Compare
Compare
The United States has historically been a strong partner in cyber diplomacy for the EU based on common values (human rights, rule of law), goals (open, stable and secure cyberspace) and interpretation of international law. Cyber diplomacy with the US has also been operationalised in the form of information-sharing and cooperation to tackle cybercrime, cooperation on cyber defence via NATO and cyber capacity building in third countries. Despite differences over certain foreign policy issues, the EU and the US remain close allies in cyberspace.
An EU candidate country since 2012, Serbia is an important partner in the Western Balkans. The 2020 iteration of the Digital Evolution Scorecard characterised Serbia as a ‘break out’ economy, meaning that despite a relative lack of digital infrastructure the country is rapidly digitalising; internet penetration is one of the highest across the region, standing at 79%. Over the past decade, Serbia’s digital policy has been focused on attracting foreign investment, deepening the digital transformation across the public and private sectors, and promoting economic growth in line with EU targets. These objectives have been operationalised through a series of strategies, notably the Strategy for the Development of Information Security for the period 2017-2020 and the Strategy for combat against cyber crime 2019-2023. The ITU notes, however, that “while innovative, internet-based e-commerce is expected to bring significant growth and development, obsolete legislation and a lack of harmonisation with EU standards and best practice persist, hampering progress”. As the country becomes increasingly more digitalised, the challenge for Serbian cyber diplomacy will be to develop and enhance avenues of European, regional, and international cooperation.
Thanks to its regulatory powers, robust digital economy, and active foreign and security policy, the European Union is one of the key players in cyberspace. The EU strongly promotes the position that international law, and in particular the United Nations (UN) Charter, applies in cyberspace. As a complement to binding international law, the EU endorses the voluntary non-binding norms, rules and principles of responsible State behaviour that have been articulated by the UN Group of Governmental Experts. It also encourages the development and implementation of regional confidence building measures, both in the Organisation for Security and Co-operation in Europe and other regions. On a bilateral level, the EU has established cyber dialogues with strategic partners to reinforce the exchange of good practices, lessons learnt and further the idea of responsible state behaviour in cyberspace.
The US believes that international law is applicable in cyberspace. As part of the ‘like-minded’ coalition, the US recognises a need to acknowledge the full breadth of relevant international law, including international humanitarian law (IHL), human rights law, customary international law on the responsibilities of states for internationally wrongful acts. The general applicability of IHL in cyberspace is not to be misconstrued as a tacit endorsement of aggression in the cyber domain; instead, it only serves to remind states of the responsibility to respect and protect civilians in the event of armed conflict.
In the context of multilateral fora, US diplomats have specifically emphasised the applicability of the right to self-defence under Art. 51 of the UN Charter, noting that a State may lawfully take cyber-based or non-cyber-based countermeasures in response to internationally wrongful cyber activities attributable to another State, but only subject to the requirements of the doctrine under international law and the principles of necessity and proportionality. The country has not assumed a firm stance on the application of international law in cyberspace. Serbia’s position paper concerning the Open-Ended Working Group (OEWG) highlighted that multilateral dialogue on “information security” must occur “with strict respect for the Charter of the United Nations”. Echoing the stance of states such as China, Russia, and Cuba, Serbia also raised the alarm about the “danger of developing offensive ICT and militarising the digital space”. Under the auspices of the UN, the EU and its Member States have consistently reaffirmed that a universal cyber security framework can only be grounded in existing international law, including the Charter of the United Nations in its entirety, international humanitarian law, and international human rights law.
Addressing issues as to how existing international law and international humanitarian law, including the principles of humanity, necessity, proportionality and distinction, apply to the use ICTs by States is necessary to increase accountability and transparency. International humanitarian law is fully applicable in cyberspace and this should not be misunderstood as legitimising the use of force between states in the cyber domain. The EU has typically opposed calls for the need to adapt existing international law as a means to develop a new legal instrument for cyber issues.
In the context of multilateral fora, US diplomats have specifically emphasised the applicability of the right to self-defence under Art. 51 of the UN Charter, noting that a State may lawfully take cyber-based or non-cyber-based countermeasures in response to internationally wrongful cyber activities attributable to another State, but only subject to the requirements of the doctrine under international law and the principles of necessity and proportionality. The country has not assumed a firm stance on the application of international law in cyberspace. Serbia’s position paper concerning the Open-Ended Working Group (OEWG) highlighted that multilateral dialogue on “information security” must occur “with strict respect for the Charter of the United Nations”. Echoing the stance of states such as China, Russia, and Cuba, Serbia also raised the alarm about the “danger of developing offensive ICT and militarising the digital space”. Under the auspices of the UN, the EU and its Member States have consistently reaffirmed that a universal cyber security framework can only be grounded in existing international law, including the Charter of the United Nations in its entirety, international humanitarian law, and international human rights law.
Addressing issues as to how existing international law and international humanitarian law, including the principles of humanity, necessity, proportionality and distinction, apply to the use ICTs by States is necessary to increase accountability and transparency. International humanitarian law is fully applicable in cyberspace and this should not be misunderstood as legitimising the use of force between states in the cyber domain. The EU has typically opposed calls for the need to adapt existing international law as a means to develop a new legal instrument for cyber issues.
As stated in the 2018 National Security Strategy, the United States views voluntary, non-binding norms of state behaviour during peacetime as essential components of a framework of responsible State behaviour in cyberspace. The US has participated in all iterations of the UN Group of Governmental Experts (UNGGE) as well as the latest Open-Ended Working Group.
In these multilateral fora, US diplomats have typically opposed attempts at shifting to a legally binding status for norms of responsible state behaviour, arguing that such discussions are “premature” and do not represent the best way to address the immediate threats given the fast pace of technological developments.
The starting basis for any further discussions on the part of the US rests on the current buildup of consensus surrounding the norms identified in the 2015 and 2021 GGE reports. Efforts should be concentrated on the implementation of existing consensus norms, not the creation of entirely new normative concepts (i.e. in relation to harmful hidden functions and specific critical infrastructure sectors). Serbia was represented in the 2016-2017 UN Group of Governmental Experts (UNGGE). Despite its EU candidate status, Serbia does not typically vote in alignment with the EU on key cybersecurity resolutions presented before the UN First Committee. Notable examples include UNGA resolution 73/27, which first established the Open-Ended Working Group (OEWG), as well as later resolutions 74/29 and 75/240. Since 2014, the EU’s ambition has been to act as an ‘honest broker’ on multilateral discussions surrounding issues of cyber governance and norms of responsible state behaviour, aiming to ensure the support and partnership of proactive players in the context of the global debate. The EU has long promoted the need for voluntary, non-binding norms. It believes that norms crystallised under the UN GGE process should generally not be revisited and that progress should be made on matters relating to their implementation.
Within the OEWG, the EU advanced a suggestion to develop a global repository of existing practice within the United Nations, which would enable UN member states to showcase how they are implementing the voluntary norms of responsible state behaviour, confidence building and other measures.
In these multilateral fora, US diplomats have typically opposed attempts at shifting to a legally binding status for norms of responsible state behaviour, arguing that such discussions are “premature” and do not represent the best way to address the immediate threats given the fast pace of technological developments.
The starting basis for any further discussions on the part of the US rests on the current buildup of consensus surrounding the norms identified in the 2015 and 2021 GGE reports. Efforts should be concentrated on the implementation of existing consensus norms, not the creation of entirely new normative concepts (i.e. in relation to harmful hidden functions and specific critical infrastructure sectors). Serbia was represented in the 2016-2017 UN Group of Governmental Experts (UNGGE). Despite its EU candidate status, Serbia does not typically vote in alignment with the EU on key cybersecurity resolutions presented before the UN First Committee. Notable examples include UNGA resolution 73/27, which first established the Open-Ended Working Group (OEWG), as well as later resolutions 74/29 and 75/240. Since 2014, the EU’s ambition has been to act as an ‘honest broker’ on multilateral discussions surrounding issues of cyber governance and norms of responsible state behaviour, aiming to ensure the support and partnership of proactive players in the context of the global debate. The EU has long promoted the need for voluntary, non-binding norms. It believes that norms crystallised under the UN GGE process should generally not be revisited and that progress should be made on matters relating to their implementation.
Within the OEWG, the EU advanced a suggestion to develop a global repository of existing practice within the United Nations, which would enable UN member states to showcase how they are implementing the voluntary norms of responsible state behaviour, confidence building and other measures.
The March 2021 Interim National Security Strategic Guidance states that “[the US] will make cybersecurity a top priority, strengthening our capability, readiness, and resilience in cyberspace.” Following the recommendations of the 2020 Solarium Commission, the US government has adopted the concept of ‘layered resilience’ and is gradually rolling out a comprehensive arsenal of resilience measures across a variety of domains.
The US has been active in engaging in strategically-minded capacity building with partners; US capacity building in Africa with organisations such as the African Union and SADC, for instance, have been largely motivated by Washington’s wish to promote an open, secure, and democratic model for Internet governance across the African continent.
In relation to cyber defence, there have been several joint operations and military exercises, both bilaterally (e.g. between the US Cyber Command and the Montenegrin military) and under the auspices of NATO. Recent regional engagement efforts such as the dialogues in the context of the tripartite AUKUS coalition and the Structured Quadrilateral Security Dialogue (the eponymous Quad) also heavily feature references to collaborative cyber-capacity building. In multilateral fora, the US has also welcomed the inclusion of confidence-building measures in the GGE reports and noted that, in order for CBMs to be useful, they need to be implemented at minimum on a bilateral basis and preferably on a multilateral and eventually an international basis. Serbia’s legislative framework on cybersecurity is structured upon the 2016 Law on Information Security and its bylaws. The Law ushered in several institutional developments, including the creation of a national CERT in the regulatory agency for electronic communications and postal services (RATEL). The national CERT “monitors the status of incidents on national level, provides early warnings, alerts and announcements, and reacts on incidents by providing the information on affected entities and persons”. [x] It also holds seminars and technical trainings for operators of special importance (critical infrastructure) [x].
Meanwhile, the 2021 Cyber Tesla drill (organised in collaboration with the US state of Ohio) constitutes only one example of Serbia’s increased emphasis on critical infrastructure through the prism of cyber defence; the stated objectives included the “construction of military defence system capacities and the National CERT’s capacities for the protection from high-tech attacks, as well as an enhanced cooperation with relevant government and private sector organisations and academic institutions for the purpose of protection of the IT systems”.
In its UNGGE position paper in 2016, Serbia emphasised the importance of interstate cooperation in “maintaining effective and responsive mechanisms for information exchange, alerts and announcements on cybersecurity incidents”. The paper goes on to posit that “the special focus should be on the protection of critical infrastructure”, especially in the case of transnational attacks. In 2021, Norway donated a platform worth €1.2 million which will “[serve] to hold cyber exercises at the national level enables the real situation of different attack scenarios, and will contribute to capacity building and training of officials in various state institutions”, according to State Secretary of the Ministry of Trade, Tourism and Telecommunications Milos Cvetanovic [x]. The EU places great importance on cyber resilience and capacity building. Internally, the Union has built a robust legal acquis in relation to the resilience of critical infrastructures, the cornerstone of which rests upon the 2016 Network and Information Security (NIS) Directive and the 2013 and 2019 Cybersecurity Acts. This legal meshwork seeks to integrate cybersecurity into all elements of the supply chain and introduce soft law mechanisms like the EU cybersecurity certification scheme. In doing so, it harmonises national cybersecurity capabilities, cross-border collaboration and the supervision of critical sectors across the EU.
In the coming months, the Commission intends to add upon the existing cyber-acquis by introducing an array of new initiatives, such as the updated NIS Directive (the so-called NIS2), a proposal on a Critical Entities Resilience (CER) Directive, and a plan to launch a network of Security Operations Centres across the Union. The aim is to create a Union-wide ‘cybersecurity shield’ that will facilitate the detection of cyberattacks and provide an impetus for proactive action.
This internal buildup of capabilities is supplemented by the development of a specialised ‘cyber diplomacy toolbox’ that allows the Union and its Member States to address cyber incidents through various joint policies, from cooperation and stabilisation measures to restrictive measures and attribution.
The US has been active in engaging in strategically-minded capacity building with partners; US capacity building in Africa with organisations such as the African Union and SADC, for instance, have been largely motivated by Washington’s wish to promote an open, secure, and democratic model for Internet governance across the African continent.
In relation to cyber defence, there have been several joint operations and military exercises, both bilaterally (e.g. between the US Cyber Command and the Montenegrin military) and under the auspices of NATO. Recent regional engagement efforts such as the dialogues in the context of the tripartite AUKUS coalition and the Structured Quadrilateral Security Dialogue (the eponymous Quad) also heavily feature references to collaborative cyber-capacity building. In multilateral fora, the US has also welcomed the inclusion of confidence-building measures in the GGE reports and noted that, in order for CBMs to be useful, they need to be implemented at minimum on a bilateral basis and preferably on a multilateral and eventually an international basis. Serbia’s legislative framework on cybersecurity is structured upon the 2016 Law on Information Security and its bylaws. The Law ushered in several institutional developments, including the creation of a national CERT in the regulatory agency for electronic communications and postal services (RATEL). The national CERT “monitors the status of incidents on national level, provides early warnings, alerts and announcements, and reacts on incidents by providing the information on affected entities and persons”. [x] It also holds seminars and technical trainings for operators of special importance (critical infrastructure) [x].
Meanwhile, the 2021 Cyber Tesla drill (organised in collaboration with the US state of Ohio) constitutes only one example of Serbia’s increased emphasis on critical infrastructure through the prism of cyber defence; the stated objectives included the “construction of military defence system capacities and the National CERT’s capacities for the protection from high-tech attacks, as well as an enhanced cooperation with relevant government and private sector organisations and academic institutions for the purpose of protection of the IT systems”.
In its UNGGE position paper in 2016, Serbia emphasised the importance of interstate cooperation in “maintaining effective and responsive mechanisms for information exchange, alerts and announcements on cybersecurity incidents”. The paper goes on to posit that “the special focus should be on the protection of critical infrastructure”, especially in the case of transnational attacks. In 2021, Norway donated a platform worth €1.2 million which will “[serve] to hold cyber exercises at the national level enables the real situation of different attack scenarios, and will contribute to capacity building and training of officials in various state institutions”, according to State Secretary of the Ministry of Trade, Tourism and Telecommunications Milos Cvetanovic [x]. The EU places great importance on cyber resilience and capacity building. Internally, the Union has built a robust legal acquis in relation to the resilience of critical infrastructures, the cornerstone of which rests upon the 2016 Network and Information Security (NIS) Directive and the 2013 and 2019 Cybersecurity Acts. This legal meshwork seeks to integrate cybersecurity into all elements of the supply chain and introduce soft law mechanisms like the EU cybersecurity certification scheme. In doing so, it harmonises national cybersecurity capabilities, cross-border collaboration and the supervision of critical sectors across the EU.
In the coming months, the Commission intends to add upon the existing cyber-acquis by introducing an array of new initiatives, such as the updated NIS Directive (the so-called NIS2), a proposal on a Critical Entities Resilience (CER) Directive, and a plan to launch a network of Security Operations Centres across the Union. The aim is to create a Union-wide ‘cybersecurity shield’ that will facilitate the detection of cyberattacks and provide an impetus for proactive action.
This internal buildup of capabilities is supplemented by the development of a specialised ‘cyber diplomacy toolbox’ that allows the Union and its Member States to address cyber incidents through various joint policies, from cooperation and stabilisation measures to restrictive measures and attribution.
The US is a signatory and an early proponent of the Budapest Convention. A big part of American cyber diplomatic activity has, in fact, been focused on promoting the Budapest regime as the global model of cybercrime governance. In 2019, the US firmly opposed the Russian-sponsored resolution calling for an alternative legal instrument to the Convention; following the passing of the resolution, however, the US has agreed to participate in the Ad Hoc Committee established under UNGA resolution 74/247 despite the fact that the “surprise text” within the May 2021 resolution was seen as an effort to “circumvent dialogue” and undermine the “balanced, inclusive, consensus-based process” sought by the US.
On a multilateral level, the US is also a party to the UN Convention against Transnational Organised Crime (UNTOC) and the Inter-American Convention on Mutual Legal Assistance of the Organisation of American States (OAS) and is a member of Interpol.
Bilaterally, the US has completed an agreement with the UK under the CLOUD Act that facilitates cross-border data sharing directly between US companies and the British government; the US is trying to expand this type of bilateral engagement, currently negotiating a similar agreement with Australia. The Information Society and Information Security Development Strategy for the period 2021-2026 provides a comprehensive approach to the field of information security, which includes both (a) information security of ICT systems of special importance and security of the Republic of Serbia, and (b) security of citizens and businesses, which is particularly reflected through the fight against cybercrime. Its predecessor, the 2017 Strategy for the Development of Information Security, in turn, indicates the fight against cybercrime as one of the government’s five key priorities.
In light of EU accession negotiations, Serbia has signed and ratified the Council of Europe Convention on Cybercrime (Budapest Convention), including its Additional Protocol on Xenophobia and Racism Committed Through Computer Systems. Nevertheless, the country also voted in favour of UNGA resolution 74/247 calling for an international legal instrument to govern this domain. Domestically, the national legislative framework has been developed in accordance with the Budapest Convention and EU legislation. A High-Tech Crime Unit has recently been established within the special prosecutor’s office, along with three specialised units: crime analysis; terrorism and extremism; and drug prevention, addiction and repression.
Serbia is a member of Interpol, with which the country has discussed ways to enhance cooperation with regard to combatting cybercrime. Serbia is also gradually developing its own bilateral cooperation network, signing a Cooperation Memoranda with India in 2016 [x] and Romania in 2017 [x] as well as receiving assistance from Russian experts [x].
Special thanks to Ms Maja Lakusic for her valuable comments. The EU has been an early champion of the Budapest Convention signed under the auspices of the Council of Europe, given the overlapping membership of the two organisations. Much of the EU’s cyber diplomatic efforts have focused on promoting the Convention as the main instrument of choice for fighting cybercrime on a global level. EU member states have consistently opposed Russian bids for replacing this regime with another legal framework.
The Union is represented in the recently constituted Ad Hoc Committee established by UNGA resolution 74/247 by its Member States and is currently focused on ensuring that the process is inclusive, transparent, consistent with the progress of the UNGGE and OEWG processes, and committed to legal consistency.
On a multilateral level, the US is also a party to the UN Convention against Transnational Organised Crime (UNTOC) and the Inter-American Convention on Mutual Legal Assistance of the Organisation of American States (OAS) and is a member of Interpol.
Bilaterally, the US has completed an agreement with the UK under the CLOUD Act that facilitates cross-border data sharing directly between US companies and the British government; the US is trying to expand this type of bilateral engagement, currently negotiating a similar agreement with Australia. The Information Society and Information Security Development Strategy for the period 2021-2026 provides a comprehensive approach to the field of information security, which includes both (a) information security of ICT systems of special importance and security of the Republic of Serbia, and (b) security of citizens and businesses, which is particularly reflected through the fight against cybercrime. Its predecessor, the 2017 Strategy for the Development of Information Security, in turn, indicates the fight against cybercrime as one of the government’s five key priorities.
In light of EU accession negotiations, Serbia has signed and ratified the Council of Europe Convention on Cybercrime (Budapest Convention), including its Additional Protocol on Xenophobia and Racism Committed Through Computer Systems. Nevertheless, the country also voted in favour of UNGA resolution 74/247 calling for an international legal instrument to govern this domain. Domestically, the national legislative framework has been developed in accordance with the Budapest Convention and EU legislation. A High-Tech Crime Unit has recently been established within the special prosecutor’s office, along with three specialised units: crime analysis; terrorism and extremism; and drug prevention, addiction and repression.
Serbia is a member of Interpol, with which the country has discussed ways to enhance cooperation with regard to combatting cybercrime. Serbia is also gradually developing its own bilateral cooperation network, signing a Cooperation Memoranda with India in 2016 [x] and Romania in 2017 [x] as well as receiving assistance from Russian experts [x].
Special thanks to Ms Maja Lakusic for her valuable comments. The EU has been an early champion of the Budapest Convention signed under the auspices of the Council of Europe, given the overlapping membership of the two organisations. Much of the EU’s cyber diplomatic efforts have focused on promoting the Convention as the main instrument of choice for fighting cybercrime on a global level. EU member states have consistently opposed Russian bids for replacing this regime with another legal framework.
The Union is represented in the recently constituted Ad Hoc Committee established by UNGA resolution 74/247 by its Member States and is currently focused on ensuring that the process is inclusive, transparent, consistent with the progress of the UNGGE and OEWG processes, and committed to legal consistency.
