In September, Ursula von der Leyen presented her vision for Europe’s “Digital Decade” (followed by a set of concrete proposals). The timeframe makes sense: whoever takes the lead in setting digital and cyber standards in the coming 10 years is very likely to set the rules of the game for the rest of the world. As I have argued here previously, today’s choices about Europe’s digital and cyber policies will be decisive for Europe’s place in the world. At the EU Cyber Forum, HRVP Borrell delivered a speech that stressed the geopolitical dimension of cyber diplomacy in the world of “power politics”. As he said, “Everywhere we look, we see rivalries, especially between the US and China, with technology as a major fault line and cyber as the new domain”. To succeed, then, Europe’s digital decade needs to be a truly global one from the start.
Setting up a Digital Compass
Ten years is a long time, and the history of European integration is packed with ambitious plans. In 2000, the Lisbon Strategy set an ambitious strategic goal for the EU to become “the most competitive and dynamic knowledge-based economy in the world”. Ten years later, amid the global economic crisis, President Barosso presented the Europe 2020 strategy – an agenda for European growth based on an innovative and green economy. Ultimately, these plans don’t deliver the ground-breaking results they promise.
Ambitious plans tend to quickly disintegrate in the face of changing political winds, evolving competing priorities and unforeseen events (see, for example, the impact of the COVID-19 crisis on the EU budget negotiations). To stay the course, the EU’s “Digital Compass” planned for 2021 will need clear orientation points. Here are four suggestions of what they might be.
- Sovereignty: The idea that EU needs the capacity to defend its strategic interests and values in the digital domain is already well established. Digital sovereignty (or digital autonomy) is a flagship concept driving the EU’s digital policies. But as the EU’s interdependent relationships with the US and China in particular become more conflict-ridden, and soft power is weaponised, the EU will need to deploy all its instruments to develop and implement a smart digital sovereignty policy. That includes foreign policy. As tensions between the United States and China rise, digital sovereignty will require the EU to make choices that strengthen European technologies and alternatives. But the EU will also need to fend off attacks on its policies. This will be impossible without a more confident cyber diplomacy.
- Resilience: As the EU invests in its digital sovereignty and strengthens its diplomatic presence, it becomes an even more attractive target for cyber espionage or politically-motivated cyberattacks. Therefore, investment in cyber resilience and the EU’s capacity to prevent and respond to cyberattacks needs to be a logical extension of efforts to safeguard the EU’s digital sovereignty. Several initiatives are already underway – including the revision of the Network and Information Security Directive, creation of a certification scheme and the creation of the Joint Cyber Unit, as well as several initiatives under the EU Security Union Strategy – and the EU should stay the course on these.
- Norms: The EU’s power as a maker of rules and setter of norms and standards is widely recognised. But the EU needs to do a better job of explaining and promoting those norms globally. The EU’s leadership on personal data management (GDPR) is undeniable and initiatives such as Europe’s digital future or the European Strategy for Data will only reinforce this position. However, the EU’s norms and standards need to be better-explained to international audiences. With many countries shifting away from the catalogue of norms and values, the EU needs to do a better job in demonstrating why its solutions, standards and norms work for everybody. Increasingly, the EU will also need to take a clear stance on initiatives such as the US Clean Network or proposals such as the US plans to ban TikTok and WeChat, which some considered a direct attack on the Internet. This, again, depends on diplomats fluent in the digital language of the EU.
- Multilateralism: The EU has been also clear about its commitment to multilateralism, including in cyberspace. As laid out by HRVP Borrell in his recent speech, the most important interest of multilateralism is “to set up stable norms and standards, applicable to all actors”, regardless of their position in the international system. But there are challenges to this vision coming from many sides. The governance of cyberspace is increasingly driven by the coalitions of like-minded countries – whether on 5G or standard-setting. The EU has so far interpreted multilateralism as being globally inclusive rather than “coalition exclusive”. The EU’s problem with multilateralism lies also in the fact that the same system that it aims to defend and promote is increasingly instrumentalised by actors like China, who use multilateralism as a weapon to fight against ideas such as digital sovereignty (e.g. the Data Security Initiative). The EU needs to take the lead if inclusive multilateralism is to be rescued.
Digilateralism in Cyber Diplomacy
Navigating between these different directions – at times mutually reinforcing, at times conflicting – requires a new overarching doctrine that will turn the compass needle accordingly. Such a doctrine needs to approach digital and foreign policy in a comprehensive way. The EU’s cyber diplomacy still needs a central vision. Digilateralism – a doctrine in cyber diplomacy that recognises the central role of technology and digital policies as a key element of foreign and security policy – can fill that role.
Admittedly, the name is a bit of a tongue twister, and new concepts often pollute the field instead of leading to constructive debate. But it is now urgent that the EU rally all its troops behind an idea that inspires a truly unified approach to cyber or digital issues – both internally and externally. So far, only a few countries seem to have embraced this doctrine. Estonia has made cybersecurity and e-governance its primary export products. The United States has turned its technological competition with China into a foreign policy priority. Technology and digital issues are also at the core of Australia’s International Cyber Engagement Strategy.
That such a doctrine is badly needed in the EU is beyond doubt. So far, the EU’s international engagement on digital issues has been treated distinctly from cyber diplomacy efforts focused on conflict prevention and responsible behaviour in cyberspace. Digilateralism builds a bridge between these two approaches, as it harnesses the EU’s internal norms and standards to promote responsible behaviour globally and to ensure the EU’s leadership as a norm-setter. This also corresponds to the currently prevailing narrative about the need to implement norms, i.e. to translate them from the high-level set of norms and principles agreed on at the UN into national legislation and institutional set-up. Ultimately, digilateralism offers a way to promote the EU’s model of digital transition on the global stage.
No Time to Lose
The logic behind this argument is straightforward: internal norms and standards strengthen the EU’s legitimacy internally; promoting them globally reinforces the EU’s external legitimacy and leadership. Together, they strengthen EU sovereignty.
How do we get there practically? Both the European Commission and the European External Action Service need to acknowledge that their agendas are mutually-reinforcing. The link between digital and foreign policy was well-captured by HRVP Borrell: “We, Europeans, we have been norm setters because we have been technological leaders. If we lose the leadership of technologies, we will not be able to continue being the norm setters”.
The internal-external nexus is a well-worn classic in European studies literature, and has also made it into the EU Global Strategy. But it still has a difficult time making inroads into the mainstream EU digital and foreign policy communities. This needs to change, or the “Digital Decade” announced last week will turn out to be one more big disappointment. The EU cannot afford to waste time: even while the Digital Compass and new policies are under development, the block should put “digilateralism” – or whatever other label it decides to deploy – into action. Implementing the three proposals below would be a great start.
- Make the EU’s digital standards, norms and principles a part of the EU’s official cyber diplomacy agenda. Unlike other actors, the EU has not been very forthcoming in explaining to its international partners how its laws and solutions contribute to overall stability in cyberspace. This despite global recognition of standards set by the NIS Directive, the GDPR, the EU toolbox to secure 5G networks, the EU’s certification scheme, the ethical principles for AI, the blueprint for crisis response and the elements of critical infrastructure protection.
- Expand the use of the Cyber Diplomacy Toolbox to promote the EU’s digital society model globally. So far, the Toolbox is used primarily in the context of international security. However, the current approach overlooks the contributions tools such as cyber capacity building and public diplomacy projects can make towards promoting the EU’s vision for a “digital future”. Part of that vision is the EU’s commitment to human rights online. But the EU has kept its explicit criticism of practices such as the Internet shutdowns in Belarus or the sales of surveillance technology to authoritarian regimes rather quiet. The EU’s horizontal sanctions regime against human rights abusers – a European Magnitsky Act – will partly address this problem. The conversation about a more comprehensive use of the Toolbox – beyond purely diplomatic instruments – is also slowly maturing within the EU’s foreign service. But it is motivated primarily by a sober calculation that most power and tools – such as setting standards in law or purely financial resources for cyber capacity building – are currently controlled by different services within the European Commission.
- Ensure that the EU’s domestic laws and regulations reinforce the rules-based global order, including through the implementation of norms and existing international law. Norms, while important to this discussion, suffer the significant shortcoming of being voluntary in nature. But the EU, with its market power, can and should reinvent itself as a normative power in cyberspace. Whether on data protection, AI or green tech, the EU has the tools and instruments to ensure broader compliance.
A unified approach to digital and foreign affairs is no longer a choice – even if the marriage of digital and foreign policy is more of a marriage of convenience than one of passion. The upcoming revision of the EU Cybersecurity Strategy later this year and the Global Digital Strategy expected in 2021 are good opportunities to make the commitment.
About the Author
Patryk Pawlak heads the Brussels office of the EU Institute for Security Studies and runs the Institute’s cyber-related activities. His work focuses on cyber, digital and tech policies of the European Union and other regional organisations. Since June 2016, he is a member of the Advisory Board of the Global Forum on Cyber Expertise.