The EU as a Leader of Global Cyber Security Policy

Regulation of technology, therefore, should be focused on shaping the political landscape the EU is willing to operate in and spread globally. We use examples such as the Budapest Convention or EU trade policy to demonstrate how the EU spreads its norms beyond its borders to motivate other global actors to comply with the norms it promotes. The other approach is to support development of security instruments such as the SIMARGL toolkit that spread security instruments to everybody, effectively supporting professional civil society in the EU, contributing to capacity building and decentralizing power in cyber space while delivering more security.

Introduction

Threats in and through cyberspace reach all aspects of society: critical infrastructure, health services, transportation, and global financial markets but also forums for debate that are crucial for nourishing open democratic societies. At the bottom of this, however, lies a deep societal concern, namely that through the unharnessed operation of emerging disruptive technologies citizens may lose faith in the technological and socio-political infrastructure of the political communities they inhabit. No single tool can answer this ongoing complex process. We argue that despite the fact that some technical tools might be developed to address mere technical security issues, they need to be developed with an aim to secure and nourish the key democratic principles of the EU as well.

Nowadays, democratic societies rely on a broad, technologically driven institutional infrastructure to safeguard them. The ongoing digitalization of European societies is making cyber security an ever more relevant topic for policy making. Over the past years the debates concerning cyber security have shifted considerably. Whereas the early debates were shaped by narratives of large-scale cyber-attacks disrupting critical infrastructure, we now observe that hacking attacks and technological failure are more frequent but have less societal impact.

The gradual shift of attention from one image to another does not mean that the experts were necessarily wrong when thinking about the risks nested in the cyberspace. It rather shows the inherent unpredictability of technological change and the complexity of this technology. The core problem in cyber security is, and has been ever, the fluid and constant evolution of the technology we use. The ideas behind any framework depicting the desirable ends – the normative framework – should be based on the general principles the EU stands on, particularly the principles of multilateralism which the EU wishes to nourish. In technical language, it means an emphasis on balanced distribution of power between actors holding certain technologies we use, and the whole society that depends on them.

In this recommendation we emphasize the necessity not to fall prey to the idea that new technologies as such are either a threat or a quick solution. In contrast, we argue for understanding the thorough societal character of cybersecurity threats as well as the answers to them. The EU must therefore respond with acknowledgement of the societal problems. The technology itself must become a tool of nourishing democratic principles, not harming them. In this way, the EU can become a global leader in a cyber security that is original and in line with EU values.

Existing EU Initiatives 

The EU already has a variety of tools at its disposal when it comes to cyber security. Several EU strategies in this area and additional tools that concern not only security issues but Big Tech regulations, cloud services or subsidizing digital technologies such as machine learning or semiconductors, have been developed over the past decade. The European Union Agency for Cybersecurity (ENISA) is a core institution that was founded in 2004.

Today it aims at enhancing capacity-building across the EU and is involved in policy making.
Furthermore, the first NIS directive was agreed upon in 2016 and currently the second NIS
directive is being negotiated. The former is the first cybersecurity legislation and thus needs
to be adopted by every member state.

The first NIS directive consists of three parts: national capabilities, cross-border collaboration and national supervision of critical sectors. This means that member states not only need national capabilities, but they also need to supervise critical sectors such as energy and digital infrastructure. Speaking more to direct security threats, the EU proposed a Cyber Defence Policy Framework in 2014, which was updated in 2018. It promotes activities such as real-time sharing of cyber threat information among member states and
cooperation between the military and civilian sector. In 2018 the emphasis lay not only on the further development of defence capabilities but also on training exercises and research.

In 2017 the ‘Cyber Diplomacy Toolbox’ was adopted. It increases the ability to coordinate actions across the EU in responding to and preventing threats. As such it aims at increasing the cohesiveness of EU actions. However, a caveat here is that states keep their sovereignty in attributing attacks to specific actors. Only when the attribution is clear can a core aspect of the toolbox, namely sanctions, be applied. Attribution is a core challenge when it comes to cyber security, and it thus remains an open question how effective this toolbox will be in hard cases.

In 2020 the newest cybersecurity strategy was released. Embedded in the ‘digital decade’ this strategy acknowledges how digital technologies are an integral part of every aspect of society. Under the headline ‘Thinking Global, Acting European’ the aim is to ensure an open and safe internet, and actively engage in global norm and standard setting and mainly in preserving the democratic processes and institutions. This aim is developed in detail in the European Democracy Action Plan.

As a result, we can see that the EU is willing to engage with the issue of cyber security from a variety of perspectives and put high priority on it.

Mapping the Problem

Cyber security as a policy challenge will remain fluid given the constant evolution of technology and of our habits of how we use it. This socio-technological dynamic is compatible with the argument of the technical communities that no software will ever be bug-free and therefore secure; however, it also means that no policy can ever be precisely targeted for a long time. Besides this problem, the recent example of Apple being willing to use AI to identify child sexual abuse on the iCloud accounts of hundreds of millions of
users and thus triggering strong resentment regardless of the open design of the proposed technology, which seeks only patterns without intervening in users’ privacy, showed how trust in technology is also crucial. Multiple actors seeking different interests in a constantly changing, technologically enabled environment are intermingled with social dynamics, and this creates a pulsing cloud of knowledge, practice, threat and opportunities that requires a clear destination into which we wish to steer it.

Consequently, regulatory bodies have difficulties in adapting appropriately to the everchanging – fluid – threat landscape. In addition, it is often difficult to anticipate the (unintended) consequences of regulatory measures for technological innovation, economic relations and society. Two striking examples here are the block-chain technology, especially cryptocurrencies, and artificial intelligence. While blockchain can deliver trust by technology between two peers, crypto coins based on it have the potential to deconstruct the trust of central institutions in democratic states. Artificial intelligence will be able to lower the numbers of deaths on roads when cars will be reliably autonomous but has a disruptive potential beyond imagination if it operates beyond the line of singularity. Both represent emerging challenges for political regulation, demonstrating how technology is able to change the political landscape tremendously. The SIMARGL toolkit using AI shows how we can approach security without producing attributable datasets that could be exploited
by criminals or hostile governments by using patterns instead of bulk datasets, but it does not answer the problem of trust development as in the case of Apple mentioned above.

Therefore, we must continually nourish the trust that technologies are used to secure the core EU values and democratic principles, and use the technology transparently (so that it would be unexploitable by any political authorities, including democratic ones) to secure it against malign cyber activities conducted by states as well as common cyber-crime.

Answering the Problem

Legal and normative instruments

Society needs technologies in which it can trust. This trust can in part be achieved by tackling malicious use of technology. This malicious use can be divided into two branches: cyber-crime and malign use of technology by a state. Both are internationally addressed by the Budapest Convention, by the ongoing process at the UN to draft a global comprehensive cybercrime treaty and by the OSCE and its cyber confidence building measures. A harmonization of laws related to cyber-crime investigations would have the side effect of dismantling the possibility of states cloaking their malicious activities as common
crimes, as they would be forced or motivated to cooperate. This can be achieved by globally adopted norms related to the behaviour of states in cyber space in relation to cyber-crime investigations. Following other research institutes in the EU arguing that the EU should behave as “a norm superpower” in order to address the complex challenge of cyber security, we argue that the EU has a great potential to become a global norm entrepreneur in this regard.

The EU Security Union Strategy 2020–2025 distinguishes between internal and external cyber threats. While internal threats relate primarily to cybercrime, external threats stem from assertive industrial policies of third countries combined with the continued cyber-enabled theft of intellectual property or a mix of cyber-attacks, damage to critical infrastructure, disinformation campaigns, and radicalization of the political narrative. External cybersecurity threats are addressed via the framework for a joint EU diplomatic
response to malicious cyber activities (the “cyber diplomacy toolbox”) setting forth measures under the Common Foreign and Security Policy, including restrictive measures (sanctions), which can be used against activities that harm the EU’s political, security and economic interests.

In 2017, the European Commission explicitly declared its intention to use trade policy instruments to promote standards of environmental, consumer, social and labour protection as well as fundamental rights around the world without compromise. In this context, non-trade objectives notably expanded the scope of EU trade agreements. By the same token, the European Commission realized that it could accelerate global climate action by including a climate change-related provision into its trade agreements. The EUJapan Economic Partnership Agreement entered into force in 2019 and was the first such agreement to include a specific commitment to the Paris Climate Agreement.

Having said that, the EU may similarly start including in its agreements, for instance, a reference to the Budapest Convention or a commitment to set up a fast and effective regime for international cooperation, as well as assurances of the existence of procedural mechanisms to assist in the successful prosecution of cybercrime.

The EU should be aware of the risk that regulating technologies in order to nourish the democratic debate could backfire with the exact opposite effect, namely lowering the democratic deliberation. Using the fake news label against opponents or plainly banning block chain technologies will produce resistance, as people will lose belief in democratic institutions and could use that technology against them. Technologies should work for democratic deliberation and an open society as they did at the beginning of the cyber age; regulation is just one tool in this, as the institutions must also act in line with the European values we all share.

EU cyber security capacity building

Capacity building aims at increasing the efficiency and effectiveness of institutional responses to cyber security incidents. Since cyber attacks and some technological failure will inevitably happen, the aim can only be to increase the resilience of institutions and infrastructures. Capacity building thus also includes individuals and smaller companies and focuses on enhancing their skills and infrastructures so that they would react appropriately to cyber incidents. The EU invests heavily in capacity building, and it is a cornerstone for its current cybersecurity strategy for the digital decade. Investments in research and
development, and fostering the cooperation among member states and stakeholders are two important aspects of the EU agenda. In addition, capacity building plays out in economic policies when it comes to the resilience of global supply chains, which are considered fundamental for the digital economy. A strong focus lies on 5G technology, which is also core to the idea of ‘digital sovereignty’. Rolling out 5G is crucial for the future of the EU as a digital economy but also for future research and development in core areas such as AI.
In sum, capacity building thus takes a comprehensive look at all stakeholders and aims at improving the resilience of societies in the wake of inevitable cyber incidents.

As such, capacity building should be streamlined into external action particularly in the neighbourhood countries with the strategic aim of building a forward resilience that is not constrained by the territorial trap of the state – and the EU as the commonwealth of states – but recognizes the dynamic nature of flows in the global politics that can create pressures on the EU and its member states’ systems from afar. Cybersecurity governance in terms of both legislative frameworks and institutional / capacity building should be integrated in the ENP (European Neighbourhood Policy) and promoted through the NDICI (Neighbourhood, Development and International Cooperation Instrument – Global Europe), as well as through development of means and processes to protect critical information infrastructure in the partner countries based on EU norms and regulations.

This will reduce existing vulnerabilities that can be exploited by third powers to disrupt local systems; it will also increase the partner states’ digital sovereignty, in particular when combined with a rising awareness of the risks related to acquiring 5G and/or surveillance and other technologies from third powers, and with providing and promoting both normative frameworks and practical solutions for responsible national cyber governance. This should be seen as a long-term activity to assist partner states, with a particular focus
on the associated countries in the Eastern Partnership (Ukraine, Moldova, and Georgia) that are likely to experience more pressure in the near future, complementing other crisis response initiatives such as the deployment of EU cyber teams to fend against cyber attacks from abroad.

Technical design

Another approach that is recommended for bearing in mind whenever applying cybersecurity solutions is ensuring that they come in the form of toolkits – i.e., their construction should be of a modular character. This is the most effective way of reacting to various situations and challenges, even the unsuspected ones. Modular solutions only engage the elements necessary for a specific situation, thus saving time and resources
and being as effective as possible. A toolkit-based approach (exactly as the one from the SIMARGL project) ensures a diversity of cybersecurity solutions allowing for countering various threats and attacks.

Conclusion

The EU should continue in spreading standards, norms and rules regulating technologies to the extent that non-EU countries will be economically motivated to comply with EU rules. EU trade policy appears to be a particularly effective tool in doing so. The Budapest Convention could become another instrument that precisely defines what the EU values are and how we want to secure them, in this case, against cyber crime or malign cyber activities conducted by states masked as crime. Moreover, the ENP and the NDICI are great tools for the forward resilience of the neighbouring countries. In general, we argued that cyber security should not be limited to technical solutions of the infinite emergence of software vulnerabilities but must be approached as a fluid and constantly changing socio-technical environment where technology primarily secures and nourishes democratic values, and also serves human flourishing as in the case of climate change.

Recommendations

→ Continue in the implementation of standards, norms and rules regulating technologies to the extent that non-EU countries will be economically motivated to comply with them.

→ Support transparency in an open-source and diversification fashion. It is a great method for developing cyber security instruments that serve the security of all and not a hidden political agenda; therefore, it serves to generally develop trust in technology and the intentions of democratic institutions.

→ Regulate technology indirectly by defining which values and democratic principles it should secure through internal regulation with a possible spill-over effect and through international treaties such as the Budapest Convention as well.

→ Support the core principles of democracy and the EU as a continuous lighthouse navigating the policy actions regulating the evolution of technology.