In June 2017, the Council of the European Union agreed to develop the cyber diplomatic toolbox, a joint EU diplomatic response to deter malicious cyber operations. The cyber diplomatic toolbox is a potential game changer for EU cybersecurity as it signals the potential consequences aggressors might face when they target EU member states’ information systems. However, there is more to that than meets the eyes. The toolbox should be considered alongside other relevant measures that, when combined, are likely to make malicious actors think twice before unleashing a cyber operation.
The toolbox was endorsed at a curious time in international cybersecurity history, namely when diplomatic efforts aimed at regulating states’ behavior in cyberspace were struggling and attacks against information systems were becoming more vicious. Earlier in the month, the United Nations Group of Governmental Experts (UN-GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security was unable to come to a consensus on a report that should have forwarded the debate on the application of existing international law in cyberspace. Negotiations collapsed because of irreconcilable positions of participating states on the applicability of international humanitarian law and states’ self-defense and responsibility. This demonstrated the growing politicization of international cybersecurity policy and the complex path to achieving a universal understanding of how states should govern themselves online.
The development of the toolbox was also endorsed when two significant cyber incidents severely undermined information systems and data across the world. In May 2017, the ransomware WannaCry infected over 230,000 systems in more than 150 countries, while three months later NonPetya did the same in computer platforms in more than 60 countries. The NATO Cooperative Cyber Defence Centre of Excellence in Tallinn suggested that if the two malwares were attributed to a state, this could open up possibilities of countermeasures by victim states.
In this international context, the EU cyber diplomatic toolbox relies on the assumption that international law is applicable to cyberspace. Malicious cyber operations could be considered wrongful acts under relevant international law regimes, and states should not conduct or support any ICT operation emanating from their territories contrary to their international obligations. In the case of an attack, the EU would employ all measures under the Common Foreign and Security Policy – including restrictive measures like sanctions – as possible retorsions if a member state is subject to an attack. In light of the apparent difficulties on attributing well-engineered cyber operations, the EU also reminds that attribution is a state’s decision based on “all-source intelligence” and that not all measures of the framework might require attribution.
With the cyber diplomatic toolbox, the EU and its member states try to draw a red line for acceptable behavior in cyberspace and to alter adversaries’ calculus when deploying cyber operations. The goal is to signal to potential aggressors the possible consequences of foreign hacking, as well as to change attackers’ views on the costs and benefits of their actions. Until today, benefits for the attackers have been higher than the costs. Attackers knew that they could easily get away with the penetration of countries’ network and systems due to technical difficulties related to attribution and the political uncertainty surrounding responses. By noting that not all measures necessitate attribution and that malevolent operations will not be left unaddressed, the toolbox seeks to redress a situation in which adversaries were more incentivized to attack as the victims were nonplussed in their response. Implementation of the toolbox – which is likely to be ready by the end of this year – should add further granularity to a policy that already in its current status is set to make adversaries ponder a little bit longer before engaging in hacking.
While being a potential game changer in international cybersecurity, the toolbox should not be seen in isolation from other measures that the EU has devised in its broader approach to cyber diplomacy. Indeed, cyber dialogues, EU-coordinated responses to large scale cybersecurity incidents and EU-NATO cooperation are the three important factors that could complement the potential effect of the toolbox.
The cyber dialogues organized by the European External Action Service (EEAS) offer venues for the exchange of information and opinions on topics of common interest such as international norms of responsible state behavior, international cybercrime, and cybersecurity. In recent years, the EU has been active in promoting such dialogues with countries such as the US, China, Japan, the Republic of Korea and India. Recently, the EU suggested that it would prioritize in its future external engagements on international cyber security issues, promote principles of due diligence and states’ responsible use of ICT. As suggested in other fora including the OSCE and the UN, exchanges of information at regional and sub regional levels on countries/regional organization’s cybersecurity policies are essential in achieving clarity and make actions and counteractions in cyberspace predictable, with a view to avoid miscalculation.
An EU-coordinated response to large scale incidents is also likely to alter the calculus of a potential cyber aggressor. Indeed, if the EU demonstrates that it can bounce back from significant attacks perpetrated through ICT means, attackers might be less likely to see its actions as worth it. Linking cyber crisis management with the toolbox offers an integrated solution that can make a foreign attack less effective because its outcome would produce less damage than it could – through an effective crisis response – and propel a potential retorsion by the victim – via the application of countermeasures. Fort this purpose, the EU published a Blueprint aimed at increasing the efficiency of coordination between EU entities and member states during cybersecurity crises. Importantly, the Blueprint attempts to integrate cyber crisis management within existing crisis management mechanisms such as the EEAS’s Crisis Response Mechanism, which is activated in case of crises with an external dimension. As encouraged by the European Commission, it is essential that member states establish an EU Cybersecurity Crisis Response Framework, to be rehearsed during cybersecurity exercises such as Cyber Europe.
Finally, an effective EU-NATO cooperation on cybersecurity/defence is another element that could better shield both organizations from foreign cyber threats. Given that the EU and NATO are comprised of almost the same member states and confronted with similar threats, collaboration on information sharing, exchange of concepts and training/exercises would be a logical step. Therefore, it is not surprising that EU and NATO’s computer emergency response teams signed a technical arrangement on unclassified technical data sharing in February 2016 and, in December of the same year, agreed to a common set of proposals aimed at countering hybrid threats, crisis response (which might include cyber components) and cybersecurity/defence, among others. Most notably, by participating to each other’s exercises, this improved cooperation is likely to clarify how the two organizations would react to attacks of national significance, as well as when a digital attack could potentially trigger collective action involving military force.
In the end, the cyber diplomatic toolbox is likely to constitute an important deterrent against state actors who have been harassing countries through ICT means. However, if streamlined into a coherent policy and aligned with the toolbox, it is the combination of all the aforementioned measures, rather than only the cyber diplomatic toolbox, that will make a difference in the protection of EU systems and networks.
Tommaso De Zan, Associate Fellow, European Union Institute for Security Studies and PhD Researcher in Cyber Security, University of Oxford