NATO Secretary General Jens Stoltenberg waits for the start of a meeting of the North Atlantic Council at NATO headquarters in Brussels on Thursday, May 19, 2016.

NATO Secretary General Jens Stoltenberg waits for the start of a meeting of the North Atlantic Council at NATO headquarters in Brussels on Thursday, May 19, 2016. Virginia Mayo/AP

A Transatlantic Plan to Bolster Europe’s Cyber Defenses

The cyber world of the 21st century may soon look dangerously similar to the political world of the 19th.

It’s cliché to say that we are increasingly dependent on internet-enabled technologies. Nevertheless, Europe is struggling to keep up. Shrinking budgets limit European countries’ ability to invest in building resilience against cyberattacks. The interconnectedness of critical infrastructure, along with the coming internet of things, forces European policy makers to consider the following question: how we protect and create resilient critical infrastructure?

Finding an answer to this question is politically fraught. Security experts who adhere to the realist school of international relations theory argue that policymakers must accept the increasing militarization of cyberspace. They argue that states must build up their offensive and defensive cyber capabilities. This view has gained currency in a number of countries, as strategic planners issue national security policies with a cyber component. Likewise, the European Union and NATO have begun corralling their respective members to establish common defensive capabilities. It is also hard to overlook the reemergence of the state in cyberspace as they emphasize their digital sovereignty.

More liberal minded scholars warn that the build-up of offensive capabilities only repeats the mistakes of the past. It will foster mistrust, lead to a new arms race and might even lead to the internet’s fragmentation as states assert their sovereignty. A free, open and trustworthy internet is an important global public good, and an offensive build-up puts that at risk. Following up on the approach of work under the auspices of the United Nations and Organization for Security and Cooperation in Europe (OSCE), much of policymakers’ attention has been focused on finding agreement common norms for state behavior in cyberspace with mixed success.

Recently U.S. and EU officials have been adapting concepts found in the law of state responsibility, which sets out how and when a state is responsible for a breach of its international obligations, to promote certain cyber norms. For example, policymakers across the Atlantic are promoting the idea of state responsibility—states are responsible for the cyber activity originating from their territory. The UN Group of Governmental Experts on cyber issues picked up and endorsed this idea in its 2015 report, and will likely expand on this notion when its work resumes later this year.

As the European Union will update its 2013 cybersecurity strategy, and will extend it to a “strategy for cyberspace” it should make the norm of state responsibility a cornerstone. A number of member states are developing their offensive and defensive capabilities, making an EU-wide strategy essential to ensure that their actions are compatible with norms that support a free, open, and trustworthy internet. The European Union can promote state responsibility in cyberspace in three ways:

  1. EU coordination. Since 2003, EU officials have coordinated their cyber efforts through a Friends of the Presidency Group on Cyber Issues. Having this group agree to a common position on the norm of state responsibility would give the European External Action Service—the European Union’s diplomatic corps—a common message and outreach strategy with which to build support. The External Action Service’s work can be supported by the European Network and Information Security Agency, the authoritative reference for cybersecurity in the European Union.
  2. Transatlantic support. Making states responsible for their cyber activities is only possible if states can attribute offensive cyber incidents. Despite their differences on privacy, espionage, and surveillance, the European Union and the United States need to cooperate to solve the attribution problem. One way they could do this is by supporting an effort to create an independent court of arbitration with the forensic capabilities to identify parties responsible for offensive cyber activities. An independent third party would improve the credibility of attributing an incident to a particular state thereby making it responsible.
  3. Military restraint. Under international law, if a state has had its sovereignty violated, it is entitled to use all necessary and proportionate means to terminate that violation. This would apply in cyberspace, where a targeted state could engage in what has been dubbed “active defense” to end an ongoing cyberattack started by another state. Although taking these types of countermeasures are legal under international law, in practice, responses of this kind easily run the risk of escalation, possible legal breaches, and undermining the tradition of military restraint in foreign and security policy. To avoid this, EU member states should ensure that their respective militaries remain committed to a defensive approach, and promote this posture within NATO, the OSCE and other multilateral security institutions.

The internet is too precious and important to be left to the realists and to those who can only think in the categories of conflict and confrontation. A transatlantic initiative is required to ensure that it remains free, open and trustworthy. Without this, we might wake up one day and see that the cyber world of the twenty-first century looks dangerously similarly to political world of the nineteenth century.

This post appears courtesy of CFR.org.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.