The awareness of the damaging impact of cyber-attacks is globally growing due to a quickly expanding list of actual examples – from cyber-attacks on the Ukrainian electricity grid and the digital manipulation of the presidential elections in the United States to the global ransomware attacks in the past few months. The recently published European Commission´s Reflection paper on the Future of European Defence summarizes well the current challenge – Europe must have a stronger deterrent against cyberattacks.
How to prevent fast evolving and more damaging cyberattacks, is yet an unanswered question. Of course, prevention starts with basic ‘cyber-hygiene’ like updating software and installing appropriate security tools in ICT networks, but that is not enough; hackers will always find ways to exploit computer codes to circumvent security measures. It is important to take into account that cyber security is not only a matter of technical measures, but also of high politics, closely linked to the international political and strategic context. The current “political cyber playbook” is still a slim volume, but it expands daily as parts of the world move towards greater strategic use of cyber weapons to persuade their adversaries to change their behavior.
The recent history of cyber incidents shows that cyber criminals are a big global problem, but that states are responsible for developing the most powerful cyber weapons (or exploiting bugs in computer codes). Only state actors (or state-supported ones) have enough financial and human capacity to invest in developing the most powerful cyber weapons. Unfortunately, efforts to contain aggressive behaviour of states in cyberspace by developing international norm-setting through the United Nations recently failed. Without any common rules of behaviour, states can also rely on deterrence of cyber-attacks. This can be done by promising military retaliation, like the United Kingdom threatened with air strikes against cyber-attackers, or by more peaceful diplomatic instruments. Resilience is also being emphasized when strengthening cyber deterrence.
The European Union launched an interesting initiative in this context on 19 June. The EU announced to start developing what is called a ‘Cyber Diplomatic Toolbox’: a framework for joint EU diplomatic responses to malicious cyber activities. Although it is not specified what exactly the instruments in this diplomatic toolbox will be, the decision refers to ‘measures within the Common Foreign and Security Policy’ and the wording ‘restrictive measures’ is being used. This means that next to common diplomatic tools like making condemning statements, summoning ambassadors, or declaring diplomats persona-non-grata, one might especially think about political and economic sanctions against any adversary attacking EU member states in cyberspace. This kind of diplomatic retaliation tools may function as a deterrent, making malicious cyber operations less anonymous and risk-free while it brings little danger of immediate escalation.
The initiative is a valuable development and it should be supported in EU member-states. But it also raises five questions which have to considered.
First, a big problem is that EU countries differ in their level of cyber-readiness. This makes it difficult to carry out the principle of operational solidarity – that the member states would really be willing to support each other and, in particular, be able to execute a joint EU diplomatic response. Stronger political commitment to improve the level of cyber-readiness is needed in several EU member states. Otherwise “the cyber solidarity” weakens and joint response is harder to carry out – and the deterrent effect does not work.
Second, diplomatic means to respond are important, but it should not be forgotten that there are many other options to respond too. It is said that a state can respond using at least four instruments: diplomatic, informational, military, and economic. Policymakers need to consider the full range of responses at their disposal, from a quiet, diplomatic rebuke to a military strike. Sometimes the diplomatic response is not enough, especially if the impacts of cyberattacks are severe. A EU comprehensive framework with different ways to respond (more than just diplomatic tools) is needed.
Third, even if the EU member states agree with the content of the “Cyber Diplomatic Toolbox”, there have to be political processes and decisiveness to implement it concretely when a member state is hit by a cyber-attack. Joint political will to respond needs to be discussed thoroughly in advance and it is good to exercise it too.
Fourth, countering hybrid threats is a European priority, and the role of cyber operations in hybrid warfare is increasing. However, there usually are no “cyber-only” operations and hybrid warfare is characterized by the tailored use of all instruments of power (including cyber) against the vulnerabilities of the opponent’s systems. Therefore creating diplomatic response tools only against cyber-attacks is not enough. Most probably there will be simultaneously other influencing instruments used and they must be taken into consideration when considering the response as well. Cyber hostilities should not be separated from the hybrid warfare context.
Fifth, in order to succeed in using the Cyber Diplomatic Toolbox, the EU must strengthen its capabilities to be able to attribute the attacker better, improve European cybersecurity industry and increase the multidisciplinary cybersecurity research in Europe. If the EU does not possess strong cyber capabilities and understanding, then the diplomatic toolbox is likely to be relatively useless.
The cyber threat that Europe faces can only be tackled by working together. The initiative of the Cyber Diplomatic Toolbox may open a new and important page in European cyber deterrence, but only if it is supported by a strong political commitment and it the broader context is understood.
This op-ed was originally published by EUObserver.com on 7 July 2017. It is an adaption of the guest blog by Sico van der Meer on cfr.org/Council on Foreign Relations on 20 June 2017.
