The new EU cyber security paper falls short of providing a full-fledged strategy and of matching rhetoric with resources, argues Thorsten Benner. Instead Brussels should lead the way in creating a rules-based cyberspace.
"We want a peaceful strategy because you don't want to play with fire by developing cyber weapons." This is how EU Commission Vice President Neelie Kroes, a driving force behind the new EU "cyber security strategy" that was unveiled in Brussels on Thursday, sums up the EU approach to cyber defense.
This stands in marked contrast to the US approach. Outgoing US Defense Secretary Leon Panetta has repeatedly warned about a "cyber Pearl Harbor" or a "cyber 9/11" that "could virtually paralyze the nation. " Last October, Panetta stated: "This is a pre-9/11 moment. The attackers are plotting."
Raising the alarm bells has proved effective for the Pentagon and the emerging cyber military-industrial complex. The US cyber command is set to expand fivefold in the coming years despite overall shrinking military budgets. Its chief also heads the National Security Agency which has the world´s most advanced cyber intelligence capabilities. Washington is using its cyber edge not just for defensive purposes. From Stuxnet the world knows that the US engages in highly sophisticated offensive cyber operations.
The EU, however, emphasizes defensive measures, the protection against attacks as well as resilience. At the same time, Brussels asserts in its new strategy that its "international cyber policy will be to promote cyberspace as an area of freedom and fundamental rights". Is this only due to the EU´s blind infatuation with its self-image as a civilian power or because EU countries would not be able to mount sophisticated offensive operations such as Stuxnet anyway? Perhaps a little bit of both.
Domestically, the EU is right to focus on the cyber vulnerabilities in the private sector running critical infrastructure from transport to communication. Until now, there existed no clear standards and requirements for protection and reporting of attacks on the part of private companies.
The EU now proposes mandatory standards and reporting requirements for security breaches which go beyond the voluntary approach favored until now also in the US. The new mandatory regime (including the option to make reported attacks public) will finally get the laggards in business to take cyber security seriously.
Innovation is crucial
At the same time, however, reporting is not enough. As Raj Samani of security software provider McAfee emphasizes, the EU needs to ensure that "technological innovation continues to be at the forefront of efforts to out-innovate the malicious actors."
Internationally, the defense only posture on cyber capabilities raises a number of questions. For the EU's Kroes, the reason is simple. "We do not want an arms race in cyberspace," she asserted at the Munich Security Conference last weekend.
But do the old military analogies still fit today's digitalized world? What is a cyber weapon and what constitutes a cyber attack? Is it possible to distinguish defensive and offensive capabilities? How would arms control look like? Could using cyber capabilities not offer a more humane way of conducting war? Does it make sense to speak of "cyber war" in the first place? What new international norms do we need and how can we agree on applying existing norms?
Unfortunately, the new EU cyber security strategy is thin on answers. There is nothing resembling a cyber defense doctrine in the new EU paper. As Marietje Schaake, a leading European Parliamentarian on the issue, asserts, it is "an assessment more than a forward looking strategy." The EU rightly "encourages the development of confidence building measures in cyber security, to increase transparency and reduce the risk of misperceptions in state behavior."
But it says nothing about concrete diplomatic initiatives to put this into action. Will EU members for example push for more transparency on cyber capabilities within NATO? Will the EU initiate concrete confidence building measures with those countries such as China where the risk of misperceptions is greatest? What crisis management channels will be established?
This is all the more crucial since the attribution of cyber attacks is notoriously difficult and since that might lead to a confrontation spiraling out of control and could also lead to a conventional war. The new paper is also thin on how to turn the EU´s commitment to values into action. While the strategy talks about "monitoring the export of products or services that might be used for censorship or mass surveillance online", it stops short of calling for full-fledged export controls and bans.
Who's in charge?
On paper, the EU expresses its determination to act coherently in its "engagement with key international partners and organizations" and to "mainstream cyber issues" into its common foreign policy. But it is left up to the EU member states to make the necessary investments to turn this goal into reality. During Thursday's press conference on the new strategy, the EU´s foreign policy chief Catherine Ashton did not explain where the resources and precise plans needed to establish the EU as a cyber diplomacy heavyweight would come from and who would control them.
But this would be needed also to demonstrate that cyber security is not a domain that should be left to be dominated by the military. That is all the more unfortunate since there is a strong opening for Europe to make a difference in the global cyber policy arena.
Around the world, there is a growing suspicion of what comes across as an aggressive and secretive US cyber posture with little investment in diplomacy and global norms. At the same time, many countries are pushing to make cyberspace less free while vamping up their own cyber capabilities to catch up with Washington.
Embedding cyberspace in a rules-based order to make it secure, free and open is a goal that is fast slipping from our grasp. It will take EU leadership to help turn the tide. The hodgepodge with good intentions that is the EU cyber security strategy is a first start. Now it is time for the EU to match the rhetoric with resources and actions.
Thorsten Benner is co-founder and director of the Global Public Policy Institute (GPPi) in Berlin