When it comes to digital and cyber policies, a message from Brussels this week is clear: nobody puts the EU in a corner. Faced with the growing competition and challenge to its way of doing business, Brussels is pushing back hard with concrete ideas to fight disinformation, to ensure greater independence from foreign digital giants and build a more cybersecure and resilient Europe.
Since the beginning, Directions has stressed the need for the EU to play a more active role in leading the world’s digital transformation. Rather than re-learning ‘the language of power’, our team has asked for the EU to demonstrate its ‘value beyond values’.
This week has brought good news in this respect. The European Commission has announced the European Democracy Action Plan, which makes concrete proposals to fight disinformation, and presented long-awaited legislative proposals for the Digital Services Act and Digital Markets Act that will impact the EU’s digital ecosystem. The Council, too, has made headlines with the adoption of the resolution on security through and despite encryption.
But it is the EU Cybersecurity Strategy for the Digital Decade – a joint initiative of the European Commission and the High Representative for Foreign Affairs and Security Policy – that will attract most attention from those interested in the EU’s cybersecurity posture. The document focuses on three areas of action: 1) resilience, technological sovereignty and leadership; 2) building operational capacity to prevent, deter and respond; and 3) advancing a global and open cyberspace. This post addresses the cyber diplomacy dimension of the Strategy.
Digital meets diplomacy
Reading the document, one quickly realises that this baby is not the fruit of love but rather comes from an arranged marriage. It is not a big secret that the European External Action Service had to make its case to the European Commission for the international aspects to be included. The structure of the documents clearly reflects – and respects – the division of labour between the Commission and the European External Action Service. And even though the recognition of the need for these two institutions to work together does not go deep enough, many elements of this document are a step in the right direction.
Most importantly, the document acknowledges – albeit very timidly – that diplomacy is a valuable instrument to support the EU’s digital policies, but also that the EU’s external actions need to embrace the promotion of those policies. The Strategy mentions the need to actively promote the EU’s 5G Toolbox as ‘a valuable model for third countries’, including through providing technical assistance for the development of effective regulatory measures. This, however, will probably have to wait until the implementation of the 5G Toolbox across the EU is mature enough.
The Strategy also recognises the importance of diplomacy in reinforcing the security of the DNS root system for European and global use. This is great news given that the need to protect the core of the internet has gained much international recognition since the idea was first floated by the Netherlands in 2015. In addition to developing contingency plans and reassessing the role of the two EU root server operators, the Commission intends to promote the implementation of key internet and internet security standards for DNS, routing and email security in its relations with third countries, with an explicit mention of Africa. Those concerned about the rise of digital authoritarianism and the challenges it poses to an open, secure and resilient internet will welcome this provision.
Finally, the Strategy also recognises the need for the EU to step up its engagement and leadership on international standardisation processes, especially in terms of emerging technologies, in order to ensure that they reflect EU values. The upcoming Standardisation Strategy will define the objectives and action plan for international standardisation, including regarding cooperation and burden sharing with like-minded partners and other European stakeholders. Coincidentally, Paul Timmers – a man who was closely involved in drafting previous EU cybersecurity strategies – provided concrete ideas how to do it right in one of his earlier posts.
Diplomacy meets deterrence
The new Strategy also plays an important signalling role in terms of the EU’s cyber diplomacy. However, the document missed the opportunity to provide long-awaited clarity on confused messaging about what kind of international actor in cyberspace the EU wants to be in an increasingly competitive geopolitical environment.
The document departs from the framework provided by the Narrative Paper on an open, free, stable and secure cyberspace adopted by EU member states in June 2019, which defined the EU’s objectives in cyberspace as preventing conflicts, building stability, and promoting and enhancing cooperation. Regrettably, the Strategy does not make a single reference to the EU’s role in preventing conflicts in cyberspace (but you should nonetheless read a paper on the topic by Camino Kavanagh and Paul Cornish). Instead, it focuses on ‘cyber deterrence posture’. This is a disappointing turn given that the concept of cyber deterrence has been broadly criticised in the scholarship as unsuitable for the EU (Mika Kerttunen contributed to this debate in another post), and even the part of the Strategy devoted to cyber defence avoids using the term.
In addition, it is still not clear what kind of policy instrument the EU Cyber Diplomacy Toolbox (CDT) is becoming. For many years now, EU diplomats have been trying to convince their interlocutors that the CDT aims to strengthen accountability and promote responsible state behaviour in cyberspace by equipping the EU and its member states with a range of instruments to counter malicious activities. But the new Strategy places the CDT at the centre of the EU’s future ‘cyber deterrence posture’, which contributes to ‘responsible state behaviour and cooperation in cyberspace’.
This makes things confusing. The section of the Strategy that speaks of responsible state behaviour clearly focuses on working with international partners and providing European leadership in the discussions at the UN and other relevant international venues. However, by linking responsible state behaviour to cyber deterrence posture – as defined in the Strategy – the document is sending a signal, intentionally or not, that the CDT is a collection of sticks with very few carrots. These doubts should be resolved while defining the EU’s cyber deterrence posture and may require a clearer strategic communication from the European External Action Service in the meantime.
Strategy meets expectations
The new Strategy is no doubt the result of many compromises. This is no surprise for those familiar with how these processes work in practice. But that also implies that this Strategy will not meet all expectations. And while the EU still needs a proper international cyber engagement strategy to provide a clear vision and guide its cyber diplomacy efforts, there is much to like in this document:
- The EU’s digital standards, norms and principles are a part of the EU’s official cyber diplomacy agenda. The Strategy also provides sufficient space to ensure that the EU’s domestic laws and regulations reinforce the rules-based global order, including through the implementation of norms and existing international law. As such, the Strategy delivers on much of what I have called for in an earlier text on ‘Making Europe’s Digital Decade Global’.
- Cyber defence is recognised as critical for the EU Common Security and Defence Policy (CSDP) missions and operations. As the EU continues to play an important role as a security provider, cyber defence of the CSDP missions and operations will guide the review of the Cyber Defence Policy Framework (CDPF). The development of state-of-the-art cyber defence capabilities and strengthening cooperation on cyber defence research, innovation and capability development are mentioned too. Most exciting, however, is the recognition of the role that civilian CSDP missions can play in strengthening the EU’s wider response to cybersecurity challenges in partner countries (see my earlier text on civilian cyber missions for how that could look in practice).
- The EU’s added value on responsible behaviour in cyberspace is clearly stated. The Strategy refers to the EU as ‘best placed to advance, coordinate and consolidate Member States’ positions in international fora’. But more surprisingly, it calls for the EU to develop its own position on the application of international law in cyberspace. In the past, François Delerue made concrete suggestions on how to go about this process in practice and make sure that we ask the right questions.
- The EU’s commitment to the protection and promotion of human rights and fundamental freedoms online is supported with concrete actions. Although the document avoids any references to ‘free’ cyberspace, it does have a whole section on how the EU intends to lead in this domain, i.e. by making sustained efforts to protect human rights defenders, civil society and academia working on issues such as cybersecurity, data privacy, surveillance and online censorship. The Strategy also commits the EU to prevent the misuse of emerging technologies through diplomatic measures and the export control of such technologies.
- Cyber capacity building gets a proper boost. The Strategy proposes developing an EU External Cyber Capacity Building Agenda to steer the EU efforts in line with its 2018 Council Conclusions on External Cyber Capacity Building Guidelines and the Agenda 2030 for Sustainable Development. The steering role will be provided by a new EU Cyber Capacity Building Board and the implementation supported by the EU’s Cyber Capacity Building Network. These are all great ideas that will have to be carefully considered, also within the wider framework of digital cooperation as a more recent international cooperation priority for the EU, before putting pen to paper even though some initial thinking has been already done.
All these efforts are commendable, but they are no quick fixes to years (some may argue decades) of insufficient funding and the lack of political leadership. Moving forward will require tough political compromises among the EU-27 and the institutions themselves. Some suggestions may take years to mature and bring concrete results. Although the Strategy remains vague on a timeline for its implementation, there should be no doubt that we will closely monitor the progress.
About the Author
Patryk Pawlak heads the Brussels office of the EU Institute for Security Studies and runs the Institute’s cyber-related activities. His work focuses on cyber, digital and tech policies of the European Union and other regional organisations. Since June 2016, he is a member of the Advisory Board of the Global Forum on Cyber Expertise.