Based on recommendations from its recent report, the United States Cyberspace Solarium Commission offers ways to improve collaboration between the US and European partners and allies. By offering opportunities for collaboration in areas like cyberspace norms, multilateral engagement, capacity building and joint enforcement actions, the Solarium Commission seeks to improve the abilities of the US and EU to shape behaviour in cyberspace.
In March 2020, the US Cyberspace Solarium Commission released its public report. The document introduces a strategy of “layered cyber deterrence”: a comprehensive strategic approach to secure cyberspace that specifies actionable policy and legislative recommendations. Predicated on the idea that a renewed approach to deterrence can work in cyberspace, the strategy lays out the most comprehensive and coordinated path yet put forward. Layered cyber deterrence involves a whole-of-nation approach to shaping behaviour in cyberspace and denying the benefits of and imposing costs for malicious behaviour. By improving collaboration between the US government and various stakeholders, particularly the private sector and US allies, layered cyber deterrence can improve resilience and cyber defence. By implementing the report’s recommendations, the United States will be better able to work with allies and partners to hold malicious actors accountable and reward responsible behaviour in cyberspace. In order to achieve this global long-term goal, the United States must do its part by making its cyber ecosystem as secure as possible.
Naturally, the political perspectives of the United States and its European partners and allies differ in some ways. Nevertheless, there are many areas upon which both sides agree and productively collaborate. Both the United States and the European Union believe in the ultimate goal of a stable digital environment and an Internet that comports with the values of freedom and openness. Collective action is needed to defend this vision. The Solarium Commission has identified several areas that would benefit from increased engagement with European partners and allies.
Strengthening Cyber Norms and Confidence-Building Measures
The Solarium Commission recognises that, while unilateral action can be effective in the short term, multilateral engagement is more likely to yield long-term stability. As a basis for multilateral engagement, building a strong framework of norms – and Confidence-Building Measures (CBMs) to support them – is critical. Existing international agreements on norms provide a basis for this framework, but are only effective if they are observed; thus the challenge is how to reinforce and build upon these existing agreements.
The global COVID-19 pandemic clearly illustrates the critical need to strengthen these norms. Despite the existence of international agreements protecting critical infrastructure, a cyber actor reportedly linked to Iran brazenly targeted the World Health Organization during the pandemic. While this attack does not appear to have been especially destructive, other still-unattributed hacks targeting healthcare infrastructure have done significant harm, complicating pandemic response by forcing the cancellation of surgeries and rendering services unavailable for acute patients.
There are actions the US and EU member states can take together to implement agreed norms to prevent the kind of cyberattacks described above. First, states can ensure they domestically implement norms agreed to by the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE). This includes norms asserting that states should not knowingly allow their territory to be used for internationally wrongful acts using information and communications technology (ICT). Further, states should prioritise norms aimed at preventing malicious cyber activity that targets critical infrastructure, including healthcare and public health services. Additionally, states should engage in head-of-state-level discussions, like the Group of Seven (G7) or Group of 20 (G20), to address the implementation of overarching cyber policy and norms. Finally, partners and allies should ensure that the values of a free, open and secure Internet remain a cornerstone of all future developments in the norms space.
To further strengthen norms, CBMs can be a valuable tool for building stability and connectivity between actors. Cyber CBMs are cooperative, non-binding actions and arrangements that demonstrate intent. CBMs can improve communication and trust between adversaries as well as between allies, making them particularly helpful in reducing the risk of conflict escalation. For example, states can undertake bilateral and multilateral cooperative efforts, such as sharing information and points of contact for responding to cyber incidents. Moreover, individual states can bolster CBMs through domestic actions, like clarifying definitions of critical infrastructure and making cyber strategies accessible online.
Coordinated Engagement in Multilateral Bodies
In many multilateral organisations, Russia and China have increasingly challenged shared democratic values while promoting authoritarian models by successfully garnering key votes and support from non-aligned states. In late 2019, Russia successfully advanced a UN resolution to chip away at the Council of Europe’s Budapest Convention on Cybercrime. This resolution provides Russia with an opportunity to reshape how international cybercrime is defined and prosecuted, likely in its favour. China has also been strategically and assertively advancing its agenda in UN-sponsored bodies, and currently leads four of 15 different UN specialised agencies. The only other country with multiple leadership positions is France, which holds two. To counter this outsized influence, the United States and European Union, together with their allies and partners, should be more proactive about engaging international bodies and invest the necessary resources in doing so. The Solarium Commission’s recommendations call for funding organisations within the United States that provide this capacity, but such efforts will be even more effective if complemented by similar international efforts to increase engagement. Working collectively can strengthen the benefits of the rules-based international order as it exists today.
In particular, ensuring a stable cyberspace that comports with the shared values of a free, open, interoperable and secure Internet requires active EU and US participation in ICT standards bodies. These bodies allow a multitude of participants, from both inside and outside of government, to create sound and secure global standards while protecting open markets and fair competition. Recently, China has used these forums to promote standards and protocols that favour its interests, rather than secure global technical standards which uphold human rights and fundamental freedoms. To counter this trend, the European Union and United States can coordinate with one another, as well as like-minded allies and partners, to more effectively promote models for current and future technologies that align with their shared values.
Collaboration on Capacity Building
Joint capacity-building projects offer particularly high-impact opportunities for countering malicious behaviour in cyberspace while also promoting and expanding access to a free and open Internet. Helping vulnerable countries improve their cybersecurity and cyber defences reduces the global attack surface, making the entire cyber ecosystem more secure. The United States and the European Union and its member states can assist more countries together, increasing the impact of investments in capacity-building projects by coordinating their areas of focus and sharing best practices.
As a starting point, the United States and European Union can continue to deconflict and share information on capacity-building efforts. The Global Forum on Cyber Expertise has been a helpful venue for this exchange. Moving beyond coordination and deconfliction, collaboration between partners and allies can increase the knowledge of all involved. For example, the multinational Cyber Offensive and Defensive Exercise, co-hosted by the United States and Taiwan, helped all partners – including the Czech Republic, Japan and Malaysia – to identify gaps in their crisis response capabilities, while building strong rapport between states.
The US and EU can also provide technical assistance to countries seeking to improve their overall level of cybersecurity. Even when partners enter a collaborative effort at different levels of capacity and capability, the exchange can be informative to all. For instance, in 2018 and 2019, at the request of the government of Montenegro, the United States sent US European Command and US Cyber Command experts to the NATO member to help protect their critical infrastructure and counter malicious actors on their systems and networks. This kind of successful partnership provides meaningful insight into threat actors targeting the region in a way that is mutually beneficial for both parties involved.
Non-aligned countries seeking to improve their cybersecurity may not have the luxury of being discerning when choosing to accept technical assistance. If China or other authoritarian-leaning states are the first to offer that assistance, non-aligned states may openly accept it, even if it potentially comes with surveillance and control. Absent US and European leadership in providing technical assistance and pathways that foster an open, secure and interoperable Internet, digital authoritarianism may spread. Governments that believe in a secure, rules-based future for the Internet must make this option globally viable by providing the technical assistance other countries need to advance digitally – otherwise they will very likely rely on technologies and practices offered by authoritarian states.
Joint Attribution and Sanctions
A united international coalition also strengthens efforts to hold malign cyber actors accountable. Measures aimed at imposing costs on adversaries, like indictments and sanctions, are more effective when consequences are widespread and coordinated. A preponderance of support helps to build the credibility of the coalition’s power to impose consequences and counter false narratives. It signals to non-aligned states that proponents of responsible behaviour in cyberspace are better – and more numerous – partners than those who push for authoritarian values.
The global community saw such a coalition in action in October 2019, when more than 20 partners and allies, including the European Union and many individual EU member states, joined the United States in condemning attacks on Georgia’s government websites and television stations. Moreover, in more than a dozen instances, states jointly attributed those attacks to Russia. This coordinated action was remarkable for its unity of purpose, but perhaps more so because it involved support from states that had not been targeted. Because the response was collective, the message had a far more resounding impact than it would have if it came solely from the targeted state.
In the spirit of that collaboration, the adoption of the EU sanctions regime in May 2019 was a great step towards holding actors accountable. This measure signals to the international community that malign cyber activity will not be tolerated. To capitalise on this success, the United States and European Union should focus future efforts on implementing joint sanctions against those who violate shared norms of responsible state behaviour.
Law Enforcement Collaboration
Law enforcement is an area where even deeper collaboration may be possible. Joint efforts on investigations, criminal indictments and international extraditions signal to bad actors that malign behaviour is unacceptable and will be punished. Moreover, states can enhance partnerships by engaging in exchanges of information, intelligence and best practices to bolster collective efforts.
The Solarium Commission recommends several actions that will not only improve the United States’ ability to counter international cybercrime, but also improve overall international stability in cyberspace. One recommended action is to improve the speed at which Mutual Legal Assistance Treaties and Mutual Legal Assistance Agreements are processed. The current process is lengthy and cumbersome; improving it will ultimately reduce the number of international safe havens in which cyber criminals can operate, making the United States and European Union more secure.
The takedown of the AlphaBay and Hansa dark markets is a strong example of international cyber law enforcement cooperation. Prior to its seizure in 2017, AlphaBay had spent two years as the largest dark web-based criminal marketplace. Law enforcement authorities in Thailand, the Netherlands, Lithuania, Canada, the United Kingdom and France, as well as Europol, jointly took down AlphaBay and arrested its administrator. Authorities subsequently dismantled a secondary dark market site called Hansa that had attracted displaced criminals.
As outlined in this piece, building a cooperative coalition takes work on two fronts. The Solarium Commission’s report outlines many ways the United States can act domestically to improve its own position to engage globally. Nonetheless, establishing and maintaining a norms-based framework takes many hands. Internationally, the United States and its European partners and allies can cultivate a strong and enforced normative regime by working together to increase the frequency and scope of efforts to reward responsible state behaviour and enforce punishment of malign behaviour.
Featured image: credits to Giancarlo Revolledo
About the Author
Karrie Jefferson is a Director for Cyber Engagement with the U.S. Cyberspace Solarium Commission. Karrie is a Senior Privacy Analyst with the Cybersecurity and Infrastructure Security Agency.