On 15 November 2019, the EU Cyber Direct Project organised the workshop “Deterrence in cyberspace: questioning the concept”. The workshop brought together scholars from academia, experts from think tanks and practitioners from both EU bodies and agencies as well as representatives from EU member states.
After the opening remarks by Dr. Patryk Pawlak (EU Institute for Security Studies) and Mr. Wiktor Staniecki (European External Action Service), scholars and experts investigated the concept of deterrence, stressing how its effectiveness remains elusive in the absence of an accepted causal model. Given that deterring effects are contextually specific and related as much with norms and taboos as with the potential use of weapons, the participants underlined that effective deterrence calls not only for capacities, weapons, threat credibility and pressure, but also for fine-tuned political skills that rely on contextual knowledge about the actor to be deterred. Moreover, they recognized that the reasons to resort to deterrence are as much strategic as they are political and include limiting strategic alternatives, the mobilization of political support, and the maintenance of self-identity.
The following sessions then focused on the validity and usefulness of the concept of deterrence when applied to cyberspace, as well as on the EU member states’ national approaches to cyber deterrence. The discussion was enriched by the contributions of high-level government officials from Estonia, France, and Poland, who shed light on their countries’ understandings of cyber deterrence, as well as the complementarity of the respective approaches.
The last session was dedicated to the role of deterrence in the European Union’s cyber posture. Deterrence and response to cyber-attacks are clearly listed as the motivation for putting the cyber sanctions regime in place. The Joint Communication ‘Resilience, Deterrence and Defence: Building strong cybersecurity for the EU’ of 13 September 2017 states that “effective deterrence means putting in place a framework of measures that are both credible and dissuasive for would-be cyber criminals and attackers” (European Commission, 2017). Consequently, the Joint Communication defines concrete measures to support such approach:
- identifying malicious actors by improving capacity to identify those responsible for cyber-attacks;
- stepping up the law enforcement response, including by facilitating cross-border access to electronic evidence, establishing common forensic standards, and promoting the Council of Europe Convention on Cybercrime;
- public-private cooperation against cybercrime;
- stepping up the political response, including through the implementation of the cyber diplomacy toolbox;
- building cybersecurity deterrence through the Member States’ defence capability, including concrete cyber defence within the framework of a “Permanent Structured Cooperation” (PESCO) and further integrating cybersecurity and defence into Common Security and Defence Policy (CSDP).
In this context, the participants discussed the possibilities for the EU to craft a dynamic narrative that reflects both its norm-driven engagements and its ambitions in cyber diplomacy, as well as the links between deterrence and resilience and the role of the Cyber Diplomacy Toolbox in the European Union’s engagements towards cybersecurity.