NORM VIOLATIONS IN CYBERSPACE: TRANSATLANTIC RESPONSES

On December 12th-13th the EU Cyber Direct project, hosted by project partner GMF, organized a two-day conference in Washington DC bringing together American and European experts and policy-makers to discuss increased cooperation. The first part of the conference focused on the implementation of a Transatlantic Cyber Policy Research Initiative. The second part focused on transatlantic responses to norm violations.

The workshop on norm violations started with a roundtable on EU-US responses to Cyber threats.

The roundtable brought together government and non-government cyber security experts to discuss possible EU and US as well as joint responses to cyber threats.

The discussion covered a range of response strategies from conventional incident management, to active cyber defense and broad sanction regimes. It thereby covered the national as well as international cooperation mechanisms that could be leveraged to create a more effective EU-US response to cyber threats. The underlying question was

“what response do we choose based on what level attribution to reasonably and proportionally respond to what kind of cyber operation?”

Key aspects which were mentioned during the debate include:

mainstreaming incident response and connecting it to the broader political level and to crisis response is useful;
sharing raw intelligence with strategic partners is crucial but a challenge;
joint training and exercises are vital to prepare for threats;
more research and work needs to be done within the field of responses to attacks below the threshold of armed conflict;
the key for international cooperation is that states come to terms with their own cyber security architectures first;
Strategic risk analysis of national assets is key to responses;
disjointed strategies are highly problematic, especially when paired with a deterrent approach that is not fully thought through;
The economic dimension has to be factored in for the broader picture;
Like-minded states have to work together to address these issues.

The workshop continued with a roundtable on attribution of cyber threats. The roundtable brought together government and non-government cyber security experts to discuss possible EU and US as well as joint responses to cyber threats.

In the roundtable of attribution, experts discussed current challenges of attribution and practices. Attribution was seen as an evolving policy challenge and still needs more practicing on both sides of the Atlantic.

Key aspects which were mentioned during the debate include:

the role of public attribution connected with challenge of proof/ level of evidence and implications for cyber insurances;
the connection between attribution as a means to an end and (swift) response;
public-private cooperation for holistic intelligence assessment on attribution;
trust as precondition for transatlantic cooperation on intelligence sharing for attribution;
risk assessment of critical national targets to better understand the threat.