EU-US Cybersecurity Policy Coming Together: Recommendations for instruments to accomplish joint strategic goals

Abstract

The need for more US–EU collaboration on cybersecurity policy has been identified by policymakers and diplomats from the EU and the US in their official Cyber Dialogues 2018 and 2019 as well as by international cybersecurity policy scholars. As the EU shapes its cybersecurity policies and fosters coordination among member states, cooperation at the EU level becomes more important to the US. EU–US cooperation to achieve shared policy goals such as prosecution and prevention of cybercrime has already resultedin implementing policy instruments together such as a joint exercise or information-sharing agreement specifically on cybercrime. Nevertheless, on a broader strategic level and with the focus on responses to malicious cyber-activities, concrete steps forward have been difficult to achieve in an environment where the EU and the US grapple with an ever-changing threat landscape that targets their values and ways of life and has made them focus on developing further their own processes and policy approaches in 2018–2020. This paper sets out to find actions that the EU and US can implement together. It takes a practical approach by first identifying joint strategic goals and analysing the commonalities of EU and US cybersecurity policy. This allows a broader perspective on what the EU and US joint strategic goals really are, and what is feasible to do together. It is important to take account of the limitations and divergences that, as many others have pointed out, make cooperation difficult, but this paper uses them more as a means to find which instruments are actually feasible. Anyone who is interested to learn more about the EU and US, as well as those who are looking to find a way forward for transatlantic cooperation, will find glimpses of hope here and there in a policy field where it cannot be denied that the EU and US diverge as much as they converge.

Key takeaways on EU-US cooperation

• The intention of closer cooperation between the US and the EU to prevent, detect and react to malicious cyber-activities lacks a clear signal of what the joint strategic goal(s) of closer cooperation are.

• Joint strategic goals can be developed by first identifying shared goals and then analysing which shared goals would be better pursued together.

• The EU and US should focus on:
  
  
• Assisting each other in improving resilience
• Achieving a common understanding of threats and vulnerabilities
• Improving cooperation mechanisms among a diverse set of stakeholders
• Improving the cybersecurity workforce

• The EU and US have 32 instruments in common.

• Looking at past instruments implemented together gives an indication of what may be feasible in the future. Of the 32 instruments the EU and the US have in common, they have so far implemented only eight together.

• There are three prerequisites for joint implementation of instruments:
  
  
• The need for specific joint strategic goals
• The need for cooperation mechanisms supported by regular exchange
• The need for own capacity and availability to contribute to the joint endeavour

• The limitation ‘availability of instrument’ eliminates 30 instruments from being considered for joint implementation, as it is hard to overcome in the short term.

• The limitation ‘lack of capability’ eliminates one instrument for joint implementation, i.e. the gathering and sharing of classified intelligence, for which the EU level relies on member states’ capabilities.

• The limitation ‘lack of political/legal authority’ eliminates 12 instruments for joint implementation. It includes for example many foreign instruments such as sanctions, public attribution and demarchés, but also internal instruments that are passed through legal actions, such as incident reporting requirements or declaration of what constitutes a critical infrastructure.

• There is potential for the EU and the US to save resources by jointly implementing a certain instrument; for example, both countries do open-source analysis of threats and vulnerabilities that target companies that operate in the European market as well as the US market. The same information may be shared through different channels.

• The paper identifies 20common instruments that are feasible to do together.

• Seven recommendations describe how the 20instruments could be implemented jointly so that they address the joint strategic goals for responding to malicious cyber-activities:
  
  
• Develop joint technical bulletins
• Fund a process to develop joint automatic, standardised open-source threat and vulnerabilities intelligence-sharing solutions among like-minded countries
• Practise joint strategic and political assessments of threats and explore responses in a cybersecurity policy simulation
• Joint comparative study on effectiveness of instruments via the Transatlantic Cyber Policy Research Initiative (TCPRI)
• Develop targeted exercises and trainings for different stakeholders
• Set up liaison officers at State Department and Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) as well as the European External Action Service (EEAS) and the European Union Agency for Cybersecurity (ENISA)
• Work together on global guidelines/frameworks for cybersecurity skills development

Key takeaways on EU cybersecurity policy for US policymakers

• The EU, a supranational organisation, has been active in conducting cybersecurity policy using a diverse set of instruments—a total of 36 were identified.

• Setting parameters is a way for the EU to have some influence on how incidentreporting is specifically implemented, by offering guidance. Nevertheless, most details on implementation are decided at member-state level.

• For non-EU countries such as the US, EU Council decisions are important because they show the common political position within the EU and that follow-up political decisions may be taken at EU level on the topic, rather than just by member states individually.

• Frameworks in general indicate that the EU works closely with member states on long-term goals and ultimately aims to harmonise the implementation of instruments as much as politically feasible.

• The EU is positioning itself as an information hub with the aim of achieving a common situational picture among stakeholders within the EU to enable joint responses or foster preventive measures and mitigation.

• The EU acts as a provider offering workshops, summits and platforms to meet, and facilitates studies and educational campaigns that include a diverse set of stakeholders. These instruments allow stakeholders from across the EU to work together on diverse cybersecurity (policy) issues.

• Overall, funding can be seen as another resource for the EU to support EU cybersecurity policy goals and/or achieve the implementation and use of certain instruments, such as training, sharing of information, development of best practices and guidelines or increasing awareness.

Key takeaways on US cybersecurity policy for EU policymakers

• The US federal institutions have been active in conducting cybersecurity policy using a diverse set of instruments defined as governmental interventions to achieve policy objectives: a total of 58 have been identified.

• In order to find vulnerabilities and threats and thereby improve cybersecurity of federal agencies and other stakeholders, the US uses innovative instruments, experimenting with activities that may be new and not (yet) used in other policy fields e.g. hackathons.

• The National Institute of Standards and Technology (NIST) framework, for example, is voluntary but NIST’s compliancestandards guide federal agencies and contractors to meet requirements mandated under the Federal Information Security Management Act (FISMA) and other regulations.

• The US provides services for assessing the cybersecurity level and making recommendations after the tests.

• In order to respond to malicious activity effectively, US federal agencies have set up different coordination platforms. Those can be ad-hoc groups, such as the Cyber Unified Coordination Group.

• In order to achieve a common situational picture, the US uses different instruments, for example guidelines on how to gather and share classified and open source information with internal and external stakeholders.

• Public attribution is used to alert internal actors such as companies about ongoing malicious activities. These alerts are usually accompanied by information to identify the actors and deploy defences.

• The John S. McCain National Defense Authorization Act shaped the US position on what constitutes the imposition of consequences, noting that all instruments of national power can be used in response to certain states.

• The US identifies countries that pose risks to US cybersecurity as an instrument to enable responses that aim to ‘disrupt, defeat and deter cyber attacks’. The US will compete and persistently engage in cyberspace with countries identified as a risk, using instruments such as monitoring and offensive cyber operations.

• Cyber Command works in concert with other domestic agencies, each doing its part towards the overarching goals and assisting other departments’ missions with their activities.

All in all, what the author aims to achieve with this paper is to show what could be possible to do together and a way to analyze EU and US cybersecurity policy comparatively by looking at the different instruments each applies.