Compare
Compare
The United States has historically been a strong partner in cyber diplomacy for the EU based on common values (human rights, rule of law), goals (open, stable and secure cyberspace) and interpretation of international law. Cyber diplomacy with the US has also been operationalised in the form of information-sharing and cooperation to tackle cybercrime, cooperation on cyber defence via NATO and cyber capacity building in third countries. Despite differences over certain foreign policy issues, the EU and the US remain close allies in cyberspace.
Thanks to its regulatory powers, robust digital economy, and active foreign and security policy, the European Union is one of the key players in cyberspace. The EU strongly promotes the position that international law, and in particular the United Nations (UN) Charter, applies in cyberspace. As a complement to binding international law, the EU endorses the voluntary non-binding norms, rules and principles of responsible State behaviour that have been articulated by the UN Group of Governmental Experts. It also encourages the development and implementation of regional confidence building measures, both in the Organisation for Security and Co-operation in Europe and other regions. On a bilateral level, the EU has established cyber dialogues with strategic partners to reinforce the exchange of good practices, lessons learnt and further the idea of responsible state behaviour in cyberspace.
The US believes that international law is applicable in cyberspace. As part of the ‘like-minded’ coalition, the US recognises a need to acknowledge the full breadth of relevant international law, including international humanitarian law (IHL), human rights law, customary international law on the responsibilities of states for internationally wrongful acts. The general applicability of IHL in cyberspace is not to be misconstrued as a tacit endorsement of aggression in the cyber domain; instead, it only serves to remind states of the responsibility to respect and protect civilians in the event of armed conflict.
In the context of multilateral fora, US diplomats have specifically emphasised the applicability of the right to self-defence under Art. 51 of the UN Charter, noting that a State may lawfully take cyber-based or non-cyber-based countermeasures in response to internationally wrongful cyber activities attributable to another State, but only subject to the requirements of the doctrine under international law and the principles of necessity and proportionality. Under the auspices of the UN, the EU and its Member States have consistently reaffirmed that a universal cyber security framework can only be grounded in existing international law, including the Charter of the United Nations in its entirety, international humanitarian law, and international human rights law.
Addressing issues as to how existing international law and international humanitarian law, including the principles of humanity, necessity, proportionality and distinction, apply to the use ICTs by States is necessary to increase accountability and transparency. International humanitarian law is fully applicable in cyberspace and this should not be misunderstood as legitimising the use of force between states in the cyber domain. The EU has typically opposed calls for the need to adapt existing international law as a means to develop a new legal instrument for cyber issues.
In the context of multilateral fora, US diplomats have specifically emphasised the applicability of the right to self-defence under Art. 51 of the UN Charter, noting that a State may lawfully take cyber-based or non-cyber-based countermeasures in response to internationally wrongful cyber activities attributable to another State, but only subject to the requirements of the doctrine under international law and the principles of necessity and proportionality. Under the auspices of the UN, the EU and its Member States have consistently reaffirmed that a universal cyber security framework can only be grounded in existing international law, including the Charter of the United Nations in its entirety, international humanitarian law, and international human rights law.
Addressing issues as to how existing international law and international humanitarian law, including the principles of humanity, necessity, proportionality and distinction, apply to the use ICTs by States is necessary to increase accountability and transparency. International humanitarian law is fully applicable in cyberspace and this should not be misunderstood as legitimising the use of force between states in the cyber domain. The EU has typically opposed calls for the need to adapt existing international law as a means to develop a new legal instrument for cyber issues.
As stated in the 2018 National Security Strategy, the United States views voluntary, non-binding norms of state behaviour during peacetime as essential components of a framework of responsible State behaviour in cyberspace. The US has participated in all iterations of the UN Group of Governmental Experts (UNGGE) as well as the latest Open-Ended Working Group.
In these multilateral fora, US diplomats have typically opposed attempts at shifting to a legally binding status for norms of responsible state behaviour, arguing that such discussions are “premature” and do not represent the best way to address the immediate threats given the fast pace of technological developments.
The starting basis for any further discussions on the part of the US rests on the current buildup of consensus surrounding the norms identified in the 2015 and 2021 GGE reports. Efforts should be concentrated on the implementation of existing consensus norms, not the creation of entirely new normative concepts (i.e. in relation to harmful hidden functions and specific critical infrastructure sectors). Since 2014, the EU’s ambition has been to act as an ‘honest broker’ on multilateral discussions surrounding issues of cyber governance and norms of responsible state behaviour, aiming to ensure the support and partnership of proactive players in the context of the global debate. The EU has long promoted the need for voluntary, non-binding norms. It believes that norms crystallised under the UN GGE process should generally not be revisited and that progress should be made on matters relating to their implementation.
Within the OEWG, the EU advanced a suggestion to develop a global repository of existing practice within the United Nations, which would enable UN member states to showcase how they are implementing the voluntary norms of responsible state behaviour, confidence building and other measures.
In these multilateral fora, US diplomats have typically opposed attempts at shifting to a legally binding status for norms of responsible state behaviour, arguing that such discussions are “premature” and do not represent the best way to address the immediate threats given the fast pace of technological developments.
The starting basis for any further discussions on the part of the US rests on the current buildup of consensus surrounding the norms identified in the 2015 and 2021 GGE reports. Efforts should be concentrated on the implementation of existing consensus norms, not the creation of entirely new normative concepts (i.e. in relation to harmful hidden functions and specific critical infrastructure sectors). Since 2014, the EU’s ambition has been to act as an ‘honest broker’ on multilateral discussions surrounding issues of cyber governance and norms of responsible state behaviour, aiming to ensure the support and partnership of proactive players in the context of the global debate. The EU has long promoted the need for voluntary, non-binding norms. It believes that norms crystallised under the UN GGE process should generally not be revisited and that progress should be made on matters relating to their implementation.
Within the OEWG, the EU advanced a suggestion to develop a global repository of existing practice within the United Nations, which would enable UN member states to showcase how they are implementing the voluntary norms of responsible state behaviour, confidence building and other measures.
The March 2021 Interim National Security Strategic Guidance states that “[the US] will make cybersecurity a top priority, strengthening our capability, readiness, and resilience in cyberspace.” Following the recommendations of the 2020 Solarium Commission, the US government has adopted the concept of ‘layered resilience’ and is gradually rolling out a comprehensive arsenal of resilience measures across a variety of domains.
The US has been active in engaging in strategically-minded capacity building with partners; US capacity building in Africa with organisations such as the African Union and SADC, for instance, have been largely motivated by Washington’s wish to promote an open, secure, and democratic model for Internet governance across the African continent.
In relation to cyber defence, there have been several joint operations and military exercises, both bilaterally (e.g. between the US Cyber Command and the Montenegrin military) and under the auspices of NATO. Recent regional engagement efforts such as the dialogues in the context of the tripartite AUKUS coalition and the Structured Quadrilateral Security Dialogue (the eponymous Quad) also heavily feature references to collaborative cyber-capacity building. In multilateral fora, the US has also welcomed the inclusion of confidence-building measures in the GGE reports and noted that, in order for CBMs to be useful, they need to be implemented at minimum on a bilateral basis and preferably on a multilateral and eventually an international basis. The EU places great importance on cyber resilience and capacity building. Internally, the Union has built a robust legal acquis in relation to the resilience of critical infrastructures, the cornerstone of which rests upon the 2016 Network and Information Security (NIS) Directive and the 2013 and 2019 Cybersecurity Acts. This legal meshwork seeks to integrate cybersecurity into all elements of the supply chain and introduce soft law mechanisms like the EU cybersecurity certification scheme. In doing so, it harmonises national cybersecurity capabilities, cross-border collaboration and the supervision of critical sectors across the EU.
In the coming months, the Commission intends to add upon the existing cyber-acquis by introducing an array of new initiatives, such as the updated NIS Directive (the so-called NIS2), a proposal on a Critical Entities Resilience (CER) Directive, and a plan to launch a network of Security Operations Centres across the Union. The aim is to create a Union-wide ‘cybersecurity shield’ that will facilitate the detection of cyberattacks and provide an impetus for proactive action.
This internal buildup of capabilities is supplemented by the development of a specialised ‘cyber diplomacy toolbox’ that allows the Union and its Member States to address cyber incidents through various joint policies, from cooperation and stabilisation measures to restrictive measures and attribution.
The US has been active in engaging in strategically-minded capacity building with partners; US capacity building in Africa with organisations such as the African Union and SADC, for instance, have been largely motivated by Washington’s wish to promote an open, secure, and democratic model for Internet governance across the African continent.
In relation to cyber defence, there have been several joint operations and military exercises, both bilaterally (e.g. between the US Cyber Command and the Montenegrin military) and under the auspices of NATO. Recent regional engagement efforts such as the dialogues in the context of the tripartite AUKUS coalition and the Structured Quadrilateral Security Dialogue (the eponymous Quad) also heavily feature references to collaborative cyber-capacity building. In multilateral fora, the US has also welcomed the inclusion of confidence-building measures in the GGE reports and noted that, in order for CBMs to be useful, they need to be implemented at minimum on a bilateral basis and preferably on a multilateral and eventually an international basis. The EU places great importance on cyber resilience and capacity building. Internally, the Union has built a robust legal acquis in relation to the resilience of critical infrastructures, the cornerstone of which rests upon the 2016 Network and Information Security (NIS) Directive and the 2013 and 2019 Cybersecurity Acts. This legal meshwork seeks to integrate cybersecurity into all elements of the supply chain and introduce soft law mechanisms like the EU cybersecurity certification scheme. In doing so, it harmonises national cybersecurity capabilities, cross-border collaboration and the supervision of critical sectors across the EU.
In the coming months, the Commission intends to add upon the existing cyber-acquis by introducing an array of new initiatives, such as the updated NIS Directive (the so-called NIS2), a proposal on a Critical Entities Resilience (CER) Directive, and a plan to launch a network of Security Operations Centres across the Union. The aim is to create a Union-wide ‘cybersecurity shield’ that will facilitate the detection of cyberattacks and provide an impetus for proactive action.
This internal buildup of capabilities is supplemented by the development of a specialised ‘cyber diplomacy toolbox’ that allows the Union and its Member States to address cyber incidents through various joint policies, from cooperation and stabilisation measures to restrictive measures and attribution.
The US is a signatory and an early proponent of the Budapest Convention. A big part of American cyber diplomatic activity has, in fact, been focused on promoting the Budapest regime as the global model of cybercrime governance. In 2019, the US firmly opposed the Russian-sponsored resolution calling for an alternative legal instrument to the Convention; following the passing of the resolution, however, the US has agreed to participate in the Ad Hoc Committee established under UNGA resolution 74/247 despite the fact that the “surprise text” within the May 2021 resolution was seen as an effort to “circumvent dialogue” and undermine the “balanced, inclusive, consensus-based process” sought by the US.
On a multilateral level, the US is also a party to the UN Convention against Transnational Organised Crime (UNTOC) and the Inter-American Convention on Mutual Legal Assistance of the Organisation of American States (OAS) and is a member of Interpol.
Bilaterally, the US has completed an agreement with the UK under the CLOUD Act that facilitates cross-border data sharing directly between US companies and the British government; the US is trying to expand this type of bilateral engagement, currently negotiating a similar agreement with Australia. The EU has been an early champion of the Budapest Convention signed under the auspices of the Council of Europe, given the overlapping membership of the two organisations. Much of the EU’s cyber diplomatic efforts have focused on promoting the Convention as the main instrument of choice for fighting cybercrime on a global level. EU member states have consistently opposed Russian bids for replacing this regime with another legal framework.
The Union is represented in the recently constituted Ad Hoc Committee established by UNGA resolution 74/247 by its Member States and is currently focused on ensuring that the process is inclusive, transparent, consistent with the progress of the UNGGE and OEWG processes, and committed to legal consistency.
On a multilateral level, the US is also a party to the UN Convention against Transnational Organised Crime (UNTOC) and the Inter-American Convention on Mutual Legal Assistance of the Organisation of American States (OAS) and is a member of Interpol.
Bilaterally, the US has completed an agreement with the UK under the CLOUD Act that facilitates cross-border data sharing directly between US companies and the British government; the US is trying to expand this type of bilateral engagement, currently negotiating a similar agreement with Australia. The EU has been an early champion of the Budapest Convention signed under the auspices of the Council of Europe, given the overlapping membership of the two organisations. Much of the EU’s cyber diplomatic efforts have focused on promoting the Convention as the main instrument of choice for fighting cybercrime on a global level. EU member states have consistently opposed Russian bids for replacing this regime with another legal framework.
The Union is represented in the recently constituted Ad Hoc Committee established by UNGA resolution 74/247 by its Member States and is currently focused on ensuring that the process is inclusive, transparent, consistent with the progress of the UNGGE and OEWG processes, and committed to legal consistency.
