A critical year for the transatlantic cyber diplomacy
As the scale, sophistication, and frequency of malicious cyber activity increase internationally, it is imperative that the European Union and the US collaboratively and comprehensively address these cyber threats and their impact on security, critical infrastructure, democratic governance, and economic system. Ensuring effective deterrence of, and response to, cyber-attacks conducted by state or non-state actors involves a tailored approach that encompasses different policy strands, takes full stock of malicious actors’ capabilities, intent, nature, and goals, and promotes stability in cyberspace through dialogue, norms of state behavior, application of existing international law, and confidence-building measures. Consistent, common and comprehensive cooperation along these lines could assist in conflict prevention, aid cooperation, and foster stability in cyberspace.
This was the belief conveyed by US Deputy Coordinator for Cyber Issues, Michele G. Markoff, and Head of the Security Policy Division of the European External Action Service, Rory Domm, at the Transatlantic Perspectives on Cyber Diplomacy Stakeholder event, which was jointly organised by the EU Institute for Security Studies (EUISS), the German Marshall Fund of United States (GMF), and the Stiftung Neue Verantwortung (SNV) on the occasion of the fifth meeting of the EU-US Cyber Dialogue that took place in Brussels.
The discussion shed light on the most salient challenges that the US and the EU have identified in cyberspace and provided insights on their respective approaches to countering cyber threats and deterring malicious threat actors, as well as on the challenges US and EU policymakers encounter along the way.
Participants from both the US and EU shared a concern that highly disruptive, state-linked malicious cyber activities conducted below the threshold of the use of force have the potential to disrupt the prosperity, peace, and stability in cyberspace. What complicates the issue further is finding ways to impose consequences on the malicious actors who conduct them. The challenge stems primarily from the use of proxies and mercenaries by states for the conduct of cyber-attacks, the difficulties in discerning intent and purpose of malicious operations (i.e. intelligence gathering, economic espionage, and reconnaissance), and difficulties linked to attribution.
Ms Markoff highlighted the complexities in designing novel ‘ex post’ tailored cyber-deterrence and response frameworks. Any response must remain tailored, limited and contextually specific on the nature and consequences of the attack, the intent of the threat actor, and the purpose of the overall operation. Simultaneously, states must ensure that deterrence measures are effective, timely, and do not fuel escalatory cycles. Finding a proportionate pressure point for each country that launches offensive cyber operations, how proactive defensive measures should be, and what is the role of private actors in how deterrence is used remain continual challenges to deal with for both the US and the EU.
Moreover, the imposition of consequences on malicious cyber behaviour must take place in accordance with states’ own capacities and must align across different policy strands. An illustrative example of such a holistic approach is the EU’s framework for joint response to cyber-attacks, the EU Cyber Diplomacy Toolbox, which sets out a wide-ranging set of practical diplomatic measures and principles to be implemented in the aftermath on a cybersecurity incident.
Moreover, the EU and the US reaffirmed their close partnership in the discussions about the future of the United Nations Group of Governmental Experts (UNGGE) process. Ms Markoff, the American representative to the GGE, shared her frustration with the main issues which ultimately led to the failure of the framework, including problems related to an expanded membership, the format, the timing of the meetings, as well as the penetration of geopolitical dynamics into the framework. Both sides underlined that fostering international cooperation is an effective method towards mitigating cyber threats and deterring adversaries in the long term. Besides collaborating in particular areas, such as cyber-crime capacity-building and training, the US and the EU are aiming to advance the construction of an overarching framework of responsible state behavior, founded on the application of existing international law to cyberspace, the advancement of a set of non-binding norms of state behavior and the efficient implementation of practical confidence-building measures.
Similarly, the US and EU encourage other nation states to increase transparency in the international environment by clarifying concepts and doctrines in their national cybersecurity strategies, military doctrines, and legal reasoning. Working together on cyber diplomacy and identifying synergies across multiple cyber-governance fora remain vital elements of the transatlantic partnership. The progress on practical confidence-building measures made in the framework of the Organisation for Security and Co-operation (OSCE) was underscored as a constructive, successful and sustainable model of collaboration between the United States and the EU.
Both sides stressed that the primary objective of the EU-US partnership on cyber diplomacy is to continue strengthening a multi-stakeholder model of internet governance that is accountable, transparent, inclusive and accessible to all stakeholders. Another main objective included the need to promote and protect the transatlantic core values and principles reflected in a global, open, free, stable and secure cyberspace where human rights, fundamental freedoms and the rule of law fully apply.