While the American strategy of persistent engagement and the EU’s Cyber Diplomacy Toolbox – a framework for joint EU diplomatic responses to malicious cyber activities – could not be more different, they share the same underlying philosophy: the use of foreign and security policy tools to strengthen cybersecurity. Though their strategies differ significantly, the US and EU still have many instruments and strategic goals in common, which could be used to complement each other’s efforts.
Over the past four years, EU and US policymakers have focused on further developing their own political processes and cybersecurity policy approaches. Both see cybersecurity as essential to a prosperous and secure economy and society, however, their approaches differ significantly. The US strategic shift towards persistent engagement (i.e. a state of permanent competition with countries in cyberspace based on the use of offensive cyber capabilities) runs directly counter to the EU’s focus on conflict prevention through preventive, cooperative measures and the use of diplomatic instruments.
Those differences also translate into divergence between the two sides at the normative level. The US focus on its “defend forward” and persistent engagement doctrines has translated into a lack of commitment to some of the debated norms of responsible state behaviour, in particular the norm about protecting public core of the Internet. The norm states that “state and non-state actors should neither conduct nor knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet”.
This norm is supported by the EU and its member states through the Paris Call – which the United States has not joined – and other initiatives like the Global Commission on Stability in Cyberspace.
In addition, the United States has acknowledged the progress made in the EU when it comes to imposing consequences on malicious actors, but this was not followed by any concrete closer cooperation with the EU, such as joint sanctions announcements. Quite to the contrary: some unilateral steps taken by the US were met with silence in Europe. The largest coordinated response, the attribution of NotPetya, was coordinated by Australia and included the US and individual EU member states.
As “America is back” slowly replaces “America first” in US foreign policy, the question is to what extent the new Biden administration will lead to increased and meaningful cybersecurity cooperation between the US and the EU. A variety of different proposals for closer cooperation produced by think tanks in the past years (such as the Transatlantic Cyber Policy Research Initiative) never gained momentum, even though they offered an opportunity to evaluate the different approaches and their effects on the open, secure and free Internet or response cooperation. Biden’s promise of “building and tending relationships and working to identify areas of common interest while managing points of conflict” defines the cornerstones of such a joint way forward. So what are the areas of common interest to the US and EU in cyberspace?
Focus on What’s In Common
While the American strategy of persistent engagement and the EU’s Cyber Diplomacy Toolbox – a framework for joint EU diplomatic responses to malicious cyber activities – could not be more different, they share the same underlying philosophy: the use of foreign and security policy tools to strengthen cybersecurity by responding to malicious cyber activities.
As an analysis of the available instruments and tools shows, it is possible to achieve strategic cooperation in the use of the instruments supporting the implementation of common goals, even if the underlying policies do not align completely. In other words, excuses for inaction such as “the US cannot radically change its cybersecurity policies” or “the EU needs to figure out its own approach towards digital sovereignty first” can be no longer be used. There is also enough wiggle room for a strategic partnership between the US and the EU, one where expertise, resources and competencies could be shared for mutual benefit.
Cybercrime is a good example of an area where strategic cooperation has existed despite differences in approaches. It could be used as a springboard for a trustful close cooperation with clear objectives, as spelled out in the international operational agreement between the FBI and Europol. To ensure that cooperation runs smoothly, the European Cybercrime Centre within Europol has a full-time liaison officer from the FBI stationed in the Hague.
Therefore, a strategic partnership is possible where shared goals and tools exist that can be leveraged towards mutual benefit. Out of all 62 instruments available to the EU and US to achieve their cybersecurity policy goals, 32 are common to both sides and, of those, 20 instruments are feasible tools for joint implementation. Among them, one that stands out clearly is gaining an overview of threats to achieve situational awareness in order to respond effectively.
Strengthen Responses to Cyber Incidents
Both sides’ responses could be strengthened by achieving closer cooperation through a shared threat assessment that would inform political decisionmaking about how to address the threat. As the EU member states are thinking through proposals on how to use foreign and security policy to further protect the bloc’s interests, EU-level responses and institutions become important elements for coordinating within the EU. Therefore, for the State Department, the European External Action Service becomes an important partner in cyber diplomacy as well as, in essence, any political and strategic responses possible on EU level.
Regular exchanges regarding the cyber threat landscape would enable the development of a shared understanding over malicious cyber activities and their effects, creating an opportunity for the EU and the US to coordinate responses. The process in the EU is driven by the EU Intelligence and Situation Centre (INTCEN), an intelligence body of the European External Action Service. When necessary, INTCEN will assume a leading role in aggregating all-source information and preparing analyses and political assessments about a single event, or across events. This role is pursued in close cooperation with the CSIRTs network chaired by the rotating EU Presidency (currently held by Germany and to be held by Portugal and Slovenia in 2021), the EC3, ENISA or CERT-EU, as appropriate. Closer cooperation with the US, which has its own interagency process, could ultimately improve situational awareness of threats. Such joint situational awareness could feed into decisions to be implemented jointly, in coordination or separately.
Moreover, such cooperation between the EU and US could be a useful way for both sides to assess the effects of their respective responses as well as to identify, together, appropriate measures for broadening their cooperation through mechanisms such as joint exercises, which each side conducts separately and only on the strategic level. An exercise playing out a joint EU-US response to a cyber threat would be a means to explore different options. President-elect Biden wants to use diplomacy as “the first instrument of American power”. In this new political context, working together on strengthening each other’s responses to cyber incidents on the diplomatic level would be a logical move, given the EU’s emphasis. This is just one example of a situation where strategic partnership could be beneficial. However, this form of partnership relies on trust, respect and understanding.
Can a Liaison Heal the Marriage?
If the EU and the US want to enter into a strategic partnership focusing on their common interests, such as strengthening responses through improved joint situational awareness, one way to get there is by exchanging liaison officers between the European External Action Service and the State Department.
Liaison officers can support strategic partnerships and their development in several ways, such as by providing top-quality advice, facilitating effective knowledge management, communicating and coordinating their activities, creating new partnerships, facilitating the exchange of information and disseminating activities, findings and recommendations to the relevant stakeholders. Deployment of liaison officers to foster shared threat awareness would inform responses and would provide each side with a better understanding of how their counterparty conducts threat analysis. It could also help to identify means of conducting threat assessments together: what resources can be shared for mutual benefit? What key information needs to be shared to enable certain responses? For example, certain preventive/cooperative instruments in the respective EU and US toolboxes could be beneficial when used together (e.g. demarchés). By working together with the intention of developing a closer strategic partnership in the context of threat awareness and responses, the EU and US could develop a cooperation that is mutually beneficial while also managing their conflicting interests.
After years of neglect, the Biden administration provides an opportunity to strengthen EU-US cooperation on cybersecurity despite diverging strategies. The two have many instruments and strategic goals in common which could be used to complement each other’s efforts. No need to be picky. As the report shows, there are plenty tools to choose from.
This blog post is based on a longer report produced for the EU Cyber Direct project on EU-US cybersecurity cooperation.