. Hollis, Vila and Rakhlina-Powsner offer good insight on this in their article Elaborating International Law for Cyberspace. States do support the idea of updates, but that is the extent of the argument. Even states that have been on the receiving end of “unlawful” actions are hesitant to accuse anyone per international law. Gatherings focusing on cybercrime are few and those regarding international peace and safety in cyber context are next to none. As such, applying international law in cyberspace strongly depends on customary law. To approach the issue, hosting meetings focusing solely on cyber context of peace and security, could prove beneficial. Creating precedent is another area of potential improvement. As we start applying international law within the EU’s own jurisdiction more actively, the dominant view of distrust among the UN member states, leading to state silence, might change.
One more area to work on. The private sector holds a significant role within the cyberspace yet, the current GGE-borne view provides states the mandate of cyber safety and security. An actor with such amount of concrete power and resources is far too influentialnot to be included within the decision-making process. This is particularly true when the decisions involve it regardless of its presence. One might argue for the Global Tech Panel, but it lacks authority. Elsewhere the fear of tech giants is not helping either. Is the private sector not at fault then? The US vs. Google case among many, remains an clear indication that there is still lacklustre efforts from majority of organisations. However, it can still be noted that states are equally at fault regarding many of the claims made. While both actors abuse data with little regard for ethics, it is useless to point fingers. This, on the current scale is possible only due to regulation falling further behind development. Essentially, the scale of ground level knowledge within the private sector is vast, and the knowledge of politics does not fall short. Moreover, they face every decision we make; enabling them to rid the pressure coming from states, or at least allow measures to act against it. So what is to be done? A possible solution is making it mandatory for the private sector to elect representatives much like in politics. Participating in international politics as more than just a side character brings the sector much needed responsibility to act more discreet as well as an opportunity to grow. The private sector can be ally of the EU and presents a plethora of opportunities.
It’s time then
With President Biden looking to draw red lines in protecting critical infrastructure against cyber-attacks, timing is great for the EU to look for alignments according to these principles. Going forward as we currently do will only lead to more serious and irresponsible sate behaviour. Technology is progressing in ways that left unregulated, stomping human rights cannot be avoided. The course is far from ideal, but with joint effort it is possible to make change. Looking for true cooperation where possible, as well as leading with insight and morale are keys, how the EU can reach concrete results in stabilizing cyberspace. Fortunately, the EU has always worked towards creating more secure environment for our society to prosper in. This includes the cyber context. All it needs now, is to focus this effort accordingly.
Veikko Markkanen, Junior analyst, Cyberwatch Finland
Veikko is currently studying at University of Jyväskylä. He is completing BSc in Computer Science and aims to graduate with MSc in Cyber Security by 2025. With his passion to writing, Veikko’s skills in analytical thinking and pedagogy have already seen interest by respected players in the fields of strategic cyber security and international cyber politics.